Error releasing v1.22.18 #8801

Closed
DanBuild opened this issue Mar 15, 2022 · 16 comments

@DanBuild

An error was encountered while processing the CircleCI release build of v1.22.18:

Build #42523 in wrong status (failed), expected "success". Not releasing it.

Re-running the build on CircleCI might fix it. Click "Rebuild" on this page to trigger a rebuild

Full logs: https://release.yarnpkg.com/log/release_circleci

cc @Daniel15 @arcanis

@Daniel15
Member

@arcanis This is a weird build issue 🤔

Permission denied (publickey).

@arcanis
Member

arcanis commented Mar 15, 2022

I don't see the publickey log, but perhaps @DanBuild's SSH key changed somehow?

@Daniel15
Member

Daniel15 commented Mar 15, 2022

It's in the CircleCI output: https://circleci.com/gh/yarnpkg/yarn/42523
This is when cloning the repo so I'm not even sure which key it's using or why it even needs a key? Hmm

@arcanis
Member

arcanis commented Mar 15, 2022

I think it's the key listed here:
image

However, I don't find this key in the repo configuration:
image

@johnAirRobe

I'm using CircleCI and I'm getting a similar issue. This is my error:

Latest version of Yarn is 1.22.18
Checking if YARN is already installed...
A different version of Yarn is installed (1.22.5); removing it
Installing YARN v1.22.18

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
mv: cannot stat 'yarn-v1.22.18/*': No such file or directory

Exited with code exit status 1

I ran the command we use to download yarn in my console (I'm running an M1 Mac with Monterey 12.3) and then I checked the file type and it didn't return the correct file type. When I cat'd the file I got Not Found%.

These are the commands I ran locally and the results:

❯ curl -L -o yarn.tar.gz --silent "https://yarnpkg.com/downloads/1.22.18/yarn-v1.22.18.tar.gz"
❯ gzip -v -t yarn.tar.gz
gzip: yarn.tar.gz: not in gzip format
yarn.tar.gz:	  NOT OK
❯ mv yarn.tar.gz yarn.txt
❯ cat yarn.txt
Not Found%

I downloaded v1.22.16 and this is the result I get when checking the file type:

❯ file yarn-new.tar.gz
yarn-new.tar.gz: gzip compressed data, last modified: Sat Oct 16 11:08:30 2021, from Unix, original size modulo 2^32 5345280

@tetienne

The number of assets built for v1.22.18 is incorrect: https://github.com/yarnpkg/yarn/releases. There are only 3 assets vs 10 usually.

@Daniel15
Member

Daniel15 commented Mar 16, 2022

@arcanis I can manually build and publish this version in the morning if there's issues with the build process.

@arcanis
Member

arcanis commented Mar 16, 2022

Yep if possible it'd be great - I manually added the .js / .deb / .rpm files to avoid further issues in CIs like the one above, but the others (rpm, deb, asc) are missing.

@Daniel15
Member

Working on this now

@Daniel15
Member

Daniel15 commented Mar 16, 2022

For reference, this is what I ran on Linux:

git pull
git checkout v1.22.18
yarn install
yarn build
yarn build-dist
./scripts/build-deb.sh

cd artifacts
gpg -u 23E7166788B63E1E --armor --output - --detach-sign yarn-1.22.18.js > yarn-1.22.18.js.asc
gpg -u 23E7166788B63E1E --armor --output - --detach-sign yarn-legacy-1.22.18.js > yarn-legacy-1.22.18.js.asc
gpg -u 23E7166788B63E1E --armor --output - --detach-sign yarn-v1.22.18.tar.gz > yarn-v1.22.18.tar.gz.asc

which generates all the files except the .msi, which needs to be done on Windows. Looks like the AppVeyor build for the .msi succeeded though, so I didn't have to manually build it.

@Daniel15
Member

Daniel15 commented Mar 16, 2022

This should be resolved now. @arcanis Feel free to ping me for future releases and I can just manually build everything, if you'd like 😄

@arcanis
Member

arcanis commented Mar 16, 2022

Thanks Daniel!

@chenrui333

I guess this happened again for 1.22.20 and 1.22.21, creating a new release for tracking the asc file missing issue, #9020

@canterberry

canterberry commented Mar 14, 2024

@Daniel15 Per @chenrui333's note above, and continuing through to the latest few releases, the GPG signatures are missing.

Downstream tools like twuni/asdf-yarn#33 are breaking (on purpose) due to the missing signatures. If these signatures are missing due to an error (vs an intentional decision to stop signing releases), then it would be nice to see it fixed.

@arcanis Is anyone actively working on fixing this? If not, I'm happy to do what I can to assist.

Daniel's comment above should work for anyone holding that (private) GPG signing key, whether that's CI or a human.

Given the cadence of Yarn releases, if CI is too much of a burden to integrate, then a simple manual process to have a human sign the release artifacts seems reasonable. It's just something that would need to be remembered (and documented).
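
The two failure modes reported in this thread (a "Not Found" body saved as yarn.tar.gz, and releases published without their .asc files), as an added example that is not part of the thread or the Yarn project's code: a POSIX shell check that fails closed on both. The function names, exit codes and the dedicated keyring path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the Yarn project: fail-closed checks for a
# downloaded release tarball and its detached signature.

# fetch URL DEST: --fail turns an HTTP 404 into a non-zero exit instead of
# saving the "Not Found" body as the tarball.
fetch() {
  curl --fail --silent --show-error --location --output "$2" "$1"
}

# check_artifact TARBALL KEYRING [SIGNATURE]
# KEYRING (assumption): a binary keyring holding only the release signing
# key, obtained out of band. Returns 0 = verified, 2 = not gzip data,
# 3 = signature file missing or empty, 4 = signature did not verify.
check_artifact() {
  ca_tarball=$1
  ca_keyring=$2
  ca_sig=${3:-$1.asc}
  gzip -t "$ca_tarball" 2>/dev/null || return 2
  [ -s "$ca_sig" ] || return 3
  gpgv --keyring "$ca_keyring" "$ca_sig" "$ca_tarball" >/dev/null 2>&1 || return 4
  return 0
}

# Constructed samples: an error page saved under a .tar.gz name, and a real
# gzip file published without its .asc.
make_samples() {
  ms_dir=$(mktemp -d) || return 1
  printf 'Not Found' > "$ms_dir/error-page.tar.gz"
  printf 'constructed payload' | gzip > "$ms_dir/unsigned.tar.gz"
  printf '%s\n' "$ms_dir"
}

# result_code ARGS...: run check_artifact and print its exit status.
result_code() {
  rc=0
  check_artifact "$@" || rc=$?
  printf '%s\n' "$rc"
}

samples=$(make_samples)
echo "error page saved as tarball: $(result_code "$samples/error-page.tar.gz" /nonexistent/keyring.gpg)"
echo "tarball without .asc:        $(result_code "$samples/unsigned.tar.gz" /nonexistent/keyring.gpg)"
rm -rf "$samples"
```

An installer would call `fetch` for the tarball and its `.asc`, then extract only when `check_artifact` returns 0.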

@Daniel15
Member

Daniel15 commented Mar 14, 2024 via email

@canterberry

Thanks, @Daniel15 for chiming in. That's helpful, and should be plenty to work with to get this resolved!
