WIP: Add confirm-release workflow

.github/scripts/confirm-release.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+set -e
+
+CHECKSUM_FILE="Django-${VERSION}.checksum.txt"
+MEDIA_URL_PREFIX="https://media.djangoproject.com"
+RELEASE_URL_PREFIX="https://www.djangoproject.com/m/releases/"
+DOWNLOAD_PREFIX="https://www.djangoproject.com/download"
+
+if [[ ! "${VERSION}" =~ ^[0-9]+\.[0-9]+(\.[0-9]+|a[0-9]+|b[0-9]+|rc[0-9]+)?$ ]] ; then
+    echo "Not a valid version"
+fi
+
+rm -rf "${VERSION}"
+mkdir "${VERSION}"
+cd "${VERSION}"
+
+function cleanup {
+    cd ..
+    rm -rf "${VERSION}"
+}
+trap cleanup EXIT
+
+echo "Download checksum file ..."
+curl --fail --output "$CHECKSUM_FILE" "${MEDIA_URL_PREFIX}/pgp/${CHECKSUM_FILE}"
+
+echo "Verify checksum file ..."
+if [ -n "${GPG_KEY}" ] ; then
+    gpg --recv-keys "${GPG_KEY}"
+fi
+gpg --verify "${CHECKSUM_FILE}"
+
+echo "Finding release artifacts ..."
+mapfile -t RELEASE_ARTIFACTS < <(grep "${DOWNLOAD_PREFIX}" "${CHECKSUM_FILE}")
+
+echo "Found these release artifacts: "
+for ARTIFACT_URL in "${RELEASE_ARTIFACTS[@]}" ; do
+    echo "- $ARTIFACT_URL"
+done
+
+echo "Downloading artifacts ..."
+for ARTIFACT_URL in "${RELEASE_ARTIFACTS[@]}" ; do
+    ARTIFACT_ACTUAL_URL=$(curl  --head --write-out '%{redirect_url}' --output /dev/null --silent "${ARTIFACT_URL}")
+    curl --location --fail --output "$(basename "${ARTIFACT_ACTUAL_URL}")" "${ARTIFACT_ACTUAL_URL}"
+
+done
+
+echo "Verifying artifact hashes ..."
+# The `2> /dev/null` moves notes like "sha256sum: WARNING: 60 lines are improperly formatted"
+# to /dev/null. That's fine because the return code of the script is still set on error and a
+# wrong checksum will still show up as `FAILED`
+echo "- MD5 checksums"
+md5sum --check "${CHECKSUM_FILE}" 2> /dev/null
+echo "- SHA1 checksums"
+sha1sum --check "${CHECKSUM_FILE}" 2> /dev/null
+echo "- SHA256 checksums"
+sha256sum --check "${CHECKSUM_FILE}" 2> /dev/null

.github/workflows/confirm-release.yml

@@ -0,0 +1,24 @@
+name: Confirm Release
+
+on:
+    workflow_dispatch:
+        inputs:
+            version:
+                required: true
+                description: The Django version to verify. Should be in the format `major.minor`, `major.minor.patch`, `major.minor((a|b|rc)prerelease)` e.g. 4.2, 4.2.3, 4.2a1
+            environment:
+                type: environment
+
+jobs:
+    confirm-release:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Check out the repository
+              uses: actions/checkout@v4
+
+            - name: Run confirm-release script
+              run: ./confirm-release.sh
+              working-directory: ./.github/scripts
+              env:
+                  VERSION: ${{ inputs.version }}
+                  GPG_KEY: ${{ vars.GPG_FINGERPRINT }}