Split publishing of metadata from 4-make-release

hulthe · hulthe · commit a7d91a1251f2 · 2025-03-14T15:53:43.000+01:00
diff --git a/desktop/scripts/release/4-make-release b/desktop/scripts/release/4-make-release
@@ -2,21 +2,16 @@
 
 # This script downloads the build artifacts along with the signatures, verifies the signatures and
 # creates a GitHub draft release. This should be run after `3-verify-build`.
-# This will also publish new version metadata
 
 set -eu
 
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 cd "$SCRIPT_DIR"
 
-if [ $# -lt 3 ]; then
+if [ $# -ne 1 ]; then
     echo "Please provide the following arguments:"
     echo "    $(basename "$0") \\"
-    echo "        <product version> \\"
-    echo "        <build server SSH destination> \\"
-    echo "        <metadata server SSH destination>"
-    echo ""
-    echo "Note that the metadata server SSH destination is part of the rsync command executed on the build server and will be checked against the SSH config of build@\$buildserver_host."
+    echo "        <product version>"
     exit 1
 fi
 
@@ -31,80 +26,13 @@ if ! gh auth status > /dev/null; then
 fi
 
 PRODUCT_VERSION=$1
-BUILDSERVER_HOST=$2
-CDN_HOST=$3
 
 ARTIFACT_DIR="./artifacts"
 URL_BASE="https://releases.mullvad.net/desktop/releases"
 
 rm -rf $ARTIFACT_DIR
 mkdir -p $ARTIFACT_DIR
 
-function download_and_verify {
-    # Find GnuPG command to use. Prefer gpg2
-    gpg_cmd=$(command -v gpg2 || command -v gpg)
-
-    for ext in .exe _arm64.exe _x64.exe _amd64.deb _arm64.deb _x86_64.rpm _aarch64.rpm .pkg; do
-        pkg_filename="MullvadVPN-${PRODUCT_VERSION}${ext}"
-        pkg_path="$ARTIFACT_DIR/$pkg_filename"
-        url="$URL_BASE/$PRODUCT_VERSION/$pkg_filename"
-        echo ">>> Downloading $pkg_filename - $url"
-        curl -o "$pkg_path" --progress-bar --fail "$url"
-        curl -o "$pkg_path.asc" --progress-bar --fail "$url.asc"
-
-        echo ""
-        echo ">>> Verifying integrity of $pkg_filename"
-        if ! $gpg_cmd --verify "$pkg_path.asc" "$pkg_path"; then
-            echo ""
-            echo "!!! INTEGRITY CHECKING FAILED !!!"
-            rm "$pkg_path" "$pkg_path.asc"
-            exit 1
-        fi
-        echo ""
-        echo "GOOD SIGNATURE FOR $pkg_filename"
-        echo ""
-    done
-}
-
-function publish_metadata {
-    local platforms
-    platforms=(windows macos linux)
-    local signed_dir="signed/"
-
-    rm -rf currently_published/
-
-    echo ">>> Fetching current version metadata"
-    meta pull --assume-yes "${platforms[@]}"
-    echo ""
-
-    echo ">>> Backing up released data"
-    cp -r $signed_dir currently_published/
-    echo ""
-
-    echo ">>> Replacing work/ directory with latest published data"
-    cp -rf signed/ work/
-    echo ""
-
-    echo ">>> Adding new release $$PRODUCT_VERSION (rollout = 1)"
-    meta add-release "$PRODUCT_VERSION" "${platforms[@]}"
-    echo ""
-
-    echo ">>> Signing $PRODUCT_VERSION metadata"
-    meta sign "${platforms[@]}"
-    echo ""
-
-    echo ">>> Verifying signed metadata"
-    meta verify "${platforms[@]}"
-    echo ""
-
-    echo ">>> New metadata including $$PRODUCT_VERSION"
-    git --no-pager diff --no-index -- currently_published/ $signed_dir || true
-    echo ""
-
-    read -rp "Press enter to upload if the diff looks good "
-    ./publish-metadata-to-api $signed_dir "$BUILDSERVER_HOST" "$CDN_HOST"
-}
-
 function publish_release {
     echo ">>> Downloading changelog"
     local changelog_path
@@ -158,7 +86,5 @@ function publish_release {
     echo "The above URL contains the text \"untagged\", but don't worry it is tagged properly and everything will look correct once it's published."
 }
 
-download_and_verify
-# TODO: Uncomment before releasing installer downloader
-# publish_metadata
+./download-release-artifacts "$PRODUCT_VERSION"
 publish_release
diff --git a/desktop/scripts/release/5-update-and-publish-metadata b/desktop/scripts/release/5-update-and-publish-metadata
@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+
+# This script downloads the build artifacts along with the signatures, verifies the signatures and
+# publishes new version metadata to Mullvads API. This should be run after `4-make-release`.
+
+set -eu
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+cd "$SCRIPT_DIR"
+
+if [ $# -ne 3 ]; then
+    echo "Please provide the following arguments:"
+    echo "    $(basename "$0") \\"
+    echo "        <product version> \\"
+    echo "        <build server SSH destination> \\"
+    echo "        <metadata server SSH destination>"
+    echo ""
+    echo "Note that the metadata server SSH destination is part of the rsync command executed on the build server and will be checked against the SSH config of build@\$buildserver_host."
+    exit 1
+fi
+
+# Duplicated from /scripts/utils/gh-ready-check
+if ! command -v gh > /dev/null; then
+    echo "gh (GitHub CLI) is required to run this script"
+    exit 1
+fi
+if ! gh auth status > /dev/null; then
+    echo "Authentication through gh (GitHub CLI) is required to run this script"
+    exit 1
+fi
+
+PRODUCT_VERSION=$1
+BUILDSERVER_HOST=$2
+METADATA_SERVER_HOST=$3
+
+ARTIFACT_DIR="./artifacts"
+
+function publish_metadata {
+    local platforms
+    platforms=(windows macos linux)
+    local signed_dir="signed/"
+
+    rm -rf currently_published/
+
+    echo ">>> Fetching current version metadata"
+    meta pull --assume-yes "${platforms[@]}"
+    echo ""
+
+    echo ">>> Backing up released data"
+    cp -r $signed_dir currently_published/
+    echo ""
+
+    echo ">>> Replacing work/ directory with latest published data"
+    cp -rf signed/ work/
+    echo ""
+
+    # TODO: is the double-$$ intended?
+    # TODO: consider passing ARTIFACT_DIR as an argument
+    echo ">>> Adding new release $$PRODUCT_VERSION (rollout = 1)"
+    meta add-release "$PRODUCT_VERSION" "${platforms[@]}" 1
+    echo ""
+
+    echo ">>> Signing $PRODUCT_VERSION metadata"
+    meta sign "${platforms[@]}"
+    echo ""
+
+    echo ">>> Verifying signed metadata"
+    meta verify "${platforms[@]}"
+    echo ""
+
+    echo ">>> New metadata including $$PRODUCT_VERSION"
+    git --no-pager diff --no-index -- currently_published/ $signed_dir || true
+    echo ""
+
+    read -rp "Press enter to upload if the diff looks good "
+    ./publish-metadata-to-api $signed_dir "$BUILDSERVER_HOST" "$METADATA_SERVER_HOST"
+}
+
+function remove-release-artifacts {
+    echo ">>> Cleaning up $ARTIFACT_DIR"
+    rm -r "$ARTIFACT_DIR"
+}
+
+./download-release-artifacts "$PRODUCT_VERSION"
+publish_metadata
+remove-release-artifacts
diff --git a/desktop/scripts/release/download-release-artifacts b/desktop/scripts/release/download-release-artifacts
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+# This script downloads the build artifacts along with the signatures, and verifies them.
+
+set -eu
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+cd "$SCRIPT_DIR"
+
+if [ $# -ne 1 ]; then
+    echo "Please provide the following arguments:"
+    echo "    $(basename "$0") \\"
+    echo "        <product version>"
+    exit 1
+fi
+
+PRODUCT_VERSION=$1
+
+ARTIFACT_DIR="./artifacts"
+URL_BASE="https://releases.mullvad.net/desktop/releases"
+
+mkdir -p $ARTIFACT_DIR
+
+function download_and_verify {
+    # Find GnuPG command to use. Prefer gpg2
+    gpg_cmd=$(command -v gpg2 || command -v gpg)
+
+    for ext in .exe _arm64.exe _x64.exe _amd64.deb _arm64.deb _x86_64.rpm _aarch64.rpm .pkg; do
+        pkg_filename="MullvadVPN-${PRODUCT_VERSION}${ext}"
+        pkg_path="$ARTIFACT_DIR/$pkg_filename"
+        url="$URL_BASE/$PRODUCT_VERSION/$pkg_filename"
+
+        if [ -f "$pkg_path" ]; then
+            echo ">>> Using existing file: $pkg_filename"
+        else
+            echo ">>> Downloading $pkg_filename - $url"
+            curl -o "$pkg_path" --progress-bar --fail "$url"
+        fi
+
+        if [ -f "$pkg_path.asc" ]; then
+            echo ">>> Using existing file: $pkg_filename.asc"
+        else
+            echo ">>> Downloading $pkg_filename.asc - $url.asc"
+            curl -o "$pkg_path.asc" --progress-bar --fail "$url.asc"
+        fi
+
+        echo ""
+        echo ">>> Verifying integrity of $pkg_filename"
+        if ! $gpg_cmd --verify "$pkg_path.asc" "$pkg_path"; then
+            echo ""
+            echo "!!! INTEGRITY CHECKING FAILED !!!"
+            rm "$pkg_path" "$pkg_path.asc"
+            exit 1
+        fi
+        echo ""
+        echo "GOOD SIGNATURE FOR $pkg_filename"
+        echo ""
+    done
+}
+
+download_and_verify
