Hello @fresh-pie ,
There are various considerations when upgrading Foreman, and different environments have different ones. Let me outline the way our release process works which may help you understand how to make the right decision for your environment.
Every 3 months we branch for the next release. Shortly after branching, we begin releasing release candidates of the upcoming release, usually once every couple of weeks, until we feel fairly confident that the release is stable enough to go out to production usage. Users who are able to test out release candidates in their environment help us immensely in identifying any serious issues - while we have fairly good test coverage, Foreman is a huge beast and covering every path and every possible plugin combination is impossible.
We continue to maintain the latest two releases, with the latest normally getting bug fixes and the older release only getting fixes for security issues or very severe bugs. When a new release goes out, that means it’s the end of life for the previous “old” release.
All security issues are reported on our website, and in the case of serious ones we also mention them when announcing a release fixing them. The frequency of security vulnerability fixes varies greatly, sometimes we have several fixes in one release while other times we can go a couple of releases without any.
As for upgrade frequency - some users will upgrade every time a new major or minor release comes out, others only upgrade once for every major one and some may prefer to wait a few before taking a long outage window to upgrade several versions at once. The decision depends on your environment’s requirements with regards to availability, stability, security, new features etc.
We do recommend regularly upgrading to make sure you are at least on a supported version in case of security issues, and to avoid running into issues when upgrading many versions in one go. Most single-version upgrades are fairly quick and hopefully painless to run, other than a short outage while the upgrade process is running. It is also recommended to take a VM snapshot or backup before upgrading, in case something goes wrong during upgrade and you need to revert to the previous version.
If you require a more stable environment with less frequent upgrades, there are also a couple of commercial offerings based on Foreman that have a different release cadence and support SLAs - Red Hat Satellite and ATIX Orcharhino.