From 53ad94f319930a5bf8cb9bd935ebd4e028741903 Mon Sep 17 00:00:00 2001 From: Timmy Willison Date: Wed, 17 Jul 2024 10:13:53 -0400 Subject: [PATCH] Release: correct build date in verification; other improvements - the date is actually the date of the commit *prior* to the tag commit, as the files are built and then committed. - also, the CDN should still be checked for non-stable releases, and should use different filenames (including in the map files). - certain files should be skipped when checking the CDN. - removed file diffing because it ended up being far too noisy, making it difficult to find the info I needed. - because the build script required an addition, release verification will not work until the next release. - print all files in failure case and whether each matched - avoid npm script log in GH release notes changelog - exclude changelog.md from release:clean command - separate the post-release script from release-it for now, so we can keep manual verification before each push. The exact command is printed at the ened for convenience. Closes gh-5521 --- .github/workflows/verify-release.yml | 8 +- .gitignore | 4 +- .release-it.cjs | 10 +- build/release/README.md | 8 ++ build/release/post-release.sh | 2 +- build/release/verify.js | 138 +++++++++++++++++---------- build/tasks/build.js | 5 +- package.json | 3 +- 8 files changed, 120 insertions(+), 58 deletions(-) diff --git a/.github/workflows/verify-release.yml b/.github/workflows/verify-release.yml index cd43efac2..1c1b191e4 100644 --- a/.github/workflows/verify-release.yml +++ b/.github/workflows/verify-release.yml @@ -1,16 +1,17 @@ name: Reproducible Builds on: - # On tags push: + # On tags tags: - '*' # Or manually workflow_dispatch: inputs: version: - description: 'Version to verify (>= 4.0.0-beta.2)' + description: 'Version to verify (>= 4.0.0-rc.1)' required: false + jobs: run: name: Verify release @@ -28,6 +29,9 @@ jobs: with: node-version: ${{ env.NODE_VERSION }} + - name: Install dependencies + run: npm ci + - run: npm run release:verify env: VERSION: ${{ github.event.inputs.version || github.ref_name }} diff --git a/.gitignore b/.gitignore index b3cc97d99..2b984efe7 100644 --- a/.gitignore +++ b/.gitignore @@ -31,8 +31,8 @@ npm-debug.log* /test/data/qunit-fixture.js # Release artifacts -changelog.* -contributors.* +changelog.html +contributors.html # Ignore BrowserStack testing files local.log diff --git a/.release-it.cjs b/.release-it.cjs index 1de0de548..ff55b0ef1 100644 --- a/.release-it.cjs +++ b/.release-it.cjs @@ -14,16 +14,22 @@ module.exports = { "sed -i 's/main\\/AUTHORS.txt/${version}\\/AUTHORS.txt/' package.json", "after:bump": "cross-env VERSION=${version} npm run build:all", "before:git:release": "git add -f dist/ dist-module/ changelog.md", - "after:release": `bash ./build/release/post-release.sh \${version} ${ blogURL }` + "after:release": "echo 'Run the following to complete the release:' && " + + `echo './build/release/post-release.sh $\{version} ${ blogURL }'` }, git: { - changelog: "npm run release:changelog -- ${from} ${to}", + + // Use the node script directly to avoid an npm script + // command log entry in the GH release notes + changelog: "node build/release/changelog.js ${from} ${to}", commitMessage: "Release: ${version}", getLatestTagFromAllRefs: true, + pushRepo: "git@github.com:jquery/jquery.git", requireBranch: "main", requireCleanWorkingDir: true }, github: { + pushRepo: "git@github.com:jquery/jquery.git", release: true, tokenRef: "JQUERY_GITHUB_TOKEN" }, diff --git a/build/release/README.md b/build/release/README.md index 7d050d336..9aef670a1 100644 --- a/build/release/README.md +++ b/build/release/README.md @@ -84,6 +84,14 @@ The release script will not run without this token. **Note**: `preReleaseBase` is set in the npm script to `1` to ensure any pre-releases start at `.1` instead of `.0`. This does not interfere with stable releases. +1. Run the post-release script: + + ```sh + ./build/release/post-release.sh $VERSION $BLOG_URL + ``` + + This will push the release files to the CDN and jquery-dist repos, and push the commit to the jQuery repo to remove the release files and update the AUTHORS.txt URL in the package.json. + 1. Once the release is complete, publish the blog post. ## Stable releases diff --git a/build/release/post-release.sh b/build/release/post-release.sh index 2bc4e2657..6cc4d6517 100644 --- a/build/release/post-release.sh +++ b/build/release/post-release.sh @@ -51,7 +51,7 @@ git add package.json # Leave the tmp folder as some files are needed # after the release (such as for emailing archives). npm run build:clean -git rm --cached -r dist/ dist-module +git rm --cached -r dist/ dist-module/ git add dist/package.json dist/wrappers dist-module/package.json dist-module/wrappers git commit -m "Release: remove dist files from main branch" diff --git a/build/release/verify.js b/build/release/verify.js index f167666b2..423a63c8c 100644 --- a/build/release/verify.js +++ b/build/release/verify.js @@ -1,9 +1,6 @@ /** * Verify the latest release is reproducible - * Works with versions 4.0.0-beta.2 and later */ -import chalk from "chalk"; -import * as Diff from "diff"; import { exec as nodeExec } from "node:child_process"; import crypto from "node:crypto"; import { createWriteStream } from "node:fs"; @@ -22,7 +19,12 @@ const SRC_REPO = "https://github.com/jquery/jquery.git"; const CDN_URL = "https://code.jquery.com"; const REGISTRY_URL = "https://registry.npmjs.org/jquery"; -const rstable = /^(\d+\.\d+\.\d+)$/; +const excludeFromCDN = [ + /^package\.json$/, + /^jquery\.factory\./ +]; + +const rjquery = /^jquery/; async function verifyRelease( { version } = {} ) { if ( !version ) { @@ -33,24 +35,34 @@ async function verifyRelease( { version } = {} ) { console.log( `Verifying jQuery ${ version }...` ); let verified = true; + const matchingFiles = []; + const mismatchingFiles = []; - // Only check stable versions against the CDN - if ( rstable.test( version ) ) { - await Promise.all( - release.files.map( async( file ) => { - const cdnContents = await fetch( new URL( file.name, CDN_URL ) ).then( - ( res ) => res.text() - ); - if ( cdnContents !== file.contents ) { - console.log( `${ file.name } is different from the CDN:` ); - diffFiles( file.contents, cdnContents ); + // Check all files against the CDN + await Promise.all( + release.files + .filter( ( file ) => excludeFromCDN.every( ( re ) => !re.test( file.name ) ) ) + .map( async( file ) => { + const url = new URL( file.cdnName, CDN_URL ); + const response = await fetch( url ); + if ( !response.ok ) { + throw new Error( + `Failed to download ${ + file.cdnName + } from the CDN: ${ response.statusText }` + ); + } + const cdnContents = await response.text(); + if ( cdnContents !== file.cdnContents ) { + mismatchingFiles.push( url.href ); verified = false; + } else { + matchingFiles.push( url.href ); } } ) - ); - } + ); - // Check all releases against npm. + // Check all files against npm. // First, download npm tarball for version const npmPackage = await fetch( REGISTRY_URL ).then( ( res ) => res.json() ); @@ -66,9 +78,10 @@ async function verifyRelease( { version } = {} ) { // Check the tarball checksum const tgzSum = await sumTarball( npmTarballPath ); if ( tgzSum !== release.tgz.contents ) { - console.log( `${ version }.tgz is different from npm:` ); - diffFiles( release.tgz.contents, tgzSum ); + mismatchingFiles.push( `npm:${ version }.tgz` ); verified = false; + } else { + matchingFiles.push( `npm:${ version }.tgz` ); } await Promise.all( @@ -80,16 +93,26 @@ async function verifyRelease( { version } = {} ) { ); if ( npmContents !== file.contents ) { - console.log( `${ file.name } is different from the CDN:` ); - diffFiles( file.contents, npmContents ); + mismatchingFiles.push( `npm:${ file.path }/${ file.name }` ); verified = false; + } else { + matchingFiles.push( `npm:${ file.path }/${ file.name }` ); } } ) ); if ( verified ) { - console.log( `jQuery ${ version } is reproducible!` ); + console.log( `jQuery ${ version } is reproducible! All files match!` ); } else { + console.log(); + for ( const file of matchingFiles ) { + console.log( `✅ ${ file }` ); + } + console.log(); + for ( const file of mismatchingFiles ) { + console.log( `❌ ${ file }` ); + } + throw new Error( `jQuery ${ version } is NOT reproducible!` ); } } @@ -101,19 +124,32 @@ async function buildRelease( { version } ) { console.log( `Cloning jQuery ${ version }...` ); await rimraf( releaseFolder ); await mkdir( releaseFolder, { recursive: true } ); + + // Uses a depth of 2 so we can get the commit date of + // the commit used to build, which is the commit before the tag await exec( - `git clone -q -b ${ version } --depth=1 ${ SRC_REPO } ${ releaseFolder }` + `git clone -q -b ${ version } --depth=2 ${ SRC_REPO } ${ releaseFolder }` ); // Install node dependencies console.log( `Installing dependencies for jQuery ${ version }...` ); await exec( "npm ci", { cwd: releaseFolder } ); + // Find the date of the commit just before the release, + // which was used as the date in the built files + const { stdout: date } = await exec( "git log -1 --format=%ci HEAD~1", { + cwd: releaseFolder + } ); + // Build the release console.log( `Building jQuery ${ version }...` ); const { stdout: buildOutput } = await exec( "npm run build:all", { cwd: releaseFolder, env: { + + // Keep existing environment variables + ...process.env, + RELEASE_DATE: date, VERSION: version } } ); @@ -125,24 +161,35 @@ async function buildRelease( { version } ) { console.log( packOutput ); // Get all top-level /dist and /dist-module files - const distFiles = await readdir( path.join( releaseFolder, "dist" ), { - withFileTypes: true - } ); + const distFiles = await readdir( + path.join( releaseFolder, "dist" ), + { withFileTypes: true } + ); const distModuleFiles = await readdir( path.join( releaseFolder, "dist-module" ), - { - withFileTypes: true - } + { withFileTypes: true } ); const files = await Promise.all( [ ...distFiles, ...distModuleFiles ] .filter( ( dirent ) => dirent.isFile() ) - .map( async( dirent ) => ( { - name: dirent.name, - path: path.basename( dirent.parentPath ), - contents: await readFile( path.join( dirent.parentPath, dirent.name ), "utf8" ) - } ) ) + .map( async( dirent ) => { + const contents = await readFile( + path.join( dirent.parentPath, dirent.name ), + "utf8" + ); + return { + name: dirent.name, + path: path.basename( dirent.parentPath ), + contents, + cdnName: dirent.name.replace( rjquery, `jquery-${ version }` ), + cdnContents: dirent.name.endsWith( ".map" ) ? + + // The CDN has versioned filenames in the maps + convertMapToVersioned( contents, version ) : + contents + }; + } ) ); // Get checksum of the tarball @@ -166,20 +213,6 @@ async function downloadFile( url, dest ) { return finished( stream ); } -async function diffFiles( a, b ) { - const diff = Diff.diffLines( a, b ); - - diff.forEach( ( part ) => { - if ( part.added ) { - console.log( chalk.green( part.value ) ); - } else if ( part.removed ) { - console.log( chalk.red( part.value ) ); - } else { - console.log( part.value ); - } - } ); -} - async function getLatestVersion() { const { stdout: sha } = await exec( "git rev-list --tags --max-count=1" ); const { stdout: tag } = await exec( `git describe --tags ${ sha.trim() }` ); @@ -198,4 +231,13 @@ async function sumTarball( filepath ) { return shasum( unzipped ); } +function convertMapToVersioned( contents, version ) { + const map = JSON.parse( contents ); + return JSON.stringify( { + ...map, + file: map.file.replace( rjquery, `jquery-${ version }` ), + sources: map.sources.map( ( source ) => source.replace( rjquery, `jquery-${ version }` ) ) + } ); +} + verifyRelease(); diff --git a/build/tasks/build.js b/build/tasks/build.js index 1a3ed1d82..d05f7daf0 100644 --- a/build/tasks/build.js +++ b/build/tasks/build.js @@ -148,7 +148,10 @@ async function getLastModifiedDate() { async function writeCompiled( { code, dir, filename, version } ) { // Use the last modified date so builds are reproducible - const date = await getLastModifiedDate(); + const date = process.env.RELEASE_DATE ? + new Date( process.env.RELEASE_DATE ) : + await getLastModifiedDate(); + const compiledContents = code // Embed Version diff --git a/package.json b/package.json index 36bc85462..9f29c124e 100644 --- a/package.json +++ b/package.json @@ -61,8 +61,7 @@ "qunit-fixture": "node build/tasks/qunit-fixture.js", "release": "release-it", "release:cdn": "node build/release/cdn.js", - "release:changelog": "node build/release/changelog.js", - "release:clean": "rimraf tmp --glob changelog.{md,html} contributors.html", + "release:clean": "rimraf tmp changelog.html contributors.html", "release:dist": "node build/release/dist.js", "release:verify": "node build/release/verify.js", "start": "node -e \"(async () => { const { buildDefaultFiles } = await import('./build/tasks/build.js'); buildDefaultFiles({ watch: true }) })()\"", -- 2.39.5