| author | Joakim Hulthe <joakim.hulthe@mullvad.net> | 2025-03-19 10:47:00 +0100 |
|---|---|---|
| committer | Joakim Hulthe <joakim.hulthe@mullvad.net> | 2025-03-19 10:47:00 +0100 |
| commit | 1cb64dd714e0bfca67f90cce6c7d80633e60e417 (patch) | |
| tree | ad35adfccbaa7d996817c40056d8fa544dbb1edd | |
| parent | f8e58ab81e97ce5099fe6cd7d463f36604ae6bd8 (diff) | |
| parent | d9509c1a4c9078e4afc6420a37f74e01d26417b7 (diff) | |
Merge branch 'split-metadata-handling-out-of-4-make-release-des-1852'
| -rwxr-xr-x | desktop/scripts/release/4-make-release | 81 | ||||
| -rwxr-xr-x | desktop/scripts/release/5-update-and-publish-metadata | 84 | ||||
| -rwxr-xr-x | desktop/scripts/release/download-release-artifacts | 57 |
3 files changed, 144 insertions, 78 deletions
diff --git a/desktop/scripts/release/4-make-release b/desktop/scripts/release/4-make-release index aa713966ff..71f52a2acd 100755 --- a/desktop/scripts/release/4-make-release +++ b/desktop/scripts/release/4-make-release @@ -2,21 +2,16 @@ # This script downloads the build artifacts along with the signatures, verifies the signatures and # creates a GitHub draft release. This should be run after `3-verify-build`. -# This will also publish new version metadata set -eu SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd "$SCRIPT_DIR" -if [ $# -lt 3 ]; then +if [ $# -ne 1 ]; then echo "Please provide the following arguments:" echo " $(basename "$0") \\" - echo " <product version> \\" - echo " <build server SSH destination> \\" - echo " <metadata server SSH destination>" - echo "" - echo "Note that the metadata server SSH destination is part of the rsync command executed on the build server and will be checked against the SSH config of build@\$buildserver_host." + echo " <product version>" exit 1 fi 
@@ -31,80 +26,12 @@ if ! gh auth status > /dev/null; then fi PRODUCT_VERSION=$1 -BUILDSERVER_HOST=$2 -CDN_HOST=$3 ARTIFACT_DIR="./artifacts" -URL_BASE="https://releases.mullvad.net/desktop/releases" rm -rf $ARTIFACT_DIR mkdir -p $ARTIFACT_DIR -function download_and_verify { - # Find GnuPG command to use. Prefer gpg2 - gpg_cmd=$(command -v gpg2 || command -v gpg) - - for ext in .exe _arm64.exe _x64.exe _amd64.deb _arm64.deb _x86_64.rpm _aarch64.rpm .pkg; do - pkg_filename="MullvadVPN-${PRODUCT_VERSION}${ext}" - pkg_path="$ARTIFACT_DIR/$pkg_filename" - url="$URL_BASE/$PRODUCT_VERSION/$pkg_filename" - echo ">>> Downloading $pkg_filename - $url" - curl -o "$pkg_path" --progress-bar --fail "$url" - curl -o "$pkg_path.asc" --progress-bar --fail "$url.asc" - - echo "" - echo ">>> Verifying integrity of $pkg_filename" - if ! $gpg_cmd --verify "$pkg_path.asc" "$pkg_path"; then - echo "" - echo "!!! INTEGRITY CHECKING FAILED !!!" - rm "$pkg_path" "$pkg_path.asc" - exit 1 - fi - echo "" - echo "GOOD SIGNATURE FOR $pkg_filename" - echo "" - done -} - -function publish_metadata { - local platforms - platforms=(windows macos linux) - local signed_dir="signed/" - - rm -rf currently_published/ - - echo ">>> Fetching current version metadata" - meta pull --assume-yes "${platforms[@]}" - echo "" - - echo ">>> Backing up released data" - cp -r $signed_dir currently_published/ - echo "" - - echo ">>> Replacing work/ directory with latest published data" - cp -rf signed/ work/ - echo "" - - echo ">>> Adding new release $$PRODUCT_VERSION (rollout = 1)" - meta add-release "$PRODUCT_VERSION" "${platforms[@]}" - echo "" - - echo ">>> Signing $PRODUCT_VERSION metadata" - meta sign "${platforms[@]}" - echo "" - - echo ">>> Verifying signed metadata" - meta verify "${platforms[@]}" - echo "" - - echo ">>> New metadata including $$PRODUCT_VERSION" - git --no-pager diff --no-index -- currently_published/ $signed_dir || true - echo "" - - read -rp "Press enter to upload if the diff looks good " 
- ./publish-metadata-to-api $signed_dir "$BUILDSERVER_HOST" "$CDN_HOST" -} - function publish_release { echo ">>> Downloading changelog" local changelog_path @@ -158,7 +85,5 @@ function publish_release { echo "The above URL contains the text \"untagged\", but don't worry it is tagged properly and everything will look correct once it's published." } -download_and_verify -# TODO: Uncomment before releasing installer downloader -# publish_metadata +./download-release-artifacts "$PRODUCT_VERSION" publish_release diff --git a/desktop/scripts/release/5-update-and-publish-metadata b/desktop/scripts/release/5-update-and-publish-metadata new file mode 100755 index 0000000000..b9bf9915ab --- /dev/null +++ b/desktop/scripts/release/5-update-and-publish-metadata 
@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+
+# This script downloads the build artifacts along with the signatures, verifies the signatures and
+# publishes new version metadata to Mullvads API. This should be run after `4-make-release`.
+
+set -eu
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+cd "$SCRIPT_DIR"
+
+if [ $# -ne 3 ]; then
+ echo "Please provide the following arguments:"
+ echo " $(basename "$0") \\"
+ echo " <product version> \\"
+ echo " <build server SSH destination> \\"
+ echo " <metadata server SSH destination>"
+ echo ""
+ echo "Note that the metadata server SSH destination is part of the rsync command executed on the build server and will be checked against the SSH config of build@\$buildserver_host."
+ exit 1
+fi
+
+# Duplicated from /scripts/utils/gh-ready-check
+if ! command -v gh > /dev/null; then
+ echo "gh (GitHub CLI) is required to run this script"
+ exit 1
+fi
+if ! gh auth status > /dev/null; then
+ echo "Authentication through gh (GitHub CLI) is required to run this script"
+ exit 1
+fi
+
+PRODUCT_VERSION=$1
+BUILDSERVER_HOST=$2
+METADATA_SERVER_HOST=$3
+
+ARTIFACT_DIR="./artifacts"
+
+function publish_metadata {
+ local platforms
+ platforms=(windows macos linux)
+ local signed_dir="signed/"
+
+ rm -rf currently_published/
+
+ echo ">>> Fetching current version metadata"
+ meta pull --assume-yes "${platforms[@]}"
+ echo ""
+
+ echo ">>> Backing up released data"
+ cp -r $signed_dir currently_published/
+ echo ""
+
+ echo ">>> Replacing work/ directory with latest published data"
+ cp -rf signed/ work/
+ echo ""
+
+ echo ">>> Adding new release $PRODUCT_VERSION (rollout = 1)"
+ meta add-release "$PRODUCT_VERSION" "${platforms[@]}" 1
+ echo ""
+
+ echo ">>> Signing $PRODUCT_VERSION metadata"
+ meta sign "${platforms[@]}"
+ echo ""
+
+ echo ">>> Verifying signed metadata"
+ meta verify "${platforms[@]}"
+ echo ""
+
+ echo ">>> New metadata including $$PRODUCT_VERSION"
+ git --no-pager diff --no-index -- currently_published/ $signed_dir || true
+ echo ""
+
+ read -rp "Press enter to upload if the diff looks good "
+ ./publish-metadata-to-api $signed_dir "$BUILDSERVER_HOST" "$METADATA_SERVER_HOST"
+}
+
+function remove_release_artifacts {
+ echo ">>> Cleaning up $ARTIFACT_DIR"
+ rm -r "$ARTIFACT_DIR"
+}
+
+./download-release-artifacts "$PRODUCT_VERSION"
+publish_metadata
+remove_release_artifacts
diff --git a/desktop/scripts/release/download-release-artifacts b/desktop/scripts/release/download-release-artifacts
new file mode 100755
index 0000000000..b6444cbd66
--- /dev/null
+++ b/desktop/scripts/release/download-release-artifacts
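Review bot: `echo ">>> New metadata including $$PRODUCT_VERSION"` in publish_metadata expands `$$` to the shell's PID, so the banner prints the process id followed by the literal text `PRODUCT_VERSION` rather than the version; the parallel "Adding new release" line was corrected to `$PRODUCT_VERSION` in this file and this one should be too: `echo ">>> New metadata including $PRODUCT_VERSION"`. While there, `$signed_dir` is left unquoted in the `cp -r` and `./publish-metadata-to-api` calls, unlike every other expansion in the function; `"$signed_dir"` keeps the quoting consistent. `cp -rf signed/ work/` also differs between GNU and BSD cp when `work/` already exists (GNU creates `work/signed/`, macOS copies the contents into `work/`), so if this is run from both Linux and macOS release machines, `cp -rf signed/. work/` behaves the same on both — presumably `meta` reads `work/`, which the script does not show, so confirm before changing. The `gh` auth check is carried over from 4-make-release, but nothing visible in this script invokes gh; if neither `meta` nor publish-metadata-to-api needs it, the block can go.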
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+# This script downloads the build artifacts along with the signatures, and verifies them.
+
+set -eu
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+cd "$SCRIPT_DIR"
+
+if [ $# -ne 1 ]; then
+ echo "Please provide the following arguments:"
+ echo " $(basename "$0") \\"
+ echo " <product version>"
+ exit 1
+fi
+
+PRODUCT_VERSION=$1
+
+ARTIFACT_DIR="./artifacts"
+URL_BASE="https://releases.mullvad.net/desktop/releases"
+
+mkdir -p $ARTIFACT_DIR
+
+# Find GnuPG command to use. Prefer gpg2
+gpg_cmd=$(command -v gpg2 || command -v gpg)
+
+for ext in .exe _arm64.exe _x64.exe _amd64.deb _arm64.deb _x86_64.rpm _aarch64.rpm .pkg; do
+ pkg_filename="MullvadVPN-${PRODUCT_VERSION}${ext}"
+ pkg_path="$ARTIFACT_DIR/$pkg_filename"
+ url="$URL_BASE/$PRODUCT_VERSION/$pkg_filename"
+
+ if [ -f "$pkg_path" ]; then
+ echo ">>> Using existing file: $pkg_filename"
+ else
+ echo ">>> Downloading $pkg_filename - $url"
+ curl -o "$pkg_path" --progress-bar --fail "$url"
+ fi
+
+ if [ -f "$pkg_path.asc" ]; then
+ echo ">>> Using existing file: $pkg_filename.asc"
+ else
+ echo ">>> Downloading $pkg_filename.asc - $url.asc"
+ curl -o "$pkg_path.asc" --progress-bar --fail "$url.asc"
+ fi
+
+ echo ""
+ echo ">>> Verifying integrity of $pkg_filename"
+ if ! $gpg_cmd --verify "$pkg_path.asc" "$pkg_path"; then
+ echo ""
+ echo "!!! INTEGRITY CHECKING FAILED !!!"
+ rm "$pkg_path" "$pkg_path.asc"
+ exit 1
+ fi
+ echo ""
+ echo "GOOD SIGNATURE FOR $pkg_filename"
+ echo ""
+done
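Review bot: `$gpg_cmd --verify "$pkg_path.asc" "$pkg_path"` accepts a good signature from any key in the operator's default keyring, not specifically the release-signing key, so an artifact signed by some other imported key would still print `GOOD SIGNATURE FOR …`. If the release key's fingerprint is known to the release process, pinning the check to it — e.g. `--no-default-keyring --keyring <release-keyring-path>` (placeholder), or reading `--status-fd 1` output and requiring a `VALIDSIG <release-fingerprint>` line — makes the result independent of whatever else is in the local keyring. Separately, `gpg_cmd=$(command -v gpg2 || command -v gpg)` aborts through `set -e` with no message when neither binary is installed; `gpg_cmd=$(command -v gpg2 || command -v gpg) || { echo "gpg2 or gpg is required" >&2; exit 1; }` says why. The "Using existing file" branches are fine as written because the signature is re-verified on every run, and a failed check removes both files.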
