From 7bb7fd359aaf694e991e044632c1593b4eb4f8fc Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Wed, 4 Oct 2023 14:26:20 -0500 Subject: [PATCH 1/4] Check commit SHA after checking out repository --- windows-release/azure-pipelines.yml | 5 +++++ windows-release/checkout.yml | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/windows-release/azure-pipelines.yml b/windows-release/azure-pipelines.yml index 94e89b0f..78828fed 100644 --- a/windows-release/azure-pipelines.yml +++ b/windows-release/azure-pipelines.yml @@ -19,6 +19,10 @@ parameters: displayName: "Git tag" type: string default: main +- name: SourceCommit + displayName: "Git commit (empty to disable commit SHA check)" + type: string + default: '' - name: DoPublish displayName: "Publish release" type: boolean @@ -90,6 +94,7 @@ variables: ${{ else }}: GitRemote: ${{ parameters.GitRemote_Other }} SourceTag: ${{ parameters.SourceTag }} + SourceCommit: ${{ parameters.SourceCommit }} ${{ if ne(parameters.SigningCertificate, 'Unsigned') }}: SigningCertificate: ${{ parameters.SigningCertificate }} SigningDescription: ${{ parameters.SigningDescription }} diff --git a/windows-release/checkout.yml b/windows-release/checkout.yml index d42d55ff..e552e9b6 100644 --- a/windows-release/checkout.yml +++ b/windows-release/checkout.yml @@ -19,3 +19,11 @@ steps: - script: git clone --progress -v --depth ${{ parameters.depth }} --branch $(Build.SourceBranchName) --single-branch $(Build.Repository.Uri) . displayName: 'git clone' condition: and(succeeded(), and(not(variables['GitRemote']), not(variables['SourceTag']))) + +- powershell: | + $checkout_commit = (git rev-parse HEAD) + if ($checkout_commit -ne $GitCommit) { + throw "Expected git commit '$(GitCommit)' didn't match tagged commit '$(checkout_commit)'" + } + displayName: "Verify CPython commit matches tag" + condition: and(succeeded(), and(variables['GitCommit'])) From 3ce0ff9c804057a1754711ab7b7924defe73e3a2 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Wed, 4 Oct 2023 16:05:52 -0500 Subject: [PATCH 2/4] Address review comments --- windows-release/azure-pipelines.yml | 9 ++++++--- windows-release/checkout.yml | 6 +++--- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/windows-release/azure-pipelines.yml b/windows-release/azure-pipelines.yml index 78828fed..f06dbc01 100644 --- a/windows-release/azure-pipelines.yml +++ b/windows-release/azure-pipelines.yml @@ -20,9 +20,9 @@ parameters: type: string default: main - name: SourceCommit - displayName: "Git commit (empty to disable commit SHA check)" + displayName: "Git commit ('empty' to disable commit SHA check)" type: string - default: '' + default: 'empty' - name: DoPublish displayName: "Publish release" type: boolean @@ -94,7 +94,10 @@ variables: ${{ else }}: GitRemote: ${{ parameters.GitRemote_Other }} SourceTag: ${{ parameters.SourceTag }} - SourceCommit: ${{ parameters.SourceCommit }} + ${{ if ne(parameters.SourceCommit, 'empty') }}: + SourceCommit: ${{ parameters.SourceCommit }} + ${{ else }}: + SourceCommit: '' ${{ if ne(parameters.SigningCertificate, 'Unsigned') }}: SigningCertificate: ${{ parameters.SigningCertificate }} SigningDescription: ${{ parameters.SigningDescription }} diff --git a/windows-release/checkout.yml b/windows-release/checkout.yml index e552e9b6..9e7d3359 100644 --- a/windows-release/checkout.yml +++ b/windows-release/checkout.yml @@ -22,8 +22,8 @@ steps: - powershell: | $checkout_commit = (git rev-parse HEAD) - if ($checkout_commit -ne $GitCommit) { - throw "Expected git commit '$(GitCommit)' didn't match tagged commit '$(checkout_commit)'" + if ($checkout_commit -ne SourceCommit) { + throw "Expected git commit '$(SourceCommit)' didn't match tagged commit '$(checkout_commit)'" } displayName: "Verify CPython commit matches tag" - condition: and(succeeded(), and(variables['GitCommit'])) + condition: and(succeeded(), variables['SourceCommit']) From 1f7c142465829467a8d2aa67d492298bd555a0e3 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Wed, 4 Oct 2023 16:20:17 -0500 Subject: [PATCH 3/4] Properly escape the SourceCommit value Co-authored-by: Steve Dower --- windows-release/checkout.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows-release/checkout.yml b/windows-release/checkout.yml index 9e7d3359..ae9e9f73 100644 --- a/windows-release/checkout.yml +++ b/windows-release/checkout.yml @@ -22,7 +22,7 @@ steps: - powershell: | $checkout_commit = (git rev-parse HEAD) - if ($checkout_commit -ne SourceCommit) { + if ($checkout_commit -ne '$(SourceCommit)') { throw "Expected git commit '$(SourceCommit)' didn't match tagged commit '$(checkout_commit)'" } displayName: "Verify CPython commit matches tag" From d7cafa0fb555700dfead9df58a5ffbd87302ba0f Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Wed, 4 Oct 2023 16:37:34 -0500 Subject: [PATCH 4/4] Last fix (tm) --- windows-release/checkout.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows-release/checkout.yml b/windows-release/checkout.yml index ae9e9f73..897d1af8 100644 --- a/windows-release/checkout.yml +++ b/windows-release/checkout.yml @@ -23,7 +23,7 @@ steps: - powershell: | $checkout_commit = (git rev-parse HEAD) if ($checkout_commit -ne '$(SourceCommit)') { - throw "Expected git commit '$(SourceCommit)' didn't match tagged commit '$(checkout_commit)'" + throw "Expected git commit '$(SourceCommit)' didn't match tagged commit '$checkout_commit'" } displayName: "Verify CPython commit matches tag" condition: and(succeeded(), variables['SourceCommit']) pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy