build: Add verify-release script #1913
Merged
lukpueh merged 3 commits into theupdateframework:develop from Mar 24, 2022
verify-release
* Builds a release from current commit
* Notifies if git describe does not match built version
* Notifies if built version is not the latest GitHub or PyPI version
* Asserts that the GitHub and PyPI release artifacts match the built release artifacts

This should be useful after release as any developer (or a CI job) can easily verify that the release matches the sources in git.

Note that the last checks currently fail as the 1.0 build was not reproducible. They should succeed after next release.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
jku commented Mar 22, 2022
lukpueh reviewed Mar 22, 2022
lukpueh reviewed Mar 22, 2022
lukpueh (Member) left a comment:
Cool stuff, @jku! I tried it out and it works nicely.
Are we supposed to run it with development requirements installed? It only needs requests and build to be installed. Maybe it's worth mentioning requirements somewhere, e.g. in the doc header or in RELEASE.md?
Will get back with an actual code review.
We are interested in what pip thinks is the current tuf version: make that explicit in method naming and comments.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
lukpueh requested changes Mar 24, 2022
lukpueh (Member) left a comment:
LGTM, modulo the bug you discovered yourself.
Use a hard-coded list of artifacts that we expect to find in a release. Specifically check that each of those files matches the corresponding file in locally built release.

Also add two missing annotations.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Member, Author
Issue is fixed. The testing is obviously not quite 100.0% (since we don't have a positive test case on pypi.org yet) but I have done the manual testing I could.
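The artifact check discussed in this thread (a hard-coded list of expected release files, each compared against the corresponding locally built file) is shown here as an added example; it is not the project's verify-release code. The artifact names, the version `9.9.9` and all function names are hypothetical, and the file contents are constructed so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical artifact names for a constructed version "9.9.9"; not the project's list.
EXPECTED_ARTIFACTS = ["example-9.9.9.tar.gz", "example-9.9.9-py3-none-any.whl"]

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large sdists do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def compare_release(built_dir: Path, published_dir: Path, expected: list) -> dict:
    """Return {artifact: 'match' | 'mismatch' | 'missing-local' | 'missing-published'}."""
    result = {}
    # Iterate the fixed list, not the directory contents, so an artifact that is
    # absent on either side is reported instead of silently skipped.
    for name in expected:
        built, published = built_dir / name, published_dir / name
        if not built.is_file():
            result[name] = "missing-local"
        elif not published.is_file():
            result[name] = "missing-published"
        elif sha256_of(built) == sha256_of(published):
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result

def demo() -> dict:
    """Constructed input: the wheel is identical, the sdist differs by one byte."""
    with tempfile.TemporaryDirectory() as tmp:
        built, published = Path(tmp, "built"), Path(tmp, "published")
        built.mkdir()
        published.mkdir()
        sdist, wheel = EXPECTED_ARTIFACTS
        (built / wheel).write_bytes(b"wheel-bytes")
        (published / wheel).write_bytes(b"wheel-bytes")
        (built / sdist).write_bytes(b"sdist-bytes mtime=0")
        (published / sdist).write_bytes(b"sdist-bytes mtime=1")
        return compare_release(built, published, EXPECTED_ARTIFACTS)

if __name__ == "__main__":
    for artifact, status in demo().items():
        print(f"{artifact}: {status}")
```

A `mismatch` on only one artifact, as in the constructed sdist here, is the shape a non-reproducible build takes: the sources agree but the packaged bytes do not.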
Some comments: