Releasing
How to cut a dimos release. Throughout this document, replaceX.Y.Z with the version you are releasing (e.g. 0.0.13).
1. Preparing for a release
-
Check for an existing
release/*branch on the remote (git ls-remote --heads origin 'release/*', or the Branches page). If one is still around from a previous release, complete section 3 for that branch before continuing. -
Bump the version on
main.uv version --bump patch(orminor/major). Open a PR, squash-merge. -
Create the temporary release branch from the version-bump commit (need CI to complete on main before push will succeed):
-
Create a backport label for this release. Repo → Issues → Labels (in left sidebar) → New label, named
backport release/X.Y.Z. (Orgh label create "backport release/X.Y.Z" --repo dimensionalOS/dimos.) The backport bot only runs when this label exists. -
To backport a fix from
main: add thebackport release/X.Y.Zlabel to a PR targetingmain(before or after merging). The backport bot will open a cherry-pick PR onto the release branch; review it and squash-merge.
2. Creating the release
-
Run the full test suite locally on the release branch.
-
Run the
releaseworkflow on therelease/X.Y.Zbranch. - Monitor the CI run. When it reaches the publish-pypi step, you’ll need other team members to approve the release.
-
After completion, the bot will have pushed a signed merge-back commit directly to
main. Confirm withgit log --first-parent main -1— the tip should beMerge release/X.Y.Z back to main. Then verifyvX.Y.Zshows on https://github.com/dimensionalOS/dimos/releases and on https://pypi.org/project/dimos/.
3. Cleanup
At this point, you can leave the branch around for potential patch releases, or cleanup immediately (recreating the branch from the tag if needed). When ready to cleanup the branch, follow these steps:-
Rename the release branch out of the protected
release/*namespace, then delete it. Therelease/*ruleset blocks direct deletion; renaming takes the branch out of scope. Web UI: Repo → Branches → findrelease/X.Y.Z→ ⋯ → Rename branch → e.g.archived/X.Y.Z. Then delete it from the same Branches page. Or viagh: -
Delete the
backport release/X.Y.Zlabel from the Labels page (orgh label delete "backport release/X.Y.Z").
Patch fix on a released version
When you need to ship a patch fix:-
If the release branch has already been deleted, re-cut from the tag and recreate the label (step 1.4):
-
Apply a patch version bump:
uv version --bump patch - Apply any fixes and follow sections 2 and 3 as before.
Verifying a release tag
git tag -v exits 0 and reports a good signature from dimos-release-bot when the tag is valid. GitHub’s web UI shows “Unverified” because the GPG key isn’t bound to a GitHub user account — this is expected.
Rotating the App private key
Rotate immediately on suspected compromise.- App settings → Private keys → Generate a private key → download the new
.pem. - Update the
RELEASE_BOT_APP_PRIVATE_KEYsecret in therelease-tagenvironment with the new key contents. - App settings → Private keys → delete the old key.
Rotating the GPG signing key
Rotate immediately on suspected compromise. Sam/Stash have revocation certificates which can be published to revoke the old key. Regenerate the key in memory on Linux (private material never touches persistent storage —/dev/shm is always tmpfs):
RELEASE_BOT_GPG_PRIVATE_KEY secret in the release-tag environment, repo variable RELEASE_BOT_GPG_KEY_ID, and commit the replacement docs/release-signing-key.asc.