diff --git a/scripts/ci/build.sh b/scripts/ci/build.sh
index 4bcfa560096017..3ece8257960bd0 100755
--- a/scripts/ci/build.sh
+++ b/scripts/ci/build.sh
@@ -33,10 +33,9 @@ if ! command -v gsutil &>/dev/null; then
 echo "See https://cloud.google.com/sdk/downloads for instructions."
 exit 1
 fi
-if ! command -v github-release &>/dev/null; then
- echo "Required tool 'github-release' not found. Download it from here:"
- echo "https://github.com/c4milo/github-release/releases"
- echo "Just extract the archive and put the binary on your PATH."
+if ! command -v gh &>/dev/null; then
+ echo "Required tool 'gh' (GitHub CLI) not found. Please install it:"
+ echo "See https://cli.github.com/ for instructions."
 exit 1
 fi
 if ! command -v debsign &>/dev/null; then
@@ -136,8 +135,8 @@ _Security_: All our binaries are signed with our
 '
 }
-# Deploy a github release using a third party tool:
-# https://github.com/c4milo/github-release
+# Deploy a github release using the official GitHub CLI (gh):
+# https://cli.github.com/
 # This methods expects the following arguments:
 # $1..$n files generated by package_build (should not contains the README file)
 # Please set GITHUB_TOKEN to talk to the Github API.
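Review bot: The header comment still ends with `# Please set GITHUB_TOKEN to talk to the Github API.`, which does not match what release_to_github does in the following hunk: the token is decrypted through gcloud KMS and handed to `gh` as `GH_TOKEN`. I would replace that line with `# The GitHub token is fetched from KMS and passed to gh as GH_TOKEN; callers need gsutil and gcloud credentials.` The stale hint matters because `gh` also reads `GITHUB_TOKEN` from the environment when `GH_TOKEN` is empty, so an operator who follows the old comment could end up publishing with a personal token.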
@@ -150,13 +149,55 @@ function release_to_github() {
 local release_branch=$(get_release_branch)
 if [ -n "${release_name}" ]; then
- local github_token="$(gsutil cat gs://bazel-trusted-encrypted-secrets/github-trusted-token.enc | \
+ local github_token
+ github_token="$(gsutil cat gs://bazel-trusted-encrypted-secrets/github-trusted-token.enc | \
 gcloud kms decrypt --project bazel-public --location global --keyring buildkite --key github-trusted-token --ciphertext-file - --plaintext-file -)"
- if [ -z "${rc}" ]; then
- GITHUB_TOKEN="${github_token}" github-release "bazelbuild/bazel" "${release_name}" "" "$(get_release_page)" "${artifact_dir}/*"
+
+ local latest_flag="true"
+ local prerelease_flag=""
+ local tag_to_deploy="${release_name}"
+
+ if [ -n "${rc}" ]; then
+ tag_to_deploy="${full_release_name}"
+ prerelease_flag="--prerelease"
+ latest_flag="false"
 else
- GITHUB_TOKEN="${github_token}" github-release -prerelease "bazelbuild/bazel" "${full_release_name}" "${release_branch}" "$(get_release_page)" "${artifact_dir}/*"
+ echo "+++ Checking if ${release_name} should be marked as Latest"
+ # Query the current GitHub "latest" release to compare versions.
+ local current_latest_tag
+ if current_latest_tag=$(GH_TOKEN="${github_token}" gh release view --repo "bazelbuild/bazel" --json tagName --jq .tagName 2>/dev/null); then
+ if [[ -n "${current_latest_tag}" ]]; then
+ local highest
+ highest=$(printf '%s\n%s' "${current_latest_tag}" "${release_name}" | sort -V | tail -n 1)
+ if [[ "${release_name}" != "${highest}" ]]; then
+ echo "+++ Version ${release_name} is older than ${current_latest_tag}. Will NOT mark as latest."
+ latest_flag="false"
+ fi
+ fi
+ else
+ echo "+++ Warning: Could not determine current latest release tag. Will NOT mark as latest to be safe."
+ latest_flag="false"
+ fi
 fi
+
+ # Use a subshell so that the EXIT trap for temp file cleanup does not
+ # affect the outer script's traps.
+ (
+ notes_file="$(mktemp)"
+ trap 'rm -f "$notes_file"' EXIT
+ get_release_page > "$notes_file"
+
+ echo "+++ Deploying to GitHub (Tag: ${tag_to_deploy}, Latest: ${latest_flag})"
+
+ GH_TOKEN="${github_token}" gh release create "${tag_to_deploy}" \
+ "${artifact_dir}"/* \
+ --repo "bazelbuild/bazel" \
+ --target "${release_branch}" \
+ --title "${tag_to_deploy}" \
+ --notes-file "$notes_file" \
+ ${prerelease_flag} \
+ --latest="${latest_flag}"
+ )
 fi
 }
@@ -457,4 +498,3 @@ function deploy_release() {
 cp "${artifact_dir}"/* "${gcs_working_dir}"
 release_to_gcs "${gcs_working_dir}"
 }
-
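Review bot: The decrypted token is never checked before it is used, at the `github_token="$(gsutil cat … | gcloud kms decrypt …)"` assignment in the `-150,13 +149,55` hunk. Splitting `local` from the assignment stops `local` from masking the pipeline's status, but nothing visible tests that status, and without `pipefail` a failed `gsutil cat` is hidden behind gcloud's exit code (the script's `set` options are outside this hunk). With an empty `GH_TOKEN`, `gh` may fall back to `GITHUB_TOKEN` or stored credentials and publish under a different identity, so I would add `[[ -n "${github_token}" ]] || { echo "Could not decrypt GitHub token" >&2; return 1; }` right after the assignment. Final releases now also pass `--target "${release_branch}"` where the removed call passed an empty commitish; if the tag is expected to exist already, adding `--verify-tag` would make `gh` abort instead of creating it from the branch tip. release_to_github starts before this hunk.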