swappy/script/sign-post-release

#!/bin/bash

set -e

declare -r git_root=$(git rev-parse --show-toplevel)
declare -r app_name="swappy"
declare -r release_folder="$git_root/release"

declare version=""

die() {
  echo "$*" 1>&2
  exit 1
}

init() {
  command -v gh >/dev/null 2>&1 || { echo >&2 "github cli tool required: pacman -S github-cli"; exit 1; }

  mkdir -p $release_folder
}

get_release_version() {
  version=$(git describe | sed 's/^v//')
  echo "found latest version: $version"
}

build_archives_from_source() {
  echo "building source archives..."
  cd $git_root
  git archive -o "$release_folder/local-$app_name-$version.tar.gz" --format tar.gz --prefix "$app_name-$version/" "v$version"
}


download_source_for_release() {
  echo "downloading source assets..."
  cd $release_folder
  curl --location --output github-$app_name-$version.tar.gz https://github.com/jtheoof/$app_name/archive/v$version.tar.gz
}

verify_sha256_checksums() {
  echo "verifying signatures..."
  cd $release_folder
  sha256sum local-$app_name-$version.tar.gz | awk '{ print $1 }' > local-$app_name-$version.tar.gz.sha256

  # sha256sum --check will exit if the checksums do not match
  echo "$(cat local-$app_name-$version.tar.gz.sha256) github-$app_name-$version.tar.gz" | sha256sum --check
}

sign_release_source() {
  echo "signing source assets..."
  cd $release_folder
  gpg --output $app_name-$version.tar.gz.sig --detach-sign github-$app_name-$version.tar.gz
}

upload_signed_assets_to_release() {
  echo "uploading signatures to github release..."
  cd $release_folder
  gh release upload v$version $app_name-$version.tar.gz.sig  --clobber
}


main() {
  init
  get_release_version

  if [ -z "$version" ]
  then
    die "version not found, is the git tag valid?"  
  fi

  build_archives_from_source
  download_source_for_release
  verify_sha256_checksums
  sign_release_source
  upload_signed_assets_to_release
}

main "$@"