24fd1e9bdc
The user's local node configuration directory usually contains a copy of examples/shell.nix. 1. Move the shell implementation from shell.nix to nix-bitcoin/helper/makeShell.nix Because the shell is no longer defined locally in the user's config directory, we can now ship new shell features via nix-bitcoin updates. 2. Simplify examples/nix-bitcoin-release.nix nix-bitcoin-release.nix, as generated via `fetch-release`, now contains a simple fetchTarball statement which can be directly imported. This allows us to get rid of the extra `nix-bitcoin-unpacked` derivation which adds a dependency on the user's local nixpkgs. To keep `fetch-release` as simple as possible for easy auditing, we just fetch and verify a `nar-hash.txt` file that is now uploaded via `push-release.sh`. A migration guide for updating the user's local `shell.nix` is automatically printed when the user starts a new shell after updating nix-bitcoin. This is achieved by throwing an error in `generate-secrets`, which is called on shell startup. This commit is required to deploy the new extensible `generate-secrets` mechanism introduced in the next commit.
92 lines
2.6 KiB
Bash
Executable File
92 lines
2.6 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
REPO=fort-nix/nix-bitcoin
|
|
BRANCH=master
|
|
OAUTH_TOKEN=
|
|
DRY_RUN=
|
|
TAG_NAME=
|
|
|
|
for arg in "$@"; do
|
|
case $arg in
|
|
--dry-run|-n)
|
|
DRY_RUN=1
|
|
;;
|
|
*)
|
|
TAG_NAME="$arg"
|
|
;;
|
|
esac
|
|
done
|
|
|
|
if [[ ! $TAG_NAME ]]; then
|
|
echo "$0 [--dry-run|-n] <tag_name>"
|
|
exit
|
|
fi
|
|
if [[ $DRY_RUN ]]; then
|
|
echo "Dry run"
|
|
else
|
|
OAUTH_TOKEN=$(pass show nix-bitcoin/github/oauth-token)
|
|
if [[ ! $OAUTH_TOKEN ]]; then
|
|
echo "Please set OAUTH_TOKEN variable"
|
|
fi
|
|
fi
|
|
|
|
RESPONSE=$(curl https://api.github.com/repos/$REPO/releases/latest 2> /dev/null)
|
|
echo "Latest release" $(echo $RESPONSE | jq -r '.tag_name' | tail -c +2)
|
|
|
|
if [[ ! $DRY_RUN ]]; then
|
|
while true; do
|
|
read -p "Create release $TAG_NAME? [yn] " yn
|
|
case $yn in
|
|
[Yy]* ) break;;
|
|
[Nn]* ) exit;;
|
|
* ) echo "Please answer y or n.";;
|
|
esac
|
|
done
|
|
fi
|
|
|
|
TMPDIR=$(mktemp -d)
|
|
if [[ ! $DRY_RUN ]]; then trap "rm -rf $TMPDIR" EXIT; fi
|
|
ARCHIVE_NAME=nix-bitcoin-$TAG_NAME.tar.gz
|
|
ARCHIVE=$TMPDIR/$ARCHIVE_NAME
|
|
|
|
# Need to be in the repositories root directory for archiving
|
|
(cd $(git rev-parse --show-toplevel); git archive --format=tar.gz -o $ARCHIVE $BRANCH)
|
|
|
|
SHA256SUMS=$TMPDIR/SHA256SUMS.txt
|
|
# Want to use relative path with sha256sums because it'll output the first
|
|
# argument
|
|
(cd $TMPDIR; sha256sum $ARCHIVE_NAME > $SHA256SUMS)
|
|
gpg -o $SHA256SUMS.asc -a --detach-sig $SHA256SUMS
|
|
|
|
cd $TMPDIR
|
|
nix hash to-sri --type sha256 $(nix-prefetch-url --unpack file://$ARCHIVE 2> /dev/null) > nar-hash.txt
|
|
gpg -o nar-hash.txt.asc -a --detach-sig nar-hash.txt
|
|
|
|
if [[ $DRY_RUN ]]; then
|
|
echo "Created v$TAG_NAME in $TMPDIR"
|
|
exit 0
|
|
fi
|
|
|
|
POST_DATA="{ \"tag_name\": \"v$TAG_NAME\", \"name\": \"nix-bitcoin-$TAG_NAME\", \"body\": \"nix-bitcoin-$TAG_NAME\", \"target_comitish\": \"$BRANCH\" }"
|
|
RESPONSE=$(curl -H "Authorization: token $OAUTH_TOKEN" -d "$POST_DATA" https://api.github.com/repos/$REPO/releases 2> /dev/null)
|
|
ID=$(echo $RESPONSE | jq -r '.id')
|
|
if [[ $ID == null ]]; then
|
|
echo "Failed to create release with $POST_DATA"
|
|
exit 1
|
|
fi
|
|
|
|
post_asset() {
|
|
GH_ASSET="https://uploads.github.com/repos/$REPO/releases/$ID/assets?name="
|
|
curl -H "Authorization: token $OAUTH_TOKEN" --data-binary "@$1" -H "Content-Type: application/octet-stream" \
|
|
$GH_ASSET/$(basename $1) &> /dev/null
|
|
}
|
|
post_asset nar-hash.txt
|
|
post_asset nar-hash.txt.asc
|
|
# Post additional assets for backwards compatibility.
|
|
# This allows older nix-bitcoin installations to upgrade via `fetch-release`.
|
|
post_asset $ARCHIVE
|
|
post_asset $SHA256SUMS
|
|
post_asset $SHA256SUMS.asc
|
|
echo "Successfully created" $(echo $POST_DATA | jq -r .tag_name)
|