stevedlawrence commented on code in PR #20:
URL:
https://github.com/apache/daffodil-infrastructure/pull/20#discussion_r2519383078
##########
actions/release-candidate/dist/main/index.js:
##########
@@ -31908,27 +31921,38 @@ async function run() {
// triggered from a tag, so we fetch it manually so we
can verify its tag
await exec("git", ["fetch", "origin", "--deepen=1",
`+${ github.context.ref }:${ github.context.ref }`]);
- // make sure the tag is signed by a committer in the
KEYS file, this
- // command fails if the tag does not verify.
- await exec("git", ["tag", "--verify", release_version]);
+ if (do_publish) {
+ // if publishing, tags must be signed with a
committers key, download and import committer
+ // keys for verification
+ let committer_keys = "";
+ await exec("curl",
[`https://downloads.apache.org/${tlp_dir}/KEYS`], {
+ silent: true,
+ listeners: {
+ stdout: (data) => {
+ committer_keys +=
data.toString();
+ }
+ }
+ });
+ await exec("gpg", ["--batch", "--import"], {
+ input: Buffer.from(committer_keys)
+ });
+
+ // make sure the tag is signed by a committer
in the KEYS file, this
+ // command fails if the tag does not verify.
+ await exec("git", ["tag", "--verify",
release_version]);
+ }
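Review bot: The `curl` call that downloads KEYS passes no `--fail`, so an HTTP error response still exits 0 and its body is what gets handed to `gpg --batch --import`. Adding `"--fail", "--silent", "--show-error"` ahead of the URL in the argument array would stop the run at the download step instead of relying on gpg to reject the input. The import and the later `git tag --verify` also use the runner's default keyring, so a tag signed by any key already present there would verify just like one signed by a committer key; whether other keys are imported elsewhere in run() is not visible, because the function starts and continues outside this hunk. If they are, running both commands with a fresh `GNUPGHOME` passed through exec's `env` option (merged with `process.env`) would limit trust to the downloaded KEYS file.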
Review Comment:
On second thought, this might not really be possible, since in order to
verify a tag you need the tag name. If it isn't tagged then there isn't a tag
name to verify. I think the scenario where is_tagged is false but do_publish is
true is pretty unlikely to happen. And also if is_tagged is false then the
release version is created with an `-rc0` suffix, so it would be clear things
are wrong and the release can be discarded. So I think this comment can be
ignored.