Add artifact checksum verification to release procedures

emlun · emlun · commit accb8496b418 · 2025-04-30T02:50:41.000+02:00
diff --git a/build.gradle b/build.gradle
@@ -41,12 +41,16 @@ dependencies {
 }
 
 allprojects {
-  ext.snapshotSuffix = "<count>.g<sha>-SNAPSHOT<dirty>"
-  ext.dirtyMarker = "-DIRTY"
-
-  apply plugin: 'com.cinnober.gradle.semver-git'
   apply plugin: 'idea'
 
+  if (System.env.VERSION) {
+    it.version = System.env.VERSION
+  } else {
+    ext.snapshotSuffix = "<count>.g<sha>-SNAPSHOT<dirty>"
+    ext.dirtyMarker = "-DIRTY"
+    apply plugin: 'com.cinnober.gradle.semver-git'
+  }
+
   idea.module {
     downloadJavadoc = true
     downloadSources = true
diff --git a/doc/releasing.md b/doc/releasing.md
@@ -45,39 +45,55 @@ Release candidate versions
     Check that this version is available in GitHub Actions. Commit this change,
     if any.
 
- 5. Tag the head commit with an `X.Y.Z-RCN` tag:
+ 5. Push the branch to GitHub.
+
+    If the pre-release makes significant changes to the project README, such
+    that the README does not accurately reflect the latest non-pre-release
+    version, push the changes on a separate release branch:
 
     ```
-    $ git tag -a -s 1.4.0-RC1 -m "Pre-release 1.4.0-RC1"
+    $ git checkout -b release-1.4.0
+    $ git push origin release-1.4.0
     ```
 
-    No tag body needed.
+    If the README still accurately reflects the latest non-pre-release version,
+    you can simply push to main instead:
 
- 6. Publish to Sonatype Nexus:
+    ```
+    $ git push origin main
+    ```
+
+ 6. Wait for the ["build" workflow][workflow-build] to finish.
+    Download the `artifact-checksums-java17-temurin` artifact,
+    unpack it and verify that the artifact checksums match artifacts built locally:
 
     ```
-    $ ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
+    $ unzip artifact-checksums-java17-temurin.zip
+    $ VERSION=0.1.0-SNAPSHOT ./gradlew primaryPublishJar
+    $ sha256sum -c java-webauthn-server-artifacts.sha256sum
     ```
 
- 7. Push to GitHub.
+ 7. Tag the head commit with an `X.Y.Z-RCN` tag:
 
-    If the pre-release makes significant changes to the project README, such
-    that the README does not accurately reflect the latest non-pre-release
-    version, push the changes on a separate release branch:
+    ```
+    $ git tag -a -s 1.4.0-RC1 -m "Pre-release 1.4.0-RC1"
+    ```
+
+    No tag body needed.
+
+ 8. Publish to Sonatype Nexus:
 
     ```
-    $ git checkout -b release-1.4.0
-    $ git push origin release-1.4.0 1.4.0-RC1
+    $ ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
     ```
 
-    If the README still accurately reflects the latest non-pre-release version,
-    you can simply push to main instead:
+ 9. Push the tag to GitHub:
 
     ```
-    $ git push origin main 1.4.0-RC1
+    $ git push origin 1.4.0-RC1
     ```
 
- 8. Make GitHub release.
+10. Make GitHub release.
 
     - Use the new tag as the release tag.
     - Check the pre-release checkbox.
@@ -87,7 +103,7 @@ Release candidate versions
     - Note the JDK version shown by `java -version` in step 3.
       For example: `openjdk version "17.0.7" 2023-04-18`.
 
- 9. Check that the ["Reproducible binary" workflow][workflow-release] runs and succeeds.
+11. Check that the ["Reproducible binary" workflow][workflow-release] runs and succeeds.
 
 
 Release versions
@@ -168,27 +184,43 @@ Release versions
     $ ./gradlew clean check
     ```
 
-10. Tag the merge commit with an `X.Y.Z` tag:
+10. Push the branch to GitHub:
+
+    ```
+    $ git push origin main
+    ```
+
+11. Wait for the ["build" workflow][workflow-build] to finish.
+    Download the `artifact-checksums-java17-temurin` artifact,
+    unpack it and verify that the artifact checksums match artifacts built locally:
+
+    ```
+    $ unzip artifact-checksums-java17-temurin.zip
+    $ VERSION=0.1.0-SNAPSHOT ./gradlew primaryPublishJar
+    $ sha256sum -c java-webauthn-server-artifacts.sha256sum
+    ```
+
+12. Tag the merge commit with an `X.Y.Z` tag:
 
     ```
     $ git tag -a -s 1.4.0 -m "Release 1.4.0"
     ```
 
     No tag body needed since that's included in the commit.
 
-11. Publish to Sonatype Nexus:
+12. Publish to Sonatype Nexus:
 
     ```
     $ ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
     ```
 
-12. Push to GitHub:
+13. Push the tag to GitHub:
 
     ```
-    $ git push origin main 1.4.0
+    $ git push origin 1.4.0
     ```
 
-13. Make GitHub release.
+14. Make GitHub release.
 
     - Use the new tag as the release tag.
     - Copy the release notes from `NEWS` into the GitHub release notes; reformat
@@ -197,8 +229,9 @@ Release versions
     - Note the JDK version shown by `java -version` in step 6.
       For example: `openjdk version "17.0.7" 2023-04-18`.
 
-14. Check that the ["Reproducible binary" workflow][workflow-release] runs and succeeds.
+15. Check that the ["Reproducible binary" workflow][workflow-release] runs and succeeds.
 
 
+[workflow-build]: https://github.com/Yubico/java-webauthn-server/actions/workflows/build.yml
 [workflow-release]: https://github.com/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml
 [workflow-release-src]: https://github.com/Yubico/java-webauthn-server/blob/main/.github/workflows/release-verify-signatures.yml#L42
