Add build/release/ci scripts

Author: shesek

.travis.yml

@@ -0,0 +1,40 @@
+env: [ CARGO_TERM_COLOR=always ]
+cache:
+  directories: [ $HOME/docker-cache ]
+jobs:
+  include:
+    # Prepare docker images as a separate step to avoid hitting Travis's time limit
+    - stage: Prepare
+      name: Prepare build env
+      script: >
+        git submodule update --init --recursive &&
+        docker build -t bwt-builder - < libbwt/bwt/scripts/builder.Dockerfile &&
+        docker build -t bwt-builder-osx - < libbwt/bwt/scripts/builder-osx.Dockerfile &&
+
+        rm -rf ~/docker-cache && mkdir ~/docker-cache &&
+        docker save bwt-builder bwt-builder-osx | gzip -2 > ~/docker-cache/images.tar.gz
+
+
+    - stage: Reproducible builds
+      name: Reproducible builds
+      script:
+      - >
+        git submodule update --init --recursive &&
+        gzip -d < ~/docker-cache/images.tar.gz | docker load &&
+        echo -e tr''avis_fo''ld:start:build\\nBuilding... &&
+
+        echo Building libbwt... &&
+        docker run -u `id -u` -v `pwd`/libbwt:/usr/src/libbwt -w /usr/src/libbwt \
+                   --entrypoint scripts/build.sh bwt-builder &&
+        docker run -u `id -u` -v `pwd`/libbwt:/usr/src/libbwt -w /usr/src/libbwt \
+                   --entrypoint scripts/build.sh bwt-builder-osx &&
+
+        echo Packaging libbwt-nodejs... &&
+        docker run -u `id -u` -v `pwd`:/usr/src/libbwt-nodejs -w /usr/src/libbwt-nodejs \
+                   -e LIBBWT_DIST=/usr/src/libbwt-nodejs/libbwt/dist \
+                   --entrypoint scripts/build.sh node:14 &&
+        echo tr''avis_fol''d:end:build
+      - >
+        echo '-----BEGIN SHA256SUM-----' &&
+        (cd dist && sha256sum *.tgz | sort) &&
+        echo

scripts/build.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+set -xeo pipefail
+
+[ -f libbwt/Cargo.toml ] || (echo >&2 "Missing libbwt submodule, run 'git submodule update --init --recursive'" && exit 1)
+
+version=$(grep -E '^version =' libbwt/Cargo.toml | cut -d'"' -f2)
+
+echo Building libbwt-nodejs v$version
+
+if [ -z "$LIBBWT_DIST" ] || [ ! -d "$LIBBWT_DIST" ]; then
+  echo >&2 LIBBWT_DIST is missing
+  exit 1
+fi
+
+mkdir -p dist && rm -rf dist/*
+
+# Update SHA256SUMS
+(cd $LIBBWT_DIST && sha256sum *.tar.gz) | sort > SHA256SUMS
+
+# Update version
+npm version --allow-same-version --no-git-tag-version $version
+
+# Prepare package
+npm pack
+mv libbwt-$version.tgz dist/libbwt-nodejs-$version.tgz

scripts/release-footer.md

@@ -0,0 +1,28 @@
+
+------------
+
+### Verifying signatures
+
+The releases are signed by Nadav Ivgi (@shesek). The public key can be verified on the [PGP WoT](http://keys.gnupg.net/pks/lookup?op=vindex&fingerprint=on&search=0x81F6104CD0F150FC), [github](https://api.github.com/users/shesek/gpg_keys), [twitter](https://twitter.com/shesek), [keybase](https://keybase.io/nadav), [hacker news](https://news.ycombinator.com/user?id=nadaviv) and [this video presentation](https://youtu.be/SXJaN2T3M10?t=4) (bottom of slide).
+
+```bash
+# Download
+$ wget https://github.com/bwt-dev/libbwt-nodejs/releases/download/vVERSION/libbwt-nodejs-VERSION.tgz
+
+# Fetch public key
+$ gpg --keyserver keyserver.ubuntu.com --recv-keys FCF19B67866562F08A43AAD681F6104CD0F150FC
+
+# Verify signature
+$ wget -qO - https://github.com/bwt-dev/libbwt-nodejs/releases/download/vVERSION/SHA256SUMS.asc \
+  | gpg --decrypt - | sha256sum -c -
+```
+
+The signature verification should show `Good signature from "Nadav Ivgi <[email protected]>" ... Primary key fingerprint: FCF1 9B67 ...` and `libbwt-nodejs-VERSION.tgz: OK`.
+
+### Reproducible builds
+
+The builds are fully reproducible.
+
+You can verify the checksums against the vVERSION builds on Travis CI: https://travis-ci.org/github/bwt-dev/libbwt-nodejs/builds/TRAVIS_JOB
+
+See [more details here](https://github.com/bwt-dev/libbwt-nodejs#reproducible-builds).

scripts/release.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+set -xeo pipefail
+shopt -s expand_aliases
+
+gh_repo=bwt-dev/libbwt-nodejs
+node_image=node:14
+
+git diff-index --quiet HEAD || (echo >&2 git working directory is dirty && exit 1)
+
+[ -n "$BWT_BASE" ] || (echo >&2 BWT_BASE is required && exit 1)
+[ -n "$LIBBWT_COMMIT" ] || (echo >&2 LIBBWT_COMMIT is required && exit 1)
+
+(cd libbwt && git fetch local && git reset --hard $LIBBWT_COMMIT)
+
+version=$(grep -E '^version =' libbwt/Cargo.toml | cut -d'"' -f2)
+
+echo -e "Releasing libbwt-nodejs v$version\n"
+
+# Prepare unreleased changelog
+changelog=$(sed -nr '/^## (Unreleased|'$version' )/{n;:a;n;/^## /q;p;ba}' CHANGELOG.md)
+changelog="- Update to [bwt v$version](https://github.com/bwt-dev/bwt/releases/tag/v$version)"$'\n'$changelog
+grep '## Unreleased' CHANGELOG.md > /dev/null \
+  && sed -i "s/^## Unreleased/## $version - $(date +%Y-%m-%d)/" CHANGELOG.md
+
+# Update version number in README
+sed -i -r "s~libbwt-nodejs-[0-9a-z.-]+\.~libbwt-nodejs-$version.~g; s~/(download|tag)/v[0-9a-z.-]+~/\1/v$version~;" README.md
+
+# Build
+if [ -z "$SKIP_BUILD" ]; then
+  echo Building...
+  rm -rf dist/*
+
+  docker run -it --rm -u `id -u` -v $(pwd):/usr/src/libbwt-nodejs -w /usr/src/libbwt-nodejs \
+    -v $BWT_BASE/libbwt/dist:/usr/src/libbwt-dist -e LIBBWT_DIST=/usr/src/libbwt-dist \
+    $node_image ./scripts/build.sh
+
+  rm -rf dist/*/ # remove subdirectories, keep files only
+fi
+
+# Sign
+gpg --clearsign --digest-algo sha256 SHA256SUMS > SHA256SUMS.asc
+
+# Git tag and push
+if [ -z "$SKIP_GIT" ]; then
+  git add {package,npm-shrinkwrap}.json {CHANGELOG,README}.md SHA256SUMS SHA256SUMS.asc libbwt
+  git commit -S -m v$version
+  git tag --sign -m "$changelog" v$version
+  git branch -f latest HEAD
+  git push gh master latest
+  git push gh --tags
+fi
+
+if [ -z "$SKIP_NPM" ]; then
+  echo Publishing to npm...
+  npm publish file:dist/libbwt-nodejs-$version.tgz
+fi
+
+# Upload distribution files to GitHub releases
+if [[ -z "$SKIP_UPLOAD" && -n "$GH_TOKEN" ]]; then
+  echo Uploading to github...
+  gh_auth="Authorization: token $GH_TOKEN"
+  gh_base=https://api.github.com/repos/$gh_repo
+
+  sleep 3 # allow some time for the job to show up on travis
+  travis_job=$(curl -s "https://api.travis-ci.org/v3/repo/${gh_repo/\//%2F}/branch/v$version" | jq -r '.last_build.id // ""')
+
+  release_text="### Changelog"$'\n'$'\n'$changelog$'\n'$'\n'$(sed "s/VERSION/$version/g; s/TRAVIS_JOB/$travis_job/g;" scripts/release-footer.md)
+  release_opt=$(jq -n --arg version v$version --arg text "$release_text" \
+    '{ tag_name: $version, name: $version, body: $text, draft:true }')
+  gh_release=$(curl -sf -H "$gh_auth" $gh_base/releases/tags/v$version \
+           || curl -sf -H "$gh_auth" -d "$release_opt" $gh_base/releases)
+  gh_upload=$(echo "$gh_release" | jq -r .upload_url | sed -e 's/{?name,label}//')
+
+  for file in SHA256SUMS.asc dist/*; do
+    echo ">> Uploading $file"
+
+    curl -f --progress-bar -H "$gh_auth" -H "Content-Type: application/octet-stream" \
+         --data-binary @"$file" "$gh_upload?name=$(basename "$file")" | (grep -v browser_download_url || true)
+  done
+
+  # mark release as public once everything is ready
+  curl -sf -H "$gh_auth" -X PATCH "$gh_base/releases/$(echo "$gh_release" | jq -r .id)" \
+    -d '{"draft":false}' > /dev/null
+fi