From fbb5b0c8d473e5ac4dab097a2e3b6ba9d3ac66be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Nison?= Date: Tue, 10 Sep 2024 19:10:27 +0200 Subject: [PATCH 1/5] Implements signed releases --- scripts/release/01-release-tags.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/scripts/release/01-release-tags.sh b/scripts/release/01-release-tags.sh index 3274a78ece5f..3418df2601be 100755 --- a/scripts/release/01-release-tags.sh +++ b/scripts/release/01-release-tags.sh @@ -12,7 +12,6 @@ fi export BABEL_CACHE_PATH=$(mktemp -d)/cache.json mkdir -p "$(dirname "$BABEL_CACHE_PATH")" - CURRENT_COMMIT=$(git rev-parse HEAD) PRERELEASE=0 @@ -68,6 +67,15 @@ yarn workspaces foreach \ --verbose --all --topological --no-private "${UPDATE_ARGUMENTS[@]}" \ run update-local +# Generate the signature +openssl dgst -sha1 -sign /tmp/yarn.key \ + -out "$REPO_DIR"/packages/berry-cli/bin/berry.js.sign \ + "$REPO_DIR"/packages/berry-cli/bin/berry.js + +# Let's also copy the public key +cp /tmp/yarn.pem \ + "$REPO_DIR"/packages/berry-cli/bin/berry.pem + # The v1 still uses the "berry.js" file path when using "policies set-version" cp "$REPO_DIR"/packages/yarnpkg-cli/bin/yarn.js \ "$REPO_DIR"/packages/berry-cli/bin/berry.js From 4a71d75fc033b8429cdaeb5cd553af8e2d9a874b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Nison?= Date: Tue, 10 Sep 2024 19:11:05 +0200 Subject: [PATCH 2/5] Update 01-release-tags.sh --- scripts/release/01-release-tags.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/release/01-release-tags.sh b/scripts/release/01-release-tags.sh index 3418df2601be..b22ee6263744 100755 --- a/scripts/release/01-release-tags.sh +++ b/scripts/release/01-release-tags.sh @@ -12,6 +12,7 @@ fi export BABEL_CACHE_PATH=$(mktemp -d)/cache.json mkdir -p "$(dirname "$BABEL_CACHE_PATH")" + CURRENT_COMMIT=$(git rev-parse HEAD) PRERELEASE=0 From 8b28e2a92c1c6838ddd4a0bfbb782415109845f7 Mon Sep 17 00:00:00 2001 
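Review bot: In PATCH 1/5, hunk `@@ -68,6 +67,15 @@` of scripts/release/01-release-tags.sh, the signature is computed over `berry.js` before the following context lines overwrite that file with `yarnpkg-cli/bin/yarn.js`, so `berry.js.sign` appears to cover the previous contents rather than the bundle being released. Moving the `cp "$REPO_DIR"/packages/yarnpkg-cli/bin/yarn.js ...` block above the `openssl dgst -sign` call would make the signed bytes and the shipped bytes the same. The same ordering carries into the `@@ -69,11 +69,16 @@` hunk of PATCH 4/5, where the added `-verify` reads the same pre-copy file and so would pass either way. This assumes `update-local` has not already refreshed `berry.js`, which is not visible in the hunk.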
From: =?UTF-8?q?Ma=C3=ABl=20Nison?= Date: Tue, 10 Sep 2024 19:20:29 +0200 Subject: [PATCH 3/5] Pulls secrets for the release --- .github/workflows/release-branch.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 1454a167a260..7e5a1743ac09 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -44,6 +44,11 @@ jobs: echo "yarnPath: '$TMPBIN/yarn.js'" >> .yarnrc.yml git update-index --skip-worktree -- .yarnrc.yml + - name: 'Store the secrets' + run: | + printf "${{secrets.SIGN_PRIVATE_KEY}}" > /tmp/yarn.key + printf "${{secrets.SIGN_PUBLIC_KEY}}" > /tmp/yarn.pem + - name: 'Generate the release commits' run: | git config user.name "Yarn Bot" From fff413ca8213ea10db6e42ea58a79678fa178a87 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Nison?= Date: Tue, 10 Sep 2024 19:30:32 +0200 Subject: [PATCH 4/5] wip --- scripts/release/01-release-tags.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/scripts/release/01-release-tags.sh b/scripts/release/01-release-tags.sh index b22ee6263744..43c17a7eeb41 100755 --- a/scripts/release/01-release-tags.sh +++ b/scripts/release/01-release-tags.sh @@ -69,11 +69,16 @@ yarn workspaces foreach \ run update-local # Generate the signature -openssl dgst -sha1 -sign /tmp/yarn.key \ +openssl dgst -sha256 -sign /tmp/yarn.key \ -out "$REPO_DIR"/packages/berry-cli/bin/berry.js.sign \ "$REPO_DIR"/packages/berry-cli/bin/berry.js -# Let's also copy the public key +# Let's be sure the public & private keys are correctly setup +openssl dgst -sha256 -verify /tmp/yarn.pem \ + -signature "$REPO_DIR"/packages/berry-cli/bin/berry.js.sign \ + "$REPO_DIR"/packages/berry-cli/bin/berry.js + +# We can copy the public key into the release folder cp /tmp/yarn.pem \ "$REPO_DIR"/packages/berry-cli/bin/berry.pem From 15a2f9ac82686fa035422fd6dd25acea9296100d Mon Sep 17 00:00:00 2001 
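Review bot: In PATCH 3/5, the `Store the secrets` step expands `${{secrets.SIGN_PRIVATE_KEY}}` straight into the script text and uses it as the `printf` format string, so any `%`, backslash, `"`, `$` or backtick in the key material is interpreted by printf or the shell instead of being written verbatim. The private key is also created at a fixed path in `/tmp` with the default umask, and nothing in the hunk removes it once signing is done. Passing both values through `env:` and writing them with `printf '%s\n'` under `umask 077` addresses the first two points; if the secret is stored with literal `\n` escapes, `'%b\n'` keeps the current expansion. The paths are kept as they are because 01-release-tags.sh reads `/tmp/yarn.key` and `/tmp/yarn.pem`.

```yaml
      - name: 'Store the secrets'
        env:
          SIGN_PRIVATE_KEY: ${{secrets.SIGN_PRIVATE_KEY}}
          SIGN_PUBLIC_KEY: ${{secrets.SIGN_PUBLIC_KEY}}
        run: |
          umask 077
          printf '%s\n' "$SIGN_PRIVATE_KEY" > /tmp/yarn.key
          printf '%s\n' "$SIGN_PUBLIC_KEY" > /tmp/yarn.pem
```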
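Review bot: In PATCH 4/5, the reworded comment above `cp /tmp/yarn.pem ... berry.pem` should say how the published key is meant to be used, because a verifier that takes `berry.pem` from the same folder as `berry.js.sign` gains nothing if both files can be replaced together. Suggested wording: `# Published for reference only; verifiers must check against a copy of the key pinned elsewhere`. How consumers obtain the key is not visible in this series, so this is a documentation request rather than a confirmed gap. The `cp` itself is unchanged context, and the script continues outside the hunk.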
From: =?UTF-8?q?Ma=C3=ABl=20Nison?=
Date: Tue, 10 Sep 2024 19:32:31 +0200
Subject: [PATCH 5/5] versions
---
.yarn/versions/manual-1.yml | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 .yarn/versions/manual-1.yml
diff --git a/.yarn/versions/manual-1.yml b/.yarn/versions/manual-1.yml
new file mode 100644
index 000000000000..f52a2e42c9b6
--- /dev/null
+++ b/.yarn/versions/manual-1.yml
@@ -0,0 +1,2 @@
+releases:
+ "@yarnpkg/cli": patch