PHPC-1584: Sign releases #1544
continue-on-error: true | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
build-windows: | ||
name: "Create Windows package" | ||
runs-on: windows-2022 | ||
runs-on: windows-latest |
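Review bot: `runs-on: windows-latest` in the `build-windows` job replaces the pinned `windows-2022` image with a floating label, so the runner image for the job that produces the Windows package can change without any commit to this workflow. If the label has to match the job that populates the build cache, record that in a YAML comment next to `runs-on` and keep both jobs on the same label, so a later change to either one does not silently break cache sharing.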
Using windows-latest is necessary to be able to share the cached build artifacts.
|
||
- name: "Upload artifact" | ||
- name: "Upload artifacts" |
I realize these steps predate the PR, but can you remind me why we use both actions/upload-artifact and gh release upload? The former attaches the package and signature files to the action, while the latter attaches them to a GitHub release. Are both needed?
The only prior art that comes to mind was how we handle Windows DLLs by temporarily storing them on an action (from the build step) and having the release action transfer them to the GitHub release.
Since this workflow is enabled for every tag, I wanted to upload the artifacts to the build as well in case we push a tag manually (e.g. for a pre-release) where there is no draft release yet. In that case, we'd still be able to download the artifacts manually and upload them to the release manually. I'm happy to remove this once we've covered every possible angle of the release process.
Updated the PR to address feedback. Note: successfully releasing will depend on mongodb-labs/drivers-github-tools#3 being merged.
CONTRIBUTING.md | ||
LICENSE | ||
README.md | ||
THIRD_PARTY_NOTICES |
This list of filenames is duplicated in the zip command below. Is it worth trying to use a single variable for these, or would that be difficult given the with.path context here?
In the examples for the upload-artifact action, I didn't see filenames being space separated. Since I wanted to get rid of this artifact upload once we're sure that we've covered all possible releases (including pre-releases), I'm happy to remove this upload, which solves the problem.
PHPC-1584
This PR adds release signing to the previously added automated release process. The following actions are signed using the PHP team's GPG key
For the PECL package, the detached signature is attached as a release artifact. For Windows packages, the detached signature file is contained in the zip archive that also contains the DLL, as we only sign the DLL file. Instructions to verify the integrity of the releases have been added to the readme file.
This PR also fixes a minor issue where the message added to the GitHub release didn't properly show how to install the library using PECL.
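Added example, not code from this PR or from the project's readme: a consumer-side check for the Windows package described above, which extracts the DLL and its detached signature from the zip and accepts the result only when gpg's machine-readable status reports a good signature from a pinned primary key fingerprint. The fingerprint, the file names passed as arguments, and all function names are assumptions.

```shell
#!/bin/sh
# Added example. The fingerprint and file names are placeholders, not project values.
# Constructed value: replace with the full primary fingerprint of the signing key.
EXPECTED_FPR="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"

# Read `gpg --status-fd` lines on stdin. Succeed only when the signature is good
# and the primary key fingerprint reported by VALIDSIG equals $1.
status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        # Treat these as a veto regardless of any VALIDSIG line in the same stream.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # The last VALIDSIG field is the primary key fingerprint (field 3 may be a subkey).
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { pinned = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# Constructed status output for a good signature by the pinned key (not captured from gpg).
sample_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 0000111122223333 Constructed Signer <signer@example.invalid>' \
        "[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2024-04-01 1711929600 0 4 0 1 10 00 $EXPECTED_FPR"
}

# Verify a detached signature. $1 = signed file, $2 = signature file, $3 = fingerprint.
verify_detached() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | status_ok "$3"
}

# Windows package: the zip carries the DLL and its detached signature.
# $1 = zip, $2 = DLL name inside the zip, $3 = signature name inside the zip.
verify_windows_zip() {
    tmp=$(mktemp -d) || return 1
    unzip -q -o "$1" "$2" "$3" -d "$tmp" &&
        verify_detached "$tmp/$2" "$tmp/$3" "$EXPECTED_FPR"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Checking the fingerprint from the status stream, rather than gpg's exit code alone, keeps a valid signature from some other key in the local keyring from passing as a release signature.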