-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update build script to remove PKG_VERSION, use only PKG_PATH or PKG_GITREF modes. #427
Conversation
scripts/build-debianpackage
Outdated
# Grab package version from changelog | ||
CHANGELOG_VERSION=`dpkg-parsechangelog --show-field Version` | ||
|
||
# If PKG_VERSION was set, check that it matches the version in debian/changelog |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is why I had this PR in draft - this check breaks CI and will probably break nightlies, as the versions won't match. could keep it and apply only for tags matching prod format regex...
f65718f
to
d79137a
Compare
Nothing wrong with your code from a quick skim, but I'm not really sure we need to keep PKG_VERSION around? It currently does only two things 1) verify prod signed tag 2) print out what version we're using. No. 2 is duplicative of dpkg-buildpackage's own message ("dpkg-buildpackage: info: source package securedrop-client So that just leaves No. 1, verifying the prod signed tag. And I feel like there's a better way to do that... for example, we could run |
I'd go so far as to say (2) is actually misleading (hence the PR) - the package version is determined by the changelog, not by the tagged version that gets checked out. IMO we still have 3 basic cases to cover:
But maybe what this actually points to is that we should be decomposing this script, doing the source tree prep and optional verification elsewhere if required, always just providing the prepped source tree, and focusing on the debian build bits. |
Agreed.
The third bullet is really just a special case of the second, no? In the MediaWiki release script that's basically how I treated it - accept any git ref, but if that ref is a tag, perform extra checks: https://gitlab.wikimedia.org/repos/releng/release/-/blob/f9857bd33d694aa6c492372f4111f599a3df6c87/make-release/makerelease2.py#L82
"Yes, but..." I think that would be the ideal state to end up in, but I think we right now don't have a lot of confidence/trust in our builds yet because it is convoluted that I think having just one thing to run for now is better and once the whole process is simpler we can start breaking it down a bit. |
…om an existing source tree
18ccd06
to
490f618
Compare
OK this is probably in better shape if @legoktm or anyone else has 👀 time. PKG_VERSION dropped altogether, some hip-height guardrails added around production builds. (Note that I'm choosing to verify if the ref provided just looks like a tag, this is intentional to catch branches named using the release tag format.) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor thing, otherwise looks good. I do think we have officially reached the limits of what we can safely + easily do in bash scripting and any more complexity likely needs a Python port first.
scripts/build-debianpackage
Outdated
setup_source_tree | ||
PKG_PATH="/tmp/${PKG_NAME}/" | ||
if [[ -n "${PKG_GITREF:-}" ]]; then | ||
echo "PKG_PATH not set, using git reference $PKG_GITREF)..." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unnecessary ) ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nuked!
I'd agree with this assessment, was hard to resist the temptation. |
490f618
to
0256947
Compare
- Documented workflow for releases from a dedicated release branch - Clarified process for applying bugfixes - Clarified steps for managing application and debian changelogs and versions - Updated commands to reflect changes in freedomofpress/securedrop-builder#427
- Documented workflow for releases from a dedicated release branch - Clarified process for applying bugfixes - Clarified steps for managing application and debian changelogs and versions - Updated commands to reflect changes in freedomofpress/securedrop-builder#427
- Documented workflow for releases from a dedicated release branch - Clarified process for applying bugfixes - Clarified steps for managing application and debian changelogs and versions - Updated commands to reflect changes in freedomofpress/securedrop-builder#427
- Documented workflow for releases from a dedicated release branch - Clarified process for applying bugfixes - Clarified steps for managing application and debian changelogs and versions - Updated commands to reflect changes in freedomofpress/securedrop-builder#427
0256947
to
271414b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, test plan checks out. Docs PR is in progress, don't think we need to block on that.
Fixes #426
Removes option to build using PKG_VERSION. Build options are now PKG_PATH and PKG_GITREF:
$PKG_PATH
to build package (no checkout, no tag verification)In all cases the package version will be derived from the latest version in the source tree's
debian/changelog
If a release tag PKG_GITREF is specified and doesn't match the changelog version, the build will not proceed.Testing:
X.Y.Z
withPKG_GITREF=X.Y.Z scripts/build-debianpackage
PKG_GITREF=<ref here> scripts/build-debianpackage
PKG_PATH=../securedrop-foo scripts/build-debianpackage