From 5deacad7654196761ac3d397c73b4319b33640a2 Mon Sep 17 00:00:00 2001 From: Pedro Nacht Date: Fri, 27 Jan 2023 20:12:37 -0300 Subject: [PATCH] ci: Ensure all version references are up-to-date prior to release (#447) * Create references.sh Signed-off-by: Pedro Kaj Kjellerup Nacht * WIP: check docs in pre-submits Signed-off-by: Pedro Kaj Kjellerup Nacht * Clean up Signed-off-by: Pedro Kaj Kjellerup Nacht * Fix based on comments Signed-off-by: Pedro Kaj Kjellerup Nacht * Add instructions to RELEASE.md Signed-off-by: Pedro Kaj Kjellerup Nacht * Check references match version in PR body Signed-off-by: Pedro Kaj Kjellerup Nacht --------- Signed-off-by: Pedro Kaj Kjellerup Nacht Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- .github/workflows/pre-submit.actions.yml | 21 +++++ .../scripts/pre-release/references.sh | 85 +++++++++++++++++++ RELEASE.md | 7 +- 3 files changed, 110 insertions(+), 3 deletions(-) create mode 100755 .github/workflows/scripts/pre-release/references.sh diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml index d7ed85c..0d8f827 100644 --- a/.github/workflows/pre-submit.actions.yml +++ b/.github/workflows/pre-submit.actions.yml @@ -39,3 +39,24 @@ jobs: with: name: dist path: dist/ + + check-docs: + runs-on: ubuntu-latest + if: ${{ contains(github.event.pull_request.body, '#label:release') }} + env: + BODY: ${{ github.event.pull_request.body }} + steps: + - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + + - name: Check documentation is up-to-date + run: | + RELEASE_TAG=$( + echo "$BODY" | \ + grep -oE '^[[:blank:]]*#label:release[[:blank:]]+v?[0-9]+\.[0-9]+\.[0-9]+' | \ + sed -E 's/.*([0-9]+\.[0-9]+\.[0-9])/\1/' + ) + if [[ -z "$RELEASE_TAG" ]]; then + echo "Invalid release PR body. Must include `#label:release vX.Y.Z" + exit 1 + fi + RELEASE_TAG="${RELEASE_TAG}" ./.github/workflows/scripts/pre-release/references.sh 
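Review bot: The error message in the `if [[ -z "$RELEASE_TAG" ]]` branch contains an unbalanced backtick inside double quotes (`Must include `#label:release vX.Y.Z"`), which bash treats as the start of a command substitution, so the step aborts with an unterminated-substitution syntax error instead of printing the hint; quote the token differently, e.g. `echo "Invalid release PR body. Must include '#label:release vX.Y.Z'"`. The `sed -E 's/.*([0-9]+\.[0-9]+\.[0-9])/\1/'` extraction is also fragile: the greedy `.*` keeps only the last digit of a multi-digit major version (v12.3.4 becomes 2.3.4), and since the preceding `grep -o` has already isolated the label, `grep -oE '[0-9]+\.[0-9]+\.[0-9]+$'` is a simpler and exact replacement. Passing the PR body through the `BODY` env variable instead of interpolating `${{ }}` into the script is the right choice, as the body is controlled by whoever opens the pull request.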
diff --git a/.github/workflows/scripts/pre-release/references.sh b/.github/workflows/scripts/pre-release/references.sh new file mode 100755 index 0000000..e9ab23f --- /dev/null +++ b/.github/workflows/scripts/pre-release/references.sh 
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# Verify that all references point to the same version
+
+set -euo pipefail
+
+function get_first_nonblank_line() {
+ while read line; do
+ [[ "$line" =~ [^[:blank:]] ]] && break
+ done < "$1"
+ echo "$line"
+ }
+
+ ###
+ ### SHA256SUM.md
+ ###
+
+ line=$(get_first_nonblank_line SHA256SUM.md)
+
+ # Ensure both visible text and link point to the same release
+ version_txt="$(sed -E "s~.*\[v(.*)\].*~\1~" <<< "$line")"
+ version_lnk="$(sed -E "s~.*/v(.*)\)$~\1~" <<< "$line")"
+
+ if [[ "$version_txt" != "$version_lnk" ]]; then
+ mark_txt="$(head -c ${#version_txt} < /dev/zero | tr '\0' '^')"
+ mark_lnk="$(head -c ${#version_lnk} < /dev/zero | tr '\0' '^')"
+
+ marks="${line/"$version_txt"/"$mark_txt"}"
+ marks="${marks/"$version_lnk"/"$mark_lnk"}"
+ marks="$(sed 's/[^^]/ /g' <<< "$marks")"
+
+ echo "SHA256SUM.md: Visible text and linked URL do not match:"
+ echo "$line"
+ echo "$marks"
+
+ exit 1
+ fi
+
+ # Ensure version matches what's declared in the PR body
+ if [[ "$version_txt" != "$RELEASE_TAG" ]]; then
+ echo "SHA256SUM.md version doesn't match version declared in PR body"
+ echo "PR body: #label:release v$RELEASE_TAG"
+ echo "SHA256SUM.md: v$version_txt"
+
+ exit 1
+ fi
+
+ ###
+ ### go.mod
+ ###
+
+ # Get major version from go.mod
+ major_version_go_mod="$(get_first_nonblank_line go.mod | sed -E 's~.*/v(.*)~\1~')"
+
+ # Get major version declared in PR body
+ major_version="$(sed -E 's/(.+)\..+\..+/\1/' <<< "$RELEASE_TAG")"
+
+ # Ensure major version from SHA256SUM.md matches go.mod's
+ if [[ "$major_version_go_mod" != "$major_version" ]]; then
+ echo "go.mod version doesn't match version declared in PR body:"
+ echo "PR body: v$major_version (v$RELEASE_TAG)"
+ echo "go.mod: v$major_version_go_mod"
+
+ exit 1
+ fi
+
+ ###
+ ### README.md
+ ###
+
+ # Select all version numbers following a reference to slsa-verifier that are different
+ # from the version defined in SHA256SUM.md
+ results=$(
+ grep -Pon ".*?slsa-verifier.*?\d+\.\d+\.\d+" README.md |
+ grep 
-v "$RELEASE_TAG$" | + sed -E 's/(.*)/ \1/' || true +) + +if [[ "$results" != "" ]]; then + echo "README.md version doesn't match version declared in PR body:" + echo "PR body: #label:release v$RELEASE_TAG" + echo "README.md:" + echo "$results" + exit 1 +fi diff --git a/RELEASE.md b/RELEASE.md index 41cae97..4a923bf 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -116,10 +116,11 @@ $ sha256sum slsa-verifier-linux-amd64 $ sed -i "s/v1.0.0/v1.1.1/g" ./README.md ``` -4. Send a pull request with the changes. In the description, explain the steps to verify the hash update, i.e., reviewers shoud LGTM only if the provenance verification succeeds -and the hash in the pull request matches the one computed on the binary. You can use [#slsa-framework/slsa-github-generator#113](https://github.com/slsa-framework/slsa-github-generator/pull/113) as example. +4. Send a pull request with the changes. In the description: + - add the string `#label:release vX.Y.Z` on its own line; + - explain the steps to verify the hash update, i.e., reviewers shoud LGTM only if the provenance verification succeeds and the hash in the pull request matches the one computed on the binary. You can use [#slsa-framework/slsa-github-generator#113](https://github.com/slsa-framework/slsa-github-generator/pull/113) as an example. -5. Replace all version / commit references to the slsa-verifier repo with references to the newly released version [e2e.installer-action.yml](https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.installer-action.yml). Each reference has the comment `# UPDATE ON RELEASE`. +5. Update all version / commit references to the `slsa-verifier` repo in [`example-package`'s e2e.installer-action.yml](https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.installer-action.yml). Each reference has the comment `# UPDATE ON RELEASE`. ## Update builders
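Review bot: `get_first_nonblank_line` reads with a bare `while read line`, so a backslash in the first line of SHA256SUM.md or go.mod is interpreted before the `sed` patterns see it; use `while read -r line; do` and declare `line` `local` so the helper does not lean on a global. `grep -v "$RELEASE_TAG$"` in the README.md check treats the tag as a regex, so its dots match any character; the workflow has already validated the tag as digits and dots, so this is mostly cosmetic, but `grep -v -- "${RELEASE_TAG//./\\.}\$"` keeps the exclusion literal. The go.mod step strips a `/vN` suffix from the module path, which presumably exists only for major versions of 2 and above; for a v0/v1 tag `major_version_go_mod` would hold the whole module line and the check would fail, which deserves a comment or an explicit guard. The comment `# Ensure major version from SHA256SUM.md matches go.mod's` is stale, since the code compares go.mod against the tag taken from the PR body.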