From 13ddb50170ed55f63ec3bee618d9c2475252791a Mon Sep 17 00:00:00 2001
From: Florian Bruhin <me@the-compiler.org>
Date: Wed, 16 Aug 2023 16:34:03 +0200
Subject: ci: More automatic release improvements/fixes

---
 .github/workflows/release.yml | 35 ++++++++++++++++++++++++++++++-----
 scripts/dev/update_version.py | 14 +++++++++-----
 2 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9b963bc9e..309b59392 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -29,6 +29,8 @@ jobs:
     timeout-minutes: 5
     outputs:
       version: ${{ steps.bump.outputs.version }}
+    permissions:
+      contents: write  # To push release commit/tag
     steps:
       - name: Find release branch
         uses: actions/github-script@v6
@@ -78,23 +80,25 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ steps.find-branch.outputs.result }}
-      # FIXME set up GPG for signed tag
+      - name: Import GPG Key
+        run: |
+          gpg --import <<< "${{ secrets.QUTEBROWSER_BOT_GPGKEY }}"
       - name: Bump version
         id: bump
         run: "tox -e update-version -- ${{ github.event.inputs.release_type }}"
       - name: Push release commit/tag
         run: |
-            git push origin main
+            git push origin ${{ steps.find-branch.outputs.result }}
             git push origin v${{ steps.bump.outputs.version }}
       - name: Cherry-pick release commit
-        if: "${{ github.event.inputs.release_type }} == 'patch'"
+        if: ${{ github.event.inputs.release_type == 'patch' }}
         run: |
             git checkout main
             git cherry-pick v${{ steps.bump.outputs.version }}
             git push origin main
             git checkout v${{ steps.bump.outputs.version_x }}
       - name: Create release branch
-        if: "${{ github.event.inputs.release_type }} != 'patch'"
+        if: ${{ github.event.inputs.release_type != 'patch' }}
         run: |
             git checkout -b v${{ steps.bump.outputs.version_x }}
             git push --set-upstream origin v${{ steps.bump.outputs.version_x }}
@@ -114,13 +118,32 @@ jobs:
     runs-on: "${{ matrix.os }}"
     timeout-minutes: 45
     needs: [prepare]
+    permissions:
+      contents: write  # To upload release artifacts
     steps:
       - uses: actions/checkout@v3
+        with:
+          ref: v${{ needs.prepare.outputs.version }}
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
           python-version: ${{ github.event.inputs.python_version }}
-      # FIXME set up GPG for signed releases (at least on Ubuntu)
+      - name: Import GPG Key
+        if: ${{ startsWith(matrix.os, 'ubuntu-') }}
+        run: |
+          gpg --import <<< "${{ secrets.QUTEBROWSER_BOT_GPGKEY }}"
+      # Needed because of the following import chain:
+      # - scripts/dev/build_release.py
+      # - scripts/dev/update_3rdparty.py
+      # - scripts/dictcli.py
+      # - qutebrowser/browser/webengine/spell.py
+      # - utils.message -> utils.usertypes -> utils.qtutils -> qt.gui
+      # - PyQt6.QtGui
+      - name: Install apt dependencies
+        if: ${{ startsWith(matrix.os, 'ubuntu-') }}
+        run: |
+            sudo apt-get update
+            sudo apt-get install --no-install-recommends libegl1-mesa
       - name: Install dependencies
         run: |
             python -m pip install -U pip
@@ -131,6 +154,8 @@ jobs:
     runs-on: ubuntu-20.04
     timeout-minutes: 5
     needs: [prepare, release]
+    permissions:
+      contents: write  # To change release
     steps:
       - name: Publish final release
         uses: softprops/action-gh-release@v1
diff --git a/scripts/dev/update_version.py b/scripts/dev/update_version.py
index c67873496..1029fb29d 100644
--- a/scripts/dev/update_version.py
+++ b/scripts/dev/update_version.py
@@ -32,7 +32,7 @@ def verify_branch(version_leap):
     branch = proc.stdout.strip()
 
     if (
-        version_leap == 'patch' and not re.fullmatch(r'v\d+\.\d+\.\*', branch) or
+        version_leap == 'patch' and not re.fullmatch(r'v\d+\.\d+\.x', branch) or
         version_leap != 'patch' and branch != 'main'
     ):
         raise Error(f"Invalid branch for {version_leap} release: {branch}")
@@ -50,7 +50,11 @@ def bump_version(version_leap="patch"):
 
 
 def show_commit():
-    subprocess.run(['git', 'show'], check=True)
+    """Show the latest git commit."""
+    git_args = ['git', 'show']
+    if utils.ON_CI:
+        git_args.append("--color")
+    subprocess.run(git_args, check=True)
 
 
 if __name__ == "__main__":
@@ -71,14 +75,14 @@ if __name__ == "__main__":
 
     import qutebrowser
     version = qutebrowser.__version__
-    x_version = '.'.join([str(p) for p in qutebrowser.__version_info__[:-1]] +
+    version_x = '.'.join([str(p) for p in qutebrowser.__version_info__[:-1]] +
                          ['x'])
 
     if utils.ON_CI:
         output_file = os.environ["GITHUB_OUTPUT"]
         with open(output_file, "w", encoding="ascii") as f:
             f.write(f"version={version}\n")
-            f.write(f"x_version={x_version}\n")
+            f.write(f"version_x={version_x}\n")
 
         print(f"Outputs for {version} written to GitHub Actions output file")
     else:
@@ -89,7 +93,7 @@ if __name__ == "__main__":
                 "git push origin".format(v=version))
         else:
             print("* git branch v{x} v{v} && git push --set-upstream origin v{x}"
-                .format(v=version, x=x_version))
+                .format(v=version, x=version_x))
         print("* Create new release via GitHub (required to upload release "
             "artifacts)")
         print("* Linux: git fetch && git checkout v{v} && "
-- 
cgit v1.2.3-54-g00ecf