letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add verify-release-ancestry.sh (#8268) 

And run it from the release workflow.
This commit is contained in:
Jacob Hoffman-Andrews 2025-06-23 17:22:47 -07:00 committed by GitHub
parent ddc4c8683b
commit cd02caea99
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/release.yml vendored
View File

@ -24,6 +24,10 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
persist-credentials: false persist-credentials: false
fetch-depth: '0' # Needed for verify-release-ancestry.sh to see origin/main
- name: Verify release ancestry
run: ./tools/verify-release-ancestry.sh "$GITHUB_SHA"
- name: Build .deb - name: Build .deb
id: build id: build

21
tools/verify-release-ancestry.sh Executable file
View File

@ -0,0 +1,21 @@
#!/usr/bin/env bash
#
# Usage: verify-release-ancestry.sh <commit hash>
#
# Exits zero if the provided commit is either an ancestor of main or equal to a
# hotfix branch (release-branch-*). Exits 1 otherwise.
#
set -u
if git merge-base --is-ancestor "$1" origin/main ; then
echo "'$1' is an ancestor of main"
exit 0
elif git for-each-ref --points-at="$1" "refs/remotes/origin/release-branch-*" | grep -q "^$1.commit.refs/remotes/origin/release-branch-" ; then
echo "'$1' is equal to the tip of a hotfix branch (release-branch-*)"
exit 0
else
echo
echo "Commit '$1' is neither an ancestor of main nor equal to a hotfix branch (release-branch-*)"
echo
exit 1
fi