
Update Release notes to use verification scripts#311

Open
jonnybot0 wants to merge 1 commit into apache:master from jonnybot0:update-release-notes

Conversation

@jonnybot0
Contributor

This adds a port of the release verification scripts that @cbmarcum created for Groovy (see https://lists.apache.org/thread/684b33z83fmycgm3sl2k4lh2dn668pf7) to Geb and updates the RELEASING.md files to match their use.

I have tested out the verification script (verify.sh) against the 8.0.1 release (see https://dist.apache.org/repos/dist/release/groovy/geb/8.0.1/) with this command: etc/bin/verify.sh release 8.0.1. I haven't rigorously tested fail states, though I can attest that the scripts do fail for non-existent releases in dev & release.

Part of the motivation here is to demonstrate to the ASF that we have a process for verifying releases as well as reproducible builds. With that, we should be able to setup a more automated release process, similar to what Grails has.

I would love for someone to test out the changes to the RELEASING.md docs in particular. I realize you may have to do a "dry run" of some of the steps, since you won't be running against a real release, but some validation that the new steps make sense to someone who isn't me would be appreciated. :)


Copilot AI left a comment


Pull request overview

Adds end-to-end release verification tooling under etc/bin/ and updates the release documentation to use these scripts, aiming to strengthen ASF release verification and reproducible-build evidence for Geb.

Changes:

  • Introduces bash scripts to download and verify release artifacts (checksums, GPG sigs, required files) and run RAT.
  • Adds a script to test build reproducibility by rebuilding jars twice and diffing SHA-256s.
  • Updates RELEASING.md to document the new verification steps and git-ignores reproducible build results.

Reviewed changes

Copilot reviewed 1 out of 6 changed files in this pull request and generated 1 comment.

Summary per file:

  • etc/bin/verify.sh: Orchestrates KEYS download, artifact download, source verification, and RAT run.
  • etc/bin/download-release-artifacts.sh: Downloads source zip + signature + checksum files from ASF dist.
  • etc/bin/verify-source-distribution.sh: Verifies SHA-256 + GPG signature, unzips, checks required files.
  • etc/bin/test-reproducible-builds.sh: Performs two clean jar builds and compares checksums, preserving diffs.
  • RELEASING.md: Documents using the new verification scripts during staging/vote.
  • .gitignore: Ignores etc/bin/results output from reproducible-build testing.
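As an added example (not code from this PR or from the Geb project's etc/bin scripts), the checks the summary above describes as reusable shell functions: portable SHA-256 comparison against a published checksum file, detached GPG signature verification against a KEYS file, a required-files check on the extracted source, and the twice-built jar comparison used for reproducibility. The checksum-file format ("<hex>" or "<hex>  <file>"), the required-file list and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the PR's etc/bin scripts: the checks an ASF source-release
# verifier performs, as functions to source or copy. Assumed: a checksum file
# holds "<hex>" or "<hex>  <file>", and LICENSE and NOTICE are the required files.
set -eu

# Portable SHA-256 (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}
# verify_sha256 <artifact> <artifact.sha256>: 0 only if the published hash matches.
verify_sha256() {
  local expected actual
  expected=$(awk 'NR==1{print tolower($1)}' "$2")   # first field, any case
  actual=$(sha256_of "$1")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}
# verify_gpg <artifact> <artifact.asc> <KEYS>: check the detached signature using the
# project KEYS file imported into a throwaway keyring. gpg still exits 0 for an
# untrusted key, so also match the printed fingerprint against the announced RM key.
verify_gpg() {
  local ring; ring=$(mktemp -d)
  gpg --homedir "$ring" --batch --import "$3"
  gpg --homedir "$ring" --batch --verify "$2" "$1"
}

# check_required_files <extracted-dir>: 0 only if every required file is present.
check_required_files() {
  local f missing=0
  for f in LICENSE NOTICE; do
    [ -f "$1/$f" ] || { echo "missing required file: $f" >&2; missing=1; }
  done
  return "$missing"
}

# compare_builds <build1-dir> <build2-dir>: reproducibility check; prints each jar
# whose SHA-256 differs (or is absent) between two clean builds, 0 only if none do.
compare_builds() {
  local list jar rel diffs=0
  set -- "${1%/}" "${2%/}"
  list=$(mktemp); find "$1" -name '*.jar' | sort > "$list"
  while IFS= read -r jar; do
    rel=${jar#"$1"/}
    if [ ! -f "$2/$rel" ] || [ "$(sha256_of "$jar")" != "$(sha256_of "$2/$rel")" ]; then
      echo "not reproducible: $rel"; diffs=1
    fi
  done < "$list"
  rm -f "$list"; return "$diffs"
}
```

Source the file and call the functions on the downloaded artifacts, e.g. `verify_sha256 geb-src.zip geb-src.zip.sha256 && verify_gpg geb-src.zip geb-src.zip.asc KEYS`; compare_builds takes the two jar output directories produced by consecutive clean builds.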


@cbmarcum cbmarcum self-requested a review March 14, 2026 17:24
@cbmarcum
Contributor

cbmarcum commented Mar 14, 2026

Hi @jonnybot0, thanks for your work on this! The scripts look good to me. I like all the comments you've added.
My only question is on the README.md step 15. The copilot review is assuming you are describing what the reproducible test script is doing and I thought you might mean the staging repository.

Also, does the success output of verify.sh steps 2 and 3 coincide with this step 15?

Next steps for manual verification:
  1. Review the extracted source
  2. Run the reproducible build test:
       /Users/carl/dev-git/groovy-geb/etc/bin/test-reproducible-builds.sh
  3. Build the project from the extracted source and compare jar checksums

The build and tests failed due to groovy-lang.org being down. I reran them and all is good.

Co-Authored-By: Carl Marcum <cmarcum@apache.org>
@jonnybot0 jonnybot0 force-pushed the update-release-notes branch from 5684ff9 to e0a261d on March 17, 2026 13:21
@jonnybot0
Contributor Author

Hey, @cbmarcum - thanks for your review. To answer these questions:

> My only question is on the README.md step 15. The copilot review is assuming you are describing what the reproducible test script is doing and I thought you might mean the staging repository.
>
> Also, does the success output of verify.sh steps 2 and 3 coincide with this step 15?
>
> Next steps for manual verification:
>   1. Review the extracted source
>   2. Run the reproducible build test:
>        /Users/carl/dev-git/groovy-geb/etc/bin/test-reproducible-builds.sh
>   3. Build the project from the extracted source and compare jar checksums

I've updated the README and the script comments to be a bit clearer on these two notes. You're right that the echoed tips in verify.sh correspond to step 15 in the RELEASING.md file.

Contributor

@cbmarcum cbmarcum left a comment


Looks good with the latest changes!
