Hi Robert,

Thanks for working on this. I think it's valuable to have a script to verify RCs. I'm not sure whether a GitHub workflow helps. Verification tends to be more effective when done in each individual environment (Laptop, Cloud workspace, etc.). That's how we spot more issues, esp. env-specific issues.

Yufei

On Thu, Oct 23, 2025 at 6:29 AM Robert Stupp <[email protected]> wrote:

> Hi all,
>
> Verifying a Polaris release is a pretty manual process that involves a
> lot of individual steps.
>
> As I am a lazy guy and like automation for the tasks that can be
> automated, I built a bash script to perform a lot of the release
> verification steps, like
> * Git commit/tag cross-verification
> * Build Polaris
> * Build Helm Chart
> * Verify GPG signatures
> * Verify checksums
> * Compare the binary artifacts
>
> Many of the verifications also apply to the Apache Trusted Releases
> effort, in particular getting to reproducible builds.
>
> The tool can be run directly from a terminal (no download necessary)
> and requires a few parameters (version, RC number, Git commit, Nexus
> staging repo ID). Please note that the `bash/curl` command mentioned
> on the new web page doesn't work yet as the PR is not merged yet.
>
> More detailed information is available in the PR, which also adds a
> new page to the Polaris website on "how to verify a release".
>
> We could also create a GitHub workflow for the script, if that's
> convenient for committers (aka those who can run GH workflows).
>
> PR: https://github.com/apache/polaris/pull/2824
> Direct link to the new website page:
> https://github.com/snazy/polaris/blob/release-verification/site/content/release-verify.md
>
> Robert
