-
-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
More automated release fixes #10621
More automated release fixes #10621
Conversation
Thanks for making a pull request to JupyterLab! To try out this branch on binder, follow this link: |
Hooray cryptographic assurance! Indeed, generating a |
Jupyter Releaser adds those for us ;). |
Hm, that's mighty... fancy. And not a file that one can go look at in the release outputs, much less reproduce with bog-standard tooling. |
Are you saying that you also want those hashes in a file somewhere? The nice thing about having them in the git history is that is the one immutable place to put them that ties them back to a source. In other words, I have relatively high confidence that the git history is authentic, and since the release hash is in the git history, I have relatively high confidence that the tgz on my disk that has that hash is identical to what was originally generated. Of course, we could equivalently have a directory of release hash files in the git repo. Is that what you are suggesting? |
We can backport this to 3.1.x, but I won't do any more automated 3.1.x releases until we have made a couple 4.0 alpha releases using releaser. |
I think we could have a releases directory in the repo, and in it are files named by release that contain the hashes. So for example, |
@meeseeksdev please backport to 3.1.x |
Co-authored-by: Steven Silvester <[email protected]>
References
Follow up to #10614
Code changes
Use the already-packaged files from the
npm build
phase to publish toverdaccio
, to ensure that theshasum
of the package is the same as the one that gets published tonpm
in thepublish
workflow. The rc0 release broke because the packages that were published toverdaccio
had agitHead
field in theirpackage.json
(added bylerna
) while the ones published tonpm
did not, causingyarn
to reject them based on checksum.User-facing changes
None
Backwards-incompatible changes
None