From 93625579a0bd5ddb496523ccfae6ac7d48a1794a Mon Sep 17 00:00:00 2001 From: Mauro Ezequiel Moltrasio Date: Fri, 8 May 2026 11:39:16 +0200 Subject: [PATCH 1/2] docs: add CHANGELOG.md and update release.md In order to make it easier to track what version of fact has what features, a rough best-effort maintained change log file has been added. This new file will require some additional work during releases, so the corresponding release document has been updated. Some release instructions for Konflux have been removed, these are now the responsibility of the release engineer and we do not have to do them ourselves. The PR template also gets a new item in the checklist, reminding people to add an entry in the change log if one is required. --- .github/pull_request_template.md | 1 + CHANGELOG.md | 69 ++++++++++++++++++++++++++++++ docs/release.md | 73 ++++++++++++++++++-------------- 3 files changed, 112 insertions(+), 31 deletions(-) create mode 100644 CHANGELOG.md diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 031e493c..ed2d438f 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -5,6 +5,7 @@ A detailed explanation of the changes in your PR. Feel free to remove this section if it is overkill for your PR, and the title of your PR is sufficiently descriptive. ## Checklist +- [ ] Patch has a change log entry **OR** does not need one. - [ ] Investigated and inspected CI test results - [ ] Updated documentation accordingly diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..7b687a39 --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,69 @@ +# Change log + +This document is maintained in a best effort manner. If you consider +your change is worthy of a note, please add a line to the list below. If +possible include a PR number for easier tracking. + +## Next + +* ROX-30256: track files and directories being renamed (#308) +* ROX-33198: Instrument inode tracking on file open lsm hook (#391) +* ROX-33217: Instrument inode tracking on directory being created path mkdir (#465) +* ROX-33216: implement inode tracking for path_rename (#487) +* ROX-33218: Instrument inode tracking on directory being deleted (#530) +* ROX-33199: unlink inode tracking (#429) +* ROX-33197: implement periodic scanning of host paths (#329) +* feat: make the maximum number of tracked inodes configurable (#409) +* Moves glob/wildcard matching into Fact. (#323) +* ROX-33540: adds rate limiting (#499) +* ROX-33471: do not attach progs when no paths configured (#371) +* ROX-31937: Generate third-party deps license files. (#192) +* cleanup(bpf): reduce preemption fragility in overlayfs dedup (#558) +* ROX-33133: Enable post-quantum crypto-policies for fact (#349) +* ROX-33133: Enable post-quantum crypto-policies for upstream fact (#364) +* ROX-32841: Quote args (#295) +* ROX-31266: Implement tests with valid and invalid utf 8 strings (#251) +* test: add tests for files being created and modified with text editors (#215) +* chore(tests): replace __eq__ with diff() for detailed test diagnostics (#314) +* Update edition to 2024 (#413) +* cleanup: restrict broadcast channels to the output component (#557) + +## v0.2 + +* feat: sanitize paths generated by calling d_path (#181) +* ROX-30258: Track file ownership changes (#156) +* ROX-30257: implement permission change tracking (#157) +* ROX-31430: delegate TLS to host implementation (#168) +* feat(ebpf): use bpf_loop for local d_path implementation (#175) +* 087a210 ROX-30437: basic inode tracking for host path resolution (#166) +* Add performance test pipeline (#104) +* 
ROX-30630: run BPF bootstrap test in CI (#131) +* Replace custom d_path with bpf_d_path (#154) +* fix(fact-ebpf): improve kernel compatibility (#125) +* ROX-30836: implement hotreloading for monitored paths (#120) +* ROX-30836: implement hotreloading configuration for outputs (#119) +* ROX-30836: implement configuration hotreloading (#110) +* ROX-30255: track file deletions (#86) +* ROX-30438: Reimplement kernel side path filtering (#79) +* ROX-30254: Track file creation events (#65) +* ROX-30746: implement layered configuration (#53) +* ROX-30294: Add prometheus metrics (#40) +* ROX-30260: Konflux arm64 builds (#35) +* ROX-30260: add support for arm64 [upstream] (#30) + +## v0.1 + +* Initial release +* file_open added as the only supported LSM hook. +* JSON and gRPC outputs. +* Pre-flight check for BPF LSM support. +* Miscellaneous helper functions for host information querying. +* Basic health check endpoint. +* Basic configuration via CLI and environment variables only. +* Basic gRPC mock server for validation. +* CI + * Basic job for compiling, testing and linting. + * x86 container builds. + * Onboarded to Konflux (only half way through). + * Integrated with MintMaker. + * Integration tests on Fedora coreos for both GHA and Konflux builds. diff --git a/docs/release.md b/docs/release.md index 6a12e2ba..d15c3b07 100644 --- a/docs/release.md +++ b/docs/release.md 
@@ -31,15 +31,42 @@ which the release is forked. git push --set-upstream origin "release-${FACT_RELEASE}" ``` -At this point you will need to wait for the downstream release engineers -to create the git resources for Konflux before proceeding. +## Update CHANGELOG.md and version on main -## Update Konflux resources and application version +1. Set the following environment variable: + + * `FACT_RELEASE`: The next version of fact to be released. + + ```sh + export FACT_RELEASE=0.2 + ``` + +1. On the `main` branch, run the following commands. + + ```sh + sed -i \ + -e "s/^## Next/&\n\n## ${FACT_RELEASE}.0/" \ + CHANGELOG.md + + sed -i \ + -e "/^version = / s/\".*\"/\"${FACT_RELEASE}.0-dev\"/" \ + fact/Cargo.toml + ``` + +1. Create a new branch for these changes and push it to the repository. + ```sh + git checkout -b "release/update-versions-${FACT_RELEASE}" + git add . + git commit -m "chore: update change log and application version for ${FACT_RELEASE}" + git push --set-upstream origin "release/update-versions-${FACT_RELEASE}" + ``` + +1. Create a PR pointing to the main branch and get it merged. + +## Pin compiler version and update the application version 1. Set the following environment variables: - * `STACKROX_SUFFIX`: The major and minor versions of ACS that will - use this `fact` version (e.g., `4-10`). * `FACT_RELEASE`: The release version you set in the previous section. * `FACT_PATCH`: The patch version for this release (e.g., `0`). 
@@ -48,52 +75,36 @@ to create the git resources for Konflux before proceeding. (e.g., `1.88`). ```sh - export STACKROX_SUFFIX=4-10 export FACT_RELEASE=0.2 export FACT_PATCH=0 export RUST_VERSION=1.88 ``` -1. On the release branch, run the following commands to update the -Konflux build configuration and the application version. +1. On the release branch, run the following commands. ```sh - sed -i \ - -e "/appstudio.openshift.io\/application: / s/$/-${STACKROX_SUFFIX}/" \ - -e "/appstudio.openshift.io\/component: / s/$/-${STACKROX_SUFFIX}/" \ - -e "/serviceAccountName: / s/$/-${STACKROX_SUFFIX}/" \ - .tekton/fact-build.yaml + sed -i -e "/^RUST_VERSION / s/stable/${RUST_VERSION}/" \ + constants.mk sed -i \ -e "/^version = / s/\".*\"/\"${FACT_RELEASE}.0\"/" \ fact/Cargo.toml ``` -1. Run the following command to pin the Rust version to be used. - - ```sh - sed -i -e "/^RUST_VERSION / s/stable/${RUST_VERSION}/" \ - constants.mk - ``` - -1. Run the following command to stop mintmaker from attempting to - update our crate dependencies. - - ```sh - sed -i -e "/\"cargo\",/d" .github/renovate.json5 - ``` - 1. Create a new branch for these changes and push it to the repository. ```sh - git checkout -b "release/konflux-resources-${FACT_RELEASE}" + git checkout -b "release/prepare-${FACT_RELEASE}" git add . - git commit -m "Update Konflux resources for release ${FACT_RELEASE}" - git push --set-upstream origin "release/konflux-resources-${FACT_RELEASE}" + git commit -m "chore: prepare release branch for ${FACT_RELEASE}" + git push --set-upstream origin "release/prepare-${FACT_RELEASE}" ``` 1. Create a PR pointing to the release branch and get it merged. -1. Once the PR is in, you can go ahead and tag the fact release. +1. Since the release of artifacts via Konflux require some additional +configuration, you will need to wait for the release engineer to make +these and request a tag for fact. 
Once this happens, you can create a +new tag with the following commands: ```sh git checkout "release-${FACT_RELEASE}" git pull --ff-only From f33847413d5c626a66dd2457f5733909e0f43b7e Mon Sep 17 00:00:00 2001 From: Mauro Ezequiel Moltrasio Date: Fri, 8 May 2026 11:53:07 +0200 Subject: [PATCH 2/2] Make RUST_VERSION update more resilient --- docs/release.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release.md b/docs/release.md index d15c3b07..1d002c89 100644 --- a/docs/release.md +++ b/docs/release.md @@ -83,7 +83,7 @@ which the release is forked. 1. On the release branch, run the following commands. ```sh - sed -i -e "/^RUST_VERSION / s/stable/${RUST_VERSION}/" \ + sed -i -e "s/^RUST_VERSION .*/RUST_VERSION ?= ${RUST_VERSION}/" \ constants.mk sed -i \
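Review bot: In the CHANGELOG.md hunk, the v0.2 entry `* 087a210 ROX-30437: basic inode tracking for host path resolution (#166)` starts with an abbreviated commit hash that no other entry carries; drop `087a210` so the line matches the rest of the list. The existing headings are `## v0.2` and `## v0.1`, while the sed command this series adds to docs/release.md inserts `## ${FACT_RELEASE}.0` (for example `## 0.2.0`), so the next release heading will not match the ones already here. Pick one heading format and use it in both files.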
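Review bot: In the new "Update CHANGELOG.md and version on main" section of docs/release.md, `FACT_RELEASE` is described as "The next version of fact to be released", yet the same variable already names the branch pushed just above (`release-${FACT_RELEASE}`) and the following section calls it "The release version you set in the previous section". A reader who takes "next" to mean the version after the one being branched will carry the wrong value into the release branch steps, so say explicitly that it is the version being released. The second sed then sets main to `${FACT_RELEASE}.0-dev`, which sorts as a pre-release of the version that was just branched; if main is meant to move on to the following version, that needs its own variable. Also, `git add .` stages everything in the working tree; naming `CHANGELOG.md fact/Cargo.toml` keeps stray files out of the commit.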
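Review bot: In the "Pin compiler version and update the application version" hunk of docs/release.md, the step that deleted the `"cargo",` line from `.github/renovate.json5` to stop mintmaker from updating crate dependencies is removed together with the `.tekton/fact-build.yaml` edits. The commit message covers the Konflux instructions, but this step changes the repository's own renovate configuration, so please confirm the release engineer now owns it, or keep the step. Minor wording in the last added item: "the release of artifacts via Konflux require" should read "requires".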
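Review bot: In the 2/2 hunk of docs/release.md, the new expression `s/^RUST_VERSION .*/RUST_VERSION ?= ${RUST_VERSION}/` rewrites the whole line and hard-codes the `?=` operator, where the old expression only replaced `stable` and left the assignment as written in constants.mk. If that line does not already use `?=`, this changes how the variable is assigned, and with `?=` a `RUST_VERSION` already set in the build environment takes precedence over the pinned value. Either keep whatever operator is on the line or state in the doc that `?=` is intended. sed also exits successfully when nothing matches, so following the command with `grep "^RUST_VERSION .*${RUST_VERSION}" constants.mk` would confirm the pin was applied.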