Add publishing integrity check after releasing (#4045)

Co-authored-by: Francisco <fg@frang.io>
2 years ago · 4e8aa43a90
parent 6d18435098
commit 4e8aa43a90
4 changed files with 47 additions and 1 deletions
--- a/.github/workflows/release-cycle.yml
+++ b/.github/workflows/release-cycle.yml
@ -142,6 +142,11 @@ jobs:
        run: bash scripts/release/workflow/pack.sh
        env:
          PRERELEASE: ${{ needs.state.outputs.is_prerelease }}
+      - name: Upload tarball artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ github.ref_name }}
+          path: ${{ steps.pack.outputs.tarball }}
      - name: Tag
        run: npx changeset tag
      - name: Publish
@ -158,6 +163,26 @@ jobs:
          PRERELEASE: ${{ needs.state.outputs.is_prerelease }}
        with:
          script: await require('./scripts/release/workflow/github-release.js')({ github, context })
+    outputs:
+      tarball_name: ${{ steps.pack.outputs.tarball_name }}
+
+  integrity_check:
+    needs: publish
+    name: Tarball Integrity Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Download tarball artifact
+        id: artifact
+        # Replace with actions/upload-artifact@v3 when
+        # https://github.com/actions/download-artifact/pull/194 gets released
+        uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
+        with:
+          name: ${{ github.ref_name }}
+      - name: Check integrity
+        run: bash scripts/release/workflow/integrity-check.sh
+        env:
+          TARBALL: ${{ steps.artifact.outputs.download-path }}/${{ needs.publish.outputs.tarball_name }}

  merge:
    needs: state
--- a/scripts/release/workflow/integrity-check.sh
+++ b/scripts/release/workflow/integrity-check.sh
@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+CHECKSUMS="$RUNNER_TEMP/checksums.txt"
+
+# Extract tarball content into a tmp directory
+tar xf "$TARBALL" -C "$RUNNER_TEMP"
+
+# Move to extracted directory
+cd "$RUNNER_TEMP/package"
+
+# Checksum all Solidity files
+find . -type f -name "*.sol" | xargs shasum > "$CHECKSUMS"
+
+# Back to directory with git contents
+cd "$GITHUB_WORKSPACE/contracts"
+
+# Check against tarball contents
+shasum -c "$CHECKSUMS"
--- a/scripts/release/workflow/pack.sh
+++ b/scripts/release/workflow/pack.sh
@ -20,6 +20,7 @@ dist_tag() {

 cd contracts
 TARBALL="$(npm pack | tee /dev/stderr | tail -1)"
+echo "tarball_name=$TARBALL" >> $GITHUB_OUTPUT
 echo "tarball=$(pwd)/$TARBALL" >> $GITHUB_OUTPUT
 echo "tag=$(dist_tag)" >> $GITHUB_OUTPUT
 cd ..
--- a/scripts/release/workflow/publish.sh
+++ b/scripts/release/workflow/publish.sh
@ -15,6 +15,6 @@ delete_tag() {

 if [ "$TAG" = tmp ]; then
  delete_tag "$TAG"
-elif ["$TAG" = latest ]; then
+elif [ "$TAG" = latest ]; then
  delete_tag next
 fi