ci: Ensure all version references are up-to-date prior to release (#447)

* Create references.sh

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* WIP: check docs in pre-submits

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Clean up

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Fix based on comments

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Add instructions to RELEASE.md

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Check references match version in PR body

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Co-authored-by: laurentsimon <[email protected]>

Author: pnacht

.github/workflows/pre-submit.actions.yml

@@ -39,3 +39,24 @@ jobs:
         with:
           name: dist
           path: dist/
+
+  check-docs:
+    runs-on: ubuntu-latest
+    if: ${{ contains(github.event.pull_request.body, '#label:release') }}
+    env:
+      BODY: ${{ github.event.pull_request.body }}
+    steps:
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+
+      - name: Check documentation is up-to-date
+        run: |
+          RELEASE_TAG=$(
+            echo "$BODY" | \
+            grep -oE '^[[:blank:]]*#label:release[[:blank:]]+v?[0-9]+\.[0-9]+\.[0-9]+' | \
+            sed -E 's/.*([0-9]+\.[0-9]+\.[0-9])/\1/'
+          )
+          if [[ -z "$RELEASE_TAG" ]]; then
+              echo "Invalid release PR body. Must include `#label:release vX.Y.Z"
+              exit 1
+          fi
+          RELEASE_TAG="${RELEASE_TAG}" ./.github/workflows/scripts/pre-release/references.sh

.github/workflows/scripts/pre-release/references.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# Verify that all references point to the same version
+
+set -euo pipefail
+
+function get_first_nonblank_line() {
+    while read line; do
+        [[ "$line" =~ [^[:blank:]] ]] && break
+    done < "$1"
+    echo "$line"
+}
+
+###
+### SHA256SUM.md
+###
+
+line=$(get_first_nonblank_line SHA256SUM.md)
+
+# Ensure both visible text and link point to the same release
+version_txt="$(sed -E "s~.*\[v(.*)\].*~\1~" <<< "$line")"
+version_lnk="$(sed -E "s~.*/v(.*)\)$~\1~" <<< "$line")"
+
+if [[ "$version_txt" != "$version_lnk" ]]; then
+    mark_txt="$(head -c ${#version_txt} < /dev/zero | tr '\0' '^')"
+    mark_lnk="$(head -c ${#version_lnk} < /dev/zero | tr '\0' '^')"
+
+    marks="${line/"$version_txt"/"$mark_txt"}"
+    marks="${marks/"$version_lnk"/"$mark_lnk"}"
+    marks="$(sed 's/[^^]/ /g' <<< "$marks")"
+
+    echo "SHA256SUM.md: Visible text and linked URL do not match:"
+    echo "$line"
+    echo "$marks"
+
+    exit 1
+fi
+
+# Ensure version matches what's declared in the PR body
+if [[ "$version_txt" != "$RELEASE_TAG" ]]; then
+    echo "SHA256SUM.md version doesn't match version declared in PR body"
+    echo "PR body: #label:release v$RELEASE_TAG"
+    echo "SHA256SUM.md: v$version_txt"
+
+    exit 1
+fi
+
+###
+### go.mod
+###
+
+# Get major version from go.mod
+major_version_go_mod="$(get_first_nonblank_line go.mod | sed -E 's~.*/v(.*)~\1~')"
+
+# Get major version declared in PR body
+major_version="$(sed -E 's/(.+)\..+\..+/\1/' <<< "$RELEASE_TAG")"
+
+# Ensure major version from SHA256SUM.md matches go.mod's
+if [[ "$major_version_go_mod" != "$major_version" ]]; then
+    echo "go.mod version doesn't match version declared in PR body:"
+    echo "PR body: v$major_version (v$RELEASE_TAG)"
+    echo "go.mod:  v$major_version_go_mod"
+
+    exit 1
+fi
+
+###
+### README.md
+###
+
+# Select all version numbers following a reference to slsa-verifier that are different
+# from the version defined in SHA256SUM.md
+results=$(
+    grep -Pon ".*?slsa-verifier.*?\d+\.\d+\.\d+" README.md |
+    grep -v "$RELEASE_TAG$" |
+    sed -E 's/(.*)/  \1/' || true
+)
+
+if [[ "$results" != "" ]]; then
+    echo "README.md version doesn't match version declared in PR body:"
+    echo "PR body: #label:release v$RELEASE_TAG"
+    echo "README.md:"
+    echo "$results"
+    exit 1
+fi

RELEASE.md

@@ -116,10 +116,11 @@ $ sha256sum slsa-verifier-linux-amd64
 $ sed -i "s/v1.0.0/v1.1.1/g" ./README.md
 ```
 
-4. Send a pull request with the changes. In the description, explain the steps to verify the hash update, i.e., reviewers shoud LGTM only if the provenance verification succeeds
-and the hash in the pull request matches the one computed on the binary. You can use [#slsa-framework/slsa-github-generator#113](https://github.com/slsa-framework/slsa-github-generator/pull/113) as example.
+4. Send a pull request with the changes. In the description:
+   - add the string `#label:release vX.Y.Z` on its own line;
+   - explain the steps to verify the hash update, i.e., reviewers shoud LGTM only if the provenance verification succeeds and the hash in the pull request matches the one computed on the binary. You can use [#slsa-framework/slsa-github-generator#113](https://github.com/slsa-framework/slsa-github-generator/pull/113) as an example.
 
-5. Replace all version / commit references to the slsa-verifier repo with references to the newly released version [e2e.installer-action.yml](https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.installer-action.yml). Each reference has the comment `# UPDATE ON RELEASE`.
+5. Update all version / commit references to the `slsa-verifier` repo in [`example-package`'s e2e.installer-action.yml](https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.installer-action.yml). Each reference has the comment `# UPDATE ON RELEASE`.
 
 ## Update builders