Merge pull request 'fix: override=true must not needlessly delete a tag' (#39) from limiting-factor/forgejo-release:wip-override into main

Reviewed-on: https://code.forgejo.org/actions/forgejo-release/pulls/39
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
earl-warren 2025-02-23 20:43:42 +00:00
commit e2af55222e
WARNING! Although there is a key with this ID in the database it does not verify this commit! This commit is SUSPICIOUS.
GPG key ID: F128CBE6AB3A7201
2 changed files with 87 additions and 60 deletions


@ -19,26 +19,47 @@ if ${VERBOSE:-false}; then set -x; fi
: ${RETRY:=1} : ${RETRY:=1}
: ${DELAY:=10} : ${DELAY:=10}
TAG_FILE="$TMP_DIR/tag$$.json"
export GNUPGHOME export GNUPGHOME
setup_tea() { setup_tea() {
if ! test -f "$BIN_DIR"/tea ; then if ! test -f "$BIN_DIR"/tea; then
ARCH=$(dpkg --print-architecture) ARCH=$(dpkg --print-architecture)
curl -sL https://dl.gitea.io/tea/$TEA_VERSION/tea-$TEA_VERSION-linux-"$ARCH" > "$BIN_DIR"/tea curl -sL https://dl.gitea.io/tea/$TEA_VERSION/tea-$TEA_VERSION-linux-"$ARCH" >"$BIN_DIR"/tea
chmod +x "$BIN_DIR"/tea chmod +x "$BIN_DIR"/tea
fi
}
get_tag() {
if ! test -f "$TAG_FILE"; then
if api GET repos/$REPO/tags/"$TAG" >"$TAG_FILE"; then
echo "tag $TAG exists"
else
echo "tag $TAG does not exists"
fi
fi
test -s "$TAG_FILE"
}
matched_tag() {
if get_tag; then
local sha=$(jq --raw-output .commit.sha <"$TAG_FILE")
test "$sha" = "$SHA"
else
return 1
fi fi
} }
ensure_tag() { ensure_tag() {
if api GET repos/$REPO/tags/"$TAG" > "$TMP_DIR"/tag.json ; then if get_tag; then
local sha=$(jq --raw-output .commit.sha < "$TMP_DIR"/tag.json) if ! matched_tag; then
if test "$sha" != "$SHA" ; then cat "$TAG_FILE"
cat "$TMP_DIR"/tag.json echo "the tag SHA in the $REPO repository does not match the tag SHA that triggered the build: $SHA"
echo "the tag SHA in the $REPO repository does not match the tag SHA that triggered the build: $SHA" return 1
false fi
fi
else else
api POST repos/$REPO/tags --data-raw '{"tag_name": "'"$TAG"'", "target": "'"$SHA"'"}' api POST repos/$REPO/tags --data-raw '{"tag_name": "'"$TAG"'", "target": "'"$SHA"'"}' >"$TAG_FILE"
fi fi
} }
@ -50,15 +71,15 @@ upload_release() {
for file in "$RELEASE_DIR"/*; do for file in "$RELEASE_DIR"/*; do
assets=("${assets[@]}" -a "$file") assets=("${assets[@]}" -a "$file")
done done
if $PRERELEASE || echo "${TAG}" | grep -qi '\-rc' ; then if $PRERELEASE || echo "${TAG}" | grep -qi '\-rc'; then
releaseType="--prerelease" releaseType="--prerelease"
echo "Uploading as Pre-Release" echo "Uploading as Pre-Release"
else else
echo "Uploading as Stable" echo "Uploading as Stable"
fi fi
ensure_tag ensure_tag
if ! "$BIN_DIR"/tea release create "${assets[@]}" --repo $REPO --note "$RELEASENOTES" --tag "$TAG" --title "$TITLE" --draft ${releaseType} >& "$TMP_DIR"/tea.log ; then if ! "$BIN_DIR"/tea release create "${assets[@]}" --repo $REPO --note "$RELEASENOTES" --tag "$TAG" --title "$TITLE" --draft ${releaseType} >&"$TMP_DIR"/tea.log; then
if grep --quiet 'Unknown API Error: 500' "$TMP_DIR"/tea.log && grep --quiet services/release/release.go:194 "$TMP_DIR"/tea.log ; then if grep --quiet 'Unknown API Error: 500' "$TMP_DIR"/tea.log && grep --quiet services/release/release.go:194 "$TMP_DIR"/tea.log; then
echo "workaround v1.20 race condition https://codeberg.org/forgejo/forgejo/issues/1370" echo "workaround v1.20 race condition https://codeberg.org/forgejo/forgejo/issues/1370"
sleep 10 sleep 10
"$BIN_DIR"/tea release create "${assets[@]}" --repo $REPO --note "$RELEASENOTES" --tag "$TAG" --title "$TITLE" --draft ${releaseType} "$BIN_DIR"/tea release create "${assets[@]}" --repo $REPO --note "$RELEASENOTES" --tag "$TAG" --title "$TITLE" --draft ${releaseType}
@ -90,29 +111,31 @@ maybe_use_release_note_assistant() {
sign_release() { sign_release() {
local passphrase local passphrase
if test -s "$GPG_PASSPHRASE"; then if test -s "$GPG_PASSPHRASE"; then
passphrase="--passphrase-file $GPG_PASSPHRASE" passphrase="--passphrase-file $GPG_PASSPHRASE"
fi fi
gpg --import --no-tty --pinentry-mode loopback $passphrase "$GPG_PRIVATE_KEY" gpg --import --no-tty --pinentry-mode loopback $passphrase "$GPG_PRIVATE_KEY"
for asset in "$RELEASE_DIR"/* ; do for asset in "$RELEASE_DIR"/*; do
if [[ $asset =~ .sha256$ ]] ; then if [[ $asset =~ .sha256$ ]]; then
continue continue
fi fi
gpg --armor --detach-sign --no-tty --pinentry-mode loopback $passphrase < "$asset" > "$asset".asc gpg --armor --detach-sign --no-tty --pinentry-mode loopback $passphrase <"$asset" >"$asset".asc
done done
} }
maybe_sign_release() { maybe_sign_release() {
if test -s "$GPG_PRIVATE_KEY"; then if test -s "$GPG_PRIVATE_KEY"; then
sign_release sign_release
fi fi
} }
maybe_override() { maybe_override() {
if test "$OVERRIDE" = "false"; then if test "$OVERRIDE" = "false"; then
return return
fi
api DELETE repos/$REPO/releases/tags/"$TAG" >&/dev/null || true
if get_tag && ! matched_tag; then
api DELETE repos/$REPO/tags/"$TAG"
fi fi
api DELETE repos/$REPO/releases/tags/"$TAG" >& /dev/null || true
api DELETE repos/$REPO/tags/"$TAG" >& /dev/null || true
} }
upload() { upload() {
@ -126,9 +149,9 @@ upload() {
} }
setup_api() { setup_api() {
if ! which jq curl ; then if ! which jq curl; then
apt-get -qq update apt-get -qq update
apt-get install -y -qq jq curl apt-get install -y -qq jq curl
fi fi
} }
@ -144,40 +167,40 @@ api() {
wait_release() { wait_release() {
local ready=false local ready=false
for i in $(seq $RETRY); do for i in $(seq $RETRY); do
if api GET repos/$REPO/releases/tags/"$TAG" | jq --raw-output .draft > "$TMP_DIR"/draft; then if api GET repos/$REPO/releases/tags/"$TAG" | jq --raw-output .draft >"$TMP_DIR"/draft; then
if test "$(cat "$TMP_DIR"/draft)" = "false"; then if test "$(cat "$TMP_DIR"/draft)" = "false"; then
ready=true ready=true
break break
fi
echo "release $TAG is still a draft"
else
echo "release $TAG does not exist yet"
fi fi
echo "release $TAG is still a draft" echo "waiting $DELAY seconds"
else sleep $DELAY
echo "release $TAG does not exist yet"
fi
echo "waiting $DELAY seconds"
sleep $DELAY
done done
if ! $ready ; then if ! $ready; then
echo "no release for $TAG" echo "no release for $TAG"
return 1 return 1
fi fi
} }
download() { download() {
setup_api setup_api
( (
mkdir -p $RELEASE_DIR mkdir -p $RELEASE_DIR
cd $RELEASE_DIR cd $RELEASE_DIR
if [[ ${DOWNLOAD_LATEST} == "true" ]] ; then if [[ ${DOWNLOAD_LATEST} == "true" ]]; then
echo "Downloading the latest release" echo "Downloading the latest release"
api GET repos/$REPO/releases/latest > "$TMP_DIR"/assets.json api GET repos/$REPO/releases/latest >"$TMP_DIR"/assets.json
elif [[ ${DOWNLOAD_LATEST} == "false" ]] ; then elif [[ ${DOWNLOAD_LATEST} == "false" ]]; then
wait_release wait_release
echo "Downloading tagged release ${TAG}" echo "Downloading tagged release ${TAG}"
api GET repos/$REPO/releases/tags/"$TAG" > "$TMP_DIR"/assets.json api GET repos/$REPO/releases/tags/"$TAG" >"$TMP_DIR"/assets.json
fi fi
jq --raw-output '.assets[] | "\(.browser_download_url) \(.name)"' < "$TMP_DIR"/assets.json | while read url name ; do # `name` may contain whitespace, therefore, it must be last jq --raw-output '.assets[] | "\(.browser_download_url) \(.name)"' <"$TMP_DIR"/assets.json | while read url name; do # `name` may contain whitespace, therefore, it must be last
curl --fail -H "Authorization: token $TOKEN" -o "$name" -L "$url" curl --fail -H "Authorization: token $TOKEN" -o "$name" -L "$url"
done done
) )
} }
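Review bot: In the new `maybe_override`, the tag is deleted but the `$TAG_FILE` cache written by `get_tag` is left in place, so a later `ensure_tag` in the same run reads the stale JSON, finds a SHA mismatch and returns 1 instead of recreating the tag. Drop the cache together with the tag: `api DELETE repos/$REPO/tags/"$TAG" && rm -f "$TAG_FILE"`. Relatedly, `get_tag` creates `$TAG_FILE` even when the GET fails, so a single transient API error is remembered as "tag does not exist" for the rest of the run; if `api` (defined outside these hunks) writes an error body to stdout, the non-empty file would even be treated as an existing tag. The body of `upload` is not visible here, so the call order of `maybe_override` and `ensure_tag` is inferred and should be confirmed.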


@ -2,6 +2,7 @@
# SPDX-License-Identifier: MIT # SPDX-License-Identifier: MIT
set -ex set -ex
PS4='${BASH_SOURCE[0]}:$LINENO: ${FUNCNAME[0]}: '
test_teardown() { test_teardown() {
setup_api setup_api
@ -44,16 +45,19 @@ test_ensure_tag() {
# idempotent # idempotent
# #
ensure_tag ensure_tag
api GET repos/$REPO/tags/$TAG > $TMP_DIR/tag1.json mv $TAG_FILE $TMP_DIR/tag1.json
ensure_tag ensure_tag
api GET repos/$REPO/tags/$TAG > $TMP_DIR/tag2.json mv $TAG_FILE $TMP_DIR/tag2.json
diff -u $TMP_DIR/tag[12].json diff -u $TMP_DIR/tag[12].json
# #
# sanity check on the SHA of an existing tag # sanity check on the SHA of an existing tag
# #
( (
SHA=12345 SHA=12345
! ensure_tag ! matched_tag
! ensure_tag
) )
api DELETE repos/$REPO/tags/$TAG api DELETE repos/$REPO/tags/$TAG
} }
@ -94,8 +98,8 @@ test_maybe_sign_release_skipped() {
} }
test_maybe_sign_release_verify() { test_maybe_sign_release_verify() {
for file in $RELEASE_DIR/file-one.txt $RELEASE_DIR/file-two.txt; do for file in $RELEASE_DIR/file-one.txt $RELEASE_DIR/file-two.txt; do
gpg --verify $file.asc $file gpg --verify $file.asc $file
done done
} }
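Review bot: The added `! matched_tag` in the `SHA=12345` subshell asserts nothing. The file runs under `set -e`, and bash does not exit on a command whose status is inverted with `!`, so only the final `! ensure_tag` can fail the test, because it supplies the subshell's exit status. Write the check so that a match aborts, for example `if matched_tag; then exit 1; fi`. `test_ensure_tag` starts before this hunk, so its setup is not visible here.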