ci: Ensure all version references are up-to-date prior to release (#447)

* Create references.sh Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * WIP: check docs in pre-submits Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Clean up Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Fix based on comments Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add instructions to RELEASE.md Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Check references match version in PR body Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> --------- Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2026-05-20 07:22:47 +00:00 · 2023-01-27 20:12:37 -03:00
parent 2444233891
commit 5deacad765
3 changed files with 110 additions and 3 deletions
--- a/.github/workflows/scripts/pre-release/references.sh
+++ b/.github/workflows/scripts/pre-release/references.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# Verify that all references point to the same version
+
+set -euo pipefail
+
+function get_first_nonblank_line() {
+    while read line; do
+        [[ "$line" =~ [^[:blank:]] ]] && break
+    done < "$1"
+    echo "$line"
+}
+
+###
+### SHA256SUM.md
+###
+
+line=$(get_first_nonblank_line SHA256SUM.md)
+
+# Ensure both visible text and link point to the same release
+version_txt="$(sed -E "s~.*\[v(.*)\].*~\1~" <<< "$line")"
+version_lnk="$(sed -E "s~.*/v(.*)\)$~\1~" <<< "$line")"
+
+if [[ "$version_txt" != "$version_lnk" ]]; then
+    mark_txt="$(head -c ${#version_txt} < /dev/zero | tr '\0' '^')"
+    mark_lnk="$(head -c ${#version_lnk} < /dev/zero | tr '\0' '^')"
+
+    marks="${line/"$version_txt"/"$mark_txt"}"
+    marks="${marks/"$version_lnk"/"$mark_lnk"}"
+    marks="$(sed 's/[^^]/ /g' <<< "$marks")"
+
+    echo "SHA256SUM.md: Visible text and linked URL do not match:"
+    echo "$line"
+    echo "$marks"
+
+    exit 1
+fi
+
+# Ensure version matches what's declared in the PR body
+if [[ "$version_txt" != "$RELEASE_TAG" ]]; then
+    echo "SHA256SUM.md version doesn't match version declared in PR body"
+    echo "PR body: #label:release v$RELEASE_TAG"
+    echo "SHA256SUM.md: v$version_txt"
+
+    exit 1
+fi
+
+###
+### go.mod
+###
+
+# Get major version from go.mod
+major_version_go_mod="$(get_first_nonblank_line go.mod | sed -E 's~.*/v(.*)~\1~')"
+
+# Get major version declared in PR body
+major_version="$(sed -E 's/(.+)\..+\..+/\1/' <<< "$RELEASE_TAG")"
+
+# Ensure major version from SHA256SUM.md matches go.mod's
+if [[ "$major_version_go_mod" != "$major_version" ]]; then
+    echo "go.mod version doesn't match version declared in PR body:"
+    echo "PR body: v$major_version (v$RELEASE_TAG)"
+    echo "go.mod:  v$major_version_go_mod"
+
+    exit 1
+fi
+
+###
+### README.md
+###
+
+# Select all version numbers following a reference to slsa-verifier that are different
+# from the version defined in SHA256SUM.md
+results=$(
+    grep -Pon ".*?slsa-verifier.*?\d+\.\d+\.\d+" README.md |
+    grep -v "$RELEASE_TAG$" |
+    sed -E 's/(.*)/  \1/' || true
+)
+
+if [[ "$results" != "" ]]; then
+    echo "README.md version doesn't match version declared in PR body:"
+    echo "PR body: #label:release v$RELEASE_TAG"
+    echo "README.md:"
+    echo "$results"
+    exit 1
+fi