
feat(tools): add verify_release.py to validate release assets + SHA256SUMS#19

Merged
abtonmoy merged 1 commit into tiliondev:main from abtonmoy:feat/verify-release on Jul 4, 2026

Conversation

@abtonmoy abtonmoy commented Jul 4, 2026

Member

Summary

Both SDKs download platform bundles from a GitHub Release and verify them against SHA256SUMS (sdk/python/tilion_fortress/__init__.py, sdk/node/index.js), but nothing checked that a published release is internally consistent. A missing asset or a checksum mismatch only surfaced when a user's pip/npm install failed. This adds a checker that turns that into a loud, early failure.

tools/verify_release.py <tag> (stdlib only)

  • Fetches the release via the GitHub API. GITHUB_TOKEN raises the rate limit; a missing tag exits non-zero with a clear message.
  • Asserts every required asset is present and named exactly as the SDK tables expect. Expected names are imported from the Python SDK's _ASSETS, and the Node ASSETS table is parsed and checked to agree — so the two installers can't drift. linux-x64 is required today; win-x64 / mac-* are verified only once published.
  • Verifies checksums. Parses SHA256SUMS and checks each hash against the asset — by default against the asset's API digest plus a size/state sanity check, and with --full by downloading and re-hashing each asset. Also flags an asset with no checksum entry and a SHA256SUMS line that names no real asset.
  • Exits non-zero with a per-check report on any problem.

Tests — tools/tests/test_verify_release.py

evaluate() is pure (release dict + SHA256SUMS body in, Report out), so every failure mode is covered offline: missing required asset, missing SHA256SUMS, wrong hash (API digest), asset with no checksum line, orphan checksum line, failed size/state sanity, --full re-hash match and mismatch, and mismatched SDK tables. Picked up automatically by the existing pytest tools/tests CI step.

CI — .github/workflows/verify-release.yml

Runs the checker when a release is published (and via workflow_dispatch against any tag), so a broken release fails loudly.

Docs

Documented in CONTRIBUTING.md.

Verification

Run against the live release and a bad tag:

$ python tools/verify_release.py v151.0.7908.0
  [PASS] SDK asset tables agree (python == node)
  [PASS] SHA256SUMS present
  [PASS] asset present / sane / checksummed / sha256 (API digest): tilion-fortress-linux-x64.tar.gz
  [SKIP] asset present: tilion-fortress-mac-arm64.tar.gz - optional mac-arm64 asset not published yet
  [SKIP] asset present: tilion-fortress-mac-x64.tar.gz - optional mac-x64 asset not published yet
  [PASS] asset present / sane / checksummed / sha256 (API digest): tilion-fortress-win-x64.zip
  [PASS] no orphan SHA256SUMS entries
OK: release v151.0.7908.0 is consistent

$ python tools/verify_release.py v0.0.0-does-not-exist ; echo $?
error: release v0.0.0-does-not-exist not found in tiliondev/fortress
1

pytest tools/tests -q → 27 passed (14 existing + 13 new).

Closes #14

…6SUMS

Both SDKs download platform bundles from a GitHub Release and verify them
against SHA256SUMS, but nothing checked that a published release is
internally consistent — a missing asset or a checksum mismatch only
surfaced when a user's pip/npm install failed.

Add tools/verify_release.py <tag> (stdlib only):

- Fetches the release via the GitHub API (GITHUB_TOKEN raises the rate
  limit; a missing tag exits non-zero with a clear message).
- Asserts every required platform asset is present and named exactly as
  the SDK tables expect. The expected names are imported from the Python
  SDK's _ASSETS, and the Node ASSETS table is parsed and checked to agree,
  so the two installers can't drift. linux-x64 is required today; win-x64
  and mac-* are verified only once published.
- Parses SHA256SUMS and verifies each listed hash against the asset: by
  default against the asset's API digest plus a size/state sanity check,
  and with --full by downloading and re-hashing each asset. Flags an asset
  with no checksum entry and a SHA256SUMS line naming no real asset.
- Exits non-zero with a per-check report on any problem.

Add tools/tests/test_verify_release.py: evaluate() is pure (release dict +
SHA256SUMS body in, Report out), so every failure mode — missing required
asset, missing SHA256SUMS, wrong hash, orphan checksum line, failed sanity,
--full re-hash mismatch, mismatched SDK tables — is covered offline. Picked
up by the existing pytest tools/tests CI step.

Add a release-triggered workflow (.github/workflows/verify-release.yml,
also workflow_dispatch) so a broken release fails loudly, and document the
tool in CONTRIBUTING.md.

Verified against the current v151.0.7908.0 (passes; correctly skips the
unpublished mac assets) and on a nonexistent tag (exits non-zero).

Closes tiliondev#14
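The pure evaluate() that the PR summary and the commit message above describe, written out as an added example (this is not the project's tools/verify_release.py). It assumes a constructed asset table, a release dict in the shape of the GitHub API response with an asset `digest` of the form `sha256:<hex>`, and that passing `fetch(name) -> bytes` stands in for `--full`:

```python
import hashlib
# Assumed asset table (constructed for this example): name -> required?
# linux-x64 is required; win-x64 / mac-* are skipped until they are published.
ASSETS = {
    "tilion-fortress-linux-x64.tar.gz": True,
    "tilion-fortress-win-x64.zip": False,
    "tilion-fortress-mac-arm64.tar.gz": False,
}
class Report:
    """Per-check PASS/SKIP/FAIL lines; ok flips to False on any FAIL."""
    def __init__(self):
        self.lines, self.ok = [], True
    def add(self, status, msg):
        self.lines.append(f"[{status}] {msg}")
        self.ok = self.ok and status != "FAIL"

def parse_sha256sums(body: str) -> dict:
    """Parse sha256sum-style '<hex>  <name>' lines into {name: hex}."""
    sums = {}
    for parts in (line.split() for line in body.splitlines()):
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums

def evaluate(release: dict, sums_body, fetch=None) -> Report:
    """Pure check: release dict (assets[].name/size/state/digest, digest assumed to be
    'sha256:<hex>') + SHA256SUMS text in, Report out. fetch(name)->bytes is --full mode:
    the asset is re-hashed instead of trusting the API digest."""
    rep = Report()
    if sums_body is None:
        rep.add("FAIL", "SHA256SUMS present")
        return rep
    assets = {a["name"]: a for a in release.get("assets", [])}
    sums = parse_sha256sums(sums_body)
    for name, required in ASSETS.items():
        a = assets.get(name)
        if a is None:
            rep.add("FAIL" if required else "SKIP", f"asset present: {name}")
        elif a.get("state") != "uploaded" or a.get("size", 0) <= 0:
            rep.add("FAIL", f"asset sane (size/state): {name}")
        elif name not in sums:
            rep.add("FAIL", f"asset checksummed: {name}")
        else:
            got = (hashlib.sha256(fetch(name)).hexdigest() if fetch
                   else a.get("digest", "").removeprefix("sha256:"))
            rep.add("PASS" if got.lower() == sums[name] else "FAIL", f"sha256: {name}")
    orphans = sorted(set(sums) - set(assets))  # SHA256SUMS lines naming no real asset
    rep.add("FAIL" if orphans else "PASS", f"no orphan SHA256SUMS entries {orphans}")
    return rep
```

Because nothing in evaluate() touches the network, every failure mode (missing required asset, missing SHA256SUMS, wrong digest, orphan line, bad size/state, --full mismatch) can be exercised with a hand-built release dict.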
@abtonmoy abtonmoy merged commit 591beab into tiliondev:main Jul 4, 2026
5 checks passed