From fbd30d94fa1a77ca2049edad41fffa446e5c6f1b Mon Sep 17 00:00:00 2001
From: Baptiste Mispelon
Date: Wed, 11 Jun 2025 22:38:58 +0200
Subject: [PATCH] WIP: Add confirm-release workflow
---
.github/scripts/confirm-release.sh | 57 +++++++++++++++++++++++++++
.github/workflows/confirm-release.yml | 24 +++++++++++
2 files changed, 81 insertions(+)
create mode 100755 .github/scripts/confirm-release.sh
create mode 100644 .github/workflows/confirm-release.yml
diff --git a/.github/scripts/confirm-release.sh b/.github/scripts/confirm-release.sh
new file mode 100755
index 0000000000..d214953931
--- /dev/null
+++ b/.github/scripts/confirm-release.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+set -e
+
+CHECKSUM_FILE="Django-${VERSION}.checksum.txt"
+MEDIA_URL_PREFIX="https://media.djangoproject.com"
+RELEASE_URL_PREFIX="https://www.djangoproject.com/m/releases/"
+DOWNLOAD_PREFIX="https://www.djangoproject.com/download"
+
+if [[ ! "${VERSION}" =~ ^[0-9]+\.[0-9]+(\.[0-9]+|a[0-9]+|b[0-9]+|rc[0-9]+)?$ ]] ; then
+ echo "Not a valid version"
+fi
+
+rm -rf "${VERSION}"
+mkdir "${VERSION}"
+cd "${VERSION}"
+
+function cleanup {
+ cd ..
+ rm -rf "${VERSION}"
+}
+trap cleanup EXIT
+
+echo "Download checksum file ..."
+curl --fail --output "$CHECKSUM_FILE" "${MEDIA_URL_PREFIX}/pgp/${CHECKSUM_FILE}"
+
+echo "Verify checksum file ..."
+if [ -n "${GPG_KEY}" ] ; then
+ gpg --recv-keys "${GPG_KEY}"
+fi
+gpg --verify "${CHECKSUM_FILE}"
+
+echo "Finding release artifacts ..."
+mapfile -t RELEASE_ARTIFACTS < <(grep "${DOWNLOAD_PREFIX}" "${CHECKSUM_FILE}")
+
+echo "Found these release artifacts: "
+for ARTIFACT_URL in "${RELEASE_ARTIFACTS[@]}" ; do
+ echo "- $ARTIFACT_URL"
+done
+
+echo "Downloading artifacts ..."
+for ARTIFACT_URL in "${RELEASE_ARTIFACTS[@]}" ; do
+ ARTIFACT_ACTUAL_URL=$(curl --head --write-out '%{redirect_url}' --output /dev/null --silent "${ARTIFACT_URL}")
+ curl --location --fail --output "$(basename "${ARTIFACT_ACTUAL_URL}")" "${ARTIFACT_ACTUAL_URL}"
+
+done
+
+echo "Verifying artifact hashes ..."
+# The `2> /dev/null` moves notes like "sha256sum: WARNING: 60 lines are improperly formatted"
+# to /dev/null. That's fine because the return code of the script is still set on error and a
+# wrong checksum will still show up as `FAILED`
+echo "- MD5 checksums"
+md5sum --check "${CHECKSUM_FILE}" 2> /dev/null
+echo "- SHA1 checksums"
+sha1sum --check "${CHECKSUM_FILE}" 2> /dev/null
+echo "- SHA256 checksums"
+sha256sum --check "${CHECKSUM_FILE}" 2> /dev/null
diff --git a/.github/workflows/confirm-release.yml b/.github/workflows/confirm-release.yml
new file mode 100644
index 0000000000..d9ed4f8cd2
--- /dev/null
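Review bot: The version check near the top of the script prints "Not a valid version" but never exits, so an invalid or path-like `VERSION` still reaches `rm -rf "${VERSION}"`, `mkdir` and `cd`; the branch should end with `echo "Not a valid version" >&2; exit 1`. Separately, `gpg --verify "${CHECKSUM_FILE}"` is given a single file, which suggests a clearsigned document, yet the later `grep` and `*sum --check` steps read the raw file and would also honour lines sitting outside the signed region. Extracting the verified text first, e.g. `gpg --output verified.txt --decrypt "${CHECKSUM_FILE}"`, and pointing `grep` and the checksum commands at that output would close the gap. It is also worth checking that the signature was made by `GPG_KEY` specifically rather than by any key that happens to be in the keyring.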
+++ b/.github/workflows/confirm-release.yml
@@ -0,0 +1,24 @@
+name: Confirm Release
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ required: true
+ description: The Django version to verify. Should be in the format `major.minor`, `major.minor.patch`, `major.minor((a|b|rc)prerelease)` e.g. 4.2, 4.2.3, 4.2a1
+ environment:
+ type: environment
+
+jobs:
+ confirm-release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the repository
+ uses: actions/checkout@v4
+
+ - name: Run confirm-release script
+ run: ./confirm-release.sh
+ working-directory: ./.github/scripts
+ env:
+ VERSION: ${{ inputs.version }}
+ GPG_KEY: ${{ vars.GPG_FINGERPRINT }}
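Review bot: The `environment` input is declared under `workflow_dispatch`, but the `confirm-release` job never sets `environment: ${{ inputs.environment }}`, so an environment-scoped `GPG_FINGERPRINT` would presumably resolve to an empty string and the script would then skip `gpg --recv-keys`. The workflow also has no `permissions:` block; the job only checks out the repository and fetches public files, so a top-level `permissions:` with `contents: read` keeps the token to the minimum. Adding `persist-credentials: false` to the checkout step would avoid leaving the token in the working tree's git config while the script runs. Passing `inputs.version` through `env` instead of interpolating it into `run` is the safe pattern and should stay as it is.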