Sign .js release files in addition to .tar.gz files

References yarnpkg/yarn#2728 References nodejs/docker-node#243
Daniel15 · Feb 21, 2017 · 82ab6b8 · 82ab6b8
1 parent 3127db8
commit 82ab6b8
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 30 deletions.
diff --git a/nightly/api/sign_releases.php b/nightly/api/sign_releases.php
@@ -25,38 +25,40 @@
   Config::REPO_NAME
 );
 
-$releases_to_sign = [];
+$files_to_sign = [];
 $promises = [];
 foreach ($releases as $release) {
-  $tarball = null;
-  $has_sig = false;
+  $files_in_release = [];
+  $signed_files = [];
+
   foreach ($release->assets as $asset) {
-    if (Str::endsWith($asset->name, '.tar.gz')) {
-      $tarball = $asset;
-    } else if (Str::endsWith($asset->name, '.tar.gz.asc')) {
-      $has_sig = true;
-      break;
+    if (preg_match(Config::SIGN_FILE_TYPES, $asset->name)) {
+      $files_in_release[] = $asset;
+    } else if (Str::endsWith($asset->name, '.asc')) {
+      $signed_files[str_replace('.asc', '', $asset->name)] = true;
     }
   }
-  if ($has_sig || !$tarball) {
-    // This release's tarball already has a signature, skip it
-    continue;
-  }
 
-  $download_path = tempnam(sys_get_temp_dir(), '');
-  $download_handle = fopen($download_path, 'w');
-  $releases_to_sign[] = [
-    'tarball' => $tarball,
-    'download_handle' => $download_handle,
-    'download_path' => $download_path,
-    'release' => $release,
-  ];
-  $promises[] = $client->getAsync($tarball->browser_download_url, [
-    'sink' => $download_handle,
-  ]);
+  foreach ($files_in_release as $asset) {
+    if (array_key_exists($asset->name, $signed_files)) {
+      // File is already signed
+      continue;
+    }
+    $download_path = tempnam(sys_get_temp_dir(), '');
+    $download_handle = fopen($download_path, 'w');
+    $files_to_sign[] = [
+      'asset' => $asset,
+      'download_handle' => $download_handle,
+      'download_path' => $download_path,
+      'release' => $release,
+    ];
+    $promises[] = $client->getAsync($asset->browser_download_url, [
+      'sink' => $download_handle,
+    ]);
+  }
 }
 
-if (count($releases_to_sign) === 0) {
+if (count($files_to_sign) === 0) {
   api_response('All releases have already been signed!');
 }
 
@@ -66,13 +68,13 @@
 $output = "Signed:\n";
 $promises = [];
 $uri = new \Rize\UriTemplate\UriTemplate();
-foreach ($releases_to_sign as $release) {
-  $signature = GPG::sign($release['download_path'], Config::GPG_RELEASE);
-  unlink($release['download_path']);
+foreach ($files_to_sign as $file) {
+  $signature = GPG::sign($file['download_path'], Config::GPG_RELEASE);
+  unlink($file['download_path']);
 
   $upload_url = $uri->expand(
-    $release['release']->upload_url,
-    ['name' => $release['tarball']->name.'.asc']
+    $file['release']->upload_url,
+    ['name' => $file['asset']->name.'.asc']
   );
   $promises[] = $client->postAsync($upload_url, [
     'body' => $signature,
@@ -81,7 +83,7 @@
       'Content-Type' => 'application/pgp-signature',
     ],
   ]);
-  $output .= $release['release']->tag_name.': '.$release['tarball']->name."\n";
+  $output .= $file['release']->tag_name.': '.$file['asset']->name."\n";
 }
 
 // Upload all the signature files in parallel

diff --git a/nightly/lib/config.php b/nightly/lib/config.php
@@ -7,7 +7,11 @@ class Config {
   const BRANCH = 'master';
   const RELEASE_TAG_FORMAT = '/v[0-9]+(\.[0-9]+)*/';
 
+  // Auth token for sign_releases endpoint
   const SIGN_AUTH_TOKEN = 'CHANGEME';
+  // File types that should be GPG signed as part of GitHub releases
+  const SIGN_FILE_TYPES = '/\.(tar\.gz|js)$/';
+
   const GITHUB_TOKEN = 'CHANGEME';
   const CIRCLECI_TOKEN = 'CHANGEME';