release.sh: release to freedesktop.org, not to GNOME

GNOME has changed the process to publish releases to download.gnome.org. Now, it is required to do it from the CI of projects hosted in GNOME's repositories. As we don't have the project hosted there, we have 2 options: - Create a mirror and set up the CI so we continue using download.gnome.org. - Stop publishing the tarballs there and do it in gitlab.freedesktop.org from now on. After a brief discussion we have decided that the second makes more sense, so adapt release.sh to do that. https://discourse.gnome.org/t/gnome-release-service-ftpadmin-replacement-coming-11th-december/25487 https://handbook.gnome.org/maintainers/making-a-release.html
2024-12-20 15:27:25 +01:00
parent 45dad85911
commit f05192ada8
2 changed files with 103 additions and 36 deletions
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -191,7 +191,9 @@ release type that you specify, like devel, rc1, rc, major, major-post, etc.
 Run the script with `--help` to see all options.

 Notes:
- You need access to master.gnome.org, see [here](https://handbook.gnome.org/infrastructure/accounts.html).
+- You need a private token from gitlab.freedesktop.org with 'api' level access
+  to the project. It can be saved to `~/.config/nm-release-token` or passed to
+  the `--gitlab-token` argument of `release.sh`.
 - The GPG key used to sign the tags must be exported to a keyserver.

 Versioning scheme, automatically handled by the script (version numbers are
@@ -203,7 +205,7 @@ called MAJOR.MINOR.MICRO):
  number less, and MICRO is >= 90).

 The main differences between the different kind of releases are:
- Development releases: for depelopment and testing purposes only.
+- Development releases: for development and testing purposes only.
 - Release candidates (RC): stabilization phase before a stable release. Normally
  there are one or two RCs with ~2 weeks cadence. More RCs can be releases if
  they are needed.
--- a/contrib/fedora/rpm/release.sh
+++ b/contrib/fedora/rpm/release.sh
@@ -27,7 +27,8 @@
 #   * Run in a "clean" environment, i.e. no unusual environment variables set, on a recent
 #     Fedora, with suitable dependencies installed.
 #
-#   * First, ensure that you have ssh keys for "master.gnome.org" installed (and ssh-agent running).
+#   * First, ensure that you have a valid Gitlab's private token for gitlab.freedestkop.org
+#     stored in ~/.config/nm-release-token, or pass one with --gitlab-token argument.
 #     Also, ensure you have a GPG key that you want to use for signing. Also, have gpg-agent running
 #     and possibly configure `git config --get user.signingkey` for the proper key.
 #
@@ -39,9 +40,13 @@
 #
 # Run with --no-test to do the actual release.

-die() {
+fail_msg() {
    echo -n "FAIL: "
    echo_color 31 "$@"
+}
+
+die() {
+    fail_msg "$@"
    exit 1
 }

@@ -63,6 +68,7 @@ print_usage() {
    echo "     [--no-check-gitlab] \\"
    echo "     [--no-check-news] \\"
    echo "     [--no-warn-publish-docs] \\"
+    echo "     [--gitlab-token <private_gitlab_token>] \\"
 }

 die_help() {
@@ -235,6 +241,11 @@ while [ "$#" -ge 1 ]; do
        --help|-h)
            die_help
            ;;
+        --gitlab-token)
+            [ "$#" -ge 1 ] || die_usage "provide a value for --gitlab-token"
+            GITLAB_TOKEN="$1"
+            shift
+            ;;
        devel|rc1|rc|major|major-post|minor)
            [ -z "$RELEASE_MODE" ] || die_usage "duplicate release-mode"
            RELEASE_MODE="$A"
@@ -501,27 +512,23 @@ case "$RELEASE_MODE" in
 esac

 build_tag() {
+    local BUILD_TAG="$1"
+    local TAR_FILE="NetworkManager-$2.tar.xz"
+    local SUM_FILE="$TAR_FILE.sha256sum"
+
    git checkout "$BUILD_TAG" || die "failed to checkout $BUILD_TAG"
-
    ./contrib/fedora/rpm/build_clean.sh -r || die "build release failed"
-
-    test -f "./build/meson-dist/$RELEASE_FILE" \
-    || die "release file \"./build/meson-dist/$RELEASE_FILE\" not found"
-
-    cp "./build/meson-dist/$RELEASE_FILE" /tmp/ || die "failed to copy release tarball to /tmp"
-
-    if test -f "./build/meson-dist/$RELEASE_FILE.sig" ; then
-        cp "./build/meson-dist/$RELEASE_FILE.sig" /tmp/ || die "failed to copy signature for tarball to /tmp"
-    fi
-
+    cp "./build/meson-dist/$TAR_FILE" /tmp/ || die "failed to copy $TAR_FILE to /tmp"
+    cp "./build/meson-dist/$SUM_FILE" /tmp/ || die "failed to copy $SUM_FILE to /tmp"
    git clean -fdx
 }

-RELEASE_FILES=()
+RELEASE_TAR_VERSIONS=()
+RELEASE_TAGS=()
 if [ -n "$BUILD_TAG" ]; then
-    RELEASE_FILE="NetworkManager-$TAR_VERSION.tar.xz"
-    RELEASE_FILES+=("$RELEASE_FILE")
-    build_tag
+    build_tag "$BUILD_TAG" "$TAR_VERSION"
+    RELEASE_TAR_VERSIONS+=("$TAR_VERSION")
+    RELEASE_TAGS+=("$BUILD_TAG")
 fi
 git checkout -B "$CUR_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"

@@ -531,9 +538,6 @@ if [ "$RELEASE_MODE" = rc1 ]; then
    git branch "$RELEASE_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
    BRANCHES+=( "$RELEASE_BRANCH" )
    CLEANUP_REFS+=( "refs/heads/$RELEASE_BRANCH" )
-fi
-
-if [ "$RELEASE_MODE" = rc1 ]; then
    git checkout "$TMP_BRANCH"
    b="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 2)).0"
    set_version_number "${VERSION_ARR[0]}" "$((${VERSION_ARR[1]} + 2))" 0
@@ -543,29 +547,86 @@ if [ "$RELEASE_MODE" = rc1 ]; then
    CLEANUP_REFS+=("refs/tags/$b-dev")
    BUILD_TAG="$b-dev"
    TAR_VERSION="$b"
-    RELEASE_FILE="NetworkManager-$TAR_VERSION.tar.xz"
-    RELEASE_FILES+=("$RELEASE_FILE")
-    build_tag
+    build_tag "$BUILD_TAG" "$TAR_VERSION"
+    RELEASE_TAR_VERSIONS+=("$TAR_VERSION")
+    RELEASE_TAGS+=("$BUILD_TAG")
    git checkout -B "$CUR_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
 fi

-if ! [ "$DRY_RUN" = 0 ]; then
-    ssh master.gnome.org true || die "failed to \`ssh master.gnome.org\`"
+if [[ $GITLAB_TOKEN == "" ]]; then
+    [[ -r ~/.config/nm-release-token ]] || die "cannot read ~/.config/nm-release-token"
+    GITLAB_TOKEN=$(< ~/.config/nm-release-token)
 fi

-for r in "${RELEASE_FILES[@]}"; do
-    do_command rsync -va --append-verify -P "/tmp/$r" master.gnome.org: || die "failed to rsync \"/tmp/$r\""
-done
+# This step is not necessary for authentication, we use it only to provide a meaningful error message.
+curl --request GET --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
+    "https://gitlab.freedesktop.org/api/v4/personal_access_tokens/self" &>/dev/null \
+    || die "failed to authenticate at gitlab.freedesktop.org with the private token"

 do_command git push "$ORIGIN" "${BRANCHES[@]}" || die "failed to to push branches ${BRANCHES[@]} to $ORIGIN"

-FAIL=0
-for r in "${RELEASE_FILES[@]}"; do
-    do_command ssh master.gnome.org ftpadmin install --unattended "$r" || FAIL=1
+CREATE_RELEASE_FAIL=0
+for I in "${!RELEASE_TAR_VERSIONS[@]}"; do
+    TAR_FILE="NetworkManager-${RELEASE_TAR_VERSIONS[$I]}.tar.xz"
+    SUM_FILE="$TAR_FILE.sha256sum"
+    BUILD_TAG="${RELEASE_TAGS["$I"]}"
+    FAIL=0
+
+    # upload tarball and checksum file as generic packages
+    for F in "$TAR_FILE" "$SUM_FILE"; do
+        do_command curl --location --fail-with-body --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
+            --upload-file "/tmp/$F" \
+            "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$F" \
+            || FAIL=1
+
+        if [[ $FAIL = 1 ]]; then
+            fail_msg "failed to upload $F"
+            CREATE_RELEASE_FAIL=1
+            break
+        fi
+    done
+
+    [[ $FAIL = 1 ]] && continue
+
+    # create release
+    do_command curl --location  --header 'Content-Type: application/json' --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
+         --request POST "https://gitlab.freedesktop.org/api/v4/projects/411/releases" \
+         --data "$(cat <<END
+            {
+                "name": "NetworkManager $BUILD_TAG",
+                "tag_name": "$BUILD_TAG", 
+                "assets": {
+                    "links": [
+                        {
+                            "name": "NetworkManager $BUILD_TAG tarball with docs",
+                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$TAR_FILE",
+                            "direct_asset_path": "/$TAR_FILE",
+                            "link_type":"package"
+                        },
+                        {
+                            "name": "NetworkManager $BUILD_TAG tarball sha256sum",
+                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$SUM_FILE",
+                            "direct_asset_path": "/$SUM_FILE",
+                            "link_type":"package"
+                        },
+                        {
+                            "name": "NEWS",
+                            "url": "https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/$BUILD_TAG/NEWS?ref_type=tags",
+                            "direct_asset_path": "/NEWS",
+                            "link_type":"other"
+                        }
+                    ]
+                }
+            }
+END
+            )" || FAIL=1
+
+    if [[ $? != 0 ]]; then
+        fail_msg "failed to create NetworkManager $BUILD_TAG release"
+        CREATE_RELEASE_FAIL=1
+        continue
+    fi
 done
-if [ "$FAIL" = 1 ]; then
-    die "ftpadmin install failed. This was the last step. Invoke the command manually"
-fi

 CLEANUP_CHECKOUT_BRANCH=
 if [ "$DRY_RUN" = 0 ]; then
@@ -576,3 +637,7 @@ else
    git checkout -B "$CUR_BRANCH" "$CUR_HEAD" || die "cannot reset $CUR_BRANCH to $CUR_HEAD"
    echo "delete reference. Restore with $(echo_color 36 -n git checkout -B "\"$CUR_BRANCH\"" "$H")"
 fi
+
+if [[ $CREATE_RELEASE_FAIL == 1 ]]; then
+    die "failed creating the release at gitlab.freedesktop.org. This was the last step, create it manually from the web UI"
+fi