Commit graph

15 commits

Author SHA1 Message Date
Abu Talha
21ed19c264 verify_release: PEP 484 compliant annotations
Signed-off-by: Abu Talha <itsabutalha@gmail.com>
2022-11-21 06:41:17 +00:00
Joshua Lock
4c8e965169 verify_release: do a deep comparison of the files
dircmp[1] does a shallow[2] comparison of files, that is, only the file
type, size and modification time are compared -- not the file size or
contents. Therefore, switch to using cmp with the shallow option set to
False to perform a full comparison of the local files and retrieved files.

1. https://docs.python.org/3/library/filecmp.html?filecmp.dircmp#filecmp.dircmp
2. https://docs.python.org/3/library/filecmp.html?filecmp.dircmp#filecmp.cmp

Signed-off-by: Joshua Lock <jlock@vmware.com>
2022-09-29 20:47:21 +01:00
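An added illustration of the shallow-versus-deep distinction the commit above describes (example code, not part of the tuf project): two constructed artifact files of identical size and modification time but different contents are compared with `dircmp`, `filecmp.cmp(shallow=True)` and `filecmp.cmp(shallow=False)`. File names and contents are made up for the demonstration.

```python
"""Shallow vs deep file comparison with filecmp (added example)."""
import filecmp
import os
import tempfile
from pathlib import Path

# Constructed artifact name; not a real release file.
ARTIFACT = "tuf-0.0.0-example.tar.gz"


def make_pair(root: Path) -> tuple[Path, Path]:
    """Create two same-size files with identical mtime but different bytes.

    Constructed sample data: the files differ in a single byte, which is
    exactly the kind of change a shallow (stat-based) comparison misses.
    """
    local = root / "local" / ARTIFACT
    remote = root / "remote" / ARTIFACT
    local.parent.mkdir(parents=True)
    remote.parent.mkdir(parents=True)
    local.write_bytes(b"release-artifact-bytes-A")
    remote.write_bytes(b"release-artifact-bytes-B")
    # Force identical atime/mtime so the os.stat() signature matches.
    stamp = 1_650_000_000
    os.utime(local, (stamp, stamp))
    os.utime(remote, (stamp, stamp))
    return local, remote


def compare(local: Path, remote: Path) -> dict[str, bool]:
    """Return the verdict of dircmp, a shallow cmp and a deep cmp."""
    filecmp.clear_cache()  # filecmp memoises results per stat signature
    reported_same = ARTIFACT in filecmp.dircmp(
        str(local.parent), str(remote.parent)
    ).same_files
    return {
        "dircmp_reports_same": reported_same,                  # True
        "shallow": filecmp.cmp(local, remote, shallow=True),   # True
        "deep": filecmp.cmp(local, remote, shallow=False),     # False
    }


def demo() -> dict[str, bool]:
    """Build the pair in a temp dir and compare it."""
    with tempfile.TemporaryDirectory() as tmp:
        local, remote = make_pair(Path(tmp))
        return compare(local, remote)


if __name__ == "__main__":
    print(demo())
```

Only the deep comparison notices that the retrieved artifact does not match the local build, which is the property a release verification script needs.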
Lukas Puehringer
7b9cf4ac8e verify_release: add constant 5s HTTP timeout
Add a 5 second HTTP timeout constant and use it for requests to
GitHub. Setting a timeout is recommended by the requests docs and flagged
by the latest pylint:
```
W3101: Missing timeout argument for method 'requests.get' can cause
your program to hang indefinitely (missing-timeout)
```
https://requests.readthedocs.io/en/latest/user/quickstart/#timeouts

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-08-30 09:06:17 +02:00
Jussi Kukkonen
96232d2db0 verify_release: Tweak pip download
It seems --no-deps does not work as it used to (and actually installs
all build dependencies). This is very bad because verify_release also
uses "--no-binary :all:" leading to actually _building_ all build
dependencies from source.

Use "--no-binary tuf" instead: build dependencies will still be
installed (into a working environment) but at least they won't be built
from source.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-27 17:54:36 +03:00
Lukas Pühringer
a3d5a37e43 build: minor style/wording fixes in verify_release
Co-authored-by: Joshua Lock <jlock@vmware.com>
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-27 13:09:48 +02:00
Lukas Puehringer
e56ff07b1a build: add 'gpg sign' option to verify_release
Add an option to sign locally built release artifacts with gpg,
if they match the artifacts downloaded from GitHub and PyPI.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-27 12:47:15 +02:00
Lukas Puehringer
e7544bfbe7 build: fix success message in verify_release
Prior to #1946 the verify_release script was successful if both PyPI
and GitHub release artifacts matched the local build.

Now, if the `--skip-pypi` option is provided, the script can also
be successful if only the GitHub release artifacts match the local
build.

This commit splits the final success message into two separate
success messages, one for PyPI and one for GitHub.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-27 12:34:07 +02:00
Lukas Pühringer
72424a958b
Merge pull request #1946 from lukpueh/auto-release
Add GH workflow to build and release on GH and PyPI
2022-04-21 13:03:25 +02:00
Jussi Kukkonen
62580abf9c verify_release: Build from git sources only
Make a new (local) git clone to build from. This ensures uncommitted
files do not affect the build.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-08 16:54:02 +03:00
Lukas Puehringer
4f275ad636 build: add skip-pypi flag to verify_release script
Add '--skip-pypi' flag to 'verify_release' script to allow for
pre-release checks, when the automatic build job has uploaded the
build assets to GitHub and is awaiting review/approval in order to
upload it to PyPI eventually.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-07 12:16:00 +02:00
Lukas Puehringer
a76ed28c02 build: lint 'verify_release' with tox
Enable tox to lint 'verify_release' script and fix:
- whitespace
- unused import (we only import here to see if the module is
  available for use in a subprocess)
- unfound import (same as unused import)

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-07 12:16:00 +02:00
Jussi Kukkonen
bf878ceaa6 verify_release: Warn about missing requirements
This is mostly useful for the build module as it's not imported otherwise:
we explicitly call "python -m build" so everything works like in a
real release build.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-25 11:50:15 +02:00
Jussi Kukkonen
6819d4174a verify_release: Be specific about expected artifacts
Use a hard-coded list of artifacts that we expect to find in a
release. Specifically check that each of those files matches
the corresponding file in the locally built release.

Also add two missing annotations.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-24 14:39:59 +02:00
Jussi Kukkonen
65d6503e63 verify_release: Be explicit about PyPI version
We are interested in what pip thinks is the current tuf version: make
that explicit in method naming and comments.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-23 15:22:27 +02:00
Jussi Kukkonen
53bacdf7e3 build: Add verify-release script
verify-release
* Builds a release from current commit
* Notifies if git describe does not match built version
* Notifies if built version is not the latest GitHub or PyPI version
* Asserts that the GitHub and PyPI release artifacts match the built
  release artifacts

This should be useful after release as any developer (or a CI job) can
easily verify that the release matches the sources in git.

Note that the last checks currently fail as the 1.0 build was not
reproducible. They should succeed after next release.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-22 14:47:17 +02:00