feat: add release automation script#1992
Open
TerryHowe wants to merge 12 commits intooras-project:mainfrom
Open
feat: add release automation script#1992TerryHowe wants to merge 12 commits intooras-project:mainfrom
TerryHowe wants to merge 12 commits intooras-project:mainfrom
Conversation
Signed-off-by: Terry Howe <terrylhowe@gmail.com>
TerryHowe
requested review from
Wwwsylvia,
sabre1041,
sajayantony and
shizhMSFT
as code owners
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1992 +/- ##
==========================================
+ Coverage 87.18% 87.21% +0.03%
==========================================
Files 143 143
Lines 5539 5539
==========================================
+ Hits 4829 4831 +2
+ Misses 423 421 -2
Partials 287 287 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new scripts/release.sh automation script to codify the ORAS CLI release process into repeatable phases, and exposes those phases via make targets for convenience.
Changes:
- Added
scripts/release.shimplementingprep,tag,validate, andpublishrelease phases (with--dry-runsupport). - Added Makefile targets (
release-prep,release-tag,release-validate,release-publish) to invoke the script.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
scripts/release.sh |
New bash script that automates version bump PR creation, tagging, CI/artifact validation, and publishing/signing steps. |
Makefile |
Adds convenience targets to run the release script phases via make. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
- Extract check_prerequisites() as shared function called from both do_prep and do_tag, ensuring GPG/gh/remote are validated before tagging - Add dirty working tree guard in do_prep before creating branch - Add portable checksum verification: prefer sha256sum over shasum with fallback and fatal error if neither is available - Use make SHELL=/bin/bash sign to avoid POSIX brace glob issue - Fix .asc upload to avoid glob expansion in dry-run mode - Fix snap workflow: use release-snap.yml with required version and isStable fields, pass --ref for correct trigger Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Signed-off-by: Terry Howe <terrylhowe@gmail.com>
sabre1041
requested changes
Mar 19, 2026
Contributor
sabre1041
left a comment
sabre1041
left a comment
There was a problem hiding this comment.
Overall looks really good. one small comment
- Replace make fetch-dist with gh release download in validate phase so artifact fetching works against draft releases (curl on the public /releases/download/ URL returns 404 for drafts) - Add ORAS_REPO variable to Makefile so the repo is not hardcoded - Add gh CLI prerequisite check to fetch-dist target with install URL Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Terry Howe <terrylhowe@gmail.com>
- Replace make sign with a direct gpg loop covering all artifact types
including .zip (make sign only covered *.{gz,txt})
- Fail immediately if any gpg signing fails instead of swallowing errors
- Scope verify and upload globs to oras_<version>_* to avoid picking up
leftover files from prior releases
- Add --clobber to gh release upload so publish is safely retryable
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Bash arithmetic (( expr )) exits with code 1 when the expression evaluates to 0. Post-increment (( n++ )) returns the old value, so the first increment from 0 to 1 silently kills the script under set -euo pipefail. Use $(( n + 1 )) assignment instead. Affected: attempt counter in validate and sig_count in publish. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Terry Howe <terrylhowe@gmail.com>
gpg consumes stdin during signing, leaving confirm's read at EOF which silently treats the response as empty (N) and aborts. Reading from /dev/tty ensures interactive prompts always reach the terminal. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Terry Howe <terrylhowe@gmail.com>
- Remove all confirm() calls and the confirm function itself; the script now runs non-interactively without pausing for user input - Replace the branch warning in prep with a hard failure: the current branch must be 'main' or 'release-X.Y' where X.Y matches the major.minor of the version being released (e.g. v1.3.2 requires main or release-1.3) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Terry Howe <terrylhowe@gmail.com>
validate and publish now read the version from internal/version/version.go when no version argument is supplied, so running just 'scripts/release.sh validate' or 'scripts/release.sh publish' works from the release branch without repeating the version string. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Terry Howe <terrylhowe@gmail.com>
When running prep from 'main', the version's major.minor must match MAIN_RELEASE_VERSION (default 2.0). This prevents accidentally cutting a 1.x patch release from main. Override with ORAS_MAIN_RELEASE_VERSION when the next main-branch series changes. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Terry Howe <terrylhowe@gmail.com>
…N from validate/publish make targets - Remove redundant *Changelog:* line from the publish Slack announcement (it was the same URL as *Release:*) - Drop $(VERSION) from release-validate and release-publish Makefile targets since the script now reads the version from version.go Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Terry Howe <terrylhowe@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
scripts/release.sh, a bash release automation script that codifies the manual steps from https://oras.land/community/release-process into four repeatable phases.Phases
prep <version>- Validates semver format, checksgh/gpgprerequisites, updatesinternal/version/version.go(sets Version, clears BuildMetadata), creates branchchore/release-v<version>, commits, pushes, creates a PR titled "bump: tag and release ORAS CLI v<version>" targetingmain(or the release branch for patches), and prints the commit SHA with a Slack vote template.tag <version> <sha>- Validates that the commit at the given SHA contains the correct version and cleared BuildMetadata, creates a signed git tagv<version>, pushes the tag, and creates a release branch (e.g.release-X.Y) for new minor versions (patch==0, no pre-release suffix).validate <version>- Polls therelease-ghcrandrelease-githubGitHub Actions workflows until they complete, runsmake fetch-distto download artifacts, verifies checksums withshasum, and tests thelinux/amd64binary reports the expected version.publish <version>- Runsmake signto GPG-sign artifacts, verifies all GPG signatures, uploads.ascfiles to the GitHub release, appends signing key verification instructions to release notes, publishes the release (--draft=false), triggers the snap workflow, cleans up_dist/, and prints a post-release Slack template.Features
--dry-runflag for safe testingORAS_REMOTEenv var to configure the upstream remote (default:upstream)Makefile Targets
Also adds convenience Makefile targets:
release-prep,release-tag,release-validate,release-publish.Test plan
scripts/release.sh --helpto verify usage outputscripts/release.sh --dry-run prep 1.3.0to verify prep phase logicscripts/release.sh --dry-run tag 1.3.0 abc1234to verify tag phase logicscripts/release.sh --dry-run validate 1.3.0to verify validate phase logicscripts/release.sh --dry-run publish 1.3.0to verify publish phase logicmake helpshows the new release targets