From f499f69259e8c06af52f25d189ea3bd0a662c9a3 Mon Sep 17 00:00:00 2001 From: Nick Floyd Date: Mon, 13 Jun 2022 16:16:46 -0500 Subject: [PATCH 1/4] Adds details on how to run a manual file integrity check --- RELEASE.md | 49 ++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 40 insertions(+), 9 deletions(-) diff --git a/RELEASE.md b/RELEASE.md index 0503947d1..10c2ab40a 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -2,16 +2,47 @@ 1. Create a list of all the changes since the prior release 1. Compare the latest release to master using https://github.com/octokit/octokit.rb/compare/`${latest}`...master - 1. Open the linked pull requests from all the `Merge pull request #...` commits - 1. For all non-documentation PRs, copy title (including pull request number) into markdown list items - 1. (optional, but nice) Sort into logical buckets, like "support for additional endpoints", "enhancements", "bugfixes" - 1. Reorganize to put the pull request number at the start of the line -1. Ensure there are no breaking changes _(if there are breaking changes you'll need to create a release branch without those changes or bump the major version)_ -1. Update the version + 2. Open the linked pull requests from all the `Merge pull request #...` commits + 3. For all non-documentation PRs, copy title (including pull request number) into markdown list items + 4. (optional, but nice) Sort into logical buckets, like "support for additional endpoints", "enhancements", "bugfixes" + 5. Reorganize to put the pull request number at the start of the line +2. Ensure there are no breaking changes _(if there are breaking changes you'll need to create a release branch without those changes or bump the major version)_ +3. Update the version 1. Update the constant in `lib/octokit/version.rb` - 1. Commit and push directly to master -1. Run the `script/release` script to cut a release -1. Draft a new release at https://github.com/octokit/octokit.rb/releases/new containing the curated changelog + 2. Run the "File integrity check" + 3. Commit the version change and push directly to master +4. Run the `script/release` script to cut a release +5. Draft a new release at https://github.com/octokit/octokit.rb/releases/new containing the curated changelog + +---- + +## File integrity check + +(Given octokit.rb is currently shipped "manually") + +Because different environments behave differently, it is recommended that the integrity and file permissions of the files packed in the gem are verified. This is to help prevent things like releasing world writeable files in the gem. As we get things a little more automated, this will become unnecessary. + +Until then, it is recommended that if you are preparing a release you run the following prior to releasing the gem: + +From the root of octokit.rb + +``` +> gem build *.gemspec +``` + +Use the version from the build in the next commands + +``` +> tar -x -f octokit-#.##.#.gem +> tar -t -v --numeric-owner -f data.tar.gz |head -n 10 +``` + +The files in the output should have the following permessions set: +`-rw-r--r--` + +(optional) Once verified, you can run `git clean -dfx` to clean things up before packing + +---- ## Prerequisites From 3da85b1e8994ec3eaf2cd5928a312264c41fe2a7 Mon Sep 17 00:00:00 2001 From: Nick Floyd Date: Tue, 14 Jun 2022 08:36:11 -0500 Subject: [PATCH 2/4] moves the check to a separate step --- RELEASE.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/RELEASE.md b/RELEASE.md index 10c2ab40a..6c6c95f69 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -9,10 +9,10 @@ 2. Ensure there are no breaking changes _(if there are breaking changes you'll need to create a release branch without those changes or bump the major version)_ 3. Update the version 1. Update the constant in `lib/octokit/version.rb` - 2. Run the "File integrity check" - 3. Commit the version change and push directly to master -4. Run the `script/release` script to cut a release -5. Draft a new release at https://github.com/octokit/octokit.rb/releases/new containing the curated changelog + 2. Commit the version change and push directly to master +4. Run the "File integrity check" +5. Run the `script/release` script to cut a release +6. Draft a new release at https://github.com/octokit/octokit.rb/releases/new containing the curated changelog ---- From c9a2e525c7e47650281f7433c09f6584f2d56cbb Mon Sep 17 00:00:00 2001 From: Nick Floyd Date: Tue, 14 Jun 2022 15:48:36 -0500 Subject: [PATCH 3/4] reworks the scripts to be more durable / predictable / informational when executed --- RELEASE.md | 32 ++--------------------------- script/package | 13 +++++++++++- script/release | 55 +++++++++++++++++++++++++++++++++++++++++--------- 3 files changed, 60 insertions(+), 40 deletions(-) diff --git a/RELEASE.md b/RELEASE.md index 6c6c95f69..8034a178c 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -10,40 +10,12 @@ 3. Update the version 1. Update the constant in `lib/octokit/version.rb` 2. Commit the version change and push directly to master -4. Run the "File integrity check" -5. Run the `script/release` script to cut a release +4. (Optional) Run `script/release` with no parameters to execute a dry run of a release +5. Run the `script/release -r` script to cut a release (this will run `script/validate` to perform the permission check) 6. Draft a new release at https://github.com/octokit/octokit.rb/releases/new containing the curated changelog ---- -## File integrity check - -(Given octokit.rb is currently shipped "manually") - -Because different environments behave differently, it is recommended that the integrity and file permissions of the files packed in the gem are verified. This is to help prevent things like releasing world writeable files in the gem. As we get things a little more automated, this will become unnecessary. - -Until then, it is recommended that if you are preparing a release you run the following prior to releasing the gem: - -From the root of octokit.rb - -``` -> gem build *.gemspec -``` - -Use the version from the build in the next commands - -``` -> tar -x -f octokit-#.##.#.gem -> tar -t -v --numeric-owner -f data.tar.gz |head -n 10 -``` - -The files in the output should have the following permessions set: -`-rw-r--r--` - -(optional) Once verified, you can run `git clean -dfx` to clean things up before packing - ----- - ## Prerequisites In order to create a release, you will need to be an owner of the octokit gem on Rubygems. diff --git a/script/package b/script/package index 926f4891b..7a9b50c6c 100755 --- a/script/package +++ b/script/package @@ -4,4 +4,15 @@ mkdir -p pkg gem build *.gemspec -mv *.gem pkg + +./script/validate || rm *.gem + +echo "*** Packing and moving the octokit gem ***" +if [ -f *.gem ]; then + mv *.gem pkg + echo -e '☑ success' +else + echo -e '☒ failure' + exit 1 +fi + diff --git a/script/release b/script/release index 6dcd8cb3f..b6421f9eb 100755 --- a/script/release +++ b/script/release @@ -5,12 +5,49 @@ set -e -version="$(script/package | grep Version: | awk '{print $2}')" -[ -n "$version" ] || exit 1 - -echo $version -git commit --allow-empty -a -m "Release $version" -git tag "v$version" -git push origin -git push origin "v$version" -gem push pkg/*-${version}.gem +usage() { + echo "Usage: $0 [-r] Tags and releases/publishes octokit" 1>&2; exit 1; +} + +while [ $# -gt 0 ] +do + case $1 in + '-r') + r=true + ;; + '-h') + usage + ;; + *) + echo "No valid parameter passed in, performing a dry run..."; + ;; + esac + shift +done + +if [ -z "${r}" ]; then + ./script/package + echo "*** Dry run: octokit was not tagged or released ***" + echo -e '☑ success' +else + + # We execite the script separately to get logging and proper exit conditions + ./script/package + + # We need to pull the version from the actual file that is about to be published + file=$(ls pkg/*.gem| head -1) + version=$(echo $file | sed -e 's/.*octokit-\(.*\).gem.*/\1/') + + [ -n "$version" ] || exit 1 + + echo "*** Tagging and publishing $version of octokit ***" + + git commit --allow-empty -a -m "Release $version" + git tag "v$version" + git push origin + git push origin "v$version" + gem push pkg/*-${version}.gem + echo -e '☑ success' +fi + + From 121fafcb4fb68a2dde6665f2cf44f2bb695e3df1 Mon Sep 17 00:00:00 2001 From: Nick Floyd Date: Tue, 14 Jun 2022 15:52:53 -0500 Subject: [PATCH 4/4] adds the validator script --- script/validate | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100755 script/validate diff --git a/script/validate b/script/validate new file mode 100755 index 000000000..4bec0edb4 --- /dev/null +++ b/script/validate @@ -0,0 +1,44 @@ +#!/usr/bin/env bash +# Usage: script/gem +# Validates the packed gem to determine if file permissions are correct. + +<<'###SCRIPT_COMMENT' +Purpose: +(Given octokit.rb is currently shipped "manually") + +Because different environments behave differently, it is recommended that the integrity and file permissions of the files packed in the gem are verified. +This is to help prevent things like releasing world writeable files in the gem. The simple check below looks at each file contained in the packed gem and +verifies that the files are only owner writeable. + +Requirements: +This script expects that script/package, script/release or 'gem build *.gemspec' have been run + +###SCRIPT_COMMENT + + +FILE=$(ls *.gem| head -1) + +echo "*** Validating file permissions in the octokit gem ***" + +if [ ! -f "$FILE" ]; then + echo "$FILE does not exist. Please run script/package, script/release or 'gem build *.gemspec' to generate the gem to be validated" + echo -e '☒ failure' + exit 1 +fi + +tar -xf "${FILE}" + +# naive check to quickly see if any files in the gem are set to the wrong permissions +for f in $(tar --numeric-owner -tvf data.tar.gz ) +do + if [ $f == "-rw-rw-rw-" ]; then + echo "World writeable files (-rw-rw-rw- | 666) detected in the gem. Please repack and make sure that all files in the gem are owner read write ( -rw-r--r-- | 644 )" + echo -e '☒ failure' + rm -f checksums.yaml.gz data.tar.gz metadata.gz + exit 1 + fi +done + +# Check clean up +echo -e '☑ success' +rm -f checksums.yaml.gz data.tar.gz metadata.gz \ No newline at end of file