Versioning & Releases
SafeLLM follows Semantic Versioning (SemVer) to ensure predictable, auditable releases.
Version Format
Section titled “Version Format”MAJOR.MINOR.PATCH| Type | When to increment | Example |
|---|---|---|
| PATCH | Bug fixes, no behavior change | Regex fix, crash fix |
| MINOR | New features, backward compatible | New L1 filter, new PII type |
| MAJOR | Breaking changes | Config format change, API change |
Source of Truth
Section titled “Source of Truth”The version is defined in a single file:
safellm-oss/VERSIONAll other artifacts (Docker images, Helm charts, pyproject.toml) read from this file.
Release Process
Section titled “Release Process”1. Update VERSION
Section titled “1. Update VERSION”echo "2.0.0" > VERSION2. Commit
Section titled “2. Commit”git add VERSIONgit commit -m "chore(release): v2.0.0"3. Create Tag
Section titled “3. Create Tag”git tag -a v2.0.0 -m "Release v2.0.0"git push origin v2.0.04. Automatic Pipeline
Section titled “4. Automatic Pipeline”Pushing the tag triggers GitHub Actions which:
- Builds multi-arch Docker image (amd64, arm64)
- Tags the image:
ghcr.io/safellmio/safellm-apisix-gateway-sidecar:2.0.0(exact version)ghcr.io/safellmio/safellm-apisix-gateway-sidecar:2.0(minor)docker.io/safellm/safellm-apisix-gateway-sidecar:2.0.0(exact version)docker.io/safellm/safellm-apisix-gateway-sidecar:2.0(minor)docker.io/safellm/safellm-apisix-gateway-sidecar:2(major)ghcr.io/safellmio/safellm-apisix-gateway-sidecar:latest(optional)
- Pushes to GHCR (and optionally Docker Hub)
- Creates GitHub Release with:
- Release notes
- Image digest (SHA256)
docker-compose.release.yaml
Pinned Versions (Production Requirement)
Section titled “Pinned Versions (Production Requirement)”Development (OK to use build:)
Section titled “Development (OK to use build:)”# docker-compose.yml (dev)services: sidecar: build: context: . dockerfile: sidecar/DockerfileProduction (Must pin versions)
Section titled “Production (Must pin versions)”# docker-compose.release.yaml (prod)services: apisix: image: apache/apisix:3.14.1-debian # Pinned sidecar: image: ghcr.io/safellmio/safellm-apisix-gateway-sidecar:2.0.0 # Pinned redis: image: redis:7.2-alpine # PinnedMaximum Security (Pin by digest)
Section titled “Maximum Security (Pin by digest)”services: sidecar: image: ghcr.io/safellmio/safellm-apisix-gateway-sidecar@sha256:abc123...Docker Registries
Section titled “Docker Registries”SafeLLM images are published to:
| Registry | URL | Purpose |
|---|---|---|
| GHCR | ghcr.io/safellmio/safellm-apisix-gateway-sidecar | Primary, GitHub integration |
| Docker Hub | docker.io/safellm/safellm-apisix-gateway-sidecar | Public distribution |
Both registries have identical images with the same digest.
Helm Chart Versioning
Section titled “Helm Chart Versioning”Helm charts follow the same version as the application:
apiVersion: v2name: safellm-ossversion: 2.0.0 # Chart versionappVersion: '2.0.0' # App version (same)Install specific version:
helm install safellm safellm/safellm-oss --version 2.0.0Verifying Releases
Section titled “Verifying Releases”Check image digest
Section titled “Check image digest”docker inspect ghcr.io/safellmio/safellm-apisix-gateway-sidecar:2.0.0 --format='{{.RepoDigests}}'docker inspect safellm/safellm-apisix-gateway-sidecar:2.0.0 --format='{{.RepoDigests}}'Compare with release notes
Section titled “Compare with release notes”Each GitHub Release includes the expected digest. Compare:
# From release notesExpected: sha256:abc123...
# From your local pullActual: sha256:abc123...Version History
Section titled “Version History”| Version | Date | Notes |
|---|---|---|
| 2.0.0 | 2026-02 | Current OSS release baseline |
| 0.8.0 | 2026-01 | Initial OSS release |
See CHANGELOG for detailed history.