doc: use git-secure-tag for release tags #7603
@indutny does this work with subkeys?
@thealphanerd It supports
It does not support
Updated description, initial version was misleading. Sorry!
I liked the idea before seeing the docs. Now that I see it is literally a drop in replacement with just a few extra keystrokes thrown in and still spits out a signed git tag in the end, I think I like it even more :-)
Create a tag using the following command: | ||
|
||
``` | ||
$ git tag <vx.y.z> <commit-sha> -sm 'YYYY-MM-DD Node.js vx.y.z (Release Type) Release' | ||
$ git secure-tag <vx.y.z> <commit-sha> -s -m 'YYYY-MM-DD Node.js vx.y.z (Release Type) Release' |
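Review bot: the `git secure-tag` line is not followed, in the lines shown, by any step for checking the result. Since the point of the change is that the tree's SHA-512 root hash ends up in the tag annotation, suggest adding a sentence after the command telling the releaser to inspect the new tag and confirm the hash is present in the annotation before the tag is pushed.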
does `-sm` work (doesn't need to change here, just interested if my keystroke memory will still apply)
Yeah, it actually works. I'll change it back.
Pushed.
need to make sure we don't have any objectors in @nodejs/release lgtm
Emphatic LGTM on this.
Should we make a test release with it to ensure everything behaves as expected? Also, does this work properly with the verification in
Yes, tools/release.sh is just checking that the key is signed by you, not how it was signed or what it contains so it should be fine. Full releases are the only ones that we normally sign and manually promote, the rest just happen automatically. Perhaps this PR can hold off until the next release, whichever branch that is, to see how it goes.
@thealphanerd is going to do a v4 RC release. Does anyone have an objection to using git-secure-tag for it?
iirc we aren't tagging RC releases these days, only proper releases with a manual promotion, I have no objections to using this in the next v4 though as long as it's understood that if something comes up that causes this to hold up the release (whatever that might be!) then it can be dropped
Cool, thank you for the heads up!
@rvagg should we land this PR?
@indutny I think we were waiting to do a release with the tool first. looks like this PR needs a rebase
@thealphanerd we just did a release without a tool, and it is not clear how release team will learn about tool if we won't land this first :)
`git-secure-tag` recursively constructs an SHA-512 digest out of the git tree, and puts the hash from the tree's root into the tag annotation. This hash provides better integrity guarantees than the default SHA-1 merkle tree that git uses. Fix: nodejs#7579
that's fair. I was under the impression we were waiting for the LTS on this. @nodejs/release are we planning a v6 release for next week? Can we make the tag with this tool?
Rebased.
where did we land on this? :-)
We didn't, but I think we should.
@@ -216,10 +216,16 @@ Once you have produced builds that you're happy with, create a new tag. By waiti | |||
|
|||
Tag summaries have a predictable format, look at a recent tag to see, `git tag -v v6.0.0`. The message should look something like `2016-04-26 Node.js v6.0.0 (Current) Release`. | |||
|
|||
Install `git-secure-tag` npm module: | |||
|
|||
```sh |
Ack, thank you!
We have two LGTMs here, and general consensus. Going to land it in a bit if no objections will be mentioned.
SGTM!
LGTM
Landed in 0f3f76c, thank you everyone! cc @nodejs/release
`git-secure-tag` recursively constructs an SHA-512 digest out of the git tree, and puts the hash from the tree's root into the tag annotation. This hash provides better integrity guarantees than the default SHA-1 merkle tree that git uses. Fix: #7579 PR-URL: #7603 Reviewed-By: Rod Vagg <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Evan Lucas <[email protected]>
Post-land-LGTM -- I think this is a great addition.
@@ -216,10 +216,16 @@ Once you have produced builds that you're happy with, create a new tag. By waiti | |||
|
|||
Tag summaries have a predictable format, look at a recent tag to see, `git tag -v v6.0.0`. The message should look something like `2016-04-26 Node.js v6.0.0 (Current) Release`. | |||
|
|||
Install `git-secure-tag` npm module: | |||
|
|||
```console |
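Review bot: the unchanged context sentence "The message should look something like `2016-04-26 Node.js v6.0.0 (Current) Release`" is left as it was, but with `git-secure-tag` the tag annotation also carries the tree's SHA-512 root hash, so what `git tag -v` shows for new tags will no longer match that description exactly. Suggest extending that sentence to say the annotation additionally contains the hash, so releasers comparing against a recent tag are not surprised by the difference.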
use `sh` to keep consistent with others?
This is made in anticipation of other PR that will change the rest to `console`.
Whoops, looks like we forgot to close this when it landed.
Checklist
`make -j4 test` (UNIX), or `vcbuild test nosign` (Windows) passes

Affected core subsystem(s)
doc

Description of change
`git-secure-tag` recursively constructs an SHA-512 digest out of the git tree, and puts the hash from the tree's root into the tag annotation. This hash provides better integrity guarantees than the default SHA-1 merkle tree that git uses.

Fix: #7579
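The recursive construction named in the description, as an added Node.js sketch that is not `git-secure-tag`'s own code and does not reproduce its byte encoding: it hashes a constructed in-memory tree bottom-up with SHA-512 and checks a recorded root hash, the way a hash stored in a tag annotation would be checked. The entry encoding and the names `digestNode`, `rootDigestHex` and `verifyTree` are assumptions made for the illustration.

```javascript
'use strict';
const crypto = require('crypto');

// Constructed sample tree (not a real repository): objects are directories,
// Buffers are file contents.
const sampleTree = {
  'README.md': Buffer.from('# demo\n'),
  lib: {
    'index.js': Buffer.from('module.exports = 1;\n'),
    'util.js': Buffer.from('exports.noop = () => {};\n'),
  },
};

function sha512(...parts) {
  const h = crypto.createHash('sha512');
  for (const p of parts) h.update(p);
  return h.digest();
}

// Length-prefix each variable-length field so entry boundaries are unambiguous.
function field(text) {
  const body = Buffer.from(text);
  const len = Buffer.alloc(4);
  len.writeUInt32BE(body.length);
  return Buffer.concat([len, body]);
}

// Files hash their content; directories hash the name-sorted list of
// (type, name, child digest) entries. The root digest therefore commits to
// every path and every byte below it. Encoding is assumed, not the tool's.
function digestNode(node) {
  if (Buffer.isBuffer(node)) return sha512('blob\0', node);
  const entries = Object.keys(node).sort().map((name) => {
    const type = Buffer.isBuffer(node[name]) ? 'blob' : 'tree';
    return Buffer.concat([field(type), field(name), digestNode(node[name])]);
  });
  return sha512('tree\0', ...entries);
}

function rootDigestHex(tree) {
  return digestNode(tree).toString('hex');
}

// Recompute the root and compare it with the recorded hash in constant time.
function verifyTree(tree, recordedHex) {
  const actual = digestNode(tree);
  const recorded = Buffer.from(String(recordedHex), 'hex');
  return recorded.length === actual.length && crypto.timingSafeEqual(actual, recorded);
}
```

Changing one byte in any file, or renaming any entry, changes the root digest, which is what lets a single hash in a signed annotation cover the whole tree.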