-
Notifications
You must be signed in to change notification settings - Fork 384
/
Copy path4-make-release
executable file
·133 lines (103 loc) · 4.35 KB
/
4-make-release
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
#!/usr/bin/env bash
# This script downloads the build artifacts along with the signatures, verifies the signatures and
# creates a GitHub draft release. This should be run after `3-verify-build`.
# This also publishes new version metadata
set -eu
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd "$SCRIPT_DIR"
REPO_ROOT=../../../
PRODUCT_VERSION_PATH=$REPO_ROOT/dist-assets/desktop-product-version.txt
PRODUCT_VERSION=$(cat $PRODUCT_VERSION_PATH)
$REPO_ROOT/scripts/utils/gh-ready-check
REPO_URL="git@github.com:mullvad/mullvadvpn-app"
ARTIFACT_DIR="./artifacts"
REPO_DIR=$(mktemp -d)
CHANGELOG_PATH="$REPO_DIR/CHANGELOG.md"
URL_BASE="https://releases.mullvad.net/desktop/releases"
rm -rf $ARTIFACT_DIR
mkdir -p $ARTIFACT_DIR
function download_and_verify {
# Find GnuPG command to use. Prefer gpg2
gpg_cmd=$(command -v gpg2 || command -v gpg)
for ext in .exe _arm64.exe _x64.exe _amd64.deb _arm64.deb _x86_64.rpm _aarch64.rpm .pkg; do
pkg_filename="MullvadVPN-${PRODUCT_VERSION}${ext}"
pkg_path="$ARTIFACT_DIR/$pkg_filename"
url="$URL_BASE/$PRODUCT_VERSION/$pkg_filename"
echo ">>> Downloading $pkg_filename - $url"
curl -o "$pkg_path" --progress-bar --fail "$url"
curl -o "$pkg_path.asc" --progress-bar --fail "$url.asc"
echo ""
echo ">>> Verifying integrity of $pkg_filename"
if ! $gpg_cmd --verify "$pkg_path.asc" "$pkg_path"; then
echo ""
echo "!!! INTEGRITY CHECKING FAILED !!!"
rm "$pkg_path" "$pkg_path.asc"
exit 1
fi
echo ""
echo "GOOD SIGNATURE IN $pkg_filename"
echo ""
done
}
# Preconditions:
# - $VERSION_METADATA_SECRET must be set to an ed25519 secret
function publish_metadata {
local platforms
platforms=(windows macos linux)
rm -rf currently_published/
echo ">>> Fetching current version metadata"
meta pull --assume-yes "${platforms[@]}"
echo ""
echo ">>> Backing up released data"
cp -r signed/ currently_published/
echo ""
echo ">>> Adding new release $$PRODUCT_VERSION (rollout = 1)"
meta add-release "$PRODUCT_VERSION" "${platforms[@]}"
echo ""
echo ">>> Signing $PRODUCT_VERSION metadata"
meta sign --secret "$VERSION_METADATA_SECRET" "${platforms[@]}"
echo ""
echo ">>> Verifying signed metadata"
meta verify "${platforms[@]}"
echo ""
echo ">>> New metadata including $$PRODUCT_VERSION"
git diff --no-index -- currently_published/ signed/
echo ""
read -rp "Press enter to upload if the diff looks good "
# TODO: push metadata
}
function publish_release {
echo ">>> Cloning repository to extract changelog"
git clone --depth 1 --branch "$PRODUCT_VERSION" $REPO_URL "$REPO_DIR" 2> /dev/null > /dev/null
(cd "$REPO_DIR" && git verify-tag "$PRODUCT_VERSION")
echo ""
changelog_end_version_pattern="20[0-9]\{2\}\.[0-9]\{1,2\}"
if [[ $PRODUCT_VERSION == *-beta* ]]; then
changelog_end_version_pattern=".*"
fi
changelog_extract=$(sed -n "/^## \[$PRODUCT_VERSION\]/,/^## \[$changelog_end_version_pattern\]/p" "$CHANGELOG_PATH")
changelog=$(echo "$changelog_extract" | sed '$d' | \
awk 'NF { last = last ? last ORS $0 : $0 } END { print last }')
release_flags=( --draft --verify-tag --notes-file - --title "$PRODUCT_VERSION" )
previous_release=$(echo "$changelog_extract" | tail -1 | grep -oP '## \[\K[^\]]+')
body="This release is for desktop only."
if [[ $PRODUCT_VERSION == *-beta* ]]; then
body+="\n\nHere is a list of all changes since last release [$previous_release](https://github.com/mullvad/mullvadvpn-app/releases/tag/$previous_release):"
release_flags+=(--prerelease)
else
body+="\n\nHere is a list of all changes since last stable release [$previous_release](https://github.com/mullvad/mullvadvpn-app/releases/tag/$previous_release):"
release_flags+=(--latest)
fi
version_count=$(echo "$changelog" | grep -c "^## ")
if [ "$version_count" -eq 1 ]; then
changelog=$(echo "$changelog" | tail -n +2)
fi
body+="\n$changelog"
echo ">>> Creating GitHub release"
# shellcheck disable=SC2059
# shellcheck disable=SC2046
printf "$body" | gh release create "${release_flags[@]}" "$PRODUCT_VERSION" $(printf "%s " "$ARTIFACT_DIR"/*)
}
download_and_verify
publish_metadata
publish_release