Add release artifact verification step #1066
Merged
Pull request overview
Adds a post-GoReleaser verification guardrail to ensure GitHub Releases actually contain the expected porchctl/blueprint artifacts and that downloaded artifacts match checksums.txt, failing the release workflow when assets are missing or invalid.
Changes:
- Added scripts/verify-release-artifacts.sh to list expected release assets, download them, and validate SHA256 checksums.
- Wired the verification script into .github/workflows/release.yaml to run after the GoReleaser step.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| scripts/verify-release-artifacts.sh | New script to validate release asset presence and checksum correctness. |
| .github/workflows/release.yaml | Adds a “Verify release artifacts” step after GoReleaser. |
Contributor
Can you have a look at the GitHub comments?
Add a post-goreleaser step that verifies all expected artifacts are published to the GitHub release and validates their checksums. This catches silent goreleaser failures that previously resulted in empty release pages.
The verification script:
- Checks all expected assets are present (porchctl binaries, blueprint, checksums.txt)
- Downloads artifacts and validates SHA256 checksums
- Supports retry logic for release propagation delays
- Works on both Linux (CI) and macOS (local dev)
Signed-off-by: Fiachra Corcoran <fiachra.corcoran@est.tech>

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Fiachra Corcoran <fiachra.corcoran@est.tech>

- Stop suppressing stderr in gh retry loop so auth/API errors are visible
- Fail on missing files in checksums.txt instead of skipping
- Verify all expected assets have entries in checksums.txt
Signed-off-by: Fiachra Corcoran <fiachra.corcoran@est.tech>

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Fiachra Corcoran <fiachra.corcoran@est.tech>

- Fix requirements comment to reference GH_TOKEN (matches workflow)
- Stop capturing stderr into ASSETS variable (let it pass through)
- Let checksums.txt download fail fast instead of suppressing errors
- Use portable mktemp template for macOS compatibility
Signed-off-by: Fiachra Corcoran <fiachra.corcoran@est.tech>

Signed-off-by: Fiachra Corcoran <fiachra.corcoran@est.tech>

Signed-off-by: Fiachra Corcoran <fiachra.corcoran@est.tech>
mozesl-nokia
approved these changes
Jun 24, 2026
liamfallon
approved these changes
Jun 24, 2026
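
The two checksum rules named in the commit messages above (every expected asset must have an entry in checksums.txt, and a listed file that is missing is a failure rather than a skip), as an added example that is not the PR's scripts/verify-release-artifacts.sh. It checks an already-downloaded directory and assumes the `<sha256>  <filename>` line format; the function names and asset names are hypothetical.

```shell
# Added example: offline verification of downloaded release assets against
# a checksums.txt with "<sha256>  <filename>" lines (assumed format).
# Function names and the asset names in demo() are hypothetical.

# Portable SHA-256: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_assets DIR ASSET...
# Returns 0 only if every expected asset is listed in DIR/checksums.txt,
# exists in DIR, and hashes to the listed value. Reports every failure.
verify_assets() {
  local dir="$1"; shift
  local sums="$dir/checksums.txt" failed=0 asset want got
  [ -f "$sums" ] || { echo "ERROR: checksums.txt missing" >&2; return 1; }
  for asset in "$@"; do
    # Exact match on the filename field: a substring grep would let
    # "tool.tar.gz.sig" satisfy a lookup for "tool.tar.gz".
    want=$(awk -v f="$asset" '$2 == f {print $1; exit}' "$sums")
    if [ -z "$want" ]; then
      echo "ERROR: $asset has no entry in checksums.txt" >&2; failed=1; continue
    fi
    if [ ! -f "$dir/$asset" ]; then
      echo "ERROR: $asset is listed but was not downloaded" >&2; failed=1; continue
    fi
    got=$(sha256_of "$dir/$asset")
    if [ "$got" != "$want" ]; then
      echo "ERROR: $asset checksum mismatch" >&2; failed=1
    fi
  done
  return "$failed"
}

# Constructed demo: one valid asset, one asset absent from checksums.txt.
demo() {
  local d rc=0
  d=$(mktemp -d)
  printf 'constructed-bytes' > "$d/tool_linux_amd64.tar.gz"
  printf 'unlisted' > "$d/tool_darwin_arm64.tar.gz"
  printf '%s  %s\n' "$(sha256_of "$d/tool_linux_amd64.tar.gz")" \
    tool_linux_amd64.tar.gz > "$d/checksums.txt"
  verify_assets "$d" tool_linux_amd64.tar.gz tool_darwin_arm64.tar.gz || rc=$?
  rm -rf "$d"; return "$rc"
}
```

Iterating over the expected list instead of over the lines of checksums.txt is what makes a release that is missing an asset in both places fail.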



Description
scripts/verify-release-artifacts.sh gh, checks all expected artifacts are present, downloads them, and validates SHA256 checksums against checksums.txt. Fails the workflow on any missing artifact or checksum mismatch.
Type of Change
Checklist
Testing Instructions (Optional)
./scripts/verify-release-artifacts.sh v1.5.11
workflow_dispatch on a test tag to validate end-to-end
Additional Notes (Optional)
AI Disclosure
If so, please describe how: