wu-sheng opened a new pull request, #133:
URL: https://github.com/apache/skywalking-nodejs/pull/133
## What
Adds release automation for skywalking-nodejs, adapted from the mature
toolkit in `apache/skywalking-horizon-ui` and fitted to this repo's
single-package npm layout (git submodule for the protobufs, source-tarball-only
Apache artifact, npm as a convenience).
- **`scripts/release.sh`** (`npm run release`) — the release-candidate half:
GPG/preflight checks → version detect → LICENSE/NOTICE + license-eye →
**fresh recursive clone** → build & sign the source release via the existing
`release-src` → **verify tarball contents + signature** → push the tag → upload
the RC to `dist/dev/.../node-js/<v>` → print the `[VOTE]` email.
- **`scripts/release-finalize.sh`** (`npm run release:finalize`) — the
post-vote half:
`svn mv` dev→release (retiring the strictly-older previous release) →
publish the GitHub release with auto-generated notes (re-verifying the voted
bytes) → optional npm publish.
- **`package.json`**: wires the two scripts; pins the GPG signer end-to-end
via `SW_GPG_KEY` (`gpg -u`) so the tarball is signed by the validated key;
excludes `.claude` from the source tarball.
- **`docs/How-to-release.md`**: adds an "Automated release" section pointing
at the scripts, and fixes stale references (CHANGELOG.md is a stub → GitHub
Release notes; `.md5` → `.sha512`; dead `make license` → license-eye + `npm run
lint`).
## Safety design
These scripts perform irreversible ASF actions, so they were adversarially
red-teamed (multi-agent: ASF-policy / bash-portability / repo-fit /
irreversibility) and the findings fixed:
- The git tag is pushed **only after** the artifacts are built, signed and
self-verified — a build failure never leaves a public, immutable release tag
behind.
- Every `read` is guarded (no silent `set -e` abort on a non-TTY); `git
ls-remote` failure can't be mistaken for "tag absent".
- The signer gate is real (validated `@apache.org` key == the key that
signs).
- The previous-release `svn rm` only ever targets a **strictly-older**
version and requires typing the version to confirm.
- npm publish is optional and triple-gated (already-published guard →
confirm → `--dry-run` → confirm), built from a fresh clone of the tag.
Verified locally: `bash -n` clean on both scripts, valid `package.json`, the
`SW_GPG_KEY` expansion is backward-compatible, the source tarball excludes
`.claude` (keeps `dist/` license texts), and the no-TTY guards fail loudly.
Run on a single-user trusted host (svn takes the password on argv —
documented in-script, same as the horizon-ui reference).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.
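The three guards the description names (a `git ls-remote` failure that must not read as "tag absent", a previous-release removal limited to a strictly-older version with the version retyped to confirm, and a `read` that fails loudly off a TTY) written out as stand-alone POSIX sh functions. This is an added example, not code from PR #133 or from the skywalking-nodejs repository; the function names, the `DIST_RELEASE_URL` placeholder and the exact messages are this example's own choices, and the svn removal is only printed, never run.

```sh
#!/bin/sh
# Added example (not from PR #133 or the skywalking-nodejs repo): the three
# guards the description names, as stand-alone POSIX sh functions. Names and
# the DIST_RELEASE_URL placeholder are this example's own.
set -u

# Guard 1: never confuse "tag absent" with "git ls-remote failed".
# `git ls-remote --exit-code` exits 2 when no ref matched, 0 when one did, and
# something else (128, ...) when the remote could not be contacted. The
# `|| rc=$?` keeps `set -e` from aborting before the status is classified.
# Prints "present" or "absent"; returns 1 on transport failure.
remote_tag_state() {
  remote=$1; tag=$2; rc=0
  git ls-remote --exit-code --tags "$remote" "refs/tags/$tag" >/dev/null 2>&1 || rc=$?
  case $rc in
    0) echo present ;;
    2) echo absent ;;
    *) echo "error: git ls-remote $remote failed (exit $rc); cannot tell whether $tag exists" >&2
       return 1 ;;
  esac
}

# Guard 2: only a *strictly older* release may be retired from dist/release.
# Dotted numeric versions, optional leading "v"; missing components count as 0.
# Returns 0 if $1 < $2, 1 if $1 >= $2, 2 if either version is malformed.
is_strictly_older() {
  a=${1#v}; b=${2#v}
  case "$a.$b" in *[!0-9.]*) return 2 ;; esac
  i=1
  while [ "$i" -le 16 ]; do
    # A trailing "." guarantees cut sees a delimiter, so a missing field is "".
    x=$(printf '%s.\n' "$a" | cut -d. -f"$i")
    y=$(printf '%s.\n' "$b" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 1   # ran past both: equal, not older
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# Guard 3: a `read` on a non-terminal must fail loudly. An unguarded `read`
# under `set -e` returns non-zero on EOF and aborts the script silently; here
# the operator has to retype the version that is about to be deleted.
confirm_retire() {
  version=$1
  if [ ! -t 0 ]; then
    echo "error: stdin is not a terminal; refusing to retire $version non-interactively" >&2
    return 1
  fi
  printf 'Type %s to confirm removing it from dist/release: ' "$version"
  IFS= read -r typed || { echo "error: no input received" >&2; return 1; }
  [ "$typed" = "$version" ]
}

# Placeholder only: the real dist/release base URL is not part of this example.
DIST_RELEASE_URL=${DIST_RELEASE_URL:-PLACEHOLDER_DIST_RELEASE_URL}

# The retirement gate: strictly-older check, then typed confirmation, and only
# then the (here merely printed) svn removal of the previous release.
retire_previous() {
  prev=$1; new=$2
  is_strictly_older "$prev" "$new" || {
    echo "refusing: $prev is not strictly older than $new" >&2; return 1; }
  confirm_retire "$prev" || return 1
  echo "would run: svn rm -m \"Remove $prev\" \"$DIST_RELEASE_URL/$prev\""
}
```

The `remote_tag_state` three-way split is the part worth copying: with plain `git ls-remote`, an unreachable remote and a missing tag both produce empty output, so a script that greps the output would happily proceed to create a tag that already exists upstream. Routing the status through `case` and refusing on anything other than 0 or 2 keeps a network hiccup from being read as permission to tag.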