feat(tools): add verify_release.py to validate release assets + SHA256SUMS #19
Merged
…6SUMS

Both SDKs download platform bundles from a GitHub Release and verify them against SHA256SUMS, but nothing checked that a published release is internally consistent — a missing asset or a checksum mismatch only surfaced when a user's pip/npm install failed.

Add tools/verify_release.py <tag> (stdlib only):
- Fetches the release via the GitHub API (GITHUB_TOKEN raises the rate limit; a missing tag exits non-zero with a clear message).
- Asserts every required platform asset is present and named exactly as the SDK tables expect. The expected names are imported from the Python SDK's _ASSETS, and the Node ASSETS table is parsed and checked to agree, so the two installers can't drift. linux-x64 is required today; win-x64 and mac-* are verified only once published.
- Parses SHA256SUMS and verifies each listed hash against the asset: by default against the asset's API digest plus a size/state sanity check, and with --full by downloading and re-hashing each asset. Flags an asset with no checksum entry and a SHA256SUMS line naming no real asset.
- Exits non-zero with a per-check report on any problem.

Add tools/tests/test_verify_release.py: evaluate() is pure (release dict + SHA256SUMS body in, Report out), so every failure mode — missing required asset, missing SHA256SUMS, wrong hash, orphan checksum line, failed sanity, --full re-hash mismatch, mismatched SDK tables — is covered offline. Picked up by the existing pytest tools/tests CI step.

Add a release-triggered workflow (.github/workflows/verify-release.yml, also workflow_dispatch) so a broken release fails loudly, and document the tool in CONTRIBUTING.md.

Verified against the current v151.0.7908.0 (passes; correctly skips the unpublished mac assets) and on a nonexistent tag (exits non-zero).

Closes tiliondev#14
Summary

Both SDKs download platform bundles from a GitHub Release and verify them against SHA256SUMS (sdk/python/tilion_fortress/__init__.py, sdk/node/index.js), but nothing checked that a published release is internally consistent. A missing asset or a checksum mismatch only surfaced when a user's pip/npm install failed. This adds a checker that turns that into a loud, early failure.

tools/verify_release.py <tag> (stdlib only)
- GITHUB_TOKEN raises the rate limit; a missing tag exits non-zero with a clear message.
- _ASSETS, and the Node ASSETS table is parsed and checked to agree — so the two installers can't drift. linux-x64 is required today; win-x64/mac-* are verified only once published.
- SHA256SUMS and checks each hash against the asset — by default against the asset's API digest plus a size/state sanity check, and with --full by downloading and re-hashing each asset. Also flags an asset with no checksum entry and a SHA256SUMS line that names no real asset.

Tests — tools/tests/test_verify_release.py
evaluate() is pure (release dict + SHA256SUMS body in, Report out), so every failure mode is covered offline: missing required asset, missing SHA256SUMS, wrong hash (API digest), asset with no checksum line, orphan checksum line, failed size/state sanity, --full re-hash match and mismatch, and mismatched SDK tables. Picked up automatically by the existing pytest tools/tests CI step.

CI — .github/workflows/verify-release.yml
Runs the checker when a release is published (and via workflow_dispatch against any tag), so a broken release fails loudly.

Docs
Documented in CONTRIBUTING.md.

Verification
Run against the live release and a bad tag:
pytest tools/tests -q → 27 passed (14 existing + 13 new).

Closes #14
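As an added illustration of the pure, offline-testable check that both the commit message and the description above describe (example code written for this page, not the PR's own tools/verify_release.py): it parses a SHA256SUMS body, compares each entry with the asset's API digest after a size/state sanity check, and reports missing required assets, assets with no checksum line, orphan lines and, for --full mode, a re-hash of downloaded bytes. The REQUIRED/OPTIONAL tables, the placeholder file names and the release-JSON field names (name, size, state, digest) are assumptions.

```python
import hashlib
import re
# Assumed asset tables modelled on the SDK's _ASSETS; the file names are placeholders.
REQUIRED = {"linux-x64": "fortress-linux-x64.tar.gz"}
OPTIONAL = {"win-x64": "fortress-win-x64.zip", "mac-arm64": "fortress-mac-arm64.tar.gz"}
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)\s*$")  # "<hex>  <name>" or "<hex> *<name>"


def parse_sha256sums(body):
    """Return ({name: lowercase hex}, [malformed lines]); blank lines are ignored."""
    sums, bad = {}, []
    for line in body.splitlines():
        if not line.strip():
            continue
        m = SUMS_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
        else:
            bad.append(line)
    return sums, bad


def evaluate(release, body):
    """Pure check: release JSON (assets with name/size/state/digest) + SHA256SUMS text -> (problems, skipped)."""
    problems, skipped = [], []
    assets = {a["name"]: a for a in release.get("assets", [])}
    problems += [f"missing required asset {n} ({p})" for p, n in REQUIRED.items() if n not in assets]
    skipped += [f"{p} not published yet ({n})" for p, n in OPTIONAL.items() if n not in assets]
    if body is None:  # the release carries no SHA256SUMS asset at all
        return problems + ["release has no SHA256SUMS asset"], skipped
    sums, bad = parse_sha256sums(body)
    problems += [f"malformed SHA256SUMS line: {ln!r}" for ln in bad]
    problems += [f"SHA256SUMS names no real asset: {n}" for n in sums if n not in assets]
    for name, a in assets.items():
        if name == "SHA256SUMS":  # the checksum file does not list itself
            continue
        if name not in sums:
            problems.append(f"asset has no checksum entry: {name}")
            continue
        if a.get("state") != "uploaded" or not a.get("size"):  # size/state sanity check
            problems.append(f"sanity failed for {name}: state={a.get('state')} size={a.get('size')}")
        api = str(a.get("digest") or "").removeprefix("sha256:").lower()  # API digest, "sha256:<hex>"
        if api != sums[name]:
            problems.append(f"hash mismatch for {name}: SHA256SUMS={sums[name][:16]}.. api={api[:16]}..")
    return problems, skipped


def rehash_matches(data, expected_hex):
    """--full mode: re-hash the downloaded bytes instead of trusting the API digest."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()
```

Running evaluate() on a constructed release dict with a correct SHA256SUMS returns an empty problem list and two skipped unpublished platforms; swapping a digit in the checksum line yields exactly one "hash mismatch" problem.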