Release Engineering is how software gets packaged, shipped, and distributed to end users.

Incorporate Supply Chain Management

Supply Chain Management covers the flow of physical goods and the activities, processes, and systems involved in delivering finished products to consumers. It is generally practised in large-scale organizations to deliver assembled products to customers efficiently and reliably.

As with many other disciplines borrowed into software, supply chain management can be adapted to cover the chain of software dependencies at every level of abstraction, from individual libraries up to OS and Docker images.

In a way, a Release Engineering system can be seen as an implementation of a Supply Chain system for a software product.

Any enterprise product must be secure. The bulk of security vulnerabilities are discovered after the product ships, so it is important to design the Release Engineering system with traceability and verifiability of its components in mind: every shipped artifact should be traceable back to the exact source revision and dependency versions it was built from.

When a bug or a security vulnerability is discovered, responsible teams should be able to determine which product versions are affected.

We found that tying Git SHAs and dependency versions to our product versions in the form of a Release Train label is immensely useful in understanding when a particular dependency bump was introduced. For Tanzu Application Service, we label our trains RT-yyyy-xxx. All GitHub issues, Release Train branches, and the final released versions are tied to this Release Train label.

Since we keep a record of the changes introduced in every release train, each Git SHA points to a logical change by the team, which lets us track down the change and plan a remedy. These links are bi-directional through Git: we can identify the release train from a Git SHA and vice versa.
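The two lookups described above (which trains shipped a vulnerable dependency, and which train a given Git SHA belongs to) as an added example; this is not code from the original post or from Tanzu Application Service's own tooling. The manifest format, the helper names, the Git SHAs and the vulnerable version range are all constructed for illustration, and the range check follows the OSV-style "introduced/fixed" convention rather than any real advisory.

```python
"""Release-train traceability lookups (added example, not Tanzu's own tooling).

The manifest below is constructed for illustration: each entry ties a Release
Train label (RT-yyyy-xxx) to the product version, the Git SHA that was shipped,
and the dependency versions pinned in that train. The vulnerable version range
used in main() is also constructed and does not refer to a real advisory.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ReleaseTrain:
    label: str                 # Release Train label, e.g. "RT-2023-010"
    product_version: str       # version string shipped to customers
    git_sha: str               # full SHA of the product commit that was built
    deps: Dict[str, str]       # dependency name -> pinned version


# Constructed sample manifest, in the order the trains shipped.
MANIFEST: List[ReleaseTrain] = [
    ReleaseTrain("RT-2023-010", "4.0.0", "3f1c9a6e2b7d4c8a1e5f0b9d6a2c4e8f1b3d5a7c",
                 {"golang.org/x/net": "0.14.0", "openssl": "3.1.2"}),
    ReleaseTrain("RT-2023-011", "4.0.1", "8b2e4d6f1a3c5e7b9d0f2a4c6e8b1d3f5a7c9e2b",
                 {"golang.org/x/net": "0.15.0", "openssl": "3.1.2"}),
    ReleaseTrain("RT-2023-012", "4.1.0", "c4d6e8f0a2b4c6d8e0f2a4b6c8d0e2f4a6b8c0d2",
                 {"golang.org/x/net": "0.17.0", "openssl": "3.1.4"}),
    ReleaseTrain("RT-2024-001", "4.1.1", "d7e9f1a3b5c7d9e1f3a5b7c9d1e3f5a7b9c1d3e5",
                 {"golang.org/x/net": "0.19.0", "openssl": "3.1.4"}),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v1.2' / '1.2.3-rc1' into a comparable tuple, padded to three parts.

    Pre-release and build metadata are dropped; this is deliberately simpler
    than full semver, which is enough for pinned release versions.
    """
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def version_in_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """OSV-style range check: introduced <= version < fixed (fixed=None means unfixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def affected_trains(manifest: List[ReleaseTrain], dep: str,
                    introduced: str, fixed: Optional[str]) -> List[str]:
    """Labels of every train that shipped `dep` inside the vulnerable range."""
    return [t.label for t in manifest
            if dep in t.deps and version_in_range(t.deps[dep], introduced, fixed)]


def first_fixed_train(manifest: List[ReleaseTrain], dep: str, fixed: str) -> Optional[str]:
    """Label of the first train whose pinned `dep` is at or past the fixed version."""
    for t in manifest:
        if dep in t.deps and parse_version(t.deps[dep]) >= parse_version(fixed):
            return t.label
    return None


def sha_for_train(manifest: List[ReleaseTrain], label: str) -> Optional[str]:
    """Forward lookup: the product Git SHA a release train was built from."""
    for t in manifest:
        if t.label == label:
            return t.git_sha
    return None


def train_for_sha(manifest: List[ReleaseTrain], sha: str) -> Optional[str]:
    """Reverse lookup: release train for a full or abbreviated Git SHA.

    Refuses very short prefixes and ambiguous ones instead of guessing.
    """
    sha = sha.lower()
    if len(sha) < 7:
        raise ValueError("SHA prefix too short; use at least 7 hex characters")
    matches = [t for t in manifest if t.git_sha.startswith(sha)]
    if len(matches) > 1:
        raise ValueError(f"ambiguous SHA prefix {sha!r}")
    return matches[0].label if matches else None


if __name__ == "__main__":
    dep, introduced, fixed = "golang.org/x/net", "0.0.0", "0.17.0"  # constructed range
    print("affected trains:", affected_trains(MANIFEST, dep, introduced, fixed))
    print("first fixed in: ", first_fixed_train(MANIFEST, dep, fixed))
    print("SHA 8b2e4d6 shipped in:", train_for_sha(MANIFEST, "8b2e4d6"))
    print("RT-2023-012 built from:", sha_for_train(MANIFEST, "RT-2023-012"))
```

Two design points worth noting: the manifest is kept in shipping order so that "first fixed train" is meaningful, and the reverse lookup refuses to answer on a short or ambiguous SHA prefix, since a wrong "not affected" answer is worse than a request for a longer prefix.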

Jamie Larson