We want the official tarballs to be made in a hermetic environment (i.e. not on a developer's workstation) and have a stable checksum, and GitHub releases alone would only give us the former as the automatic download links aren't guaranteed to be stable [1].
Thus, define a workflow that runs when a GitHub release is published, makes a tarball, an accompanying checksum file, and attaches both to that release as additional assets. This is also what GitHub recommends [1] if stability is desired.

Note that this YAML file needs to be on the branch we're releasing from, and we currently don't release from master, so the file doesn't have any effect there. Yet, we want to keep a "canonical" version of the file on master and only cherry-pick it (and any future changes) onto the stable branches. Plus, we may find a use for it on master in the future, too.

[1] https://github.blog/open-source/git/update-on-the-future-stability-of-source-code-archives-and-hashes/

Fixes: #2702

You can view, comment on, or merge this pull request online at:
https://github.com/rpm-software-management/rpm/pull/3576

-- Commit Summary --

* Generate release tarballs via GitHub Actions

-- File Changes --

A .github/workflows/release.yml (48)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/3576.patch
https://github.com/rpm-software-management/rpm/pull/3576.diff
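A minimal workflow of the shape the description above outlines, as an added example that is not the release.yml from this pull request. It assumes `git archive` as the tarball step and a hypothetical `project-<tag>` file name; the project's real build step and naming are not shown in this message.

```yaml
# Added example, not the project's .github/workflows/release.yml.
name: release-tarball

on:
  release:
    types: [published]        # runs once a release is published

permissions:
  contents: write             # only what is needed to attach release assets

jobs:
  tarball:
    runs-on: ubuntu-latest
    steps:
      # On a release event the default checkout ref is the release tag,
      # so HEAD below is the tagged commit.
      - uses: actions/checkout@v4

      - name: Build tarball and checksum file
        env:
          # Pass the tag through the environment rather than expanding it
          # inside the script text, so a crafted tag name is never parsed
          # as shell code.
          TAG: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail
          name="project-${TAG}"            # hypothetical naming scheme
          # Assumption: git archive stands in for the project's real dist step.
          # gzip -n omits the name and timestamp from the gzip header.
          git archive --format=tar --prefix="${name}/" HEAD | gzip -n > "${name}.tar.gz"
          sha256sum "${name}.tar.gz" > "${name}.tar.gz.sha256"
          # Check the checksum file against the tarball before publishing.
          sha256sum -c "${name}.tar.gz.sha256"

      - name: Attach both files to the release
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ github.event.release.tag_name }}
        run: |
          gh release upload "$TAG" "project-${TAG}.tar.gz" "project-${TAG}.tar.gz.sha256"
```

Because the uploaded asset is a stored file rather than an archive generated on request, its checksum stays fixed for as long as the asset is not replaced.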