QA and release for 0.8.1 #1038

Open
72 of 76 tasks
almet opened this issue Dec 23, 2024 · 0 comments

Release instructions

  • Create a new issue named QA and Release for version <VERSION>, to track the general progress.
  • Add new Linux platforms and remove obsolete ones -- (NOT NEEDED)
  • Bump the Python dependencies using poetry lock
  • Update version in pyproject.toml
  • Update share/version.txt
  • Update the "Version" field in install/linux/dangerzone.spec
  • Bump the Debian version by adding a new changelog entry in debian/changelog
  • Update screenshot in README.md, if necessary
  • CHANGELOG.md should be updated to include a list of all major changes since the last release
  • A draft release should be created. Copy the release notes text from the template at docs/templates/release-notes
  • Do the QA tasks

QA

  • Make sure that the tip of the 0.8.1 branch passes the CI tests.
  • Make sure that the Apple account has a valid application password and has
    agreed to the latest Apple terms (see macOS release section).
  • Create a test build in Windows and make sure it works:
    • Check if the suggested Python version is still supported.
    • Create a new development environment with Poetry.
    • Build the container image and ensure the development environment uses
      the new image.
    • Run the Dangerzone tests.
    • Build and run the Dangerzone .exe
    • Test some QA scenarios (see Scenarios below).
  • Create a test build in macOS (Intel CPU) and make sure it works:
    • Check if the suggested Python version is still supported.
    • Create a new development environment with Poetry.
    • Build the container image and ensure the development environment uses
      the new image.
    • Run the Dangerzone tests.
    • Create and run an app bundle.
    • Test some QA scenarios (see Scenarios below).
  • Create a test build in macOS (M1/2 CPU) and make sure it works:
    • Check if the suggested Python version is still supported.
    • Create a new development environment with Poetry.
    • Build the container image and ensure the development environment uses
      the new image.
    • Run the Dangerzone tests.
    • Create and run an app bundle.
    • Test some QA scenarios (see Scenarios below).
  • Create a test build in the most recent Ubuntu LTS platform (Ubuntu 24.04
    as of writing this) and make sure it works:
    • Create a new development environment with Poetry.
    • Build the container image and ensure the development environment uses
      the new image.
    • Run the Dangerzone tests.
    • Create a .deb package and install it system-wide.
    • Test some QA scenarios (see Scenarios below).
  • Create a test build in the most recent Fedora platform (Fedora 41 as of
    writing this) and make sure it works:
    • Create a new development environment with Poetry.
    • Build the container image and ensure the development environment uses
      the new image.
    • Run the Dangerzone tests.
    • Create an .rpm package and install it system-wide.
    • Test some QA scenarios (see Scenarios below).

Not doing Qubes QA, as it's not impacted.

Release

  • Create a PGP-signed git tag for the version, e.g., for dangerzone v0.1.0:

    git tag -s v0.1.0
    git push origin v0.1.0
    

    Note: release candidates are suffixed by -rcX.

macOS Release

Releasing and Signing

  • Verify and install the latest supported Python version from python.org
    (do not use the one from brew as it is known to cause issues)
    • In case of a new Python installation or minor version upgrade, e.g., from
      3.11 to 3.12, reinstall Poetry with python3 -m pip install poetry
    • You can verify the correct Python version is used with poetry debug info
  • Verify and checkout the git tag for this release
  • Run poetry install --sync
  • On the silicon mac, build the container image:

    python3 ./install/common/build-image.py

    and copy the share/container.tar.gz to the assets folder on dangerzone-$VERSION-arm64.tar.gz, along with the share/image-id.txt file.

Copy the container image to the assets folder on dangerzone-$VERSION-i686.tar.gz.

  • Run poetry run ./install/macos/build-app.py; this will make dist/Dangerzone.app
  • Make sure that the built application works with the containerd graph
    driver (see #933)
  • Run poetry run ./install/macos/build-app.py --only-codesign; this will make dist/Dangerzone.dmg
    • You need to run this command as the account that has access to the code signing certificate
    • You must run this command from the macOS UI, from a terminal application.
  • Notarize it: xcrun notarytool submit --wait --apple-id "<email>" --keychain-profile "dz-notarytool-release-key" dist/Dangerzone.dmg
    • You need to change the <email> in the above command with the email
      associated with the Apple Developer ID.
    • This command assumes that you have created, and stored in the Keychain, an
      application password associated with your Apple Developer ID, which will be
      used specifically for notarytool.
  • Wait for it to get approved:
    • If it gets rejected, you should be able to see why with the same command
      (or use the log option for a more verbose JSON output)
    • You will also receive an update in your email.
  • After it's approved, staple the ticket: xcrun stapler staple dist/Dangerzone.dmg

I had to do it again for the mac m1 machine, as the first iteration of the produced .dmg didn't include the pymupdf binaries, and as a result, the produced .dmg and .app were not working.

Windows Release

Releasing and Signing

  • Verify and checkout the git tag for this release
  • Run poetry install --sync
  • Copy the container image into the VM

    Important: Instead of running python .\install\windows\build-image.py in the VM, run the build image script on the host (making sure to build for linux/amd64). Copy share/container.tar.gz and share/image-id.txt from the host into the share folder in the VM.
    Also, don't forget to add the supplementary image ID (see #933) in share/image-id.txt.

  • Run poetry run .\install\windows\build-app.bat
  • When you're done you will have dist\Dangerzone.msi

Rename Dangerzone.msi to Dangerzone-$VERSION.msi.

Linux release

  • Debian / Ubuntu
  • Fedora
  • Qubes

Publishing the Release

  • Create an archive of the Dangerzone source in tar.gz format:

    • You can use the following command:

      export DZ_VERSION=$(cat share/version.txt)
      git archive --format=tar.gz -o dangerzone-${DZ_VERSION:?}.tar.gz --prefix=dangerzone/ v${DZ_VERSION:?}
      
  • Run container scan on the produced container images (some time may have passed since the artifacts were built)

    gunzip --keep -c ./share/container.tar.gz > /tmp/container.tar
    docker pull anchore/grype:latest
    docker run --rm -v /tmp/container.tar:/container.tar anchore/grype:latest /container.tar
    
  • Collect the assets in a single directory, calculate their SHA-256 hashes, and sign them.

    • You can use ./dev_scripts/sign-assets.py, if you want to automate this
      task.
  • Create a new draft release on GitHub and upload the macOS and Windows installers.

    • Copy the release notes text from the template at docs/templates/release-notes
    • You can use ./dev_scripts/upload-asset.py, if you want to upload an asset
      using an access token.
  • Upload the container-$VERSION-i686.tar.gz and container-$VERSION-arm64.tar.gz images that were created in the previous step

    Important: Make sure that it's the same container image as the ones that
    are shipped in other platforms (see our Pre-release section)

  • Upload the detached signatures (.asc) and checksum file.

  • Update the Dangerzone website to link to the new installers.

  • Update the brew cask release of Dangerzone with a PR like this one

  • Update version and download links in README.md

Post-release

  • Toot release announcement on our mastodon account @[email protected]
  • Extend the check_repos.yml CI test for the newly added platforms
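
A manual equivalent of the "calculate their SHA-256 hashes, and sign them" step under Publishing the Release, with a check to re-run before upload. This is an added example, not the project's ./dev_scripts/sign-assets.py; the checksums.txt name, the function names and the signing key argument are assumptions.

```shell
#!/bin/sh
# Added example. checksums.txt, the function names and the key argument
# are assumptions, not names taken from the Dangerzone repository.

# Record a SHA-256 line for every asset (skips signatures and the list itself).
write_checksums() {
    (
        cd "$1" || exit 1
        : > checksums.txt.tmp
        for f in *; do
            [ -f "$f" ] || continue
            case "$f" in checksums.txt|checksums.txt.tmp|*.asc) continue ;; esac
            sha256sum -- "$f" >> checksums.txt.tmp || exit 1
        done
        mv checksums.txt.tmp checksums.txt
    )
}

# Pre-upload gate: fails if a listed asset changed or is missing, or if an
# asset in the directory is not listed at all.
verify_checksums() {
    (
        cd "$1" || exit 1
        sha256sum -c checksums.txt >/dev/null 2>&1 || exit 1
        for f in *; do
            [ -f "$f" ] || continue
            case "$f" in checksums.txt|*.asc) continue ;; esac
            awk -v name="$f" '{ sub(/^[0-9a-f]+  /, "") }
                $0 == name { found = 1 } END { exit !found }' checksums.txt || exit 1
        done
    )
}

# Detached, ASCII-armored signature (<file>.asc) for each asset and for the
# checksum file; signing the checksum file too is this example's choice.
sign_assets() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.asc) continue ;; esac
        gpg --batch --yes --local-user "$2" --armor --detach-sign "$f" || return 1
    done
}
```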