#!/usr/bin/env bash # This script downloads the build artifacts along with the signatures, verifies the signatures and # creates a GitHub draft release. This should be run after `3-verify-build`. set -eu SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd "$SCRIPT_DIR" REPO_ROOT=../../../ PRODUCT_VERSION_PATH=$REPO_ROOT/dist-assets/desktop-product-version.txt PRODUCT_VERSION=$(cat $PRODUCT_VERSION_PATH) $REPO_ROOT/scripts/utils/gh-ready-check REPO_URL="git@github.com:mullvad/mullvadvpn-app" ARTIFACT_DIR=$(mktemp -d) REPO_DIR=$(mktemp -d) CHANGELOG_PATH="$REPO_DIR/CHANGELOG.md" URL_BASE="https://releases.mullvad.net/desktop/releases" function download_and_verify { # Find GnuPG command to use. Prefer gpg2 gpg_cmd=$(command -v gpg2 || command -v gpg) for ext in .exe _arm64.exe _x64.exe _amd64.deb _arm64.deb _x86_64.rpm _aarch64.rpm .pkg; do pkg_filename="MullvadVPN-${PRODUCT_VERSION}${ext}" pkg_path="$ARTIFACT_DIR/$pkg_filename" url="$URL_BASE/$PRODUCT_VERSION/$pkg_filename" echo ">>> Downloading $pkg_filename - $url" curl -o "$pkg_path" --progress-bar --fail "$url" curl -o "$pkg_path.asc" --progress-bar --fail "$url.asc" echo "" echo ">>> Verifying integrity of $pkg_filename" if ! $gpg_cmd --verify "$pkg_path.asc" "$pkg_path"; then echo "" echo "!!! INTEGRITY CHECKING FAILED !!!" rm "$pkg_path" "$pkg_path.asc" exit 1 fi echo "" echo "GOOD SIGNATURE IN $pkg_filename" echo "" done } function publish_release { echo ">>> Cloning repository to extract changelog" git clone --depth 1 --branch "$PRODUCT_VERSION" $REPO_URL "$REPO_DIR" 2> /dev/null > /dev/null (cd "$REPO_DIR" && git verify-tag "$PRODUCT_VERSION") echo "" changelog_end_version_pattern="20[0-9]\{2\}\.[0-9]\{1,2\}" if [[ $PRODUCT_VERSION == *-beta* ]]; then changelog_end_version_pattern=".*" fi changelog_extract=$(sed -n "/^## \[$PRODUCT_VERSION\]/,/^## \[$changelog_end_version_pattern\]/p" "$CHANGELOG_PATH") changelog=$(echo "$changelog_extract" | sed '$d' | \ awk 'NF { last = last ? last ORS $0 : $0 } END { print last }') release_flags=( --draft --verify-tag --notes-file - --title "$PRODUCT_VERSION" ) previous_release=$(echo "$changelog_extract" | tail -1 | grep -oP '## \[\K[^\]]+') body="This release is for desktop only." if [[ $PRODUCT_VERSION == *-beta* ]]; then body+="\n\nHere is a list of all changes since last release [$previous_release](https://github.com/mullvad/mullvadvpn-app/releases/tag/$previous_release):" release_flags+=(--prerelease) else body+="\n\nHere is a list of all changes since last stable release [$previous_release](https://github.com/mullvad/mullvadvpn-app/releases/tag/$previous_release):" release_flags+=(--latest) fi version_count=$(echo "$changelog" | grep -c "^## ") if [ "$version_count" -eq 1 ]; then changelog=$(echo "$changelog" | tail -n +2) fi body+="\n$changelog" echo ">>> Creating GitHub release" # shellcheck disable=SC2059 # shellcheck disable=SC2046 printf "$body" | gh release create "${release_flags[@]}" "$PRODUCT_VERSION" $(printf "%s " "$ARTIFACT_DIR"/*) } download_and_verify publish_release