electron/script/release/release.ts

#!/usr/bin/env node

import { BlobServiceClient } from '@azure/storage-blob';
import { Octokit } from '@octokit/rest';
import * as chalk from 'chalk';
import got from 'got';
import { gte } from 'semver';
import { track as trackTemp } from 'temp';

import { execSync, ExecSyncOptions } from 'node:child_process';
import { statSync, createReadStream, writeFileSync, close } from 'node:fs';
import { join } from 'node:path';

import { getUrlHash } from './get-url-hash';
import { createGitHubTokenStrategy } from './github-token';
import { ELECTRON_ORG, ELECTRON_REPO, ElectronReleaseRepo, NIGHTLY_REPO } from './types';
import { getElectronVersion } from '../lib/get-version';
import { ELECTRON_DIR } from '../lib/utils';

const temp = trackTemp();

const pass = chalk.green('✓');
const fail = chalk.red('✗');

const pkgVersion = `v${getElectronVersion()}`;

function getRepo (): ElectronReleaseRepo {
  return pkgVersion.indexOf('nightly') > 0 ? NIGHTLY_REPO : ELECTRON_REPO;
}

const targetRepo = getRepo();
let failureCount = 0;

const octokit = new Octokit({
  authStrategy: createGitHubTokenStrategy(targetRepo)
});

async function getDraftRelease (
  version?: string,
  skipValidation: boolean = false
) {
  const releaseInfo = await octokit.repos.listReleases({
    owner: ELECTRON_ORG,
    repo: targetRepo
  });

  const versionToCheck = version || pkgVersion;
  const drafts = releaseInfo.data.filter((release) => {
    return release.tag_name === versionToCheck && release.draft === true;
  });

  const draft = drafts[0];
  if (!skipValidation) {
    failureCount = 0;
    check(drafts.length === 1, 'one draft exists', true);
    if (versionToCheck.includes('beta')) {
      check(draft.prerelease, 'draft is a prerelease');
    }
    check(
      !!draft.body &&
        draft.body.length > 50 &&
        !draft.body.includes('(placeholder)'),
      'draft has release notes'
    );
    check(failureCount === 0, 'Draft release looks good to go.', true);
  }
  return draft;
}

type MinimalRelease = {
  id: number;
  tag_name: string;
  draft: boolean;
  prerelease: boolean;
  assets: {
    name: string;
    browser_download_url: string;
    id: number;
  }[];
};

async function validateReleaseAssets (
  release: MinimalRelease,
  validatingRelease: boolean = false
) {
  const requiredAssets = assetsForVersion(
    release.tag_name,
    validatingRelease
  ).sort();
  const extantAssets = release.assets.map((asset) => asset.name).sort();
  const downloadUrls = release.assets
    .map((asset) => ({ url: asset.browser_download_url, file: asset.name }))
    .sort((a, b) => a.file.localeCompare(b.file));

  failureCount = 0;
  for (const asset of requiredAssets) {
    check(extantAssets.includes(asset), asset);
  }
  check(
    failureCount === 0,
    'All required GitHub assets exist for release',
    true
  );

  if (!validatingRelease || !release.draft) {
    if (release.draft) {
      await verifyDraftGitHubReleaseAssets(release);
    } else {
      await verifyShasumsForRemoteFiles(downloadUrls).catch((err) => {
        console.error(`${fail} error verifyingShasums`, err);
      });
    }
    const azRemoteFiles = azRemoteFilesForVersion(release.tag_name);
    await verifyShasumsForRemoteFiles(azRemoteFiles, true);
  }
}

function check (condition: boolean, statement: string, exitIfFail = false) {
  if (condition) {
    console.log(`${pass} ${statement}`);
  } else {
    failureCount++;
    console.error(`${fail} ${statement}`);
    if (exitIfFail) process.exit(1);
  }
}

function assetsForVersion (version: string, validatingRelease: boolean) {
  const patterns = [
    `chromedriver-${version}-darwin-x64.zip`,
    `chromedriver-${version}-darwin-arm64.zip`,
    `chromedriver-${version}-linux-arm64.zip`,
    `chromedriver-${version}-linux-armv7l.zip`,
    `chromedriver-${version}-linux-x64.zip`,
    `chromedriver-${version}-mas-x64.zip`,
    `chromedriver-${version}-mas-arm64.zip`,
    `chromedriver-${version}-win32-ia32.zip`,
    `chromedriver-${version}-win32-x64.zip`,
    `chromedriver-${version}-win32-arm64.zip`,
    `electron-${version}-darwin-x64-dsym.zip`,
    `electron-${version}-darwin-x64-dsym-snapshot.zip`,
    `electron-${version}-darwin-x64-symbols.zip`,
    `electron-${version}-darwin-x64.zip`,
    `electron-${version}-darwin-arm64-dsym.zip`,
    `electron-${version}-darwin-arm64-dsym-snapshot.zip`,
    `electron-${version}-darwin-arm64-symbols.zip`,
    `electron-${version}-darwin-arm64.zip`,
    `electron-${version}-linux-arm64-symbols.zip`,
    `electron-${version}-linux-arm64.zip`,
    `electron-${version}-linux-armv7l-symbols.zip`,
    `electron-${version}-linux-armv7l.zip`,
    `electron-${version}-linux-x64-debug.zip`,
    `electron-${version}-linux-x64-symbols.zip`,
    `electron-${version}-linux-x64.zip`,
    `electron-${version}-mas-x64-dsym.zip`,
    `electron-${version}-mas-x64-dsym-snapshot.zip`,
    `electron-${version}-mas-x64-symbols.zip`,
    `electron-${version}-mas-x64.zip`,
    `electron-${version}-mas-arm64-dsym.zip`,
    `electron-${version}-mas-arm64-dsym-snapshot.zip`,
    `electron-${version}-mas-arm64-symbols.zip`,
    `electron-${version}-mas-arm64.zip`,
    `electron-${version}-win32-ia32-pdb.zip`,
    `electron-${version}-win32-ia32-symbols.zip`,
    `electron-${version}-win32-ia32.zip`,
    `electron-${version}-win32-x64-pdb.zip`,
    `electron-${version}-win32-x64-symbols.zip`,
    `electron-${version}-win32-x64.zip`,
    `electron-${version}-win32-arm64-pdb.zip`,
    `electron-${version}-win32-arm64-symbols.zip`,
    `electron-${version}-win32-arm64.zip`,
    'electron-api.json',
    'electron.d.ts',
    'hunspell_dictionaries.zip',
    'libcxx_headers.zip',
    'libcxxabi_headers.zip',
    `libcxx-objects-${version}-linux-arm64.zip`,
    `libcxx-objects-${version}-linux-armv7l.zip`,
    `libcxx-objects-${version}-linux-x64.zip`,
    `ffmpeg-${version}-darwin-x64.zip`,
    `ffmpeg-${version}-darwin-arm64.zip`,
    `ffmpeg-${version}-linux-arm64.zip`,
    `ffmpeg-${version}-linux-armv7l.zip`,
    `ffmpeg-${version}-linux-x64.zip`,
    `ffmpeg-${version}-mas-x64.zip`,
    `ffmpeg-${version}-mas-arm64.zip`,
    `ffmpeg-${version}-win32-ia32.zip`,
    `ffmpeg-${version}-win32-x64.zip`,
    `ffmpeg-${version}-win32-arm64.zip`,
    `mksnapshot-${version}-darwin-x64.zip`,
    `mksnapshot-${version}-darwin-arm64.zip`,
    `mksnapshot-${version}-linux-arm64-x64.zip`,
    `mksnapshot-${version}-linux-armv7l-x64.zip`,
    `mksnapshot-${version}-linux-x64.zip`,
    `mksnapshot-${version}-mas-x64.zip`,
    `mksnapshot-${version}-mas-arm64.zip`,
    `mksnapshot-${version}-win32-ia32.zip`,
    `mksnapshot-${version}-win32-x64.zip`,
    `mksnapshot-${version}-win32-arm64-x64.zip`,
    `electron-${version}-win32-ia32-toolchain-profile.zip`,
    `electron-${version}-win32-x64-toolchain-profile.zip`,
    `electron-${version}-win32-arm64-toolchain-profile.zip`
  ];
  if (!validatingRelease) {
    patterns.push('SHASUMS256.txt');
  }
  return patterns;
}

const cloudStoreFilePaths = (version: string) => [
  `iojs-${version}-headers.tar.gz`,
  `iojs-${version}.tar.gz`,
  `node-${version}.tar.gz`,
  'node.lib',
  'x64/node.lib',
  'win-x64/iojs.lib',
  'win-x86/iojs.lib',
  'win-arm64/iojs.lib',
  'win-x64/node.lib',
  'win-x86/node.lib',
  'win-arm64/node.lib',
  'arm64/node.lib',
  'SHASUMS.txt',
  'SHASUMS256.txt'
];

function azRemoteFilesForVersion (version: string) {
  const azCDN = 'https://artifacts.electronjs.org/headers/';
  const versionPrefix = `${azCDN}dist/${version}/`;
  return cloudStoreFilePaths(version).map((filePath) => ({
    file: filePath,
    url: `${versionPrefix}${filePath}`
  }));
}

function runScript (scriptName: string, scriptArgs: string[], cwd?: string) {
  const scriptCommand = `${scriptName} ${scriptArgs.join(' ')}`;
  const scriptOptions: ExecSyncOptions = {
    encoding: 'utf-8'
  };
  if (cwd) scriptOptions.cwd = cwd;
  try {
    return execSync(scriptCommand, scriptOptions);
  } catch (err) {
    console.error(`${fail} Error running ${scriptName}`, err);
    process.exit(1);
  }
}

function uploadNodeShasums () {
  console.log('Uploading Node SHASUMS file to artifacts.electronjs.org.');
  const scriptPath = join(
    ELECTRON_DIR,
    'script',
    'release',
    'uploaders',
    'upload-node-checksums.py'
  );
  runScript(scriptPath, ['-v', pkgVersion]);
  console.log(
    `${pass} Done uploading Node SHASUMS file to artifacts.electronjs.org.`
  );
}

function uploadIndexJson () {
  console.log('Uploading index.json to artifacts.electronjs.org.');
  const scriptPath = join(
    ELECTRON_DIR,
    'script',
    'release',
    'uploaders',
    'upload-index-json.py'
  );
  runScript(scriptPath, [pkgVersion]);
  console.log(`${pass} Done uploading index.json to artifacts.electronjs.org.`);
}

async function mergeShasums (pkgVersion: string) {
  // Download individual checksum files for Electron zip files from artifact storage,
  // concatenate them, and upload to GitHub.

  const connectionString = process.env.ELECTRON_ARTIFACTS_BLOB_STORAGE;
  if (!connectionString) {
    throw new Error(
      'Please set the $ELECTRON_ARTIFACTS_BLOB_STORAGE environment variable'
    );
  }

  const blobServiceClient =
    BlobServiceClient.fromConnectionString(connectionString);
  const containerClient = blobServiceClient.getContainerClient(
    'checksums-scratchpad'
  );
  const blobsIter = containerClient.listBlobsFlat({
    prefix: `${pkgVersion}/`
  });
  const shasums = [];
  for await (const blob of blobsIter) {
    if (blob.name.endsWith('.sha256sum')) {
      const blobClient = containerClient.getBlockBlobClient(blob.name);
      const response = await blobClient.downloadToBuffer();
      shasums.push(response.toString('ascii').trim());
    }
  }
  return shasums.join('\n');
}

async function createReleaseShasums (release: MinimalRelease) {
  const fileName = 'SHASUMS256.txt';
  const existingAssets = release.assets.filter(
    (asset) => asset.name === fileName
  );
  if (existingAssets.length > 0) {
    console.log(
      `${fileName} already exists on GitHub; deleting before creating new file.`
    );
    await octokit.repos
      .deleteReleaseAsset({
        owner: ELECTRON_ORG,
        repo: targetRepo,
        asset_id: existingAssets[0].id
      })
      .catch((err) => {
        console.error(`${fail} Error deleting ${fileName} on GitHub:`, err);
        process.exit(1);
      });
  }
  console.log(`Creating and uploading the release ${fileName}.`);
  const checksums = await mergeShasums(pkgVersion);

  console.log(`${pass} Generated release SHASUMS.`);
  const filePath = await saveShaSumFile(checksums, fileName);

  console.log(`${pass} Created ${fileName} file.`);
  await uploadShasumFile(filePath, fileName, release.id);

  console.log(`${pass} Successfully uploaded ${fileName} to GitHub.`);
}

async function uploadShasumFile (
  filePath: string,
  fileName: string,
  releaseId: number
) {
  const uploadUrl = `https://uploads.github.com/repos/electron/${targetRepo}/releases/${releaseId}/assets{?name,label}`;
  return octokit.repos
    .uploadReleaseAsset({
      url: uploadUrl,
      headers: {
        'content-type': 'text/plain',
        'content-length': statSync(filePath).size
      },
      data: createReadStream(filePath),
      name: fileName
    } as any)
    .catch((err) => {
      console.error(`${fail} Error uploading ${filePath} to GitHub:`, err);
      process.exit(1);
    });
}

function saveShaSumFile (checksums: string, fileName: string) {
  return new Promise<string>((resolve) => {
    temp.open(fileName, (err, info) => {
      if (err) {
        console.error(`${fail} Could not create ${fileName} file`);
        process.exit(1);
      } else {
        writeFileSync(info.fd, checksums);
        close(info.fd, (err) => {
          if (err) {
            console.error(`${fail} Could close ${fileName} file`);
            process.exit(1);
          }
          resolve(info.path);
        });
      }
    });
  });
}

async function publishRelease (release: MinimalRelease) {
  let makeLatest = false;
  if (!release.prerelease) {
    const currentLatest = await octokit.repos.getLatestRelease({
      owner: ELECTRON_ORG,
      repo: targetRepo
    });

    makeLatest = gte(release.tag_name, currentLatest.data.tag_name);
  }

  return octokit.repos
    .updateRelease({
      owner: ELECTRON_ORG,
      repo: targetRepo,
      release_id: release.id,
      tag_name: release.tag_name,
      draft: false,
      make_latest: makeLatest ? 'true' : 'false'
    })
    .catch((err) => {
      console.error(`${fail} Error publishing release:`, err);
      process.exit(1);
    });
}

export async function validateRelease () {
  console.log(`Validating release ${pkgVersion}`);
  const release = await getDraftRelease(pkgVersion);
  await validateReleaseAssets(release, true);
}

export async function makeRelease () {
  let draftRelease = await getDraftRelease();
  uploadNodeShasums();
  await createReleaseShasums(draftRelease);

  // Fetch latest version of release before verifying
  draftRelease = await getDraftRelease(pkgVersion, true);
  await validateReleaseAssets(draftRelease);
  // index.json goes live once uploaded so do these uploads as
  // late as possible to reduce the chances it contains a release
  // which fails to publish. It has to be done before the final
  // publish to ensure there aren't published releases not contained
  // in index.json, which causes other problems in downstream projects
  uploadIndexJson();
  await publishRelease(draftRelease);
  console.log(
    `${pass} SUCCESS!!! Release has been published. Please run ` +
      '"npm run publish-to-npm" to publish release to npm.'
  );
}

const SHASUM_256_FILENAME = 'SHASUMS256.txt';
const SHASUM_1_FILENAME = 'SHASUMS.txt';

async function verifyDraftGitHubReleaseAssets (release: MinimalRelease) {
  console.log('Fetching authenticated GitHub artifact URLs to verify shasums');

  const remoteFilesToHash = await Promise.all(
    release.assets.map(async (asset) => {
      const requestOptions = octokit.repos.getReleaseAsset.endpoint({
        owner: ELECTRON_ORG,
        repo: targetRepo,
        asset_id: asset.id,
        headers: {
          Accept: 'application/octet-stream'
        }
      });

      const { url, headers } = requestOptions;
      headers.authorization = `token ${
        ((await octokit.auth()) as { token: string }).token
      }`;

      const response = await got(url, {
        followRedirect: false,
        method: 'HEAD',
        headers: headers as any,
        throwHttpErrors: false
      });

      if (response.statusCode !== 302 && response.statusCode !== 301) {
        console.error('Failed to HEAD github asset: ' + url);
        throw new Error(
          "Unexpected status HEAD'ing github asset: " + response.statusCode
        );
      }

      return { url: response.headers.location!, file: asset.name };
    })
  ).catch((err) => {
    console.error(`${fail} Error downloading files from GitHub`, err);
    process.exit(1);
  });

  await verifyShasumsForRemoteFiles(remoteFilesToHash);
}

async function getShaSumMappingFromUrl (
  shaSumFileUrl: string,
  fileNamePrefix: string
) {
  const response = await got(shaSumFileUrl, {
    throwHttpErrors: false
  });

  if (response.statusCode !== 200) {
    console.error('Failed to fetch SHASUM mapping: ' + shaSumFileUrl);
    console.error('Bad SHASUM mapping response: ' + response.body.trim());
    throw new Error(
      'Unexpected status fetching SHASUM mapping: ' + response.statusCode
    );
  }

  const raw = response.body;
  return raw
    .split('\n')
    .map((line) => line.trim())
    .filter(Boolean)
    .reduce((map, line) => {
      const [sha, file] = line.replace('  ', ' ').split(' ');
      map[file.slice(fileNamePrefix.length)] = sha;
      return map;
    }, Object.create(null) as Record<string, string>);
}

type HashedFile = HashableFile & {
  hash: string;
};

type HashableFile = {
  file: string;
  url: string;
};

async function validateFileHashesAgainstShaSumMapping (
  remoteFilesWithHashes: HashedFile[],
  mapping: Record<string, string>
) {
  for (const remoteFileWithHash of remoteFilesWithHashes) {
    check(
      remoteFileWithHash.hash === mapping[remoteFileWithHash.file],
      `Release asset ${remoteFileWithHash.file} should have hash of ${
        mapping[remoteFileWithHash.file]
      } but found ${remoteFileWithHash.hash}`,
      true
    );
  }
}

async function verifyShasumsForRemoteFiles (
  remoteFilesToHash: HashableFile[],
  filesAreNodeJSArtifacts = false
) {
  console.log(
    `Generating SHAs for ${remoteFilesToHash.length} files to verify shasums`
  );

  // Only used for node.js artifact uploads
  const shaSum1File = remoteFilesToHash.find(
    ({ file }) => file === SHASUM_1_FILENAME
  )!;
  // Used for both node.js artifact uploads and normal electron artifacts
  const shaSum256File = remoteFilesToHash.find(
    ({ file }) => file === SHASUM_256_FILENAME
  )!;
  remoteFilesToHash = remoteFilesToHash.filter(
    ({ file }) => file !== SHASUM_1_FILENAME && file !== SHASUM_256_FILENAME
  );

  const remoteFilesWithHashes = await Promise.all(
    remoteFilesToHash.map(async (file) => {
      return {
        hash: await getUrlHash(file.url, 'sha256'),
        ...file
      };
    })
  );

  await validateFileHashesAgainstShaSumMapping(
    remoteFilesWithHashes,
    await getShaSumMappingFromUrl(
      shaSum256File.url,
      filesAreNodeJSArtifacts ? '' : '*'
    )
  );

  if (filesAreNodeJSArtifacts) {
    const remoteFilesWithSha1Hashes = await Promise.all(
      remoteFilesToHash.map(async (file) => {
        return {
          hash: await getUrlHash(file.url, 'sha1'),
          ...file
        };
      })
    );

    await validateFileHashesAgainstShaSumMapping(
      remoteFilesWithSha1Hashes,
      await getShaSumMappingFromUrl(
        shaSum1File.url,
        filesAreNodeJSArtifacts ? '' : '*'
      )
    );
  }
}