Skip to content

Build: Verify release using dist repo tarball #5719

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Build: Verify release using dist repo tarball #5719

wants to merge 5 commits into from

Conversation

@timmywil
Copy link
Member

@timmywil timmywil commented Nov 1, 2025
edited
Loading

Summary

  • Builds the tarball using the dist repo after running npm run release:dist from the build.
  • Pulls the blog URL from the dist repo README
  • Update the default Node in workflows to 24.x, which is now in LTS
  • Ensure all commits and tags are signed. This change was prompted when I noticed the tag on jquery/jquery for 4.0.0-rc.1 was not signed. We were already signing the tag for jquery-dist, and the team signs commits with global git config, but release-it does not sign tags by default.
  • If the tag does not yet exist in the dist repo (which can happen as a race condition during the release), it falls back to cloning the main branch. That should still work.

Fixes gh-5693

Checklist

@timmywil timmywil requested a review from mgol November 1, 2025 16:18
@timmywil timmywil changed the title Build: verify release using dist repo tarball Build: Verify release using dist repo tarball Nov 1, 2025
@timmywil
Copy link
Member Author

timmywil commented Nov 1, 2025

Ran reproducible builds workflow to test: https://github.com/jquery/jquery/actions/runs/19000703415/job/54267017128

No changes were needed on the 4.0.0-rc.1 tag itself, only with the script used to verify.

@timmywil
Release: Verify release using dist repo tarball
79662f7 
- get the blog URL from the dist repo README and use that to run
  release:dist
@timmywil
Release: explicitly sign all commits and tags
c6866c3
@timmywil timmywil mentioned this pull request Nov 1, 2025
Open
2 tasks
timmywil
timmywil commented Nov 2, 2025
View reviewed changes
mgol
mgol previously approved these changes Nov 7, 2025
View reviewed changes
Copy link
Member

@mgol mgol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't tested it (I assume you have), but code changes look good to me!

@mgol mgol added this to the 4.0.0 milestone Nov 7, 2025
@mgol mgol added the Build label Nov 7, 2025
@timmywil
Copy link
Member Author

timmywil commented Nov 10, 2025

@mgol I realized there could be a race condition. Because the dist tag is pushed after the main repo tag, it could run the workflow before the dist tag exists. I made it so it falls back to cloning the main branch. This should make it so verify works during a release whether the tag is there or not, but still support verifying previous releases (>= 4.0.0-rc.1).

@timmywil timmywil requested a review from mgol November 10, 2025 16:55
@mgol mgol dismissed their stale review November 10, 2025 17:55

More changes are coming so I'll dismiss my review for now.

mgol
mgol approved these changes Nov 12, 2025
View reviewed changes
Copy link
Member

@mgol mgol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mgol mgol mgol approved these changes

Assignees

No one assigned

Labels

Build

Milestone

4.0.0

Development

Successfully merging this pull request may close these issues.

Fix release verification

2 participants

@timmywil @mgol