Merge pull request #25 from octokit/updates-release-steps-checks

Adds details on how to run a manual file integrity check
octokit · Jun 15, 2022 · abed2b8 · abed2b8
2 parents f5a3abf + a9dfdbd
commit abed2b8
Show file tree

Hide file tree

Showing 4 changed files with 112 additions and 17 deletions.
diff --git a/RELEASE.md b/RELEASE.md
@@ -2,14 +2,17 @@
 
 1. Create a list of all the changes since the prior release
     1. Compare the previous release to `master` using `https://github.com/octokit/octopoller.rb/compare/`v1.3.3.7...master` (assuming that the last release was `v1.3.3.7`)
-1. Ensure there are no breaking changes _(if there are breaking changes you'll need to create a release branch without those changes or bump the major version)_
-1. Update the version
+2. Ensure there are no breaking changes _(if there are breaking changes you'll need to create a release branch without those changes or bump the major version)_
+3. Update the version
     1. Checkout `master`
-    1. Update the constant in `lib/octopoller/version.rb` (when `bundle` is executed the version in the `Gemfile.lock` will be updated)
-    1. Run `bin/setup` so that `Gemfile.lock` will be updated with the new version
-    1. Commit and push directly to `master`
-1. Run the `script/release` script to cut a release
-1. Draft a new release at <https://github.com/octokit/octopoller.rb/releases/new> containing the changelog from step 1
+    2. Update the constant in `lib/octopoller/version.rb` (when `bundle` is executed the version in the `Gemfile.lock` will be updated)
+    3. Run `bin/setup` so that `Gemfile.lock` will be updated with the new version
+    4. Commit and push directly to `master`
+5. (Optional) Run `script/release` with no parameters to execute a dry run of a release
+6. Run the `script/release -r` script to cut a release (this will also run `script/validate` to perform the permission check)
+7. Draft a new release at <https://github.com/octokit/octopoller.rb/releases/new> containing the changelog from step 1
+
+----
 
 ## Prerequisites
 

diff --git a/script/package b/script/package
@@ -4,4 +4,15 @@
 
 mkdir -p pkg
 gem build *.gemspec
-mv *.gem pkg
+
+./script/validate || rm *.gem
+
+echo "*** Packing and moving the octopoller gem ***"
+if [ -f *.gem ]; then
+  mv *.gem pkg
+  echo -e '☑ success'
+else
+  echo -e '☒ failure'
+  exit 1
+fi
+
diff --git a/script/release b/script/release
@@ -5,12 +5,49 @@
 
 set -e
 
-version="$(script/package | grep Version: | awk '{print $2}')"
-[ -n "$version" ] || exit 1
-
-echo $version
-git commit --allow-empty -a -m "Release $version"
-git tag "v$version"
-git push origin
-git push origin "v$version"
-gem push pkg/*-${version}.gem
+usage() { 
+  echo "Usage: $0 [-r] Tags and releases/publishes Octopoller" 1>&2; exit 1; 
+}
+
+while [ $# -gt 0 ]
+do
+    case $1 in
+        '-r')
+            r=true
+            ;;
+        '-h')
+            usage
+            ;;
+        *)
+            echo "No valid parameter passed in, performing a dry run...";
+            ;;
+    esac
+    shift
+done
+
+if [ -z "${r}" ]; then
+  ./script/package
+    echo "*** Dry run: octopoller was not tagged or released ***"
+    echo -e '☑ success'
+else
+
+  # We execite the script separately to get logging and proper exit conditions
+  ./script/package
+
+  # We need to pull the version from the actual file that is about to be published
+  file=$(ls pkg/*.gem| head -1)
+  version=$(echo $file | sed -e 's/.*octopoller-\(.*\).gem.*/\1/') 
+
+  [ -n "$version" ] || exit 1
+
+  echo "*** Tagging and publishing $version of octopoller ***"
+
+  git commit --allow-empty -a -m "Release $version"
+  git tag "v$version"
+  git push origin
+  git push origin "v$version"
+  gem push pkg/*-${version}.gem
+  echo -e '☑ success'
+fi
+
+
diff --git a/script/validate b/script/validate
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+# Usage: script/gem
+# Validates the packed gem to determine if file permissions are correct.
+
+<<'###SCRIPT_COMMENT'
+Purpose: 
+(Given octopoller.rb is currently shipped "manually")
+
+Because different environments behave differently, it is recommended that the integrity and file permissions of the files packed in the gem are verified.
+This is to help prevent things like releasing world writeable files in the gem. The simple check below looks at each file contained in the packed gem and
+verifies that the files are only owner writeable.
+
+Requirements:
+This script expects that script/package, script/release or 'gem build *.gemspec' have been run
+
+###SCRIPT_COMMENT
+
+
+FILE=$(ls *.gem| head -1)
+
+echo "*** Validating file permissions in the octopoller gem ***"
+
+if [ ! -f "$FILE" ]; then
+    echo "$FILE does not exist. Please run script/package, script/release or 'gem build *.gemspec' to generate the gem to be validated"
+    echo -e '☒ failure'
+    exit 1
+fi
+
+tar -xf "${FILE}"
+
+# naive check to quickly see if any files in the gem are set to the wrong permissions
+for f in $(tar --numeric-owner -tvf data.tar.gz )
+do
+  if [ $f == "-rw-rw-rw-" ]; then
+     echo "World writeable files (-rw-rw-rw- | 666) detected in the gem. Please repack and make sure that all files in the gem are owner read write ( -rw-r--r-- | 644 )"
+     echo -e '☒ failure'
+     rm -f checksums.yaml.gz data.tar.gz metadata.gz
+     exit 1
+  fi
+done
+
+# Check clean up
+echo -e '☑ success'
+rm -f checksums.yaml.gz data.tar.gz metadata.gz