wu-sheng opened a new pull request, #133:
URL: https://github.com/apache/skywalking-nodejs/pull/133

## What

Adds release automation for skywalking-nodejs, adapted from the mature toolkit in `apache/skywalking-horizon-ui` and fitted to this repo's single-package npm layout (git submodule for the protobufs, source-tarball-only Apache artifact, npm as a convenience).

- **`scripts/release.sh`** (`npm run release`) — the release-candidate half:
  GPG/preflight checks → version detect → LICENSE/NOTICE + license-eye → **fresh recursive clone** → build & sign the source release via the existing `release-src` → **verify tarball contents + signature** → push the tag → upload the RC to `dist/dev/.../node-js/<v>` → print the `[VOTE]` email.
- **`scripts/release-finalize.sh`** (`npm run release:finalize`) — the post-vote half:
  `svn mv` dev→release (retiring the strictly-older previous release) → publish the GitHub release with auto-generated notes (re-verifying the voted bytes) → optional npm publish.
- **`package.json`**: wires the two scripts; pins the GPG signer end-to-end via `SW_GPG_KEY` (`gpg -u`) so the tarball is signed by the validated key; excludes `.claude` from the source tarball.
- **`docs/How-to-release.md`**: adds an "Automated release" section pointing at the scripts, and fixes stale references (CHANGELOG.md is a stub → GitHub Release notes; `.md5` → `.sha512`; dead `make license` → license-eye + `npm run lint`).

## Safety design

These scripts perform irreversible ASF actions, so they were adversarially red-teamed (multi-agent: ASF-policy / bash-portability / repo-fit / irreversibility) and the findings fixed:

- The git tag is pushed **only after** the artifacts are built, signed and self-verified — a build failure never leaves a public, immutable release tag behind.
- Every `read` is guarded (no silent `set -e` abort on a non-TTY); `git ls-remote` failure can't be mistaken for "tag absent".
- The signer gate is real (validated `@apache.org` key == the key that signs).
- The previous-release `svn rm` only ever targets a **strictly-older** version and requires typing the version to confirm.
- npm publish is optional and triple-gated (already-published guard → confirm → `--dry-run` → confirm), built from a fresh clone of the tag.

Verified locally: `bash -n` clean on both scripts, valid `package.json`, the `SW_GPG_KEY` expansion is backward-compatible, the source tarball excludes `.claude` (keeps `dist/` license texts), and the no-TTY guards fail loudly.

Run on a single-user trusted host (svn takes the password on argv — documented in-script, same as the horizon-ui reference).

🤖 Generated with [Claude Code](https://claude.com/claude-code)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

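The guards the PR description lists under "Safety design" (guarded `read` on a non-TTY, the three-way `git ls-remote` result, the strictly-older version check, the signer gate on a validated `@apache.org` key, and pushing the tag only after sign-and-verify), written out as an added example. This is not the PR's `scripts/release.sh` or `scripts/release-finalize.sh`: it is illustrative POSIX sh, the function names are made up for the example, and the key listing and fingerprints are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added illustration of the release-script guards. Not the PR's own code;
# function names, the sample key listing and the fingerprints are invented.
set -eu

# 1. Guarded prompt. Under `set -e` a bare `read` on a closed or non-TTY stdin
#    aborts the script silently. Refuse to prompt unless stdin is a terminal,
#    fail loudly on EOF, and succeed only if the operator typed the exact version.
confirm_version() {            # confirm_version <version>; rc 0=ok 1=mismatch 2=no tty/EOF
  if [ ! -t 0 ]; then
    echo "confirm_version: stdin is not a TTY, refusing to prompt" >&2
    return 2
  fi
  printf 'Type the version to confirm removal (%s): ' "$1"
  if ! read -r typed; then
    echo "confirm_version: EOF on stdin" >&2
    return 2
  fi
  [ "$typed" = "$1" ]
}

# 2. Strictly-older check for the release that `svn rm` may retire. Compares
#    numerically per dotted component, so 0.9.0 < 0.10.0 (a string compare gets
#    that wrong). rc 0 when $1 < $2, 1 when equal or newer, 2 on non-numeric input.
version_lt() {                 # version_lt <candidate> <current>
  case "$1$2" in *[!0-9.]*) echo "version_lt: non-numeric version" >&2; return 2;; esac
  i=1
  while :; do
    x=$(printf '%s\n' "$1" | cut -d. -f"$i")
    y=$(printf '%s\n' "$2" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 1      # ran out of components: equal
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
}

# 3. Signer gate. Parse `gpg --with-colons --list-keys`: field 1 is the record
#    type; field 10 is the fingerprint on `fpr` records and the user ID on `uid`
#    records. Only uids that belong to the key with the wanted fingerprint count.
uids_for_fingerprint() {       # uids_for_fingerprint <fpr>; colon listing on stdin
  awk -F: -v want="$1" '
    $1 == "pub" || $1 == "sec" || $1 == "sub" || $1 == "ssb" { hit = 0 }
    $1 == "fpr" && $10 == want                                  { hit = 1 }
    $1 == "uid" && hit                                           { print $10 }'
}
signer_is_validated() {        # signer_is_validated <fpr>; listing on stdin; rc 0 iff @apache.org uid
  uids_for_fingerprint "$1" | grep -q '<[^<>]*@apache\.org>$'
}

# Constructed sample listing (placeholder fingerprints): one key with an
# @apache.org uid and a subkey, one personal key without.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:4096:1:00000000DEADBEEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Release Manager <rm@apache.org>::::::::::0:
sub:u:4096:1:0000000011223344:1700000000::::::s::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:u:4096:1:00000000CAFEF00D:1700000000:::u:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:u::::1700000000::0000000000000000000000000000000000000000::Personal <me@example.com>::::::::::0:'

# 4. "Tag absent" must not be confused with "ls-remote failed": three states.
remote_tag_state() {           # remote_tag_state <remote> <tag>; prints present|absent|error
  if ! out=$(git ls-remote --tags "$1" "refs/tags/$2" 2>/dev/null); then
    echo error; return 1
  fi
  if [ -n "$out" ]; then echo present; else echo absent; fi
}

# 5. Ordering of the irreversible step: sign with the gated key, re-verify the
#    exact bytes, and only then push the public, immutable tag. Needs gpg,
#    sha512sum, git and a real tarball, so it is shown for the ordering only.
sign_verify_then_tag() {       # sign_verify_then_tag <fpr> <tarball> <tag> <remote>
  fpr=$1 tarball=$2 tag=$3 remote=$4
  gpg --with-colons --list-keys | signer_is_validated "$fpr" \
    || { echo "signer gate: $fpr has no @apache.org uid" >&2; return 1; }
  gpg -u "$fpr" --armor --detach-sign "$tarball"
  sha512sum "$tarball" > "$tarball.sha512"
  gpg --verify "$tarball.asc" "$tarball"
  sha512sum -c "$tarball.sha512"
  git push "$remote" "refs/tags/$tag"       # last, because it cannot be undone
}
```

`confirm_version` deliberately returns 2 rather than 1 when it never got to ask, so a caller can tell "operator said no" from "no operator present"; piping the script's stdin from a file or running it under CI hits the first branch and stops before any `svn rm`. The `version_lt` input check rejects pre-release suffixes such as `-rc1` on purpose: a retire-the-old-release step should only ever see final versions.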