Shell script to verify staged release candidate artifacts #2824
Conversation
Performs a bunch of verifications against a proposed (staged) release candidate using the new `tools/verify-release/verify-release.sh` script against Maven artifacts, main distributions and Helm chart.

Checks:
* GPG signature and checksum verifications
* All expected artifacts are present
* Build artifacts are reproducible (minus known exceptions)
  * jar files
  * Main distribution zip/tarball
  * Helm chart
* Build passes.
* DISCLAIMER/LICENSE/NOTICE files are present in artifacts that require those

More information in the added web site page.

Fixes apache#2822
Excellent improvement that will greatly simplify release verification!
My impression is that the tool is mostly focusing on artifact comparison and reproducible builds. A possible future addition would be to actually test the distribution by building and running basic tests, including tests for Helm chart.
* Maven staging repository
* `DISCLAIMER`, `LICENSE` and `NOTICE` files are correct for the repository.
* Contents of jar artifacts `META-INF/LICENSE` and `META-INF/NOTICE` files are correct.
* All files have license headers if necessary.
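Review bot: "All files have license headers if necessary" (last line of this region) leaves unstated what decides whether a header is necessary; a release verifier reading this page cannot tell which files may legitimately lack one. Suggest naming the rule the project actually applies (the exclusion list used by the "rat" check the later context line refers to), e.g. "All files have license headers unless excluded by the rat configuration."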
Why not include a step to automate this?
I usually use the below to test the source distribution and check for licenses etc.
# Local build of the source distribution: license check (rat), tests, copied-code
# check, server assembly and the Quarkus container image tagged with ${version}
./gradlew rat test :checkForCopiedCode \
:polaris-server:assemble \
:polaris-server:quarkusAppPartsBuild --rerun \
-Dquarkus.container-image.tag=${version} \
-Dquarkus.container-image.build=true
The assumption is that CI, which performs all these checks, is "green".
BTW: The script can keep (-k option) the (temporary) directory, which contains all the downloaded and locally built artifacts.
Tests can be run from there.
site/content/release-verify.md
* Contents of jar artifacts `META-INF/LICENSE` and `META-INF/NOTICE` files are correct.
* All files have license headers if necessary.
This is (mostly) verified using the "rat" tool during builds/CI.
* No compiled artifacts are bundled in the source archive.
This could also be automated:
# Non-empty files that perl's -B test deems binary, narrowed to those `file` reports as executable
executable_files=$(find . -type f ! -size 0 | perl -lne 'print if -B' | xargs file | grep executable)
if [ -n "$executable_files" ]; then
  echo "Binary executable files found:"
  echo "$executable_files"
  exit 1
fi
Hm, I think line 52 should read "No disallowed binary artifacts are bundled in the source archive."
A strict "no binary artifacts at all" is difficult to achieve, as png and jpeg are binary.
Bash scripts for example are permitted, as those are "text" files, despite being executable.
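The rule the thread converges on (text files including executable scripts pass, PNG/JPEG images pass, any other binary file fails), as an added POSIX sh example that is not the PR's verify-release.sh and not code from this thread; it assumes only find, grep -I, dd and od are available, and the magic-byte allow list is an assumption that a project could extend.

```shell
#!/bin/sh
# Added example, not part of the PR's verify-release.sh: report disallowed
# binary files in an unpacked source archive. Text files (including
# executable shell scripts) and PNG/JPEG images are permitted; any other
# binary file is reported and the check fails.

# First four bytes of a file as lowercase hex, e.g. "89504e47" for PNG.
magic4() {
  dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# 0 if the file is an allowed binary type (PNG or JPEG), 1 otherwise.
allowed_binary() {
  case "$(magic4 "$1")" in
    89504e47) return 0 ;;   # PNG signature
    ffd8ff*)  return 0 ;;   # JPEG start-of-image marker
    *)        return 1 ;;
  esac
}

# Walk DIR (skipping .git); print each disallowed binary file and return 1
# if any was found, 0 otherwise. Empty files are ignored; grep -I treats a
# file containing NUL bytes as binary, so executable scripts stay "text".
check_disallowed_binaries() {
  bad=$(find "$1" -type f ! -size 0 ! -path '*/.git/*' -print |
    while IFS= read -r f; do
      grep -Iq '' "$f" && continue      # text file, executable or not
      allowed_binary "$f" && continue   # image that may ship in sources
      printf '%s\n' "$f"
    done)
  if [ -n "$bad" ]; then
    echo "Disallowed binary files found:"
    echo "$bad"
    return 1
  fi
  return 0
}

# Stand-alone use: pass the directory of an unpacked source archive.
if [ $# -gt 0 ]; then
  check_disallowed_binaries "$1"
fi
```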