Automate signing and uploading stack bindists to Github release (#5409)

Adds to Github Actions workflow, and removes from `release.hs`.

Author: borsboom

.github/workflows/integration-tests.yml

@@ -7,6 +7,8 @@ on:
       - master
       - stable
       - rc/**
+    tags:
+      - '**'
   schedule:
   - cron: "0 0 * * *"
   workflow_dispatch:
@@ -69,7 +71,101 @@ jobs:
         name: Build bindist
         run: stack etc/scripts/release.hs build ${{ matrix.release-args }}
 
-      - uses: actions/upload-artifact@v2
+      - name: Upload bindist
+        uses: actions/upload-artifact@v2
         with:
           name: ${{ runner.os }}
           path: _release/stack-*
+
+  github-release:
+    name: Create Github release
+    needs: integration-tests
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Download Linux artifact
+        uses: actions/download-artifact@v2
+        with:
+          name: Linux
+          path: _release
+      - name: Download macOS artifact
+        uses: actions/download-artifact@v2
+        with:
+          name: macOS
+          path: _release
+      - name: Download Windows artifact
+        uses: actions/download-artifact@v2
+        with:
+          name: Windows
+          path: _release
+      - shell: bash
+        name: Hash and sign assets
+        env:
+          RELEASE_SIGNING_KEY: ${{ secrets.RELEASE_SIGNING_KEY }}
+        run: |
+          set -e
+          echo "$RELEASE_SIGNING_KEY"|gpg --import
+          cd _release
+          for asset in *; do
+            shasum -a 256 "$asset" >"$asset.sha256"
+            gpg --digest-algo=sha512 --detach-sig --armor -u 0x575159689BEFB442 "$asset"
+          done
+      - name: Set Github ref variables
+        id: github_ref_vars
+        run: |
+          echo ::set-output name=SOURCE_TAG::${GITHUB_REF#refs/tags/}
+      - name: Create Github release (final)
+        if: "!startsWith(github.ref, 'refs/tags/rc/')"
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          body: |
+            See https://haskellstack.org/ for installation and upgrade instructions.
+
+            **Changes since v[INSERT PREVIOUS VERSION]:**
+
+            [INSERT CHANGELOG]
+
+            **Thanks to all our contributors for this release:**
+
+            [INSERT CONTRIBUTORS]
+          draft: true
+          prerelease: false
+      - name: Create Github release (release candidate)
+        if: "startsWith(github.ref, 'refs/tags/rc/')"
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          body: |
+            [APPEND ` (release candidate)` TO RELEASE NAME]
+            **Changes since v[INSERT PREVIOUS VERSION]:**
+
+            [INSERT CHANGELOG]
+          draft: true
+          prerelease: true
+      - name: Upload assets to Github release (final)
+        if: "!startsWith(github.ref, 'refs/tags/rc/')"
+        uses: xresloader/upload-to-github-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          file: "_release/*"
+          tag_name: ${{ steps.github_ref_vars.outputs.SOURCE_TAG }}
+          draft: true
+          prerelease: false
+          overwrite: true
+      - name: Upload assets to Github release (release candidate)
+        if: "startsWith(github.ref, 'refs/tags/rc/')"
+        uses: xresloader/upload-to-github-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          file: "_release/*"
+          tag_name: ${{ steps.github_ref_vars.outputs.SOURCE_TAG }}
+          draft: true
+          prerelease: true
+          overwrite: true

etc/scripts/README.md

@@ -3,8 +3,7 @@ release.hs
 
 This tool automates some aspects of releasing a new version of Stack. It
 currently handles some tasks that need to be performed on each platform:
-building the release, running some pre-release checks, and uploading binaries to
-a Github release.
+building the release, running integration tests, and other pre-release checks.
 
 See [Checklist](../../doc/maintainers/releases.md) of
 additional manual release steps.
@@ -17,23 +16,6 @@ These must be installed in the PATH to use the release tool:
 - stack
 - git (for Windows, [msysgit](https://msysgit.github.io) is recommended).
 
-To create a signed binary package, you need:
-
-- GPG installed and in the PATH (included with
-  [msysgit](https://msysgit.github.io) on Windows)
-- `[email protected]` secret key in GPG keyring. You may also use the
-  environment variable `STACK_RELEASE_GPG_KEY`, which should be
-  set to the hexadecimal (0xLONG) identifier of the GPG key.
-
-To upload a binary to a Github release, you also need:
-
-- A [Github authorization token](https://github.com/settings/tokens) with
-  `public_repo` scope.
-- Set `GITHUB_AUTH_TOKEN` environment variable to the authorization token.
-- A [Github release](https://github.com/commercialhaskell/stack/releases)
-  (probably as a draft) with a tag for the stack package's version (e.g.
-  `vX.Y.Z`).
-
 Invocation
 ----------
 
@@ -46,28 +28,13 @@ The tool must be run in the root of the working tree.
 The release tool is shake-based, so all standard shake options apply. In
 addition, the following options are accepted:
 
-* `--gpg-key`: override GPG key used to sign the distribution packages. By
-  default the `[email protected]` key is used.
-* `--github-auth-token`: override the Github authorization token.
-* `--github-release-tag`: overrides the Github Release tag that binaries are
 * `--allow-dirty`: by default, the `check` rule aborts if the working tree is
   dirty, but this will allow it to continue.
   uploaded to.
 
-You may also use the following environment variables in order to use a custom
-GPG key:
-* `STACK_RELEASE_GPG_KEY` should be set to the hexadecimal identifier (0xLONG) of the
-  GPG key
-
 ### Targets
 
-* `release`: check, build, and upload.
+* `release`: check and build.
 * `check`: run pre-release checks.
 * `build`: build and sign the binary distribution.
-* `upload`: upload the binary distribution to the Github release.
-* `build-<distro>-<ver>`: build package for Linux distribution.
-* `upload-<distro>-<ver>`: upload package for Linux distribution to private package repository.
 * `clean`: delete the build artifacts.
-
-`<distro>` can have one of these values: `ubuntu`, `debian`, `centos`, `fedora`.  
-`<ver>` is the version of the distribution (e.g., `14.04` for Ubuntu).