Skip to content

Assorted release maintenance #1891

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jtobin wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Assorted release maintenance #1891

jtobin wants to merge 7 commits into from

Conversation

@jtobin
Copy link
Member

@jtobin jtobin commented Dec 2, 2025

Closes #1874, #1877.

See the individual commits for more details, but the TLDR version:

  • Adds installation checks (à la the existing GNU tar check) to scripts/release.sh for other required utilities.
  • Adjusts the CI release workflow to build with docker-release (see commentary in [feature]: unify release build methods #1877 for rationale).
  • Updates and modernizes the release docs (docs/release.md).
  • Makes scripts/verify-install.sh work on our official Docker images (i.e., going forward).

@jtobin jtobin requested review from Roasbeef and ffranr December 2, 2025 12:00
@gemini-code-assist
Copy link

gemini-code-assist bot commented Dec 2, 2025

Summary of Changes

Hello @jtobin, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on improving the reliability, security, and user experience of the project's release process. It introduces robust dependency checks in release scripts, enhances the verifiability of official Docker images by embedding necessary tools, and modernizes the release documentation to provide clearer guidance. These changes collectively streamline the release pipeline and empower users with better tools for verifying software integrity.

Highlights

  • Enhanced Release Script Robustness: Added comprehensive checks for essential utilities such as zip, shasum/sha256sum, GNU grep, and gtar within the release scripts. This prevents build failures due to missing dependencies and ensures a more reliable release process.
  • Improved Docker Image Verification: The official Docker images now include the verify-install.sh script and PGP keys. This enhancement allows users to directly verify the integrity of binaries within the container, bolstering trust and security in the distributed images.
  • Modernized Release Documentation: The docs/release.md file has undergone a significant overhaul. It now provides clearer, more concise, and up-to-date instructions for building, verifying, and attesting releases, with a stronger emphasis on Docker-based build processes.
  • CI Workflow Alignment: The Continuous Integration (CI) release workflow has been adjusted to consistently utilize docker-release, ensuring that the automated build process mirrors the recommended manual build steps and maintains consistency.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/release.yaml
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Dec 2, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces several valuable improvements to the release process, including adding dependency checks to the release scripts and significantly updating the release documentation for better clarity. The changes make the release process more robust and user-friendly. However, I've identified a critical issue in scripts/release.sh where the new logic for handling checksum commands will cause the script to fail on certain systems due to incorrect variable quoting. I've provided detailed comments and suggestions to resolve this.

@jtobin jtobin force-pushed the release-maintenance branch from a25fc54 to 5728c95 Compare December 2, 2025 12:18
jtobin added 2 commits December 2, 2025 16:18
@jtobin
scripts: add utility installation checks
9d99820 
We rely on a few utilities in our release toolchain scripts that may
be missing in not-terribly-uncommon situations.

get-git-tag-name.sh implicitly requires GNU grep due to the use of
Perl-compatible regular expressions (-P, in particular due to the \K
assertion, which has no extended regexp equivalent in BSD grep). We now
check that the user is running the required grep variant.

zip(1) commonly, and Perl somewhat less commonly, may be missing on
Linux, so checks are added to scripts/release.sh to confirm their
presence as well. If shasum is not present, we check for coreutils and,
if it's available, swap in sha256sum instead.
@jtobin
.github: use docker build in release workflow
81f787a 
The release workflow previously called 'make release' to produce the
release artifacts. This commit changes the workflow to first build our
helper Docker image and then use it to produce the release artifacts,
ensuring they're constructed in a consistent environment that can be
easily reproduced outside of CI.

Building the Docker image here adds on perhaps 2-3 minutes to the
workflow, but release workflows are performed very infrequently (only
on a v* tag push) . Note also that this eliminates a location where Go
toolchain version state needs to be tracked.
@jtobin jtobin self-assigned this Dec 2, 2025
@jtobin jtobin linked an issue Dec 2, 2025 that may be closed by this pull request
[feature]: unify release build methods #1877
Open
@coveralls
Copy link

coveralls commented Dec 2, 2025
edited
Loading

Pull Request Test Coverage Report for Build 20024021332

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 367 unchanged lines in 12 files lost coverage.
  • Overall coverage increased (+0.02%) to 56.63%
Files with Coverage Reduction New Missed Lines %
asset/group_key.go 2 72.15%
rfqmsg/records.go 2 70.8%
tapgarden/custodian.go 2 76.65%
itest/assertions.go 3 87.42%
tapchannel/aux_leaf_signer.go 3 43.53%
tapgarden/planter.go 3 80.3%
universe/archive.go 3 81.28%
tapgarden/caretaker.go 4 76.63%
tapdb/multiverse.go 6 80.16%
tapdb/universe.go 6 80.58%
Totals Coverage Status
Change from base Build 19823124678: 0.02%
Covered Lines: 64859
Relevant Lines: 114532
💛 - Coveralls

@jtobin jtobin force-pushed the release-maintenance branch from 5728c95 to f568e46 Compare December 3, 2025 06:09
jtobin added 3 commits December 3, 2025 10:10
@jtobin
docs/release: update copy
b920f60 
Modernizes the text of this document, primarily by:

* Recommending the use of 'make docker-release' for builds,
* Pointing at the 'Assets' section of GitHub releases, and
* Fleshing out the section on signing a manifest.
@jtobin
Dockerfile: copy keys and verify-install.sh
435df25 
These were missing from the constructed image, so a recommended
verification method in our docs didn't work. Now

  $ docker run --rm --entrypoint="" \
      "$IMAGE" /verify-install.sh "$TAG"

will run the verification script on the binaries in the image, as
expected.
@jtobin
build: pin base docker image by sha256 digest
f568e46 
Since 81f787a, this image is used
to build release artifacts, so pinning it by digest is good paranoia
practice.
@jtobin jtobin mentioned this pull request Dec 3, 2025
Closed
Roasbeef
Roasbeef reviewed Dec 3, 2025
View reviewed changes
docs/release.md
$ git clone https://github.com/lightninglabs/taproot-assets.git
$ cd taproot-assets
$ git checkout "$TAG"
$ make docker-release tag="$TAG"
Copy link
Member

@Roasbeef Roasbeef Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should be able to speed up the docker-release (at least on mac) using a similar technique as my recent PR to speed up linting.

docs/release.md
the desired archive(s) containing the release binaries from the
Taproot Assets [Releases page][ghrelease] on GitHub.

4. Recompute the SHA256 hash of each artifact with e.g. `shasum -a 256
Copy link
Member

@Roasbeef Roasbeef Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On the lnd side, we've recently started to use commands like this that wrap everything all into one:

wget https://dl.google.com/go/go1.24.9.linux-amd64.tar.gz

echo "5b7899591c2dd6e9da1809fde4a2fad842c45d3f6b9deb235ba82216e31e34a6  go1.24.9.linux-amd64.tar.gz" | sha256sum --check

jtobin added 2 commits December 8, 2025 13:58
@jtobin
make: remove -it flag from docker
6f8ad5e 
We don't need an interactive environment, so there's no need for this
flag.
@jtobin
make: fix docker warnings
653b6b7 
These fixes stop Docker from warning about the deprecated MAINTAINER
instruction and legacy key/value format.
@jtobin
Copy link
Member Author

jtobin commented Dec 8, 2025

I've since tested CI with the changes here and can confirm that everything works (no disk issues, etc.). A stripped-down log for the release workflow can be seen here, demonstrating that the image builds, and that the release artifacts are produced as expected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Roasbeef Roasbeef Roasbeef left review comments

@ffranr ffranr Awaiting requested review from ffranr

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

@jtobin jtobin

Labels

no-changelog

Projects

Taproot-Assets Project Board
Status: 🆕 New

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[feature]: unify release build methods [bug]: release verification differs between environments

3 participants

@jtobin @coveralls @Roasbeef