From 938120f05ec45d2f4b4f523cf3772ad0d8165a46 Mon Sep 17 00:00:00 2001 From: Allie Crevier Date: Thu, 2 Jun 2022 15:02:26 -0700 Subject: [PATCH] add more details and reorganize test plan Signed-off-by: Allie Crevier --- .github/pull_request_template.md | 33 ++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 0c40bf0..de2261c 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md 
@@ -1,11 +1,28 @@ -### -Name of package: +## Description +Package being released: `securedrop-workstation-dom0-config x.y.z` +Package tag: https://github.com/freedomofpress/securedrop-workstation/releases/tag/x.y.z +Build logs: https://github.com/freedomofpress/build-logs/commit/1234 +Prod signing key used to sign package and tag: https://github.com/freedomofpress/securedrop-workstation-prod-rpm-packages-lfs/blob/HEAD/pubkeys/prod.key -### Test plan +Release tracking issue: https://github.com/freedomofpress/securedrop-workstation/issues/1234 -- [ ] Tag in securedrop-workstation repository is correct: https://github.com/freedomofpress/securedrop-workstation/releases/tag/x.y.z -- [ ] Build logs are included: https://github.com/freedomofpress/build-logs/commit/1234 -- [ ] CI is passing, the rpm is properly signed with the prod key -- [ ] Manually verify that the rpm is properly signed with the prod key by running `rpm -qi ` and copy pasting the Signature KEY ID into `gpg -k ` -- [ ] Unsigned RPM after running `rpm --delsign` (in Debian Stable) on the signed RPM results in the checksum found in the build logs +## Checklist for PR owner + +- [ ] Links in this PR template have been updated as required +- [ ] https://github.com/freedomofpress/securedrop-workstation-prod-rpm-packages-lfs/blob/HEAD/pubkeys/prod.key points to the correct prod signing key + +### Checklist for reviewer +- [ ] CI is passing +- [ ] The build logs show that the tag is verified and signed with the prod signing key +- [ ] The build logs show that the tag is checked out and used to build the RPM +- [ ] The tag in the build logs is the correct tag: https://github.com/freedomofpress/securedrop-workstation/releases/tag/x.y.z +- [ ] The commits being released are what you expect (see https://github.com/freedomofpress/securedrop-workstation/compare/a.b.c...x.y.z) +- [ ] The build logs show that the RPM is signed with the prod signing key + > * Download the signed RPM from this PR + > * Run `rpm qi ` to 
get the KEY ID + > * Run `gpg -k ` to verify that it matches the prod signing key (make sure you have the prod signing key referenced in the PR description in your GPG keyring) +- [ ] The Unsigned RPM checksum matches what's in the build logs + > * Download the signed RPM from this PR (if you haven't already) + > * Run `rpm --delsign ` to remove the signature + > * Run `sha256sum ` and compare
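Review bot: In the new reviewer checklist, the sub-step "Run `rpm qi ` to get the KEY ID" has lost the dash that the removed line had (`rpm -qi `). It should read `rpm -qi` so that a reviewer copying the command gets the package query with the Signature Key ID, not an error. Three smaller points in the same hunk. The item "The build logs show that the RPM is signed with the prod signing key" is followed by steps that check the downloaded RPM itself with `rpm` and `gpg -k`, so the item would be more accurate as "The RPM is signed with the prod signing key". The removed `rpm --delsign` line specified "(in Debian Stable)" and the new sub-steps drop it. If the unsigned checksum only reproduces in that environment, keep the qualifier next to "Run `rpm --delsign `", otherwise a reviewer may see a mismatch against the build logs that is not a real discrepancy. Finally, "## Checklist for PR owner" and "### Checklist for reviewer" are sibling sections at different heading levels, so use the same level for both.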