release.sh: release to freedesktop.org, not to GNOME

GNOME has changed the process to publish releases to download.gnome.org.
Now, it is required to do it from the CI of projects hosted in GNOME's
repositories.

As we don't have the project hosted there, we have 2 options:
- Create a mirror and set up the CI so we continue using
  download.gnome.org.
- Stop publishing the tarballs there and do it in gitlab.freedesktop.org
  from now on.

After a brief discussion we have decided that the second makes more
sense, so adapt release.sh to do that.

https://discourse.gnome.org/t/gnome-release-service-ftpadmin-replacement-coming-11th-december/25487
https://handbook.gnome.org/maintainers/making-a-release.html

MAINTAINERS.md

@@ -191,7 +191,9 @@ release type that you specify, like devel, rc1, rc, major, major-post, etc.
 Run the script with `--help` to see all options.
 
 Notes:
-- You need access to master.gnome.org, see [here](https://handbook.gnome.org/infrastructure/accounts.html).
+- You need a private token from gitlab.freedesktop.org with 'api' level access
+  to the project. It can be saved to `~/.config/nm-release-token` or passed to
+  the `--gitlab-token` argument of `release.sh`.
 - The GPG key used to sign the tags must be exported to a keyserver.
 
 Versioning scheme, automatically handled by the script (version numbers are
@@ -203,7 +205,7 @@ called MAJOR.MINOR.MICRO):
   number less, and MICRO is >= 90).
 
 The main differences between the different kind of releases are:
-- Development releases: for depelopment and testing purposes only.
+- Development releases: for development and testing purposes only.
 - Release candidates (RC): stabilization phase before a stable release. Normally
   there are one or two RCs with ~2 weeks cadence. More RCs can be releases if
   they are needed.

contrib/fedora/rpm/release.sh

@@ -27,7 +27,8 @@
 #   * Run in a "clean" environment, i.e. no unusual environment variables set, on a recent
 #     Fedora, with suitable dependencies installed.
 #
-#   * First, ensure that you have ssh keys for "master.gnome.org" installed (and ssh-agent running).
+#   * First, ensure that you have a valid Gitlab's private token for gitlab.freedestkop.org
+#     stored in ~/.config/nm-release-token, or pass one with --gitlab-token argument.
 #     Also, ensure you have a GPG key that you want to use for signing. Also, have gpg-agent running
 #     and possibly configure `git config --get user.signingkey` for the proper key.
 #
@@ -39,9 +40,13 @@
 #
 # Run with --no-test to do the actual release.
 
-die() {
+fail_msg() {
     echo -n "FAIL: "
     echo_color 31 "$@"
+}
+
+die() {
+    fail_msg "$@"
     exit 1
 }
 
@@ -63,6 +68,7 @@ print_usage() {
     echo "     [--no-check-gitlab] \\"
     echo "     [--no-check-news] \\"
     echo "     [--no-warn-publish-docs] \\"
+    echo "     [--gitlab-token <private_gitlab_token>] \\"
 }
 
 die_help() {
@@ -235,6 +241,11 @@ while [ "$#" -ge 1 ]; do
         --help|-h)
             die_help
             ;;
+        --gitlab-token)
+            [ "$#" -ge 1 ] || die_usage "provide a value for --gitlab-token"
+            GITLAB_TOKEN="$1"
+            shift
+            ;;
         devel|rc1|rc|major|major-post|minor)
             [ -z "$RELEASE_MODE" ] || die_usage "duplicate release-mode"
             RELEASE_MODE="$A"
@@ -501,27 +512,23 @@ case "$RELEASE_MODE" in
 esac
 
 build_tag() {
+    local BUILD_TAG="$1"
+    local TAR_FILE="NetworkManager-$2.tar.xz"
+    local SUM_FILE="$TAR_FILE.sha256sum"
+
     git checkout "$BUILD_TAG" || die "failed to checkout $BUILD_TAG"
-
     ./contrib/fedora/rpm/build_clean.sh -r || die "build release failed"
-
+    cp "./build/meson-dist/$TAR_FILE" /tmp/ || die "failed to copy $TAR_FILE to /tmp"
-    test -f "./build/meson-dist/$RELEASE_FILE" \
+    cp "./build/meson-dist/$SUM_FILE" /tmp/ || die "failed to copy $SUM_FILE to /tmp"
-    || die "release file \"./build/meson-dist/$RELEASE_FILE\" not found"
-
-    cp "./build/meson-dist/$RELEASE_FILE" /tmp/ || die "failed to copy release tarball to /tmp"
-
-    if test -f "./build/meson-dist/$RELEASE_FILE.sig" ; then
-        cp "./build/meson-dist/$RELEASE_FILE.sig" /tmp/ || die "failed to copy signature for tarball to /tmp"
-    fi
-
     git clean -fdx
 }
 
-RELEASE_FILES=()
+RELEASE_TAR_VERSIONS=()
+RELEASE_TAGS=()
 if [ -n "$BUILD_TAG" ]; then
-    RELEASE_FILE="NetworkManager-$TAR_VERSION.tar.xz"
+    build_tag "$BUILD_TAG" "$TAR_VERSION"
-    RELEASE_FILES+=("$RELEASE_FILE")
+    RELEASE_TAR_VERSIONS+=("$TAR_VERSION")
-    build_tag
+    RELEASE_TAGS+=("$BUILD_TAG")
 fi
 git checkout -B "$CUR_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
 
@@ -531,9 +538,6 @@ if [ "$RELEASE_MODE" = rc1 ]; then
     git branch "$RELEASE_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
     BRANCHES+=( "$RELEASE_BRANCH" )
     CLEANUP_REFS+=( "refs/heads/$RELEASE_BRANCH" )
-fi
-
-if [ "$RELEASE_MODE" = rc1 ]; then
     git checkout "$TMP_BRANCH"
     b="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 2)).0"
     set_version_number "${VERSION_ARR[0]}" "$((${VERSION_ARR[1]} + 2))" 0
@@ -543,29 +547,86 @@ if [ "$RELEASE_MODE" = rc1 ]; then
     CLEANUP_REFS+=("refs/tags/$b-dev")
     BUILD_TAG="$b-dev"
     TAR_VERSION="$b"
-    RELEASE_FILE="NetworkManager-$TAR_VERSION.tar.xz"
+    build_tag "$BUILD_TAG" "$TAR_VERSION"
-    RELEASE_FILES+=("$RELEASE_FILE")
+    RELEASE_TAR_VERSIONS+=("$TAR_VERSION")
-    build_tag
+    RELEASE_TAGS+=("$BUILD_TAG")
     git checkout -B "$CUR_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
 fi
 
-if ! [ "$DRY_RUN" = 0 ]; then
+if [[ $GITLAB_TOKEN == "" ]]; then
-    ssh master.gnome.org true || die "failed to \`ssh master.gnome.org\`"
+    [[ -r ~/.config/nm-release-token ]] || die "cannot read ~/.config/nm-release-token"
+    GITLAB_TOKEN=$(< ~/.config/nm-release-token)
 fi
 
-for r in "${RELEASE_FILES[@]}"; do
+# This step is not necessary for authentication, we use it only to provide a meaningful error message.
-    do_command rsync -va --append-verify -P "/tmp/$r" master.gnome.org: || die "failed to rsync \"/tmp/$r\""
+curl --request GET --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
-done
+    "https://gitlab.freedesktop.org/api/v4/personal_access_tokens/self" &>/dev/null \
+    || die "failed to authenticate at gitlab.freedesktop.org with the private token"
 
 do_command git push "$ORIGIN" "${BRANCHES[@]}" || die "failed to to push branches ${BRANCHES[@]} to $ORIGIN"
 
+CREATE_RELEASE_FAIL=0
+for I in "${!RELEASE_TAR_VERSIONS[@]}"; do
+    TAR_FILE="NetworkManager-${RELEASE_TAR_VERSIONS[$I]}.tar.xz"
+    SUM_FILE="$TAR_FILE.sha256sum"
+    BUILD_TAG="${RELEASE_TAGS["$I"]}"
     FAIL=0
-for r in "${RELEASE_FILES[@]}"; do
+
-    do_command ssh master.gnome.org ftpadmin install --unattended "$r" || FAIL=1
+    # upload tarball and checksum file as generic packages
-done
+    for F in "$TAR_FILE" "$SUM_FILE"; do
-if [ "$FAIL" = 1 ]; then
+        do_command curl --location --fail-with-body --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
-    die "ftpadmin install failed. This was the last step. Invoke the command manually"
+            --upload-file "/tmp/$F" \
+            "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$F" \
+            || FAIL=1
+
+        if [[ $FAIL = 1 ]]; then
+            fail_msg "failed to upload $F"
+            CREATE_RELEASE_FAIL=1
+            break
         fi
+    done
+
+    [[ $FAIL = 1 ]] && continue
+
+    # create release
+    do_command curl --location  --header 'Content-Type: application/json' --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
+         --request POST "https://gitlab.freedesktop.org/api/v4/projects/411/releases" \
+         --data "$(cat <<END
+            {
+                "name": "NetworkManager $BUILD_TAG",
+                "tag_name": "$BUILD_TAG", 
+                "assets": {
+                    "links": [
+                        {
+                            "name": "NetworkManager $BUILD_TAG tarball with docs",
+                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$TAR_FILE",
+                            "direct_asset_path": "/$TAR_FILE",
+                            "link_type":"package"
+                        },
+                        {
+                            "name": "NetworkManager $BUILD_TAG tarball sha256sum",
+                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$SUM_FILE",
+                            "direct_asset_path": "/$SUM_FILE",
+                            "link_type":"package"
+                        },
+                        {
+                            "name": "NEWS",
+                            "url": "https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/$BUILD_TAG/NEWS?ref_type=tags",
+                            "direct_asset_path": "/NEWS",
+                            "link_type":"other"
+                        }
+                    ]
+                }
+            }
+END
+            )" || FAIL=1
+
+    if [[ $? != 0 ]]; then
+        fail_msg "failed to create NetworkManager $BUILD_TAG release"
+        CREATE_RELEASE_FAIL=1
+        continue
+    fi
+done
 
 CLEANUP_CHECKOUT_BRANCH=
 if [ "$DRY_RUN" = 0 ]; then
@@ -576,3 +637,7 @@ else
     git checkout -B "$CUR_BRANCH" "$CUR_HEAD" || die "cannot reset $CUR_BRANCH to $CUR_HEAD"
     echo "delete reference. Restore with $(echo_color 36 -n git checkout -B "\"$CUR_BRANCH\"" "$H")"
 fi
+
+if [[ $CREATE_RELEASE_FAIL == 1 ]]; then
+    die "failed creating the release at gitlab.freedesktop.org. This was the last step, create it manually from the web UI"
+fi