python-tuf/docs/RELEASE.md
Jussi Kukkonen 53bacdf7e3 build: Add verify-release script
verify-release
* Builds a release from current commit
* Notifies if git describe does not match built version
* Notifies if built version is not the latest GitHub or PyPI version
* Asserts that the GitHub and PyPI release artifacts match the built
  release artifacts

This should be useful after release as any developer (or a CI job) can
easily verify that the release matches the sources in git.

Note that the last checks currently fail as the 1.0 build was not
reproducible. They should succeed after next release.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-22 14:47:17 +02:00


# Release process

* Ensure you have a backup of all working files and then remove files not tracked by git: `git clean -xdf`. NOTE: this will delete all files in the tuf tree that aren't tracked by git
* Ensure `docs/CHANGELOG.md` contains a one-line summary of each notable change since the prior release
* Update `tuf/__init__.py` to the new version number "A.B.C"
* Test packaging, uploading to Test PyPI and installing from a virtual environment (ensure commands invoking `python` below are using Python 3)
  * Remove existing dist build dirs
  * Create source dist and wheel: `python3 -m build`
  * Sign source dist: `gpg --detach-sign -a dist/tuf-A.B.C.tar.gz`
  * Sign wheel: `gpg --detach-sign -a dist/tuf-A.B.C-py3-none-any.whl`
  * Upload to test PyPI: `twine upload --repository testpypi dist/*`
  * Verify the uploaded package at https://test.pypi.org/project/tuf/. Note that installing packages with pip from test.pypi.org is potentially dangerous (as dependencies may be squatted): download the file and install the local file instead.
* Create a PR with updated `CHANGELOG.md` and version bumps
* Once the PR is merged, pull the updated `develop` branch locally
* Create a signed tag matching the updated version number on the merge commit: `git tag --sign vA.B.C -m "vA.B.C"`
  * Push the tag to GitHub: `git push origin vA.B.C`
* Create a new release on GitHub, copying the `CHANGELOG.md` entries for the release
* Create a package for the formal release (ensure commands invoking `python` below are using Python 3)
  * Remove existing dist build dirs
  * Create source dist and wheel: `python3 -m build`
  * Sign source dist: `gpg --detach-sign -a dist/tuf-A.B.C.tar.gz`
  * Sign wheel: `gpg --detach-sign -a dist/tuf-A.B.C-py3-none-any.whl`
  * Upload to PyPI: `twine upload dist/*`
  * Verify the package at https://pypi.org/project/tuf/ and by installing with pip
* Attach both signed dists and their detached signatures to the release on GitHub
* Run `verify_release` to make sure the release artifacts match the git sources, preferably as another developer on a different machine.
* Announce the release on #tuf on CNCF Slack
* Ensure POUF 1, for the reference implementation, is up-to-date
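The last verification step is the one that makes the rest of the procedure auditable: someone other than the releaser rebuilds from the tagged sources and checks that the published sdist and wheel are byte-for-byte what that build produces, and that their version matches the tag. The following is an added illustration of that comparison and is not the project's `verify_release` script. It assumes the artifact names the steps above use (`dist/tuf-A.B.C.tar.gz` and `dist/tuf-A.B.C-py3-none-any.whl`), that the published files have already been downloaded into a directory, and that detached `.asc` signatures are excluded from the comparison because a signature is never byte-identical across builds. The `demo()` function builds a constructed scenario in a temporary directory (a local build and a "published" copy whose wheel differs) so the check can be run offline:

```python
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Filenames `python3 -m build` produces for tuf, matching the dist/tuf-A.B.C.tar.gz
# and dist/tuf-A.B.C-py3-none-any.whl names used in the release steps. The version
# group is what gets compared against the tag; detached signatures (*.asc) do not
# match this pattern, so they are never treated as artifacts (assumption for this
# example, not the project's own rule).
ARTIFACT_RE = re.compile(
    r"^tuf-(?P<version>[0-9][^-]*?)(?:-py3-none-any\.whl|\.tar\.gz)$"
)


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so a large sdist is not loaded at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def version_from_artifact(name: str) -> str | None:
    """Version embedded in an sdist or wheel filename, or None for anything else."""
    match = ARTIFACT_RE.match(name)
    return match.group("version") if match else None


def artifact_digests(dist_dir: Path) -> dict[str, str]:
    """Map every release artifact in dist_dir to its SHA-256 digest."""
    return {
        p.name: sha256_of(p)
        for p in sorted(dist_dir.iterdir())
        if p.is_file() and version_from_artifact(p.name) is not None
    }


def tag_matches_build(tag: str, dist_dir: Path) -> bool:
    """True when every artifact in dist_dir carries the version named by tag vA.B.C."""
    expected = tag[1:] if tag.startswith("v") else tag
    versions = {version_from_artifact(name) for name in artifact_digests(dist_dir)}
    return bool(versions) and versions == {expected}


def compare_dists(built: Path, downloaded: Path) -> list[str]:
    """Problems found when comparing a local build with downloaded artifacts.

    An empty list means every artifact is present on both sides with an identical
    digest, i.e. the published files are exactly what the git sources build.
    """
    local, remote = artifact_digests(built), artifact_digests(downloaded)
    problems = []
    for name in sorted(set(local) | set(remote)):
        if name not in local:
            problems.append(f"{name}: published but not produced by the local build")
        elif name not in remote:
            problems.append(f"{name}: built locally but missing from the published release")
        elif local[name] != remote[name]:
            problems.append(
                f"{name}: digest mismatch {local[name][:12]}... != {remote[name][:12]}..."
            )
    return problems


def demo() -> tuple[bool, list[str]]:
    """Constructed scenario: a local build and a downloaded copy whose wheel differs."""
    with tempfile.TemporaryDirectory() as tmp:
        built, downloaded = Path(tmp, "dist"), Path(tmp, "downloaded")
        for directory in (built, downloaded):
            directory.mkdir()
            # Constructed stand-ins for real build output; only the bytes matter here.
            (directory / "tuf-1.0.0.tar.gz").write_bytes(b"constructed sdist bytes")
            (directory / "tuf-1.0.0-py3-none-any.whl").write_bytes(b"constructed wheel bytes")
            (directory / "tuf-1.0.0.tar.gz.asc").write_bytes(b"constructed signature")
        # Simulate a published wheel that was not built from these sources.
        (downloaded / "tuf-1.0.0-py3-none-any.whl").write_bytes(b"different wheel bytes")
        return tag_matches_build("v1.0.0", built), compare_dists(built, downloaded)


if __name__ == "__main__":
    tag_ok, issues = demo()
    print("tag matches build:", tag_ok)
    for issue in issues:
        print("MISMATCH", issue)
```

In real use, point `compare_dists` at the `dist/` directory from a fresh `python3 -m build` of the tagged commit and at a directory holding the files downloaded from the GitHub release and from PyPI, and pass the output of `git describe` to `tag_matches_build`. A digest mismatch is not proof of tampering on its own, since a non-reproducible build (as the commit message notes for the 1.0 release) produces the same result; the value of the check is that it turns "trust the releaser's machine" into a question a second developer can answer independently.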