Fix release drafting and pending release alerts (#770)

* Fix gitlab release drafting script Don't scan commit body for PR-like commit messages. Fix warnings from linter, and take object URL for signing verification from /git/ref/tags rather than hard-coding * Temporarily Disable GPG verification in pending... ...release alerts. GPG verification of objects is also done before creating the draft release so this isn't as bad as it sounds * Temporarily Disable GPG verification in pending... ...release alerts. GPG verification of objects is also done before creating the draft release so this isn't as bad as it sounds * Remove accidental GH token leakage 😅
2026-04-26 20:27:58 +00:00 · 2020-01-16 19:38:10 +01:00
parent a5d9645bf4
commit fb30862d23
2 changed files with 38 additions and 38 deletions
@@ -7,7 +7,7 @@ structure_message() {
  else
    body=$(jq -Rs --arg body "$1" --arg formatted_body "$2" '{"msgtype": "m.text", $body, "format": "org.matrix.custom.html", $formatted_body}' < /dev/null)
  fi
-  echo $body
+  echo "$body"
 }

 # send_message $body (json formatted) $room_id $access_token
@@ -16,19 +16,19 @@ curl -XPOST -d "$1" "https://matrix.parity.io/_matrix/client/r0/rooms/$2/send/m.
 }

 # Receive keys
-trusted_keys=(
-27E36F4D3DB8D09946B14802EC077FBE1556877C # gavin@parity.io
-)
-
-for key in ${trusted_keys[@]}; do
-  gpg --keyserver hkps://keys.openpgp.org --recv-keys $key
-done
-
-# If the tag's not signed by any of the above keys, exit failing
-if ! git tag -v $CI_COMMIT_TAG; then
-  echo "[!] FATAL: TAG NOT VERIFIED WITH A GPG SIGNATURE, QUITTING"
-  exit 1
-fi
+# trusted_keys=(
+# 27E36F4D3DB8D09946B14802EC077FBE1556877C # gavin@parity.io
+# )
+#
+# for key in "${trusted_keys[@]}"; do
+#   gpg --keyserver hkps://keys.openpgp.org --recv-keys $key
+# done
+#
+# # If the tag's not signed by any of the above keys, exit failing
+# if ! git tag -v $CI_COMMIT_TAG; then
+#   echo "[!] FATAL: TAG NOT VERIFIED WITH A GPG SIGNATURE, QUITTING"
+#   exit 1
+# fi

 echo "[+] Tag present and verified. Alerting #polkadot and release-manager"

@@ -49,7 +49,7 @@ EOF
 )

 echo "[+] Sending message to Polkadot room"
-send_message "$(structure_message "$msg_body" "$formatted_msg_body")" $MATRIX_ROOM_ID $MATRIX_ACCESS_TOKEN
+send_message "$(structure_message "$msg_body" "$formatted_msg_body")" "$MATRIX_ROOM_ID" "$MATRIX_ACCESS_TOKEN"

 # Format and send message to release manager
 msg_body=$(cat <<EOF
@@ -60,4 +60,4 @@ EOF
 )

 echo "[+] Sending message to release manager"
-send_message "$(structure_message "$msg_body")" $REL_MAN_ROOM_ID $MATRIX_ACCESS_TOKEN
+send_message "$(structure_message "$msg_body")" "$REL_MAN_ROOM_ID" "$MATRIX_ACCESS_TOKEN"
@@ -3,7 +3,7 @@
 # Function to take 2 git tags/commits and get any lines from commit messages
 # that contain something that looks like a PR reference: e.g., (#1234)
 sanitised_git_logs(){
-  git --no-pager log --pretty=format:"%s%n%b" $1..$2 |
+  git --no-pager log --pretty=format:"%s" "$1..$2" |
  # Only find messages referencing a PR
  grep -E '\(#[0-9]+\)' |
  # Strip any asterisks
@@ -14,12 +14,14 @@ sanitised_git_logs(){

 check_tag () {
  tagver=$1
-  tag_sha=$(curl -H "Authorization: token $GITHUB_RELEASE_TOKEN" -s "$api_base/git/refs/tags/$tagver" | jq -r .object.sha)
-  if [ $tag_sha == "null" ]; then
+  tag_out=$(curl -H "Authorization: token $GITHUB_RELEASE_TOKEN" -s "$api_base/git/refs/tags/$tagver")
+  tag_sha=$(echo "$tag_out" | jq -r .object.sha)
+  object_url=$(echo "$tag_out" | jq -r .object.url)
+  if [ "$tag_sha" == "null" ]; then
    return 2
  fi
-  verified_str=$(curl -H "Authorization: token $GITHUB_RELEASE_TOKEN" -s "$api_base/git/tags/$tag_sha" | jq -r .verification.verified)
-  if [ $verified_str == "true" ]; then
+  verified_str=$(curl -H "Authorization: token $GITHUB_RELEASE_TOKEN" -s "$object_url" | jq -r .verification.verified)
+  if [ "$verified_str" == "true" ]; then
    # Verified, everything is good
    return 0
  else
@@ -35,7 +37,7 @@ structure_message() {
  else
    body=$(jq -Rs --arg body "$1" --arg formatted_body "$2" '{"msgtype": "m.text", $body, "format": "org.matrix.custom.html", $formatted_body}' < /dev/null)
  fi
-  echo $body
+  echo "$body"
 }

 # send_message $body (json formatted) $room_id $access_token
@@ -47,8 +49,6 @@ curl -XPOST -d "$1" "https://matrix.parity.io/_matrix/client/r0/rooms/$2/send/m.
 api_base="https://api.github.com/repos/paritytech/polkadot"
 substrate_repo="https://github.com/paritytech/substrate"
 substrate_dir='./substrate'
-tag_pattern='^v[0-9]+\.[0-9]+\.[0-9]+$'
-cc_version='3'

 # Cloning repos to ensure freshness
 echo "[+] Cloning substrate to generate list of changes"
@@ -56,7 +56,7 @@ git clone $substrate_repo $substrate_dir
 echo "[+] Finished cloning substrate into $substrate_dir"

 version="$CI_COMMIT_TAG"
-last_version=$(git tag -l | sort -V | grep -B 1 -x $CI_COMMIT_TAG | head -n 1)
+last_version=$(git tag -l | sort -V | grep -B 1 -x "$CI_COMMIT_TAG" | head -n 1)
 echo "[+] Version: $version; Previous version: $last_version"

 # Check that a signed tag exists on github for this version
@@ -74,26 +74,26 @@ esac
 # and find any referenced PRs since last release
 spec=$(grep spec_version runtime/kusama/src/lib.rs | tail -n 1 | grep -Eo '[0-9]{4}')
 echo "[+] Spec version: $spec"
-release_text="Release for CC-$cc_version. Native for runtime $spec.
+release_text="Native for runtime $spec.

-$(sanitised_git_logs $last_version $version)"
+$(sanitised_git_logs "$last_version" "$version")"

 # Get substrate changes between last polkadot version and current
-cur_substrate_commit=$(grep -A 2 'name = "sc-cli"' Cargo.lock | egrep -o '[a-f0-9]{40}')
-git checkout $last_version 2> /dev/null
-old_substrate_commit=$(grep -A 2 'name = "sc-cli"' Cargo.lock | egrep -o '[a-f0-9]{40}')
+cur_substrate_commit=$(grep -A 2 'name = "sc-cli"' Cargo.lock | grep -E -o '[a-f0-9]{40}')
+git checkout "$last_version" 2> /dev/null
+old_substrate_commit=$(grep -A 2 'name = "sc-cli"' Cargo.lock | grep -E -o '[a-f0-9]{40}')

-pushd $substrate_dir
+pushd $substrate_dir || exit
  git checkout polkadot-master > /dev/null
  git pull > /dev/null
-  substrate_changes="$(sanitised_git_logs $old_substrate_commit $cur_substrate_commit | sed 's/(#/(paritytech\/substrate#/')"
-popd
+  substrate_changes="$(sanitised_git_logs "$old_substrate_commit" "$cur_substrate_commit" | sed 's/(#/(paritytech\/substrate#/')"
+popd || exit

 echo "[+] Changes generated. Removing temporary repos"
 # Should be done with substrate repo now, clean it up
 rm -rf $substrate_dir

-if [ -n $substrate_changes ]; then
+if [ -n "$substrate_changes" ]; then
  release_text="$release_text

 Substrate changes
@@ -106,7 +106,7 @@ echo "$release_text"

 echo "[+] Pushing release to github"
 # Create release on github
-release_name="Kusama CC-$cc_version $version"
+release_name="Kusama $version"
 data=$(jq -Rs --arg version "$version" \
  --arg release_name "$release_name" \
  --arg release_text "$release_text" \
@@ -121,12 +121,12 @@ data=$(jq -Rs --arg version "$version" \

 out=$(curl -s -X POST --data "$data" -H "Authorization: token $GITHUB_RELEASE_TOKEN" "$api_base/releases")

-html_url=$(echo $out | jq -r .html_url)
+html_url=$(echo "$out" | jq -r .html_url)

 if [ "$html_url" == "null" ]
 then
  echo "[!] Something went wrong posting:"
-  echo $out
+  echo "$out"
 else
  echo "[+] Release draft created: $html_url"
 fi
@@ -143,6 +143,6 @@ formatted_msg_body=$(cat <<EOF
 Draft release created: $html_url
 EOF
 )
-send_message "$(structure_message "$msg_body" "$formatted_msg_body")" $MATRIX_ROOM_ID $MATRIX_ACCESS_TOKEN
+send_message "$(structure_message "$msg_body" "$formatted_msg_body")" "$MATRIX_ROCCESS_TOKEN"

 echo "[+] Done! Maybe the release worked..."