From 30f07e741a220eebc244175ab0d8b7aa7bd7b57a Mon Sep 17 00:00:00 2001
From: Jessica Wagantall <jwagantall@linuxfoundation.org>
Date: Tue, 15 Oct 2019 16:31:04 -0700
Subject: [PATCH] Verify maven release versions

Add a verification step to maven self releases
to make sure the version being defined in the
releases file matches the actual version produced
by the maven-stage job that created the release
candidate.

This is to prevent releases being pushed in Nexus
with a version different from what the developer
intended in the releases file.

Issue: RELENG-2356
Change-Id: I0555ee782f608e04d10dda5112c283783bfc2a91
Signed-off-by: Jessica Wagantall <jwagantall@linuxfoundation.org>
---
 .../releases-verify-version-match-b36e6c7d6fb7333e.yaml     |  8 ++++++++
 shell/release-job.sh                                        | 13 +++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 releasenotes/notes/releases-verify-version-match-b36e6c7d6fb7333e.yaml

diff --git a/releasenotes/notes/releases-verify-version-match-b36e6c7d6fb7333e.yaml b/releasenotes/notes/releases-verify-version-match-b36e6c7d6fb7333e.yaml
new file mode 100644
index 00000000..63015a92
--- /dev/null
+++ b/releasenotes/notes/releases-verify-version-match-b36e6c7d6fb7333e.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Add a verification step to maven releases to make sure the version being
+    defined in the releases file matches the actual version produced by the
+    maven-stage job that created the release candidate. This is to prevent
+    releases being pushed in Nexus with a version different from what the
+    developer intended in the releases file.
diff --git a/shell/release-job.sh b/shell/release-job.sh
index b764ac19..7080a4e6 100644
--- a/shell/release-job.sh
+++ b/shell/release-job.sh
@@ -125,6 +125,18 @@ verify_version(){
     fi
 }
 
+verify_version_match_release(){
+    wget -P /tmp "${LOGS_URL}/"console.log.gz
+    echo "INFO: Comparing version $VERSION with log snippet from maven-stage:"
+    if zgrep "Successfully uploaded" /tmp/console.log.gz | grep "$VERSION"; then
+        echo "INFO: version $VERSION matches maven-stage artifacts"
+    else
+        echo "ERROR: Defined version in release file does not match staging repo artifacts version to be released"
+        echo "       Please make sure maven-stage job selected as candidate and release version are correct"
+        exit 1
+    fi
+}
+
 tag(){
     # Import public signing key
     gpg --import "$SIGNING_PUBKEY"
@@ -249,6 +261,7 @@ if [[ "$DISTRIBUTION_TYPE" == "maven" ]]; then
     fi
     set_variables_maven
     verify_version
+    verify_version_match_release
     maven_release_file
 elif [[ "$DISTRIBUTION_TYPE" == "container" ]]; then
     wget -q https://raw.githubusercontent.com/lfit/releng-global-jjb/master/schema/release-container-schema.yaml
-- 
2.16.6