Commit 65da53e7 authored by s3krit's avatar s3krit Committed by Ashley
Browse files

Fix release drafting and pending release alerts (#770)

* Fix gitlab release drafting script

Don't scan commit body for PR-like commit messages. Fix warnings from linter,
and take object URL for signing verification from /git/ref/tags rather than hard-coding

* Temporarily Disable GPG verification in pending...

...release alerts. GPG verification of objects is also done before creating the
draft release so this isn't as bad as it sounds

* Temporarily Disable GPG verification in pending...

...release alerts. GPG verification of objects is also done before creating the
draft release so this isn't as bad as it sounds

* Remove accidental GH token leakage 😅
parent 989db4b8
Pipeline #74927 passed with stages
in 20 minutes and 2 seconds
......@@ -7,7 +7,7 @@ structure_message() {
else
body=$(jq -Rs --arg body "$1" --arg formatted_body "$2" '{"msgtype": "m.text", $body, "format": "org.matrix.custom.html", $formatted_body}' < /dev/null)
fi
echo $body
echo "$body"
}
# send_message $body (json formatted) $room_id $access_token
......@@ -16,19 +16,19 @@ curl -XPOST -d "$1" "https://matrix.parity.io/_matrix/client/r0/rooms/$2/send/m.
}
# Receive keys
trusted_keys=(
27E36F4D3DB8D09946B14802EC077FBE1556877C # gavin@parity.io
)
for key in ${trusted_keys[@]}; do
gpg --keyserver hkps://keys.openpgp.org --recv-keys $key
done
# If the tag's not signed by any of the above keys, exit failing
if ! git tag -v $CI_COMMIT_TAG; then
echo "[!] FATAL: TAG NOT VERIFIED WITH A GPG SIGNATURE, QUITTING"
exit 1
fi
# trusted_keys=(
# 27E36F4D3DB8D09946B14802EC077FBE1556877C # gavin@parity.io
# )
#
# for key in "${trusted_keys[@]}"; do
# gpg --keyserver hkps://keys.openpgp.org --recv-keys $key
# done
#
# # If the tag's not signed by any of the above keys, exit failing
# if ! git tag -v $CI_COMMIT_TAG; then
# echo "[!] FATAL: TAG NOT VERIFIED WITH A GPG SIGNATURE, QUITTING"
# exit 1
# fi
echo "[+] Tag present and verified. Alerting #polkadot and release-manager"
......@@ -49,7 +49,7 @@ EOF
)
echo "[+] Sending message to Polkadot room"
send_message "$(structure_message "$msg_body" "$formatted_msg_body")" $MATRIX_ROOM_ID $MATRIX_ACCESS_TOKEN
send_message "$(structure_message "$msg_body" "$formatted_msg_body")" "$MATRIX_ROOM_ID" "$MATRIX_ACCESS_TOKEN"
# Format and send message to release manager
msg_body=$(cat <<EOF
......@@ -60,4 +60,4 @@ EOF
)
echo "[+] Sending message to release manager"
send_message "$(structure_message "$msg_body")" $REL_MAN_ROOM_ID $MATRIX_ACCESS_TOKEN
send_message "$(structure_message "$msg_body")" "$REL_MAN_ROOM_ID" "$MATRIX_ACCESS_TOKEN"
......@@ -3,7 +3,7 @@
# Function to take 2 git tags/commits and get any lines from commit messages
# that contain something that looks like a PR reference: e.g., (#1234)
sanitised_git_logs(){
git --no-pager log --pretty=format:"%s%n%b" $1..$2 |
git --no-pager log --pretty=format:"%s" "$1..$2" |
# Only find messages referencing a PR
grep -E '\(#[0-9]+\)' |
# Strip any asterisks
......@@ -14,12 +14,14 @@ sanitised_git_logs(){
check_tag () {
tagver=$1
tag_sha=$(curl -H "Authorization: token $GITHUB_RELEASE_TOKEN" -s "$api_base/git/refs/tags/$tagver" | jq -r .object.sha)
if [ $tag_sha == "null" ]; then
tag_out=$(curl -H "Authorization: token $GITHUB_RELEASE_TOKEN" -s "$api_base/git/refs/tags/$tagver")
tag_sha=$(echo "$tag_out" | jq -r .object.sha)
object_url=$(echo "$tag_out" | jq -r .object.url)
if [ "$tag_sha" == "null" ]; then
return 2
fi
verified_str=$(curl -H "Authorization: token $GITHUB_RELEASE_TOKEN" -s "$api_base/git/tags/$tag_sha" | jq -r .verification.verified)
if [ $verified_str == "true" ]; then
verified_str=$(curl -H "Authorization: token $GITHUB_RELEASE_TOKEN" -s "$object_url" | jq -r .verification.verified)
if [ "$verified_str" == "true" ]; then
# Verified, everything is good
return 0
else
......@@ -35,7 +37,7 @@ structure_message() {
else
body=$(jq -Rs --arg body "$1" --arg formatted_body "$2" '{"msgtype": "m.text", $body, "format": "org.matrix.custom.html", $formatted_body}' < /dev/null)
fi
echo $body
echo "$body"
}
# send_message $body (json formatted) $room_id $access_token
......@@ -47,8 +49,6 @@ curl -XPOST -d "$1" "https://matrix.parity.io/_matrix/client/r0/rooms/$2/send/m.
api_base="https://api.github.com/repos/paritytech/polkadot"
substrate_repo="https://github.com/paritytech/substrate"
substrate_dir='./substrate'
tag_pattern='^v[0-9]+\.[0-9]+\.[0-9]+$'
cc_version='3'
# Cloning repos to ensure freshness
echo "[+] Cloning substrate to generate list of changes"
......@@ -56,7 +56,7 @@ git clone $substrate_repo $substrate_dir
echo "[+] Finished cloning substrate into $substrate_dir"
version="$CI_COMMIT_TAG"
last_version=$(git tag -l | sort -V | grep -B 1 -x $CI_COMMIT_TAG | head -n 1)
last_version=$(git tag -l | sort -V | grep -B 1 -x "$CI_COMMIT_TAG" | head -n 1)
echo "[+] Version: $version; Previous version: $last_version"
# Check that a signed tag exists on github for this version
......@@ -74,26 +74,26 @@ esac
# and find any referenced PRs since last release
spec=$(grep spec_version runtime/kusama/src/lib.rs | tail -n 1 | grep -Eo '[0-9]{4}')
echo "[+] Spec version: $spec"
release_text="Release for CC-$cc_version. Native for runtime $spec.
release_text="Native for runtime $spec.
$(sanitised_git_logs $last_version $version)"
$(sanitised_git_logs "$last_version" "$version")"
# Get substrate changes between last polkadot version and current
cur_substrate_commit=$(grep -A 2 'name = "sc-cli"' Cargo.lock | egrep -o '[a-f0-9]{40}')
git checkout $last_version 2> /dev/null
old_substrate_commit=$(grep -A 2 'name = "sc-cli"' Cargo.lock | egrep -o '[a-f0-9]{40}')
cur_substrate_commit=$(grep -A 2 'name = "sc-cli"' Cargo.lock | grep -E -o '[a-f0-9]{40}')
git checkout "$last_version" 2> /dev/null
old_substrate_commit=$(grep -A 2 'name = "sc-cli"' Cargo.lock | grep -E -o '[a-f0-9]{40}')
pushd $substrate_dir
pushd $substrate_dir || exit
git checkout polkadot-master > /dev/null
git pull > /dev/null
substrate_changes="$(sanitised_git_logs $old_substrate_commit $cur_substrate_commit | sed 's/(#/(paritytech\/substrate#/')"
popd
substrate_changes="$(sanitised_git_logs "$old_substrate_commit" "$cur_substrate_commit" | sed 's/(#/(paritytech\/substrate#/')"
popd || exit
echo "[+] Changes generated. Removing temporary repos"
# Should be done with substrate repo now, clean it up
rm -rf $substrate_dir
if [ -n $substrate_changes ]; then
if [ -n "$substrate_changes" ]; then
release_text="$release_text
Substrate changes
......@@ -106,7 +106,7 @@ echo "$release_text"
echo "[+] Pushing release to github"
# Create release on github
release_name="Kusama CC-$cc_version $version"
release_name="Kusama $version"
data=$(jq -Rs --arg version "$version" \
--arg release_name "$release_name" \
--arg release_text "$release_text" \
......@@ -121,12 +121,12 @@ data=$(jq -Rs --arg version "$version" \
out=$(curl -s -X POST --data "$data" -H "Authorization: token $GITHUB_RELEASE_TOKEN" "$api_base/releases")
html_url=$(echo $out | jq -r .html_url)
html_url=$(echo "$out" | jq -r .html_url)
if [ "$html_url" == "null" ]
then
echo "[!] Something went wrong posting:"
echo $out
echo "$out"
else
echo "[+] Release draft created: $html_url"
fi
......@@ -143,6 +143,6 @@ formatted_msg_body=$(cat <<EOF
Draft release created: $html_url
EOF
)
send_message "$(structure_message "$msg_body" "$formatted_msg_body")" $MATRIX_ROOM_ID $MATRIX_ACCESS_TOKEN
send_message "$(structure_message "$msg_body" "$formatted_msg_body")" "$MATRIX_ROCCESS_TOKEN"
echo "[+] Done! Maybe the release worked..."
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment