CLOUDP-326355: Add extra release checks (#4046)

Author: fmenezes

build/ci/check-release-files.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeou pipefail
+
+if [[ -z "${version}" ]]; then
+    echo "version environment variable is not set"
+    exit 1
+fi
+
+# shellcheck disable=SC2154 # unstable is set by evergreen
+if [[ "${unstable}" == "-unstable" ]]; then
+    version="${version}-next"
+fi
+
+REQUIRED_FILES=(
+    "dist/mongodb-atlas-cli_${version}_linux_arm64.deb"
+    "dist/mongodb-atlas-cli_${version}_linux_arm64.deb.sig"
+    "dist/mongodb-atlas-cli_${version}_linux_arm64.rpm"
+    "dist/mongodb-atlas-cli_${version}_linux_arm64.rpm.sig"
+    "dist/mongodb-atlas-cli_${version}_linux_arm64.tar.gz"
+    "dist/mongodb-atlas-cli_${version}_linux_arm64.tar.gz.sig"
+    "dist/mongodb-atlas-cli_${version}_linux_x86_64.deb"
+    "dist/mongodb-atlas-cli_${version}_linux_x86_64.deb.sig"
+    "dist/mongodb-atlas-cli_${version}_linux_x86_64.rpm"
+    "dist/mongodb-atlas-cli_${version}_linux_x86_64.rpm.sig"
+    "dist/mongodb-atlas-cli_${version}_linux_x86_64.tar.gz"
+    "dist/mongodb-atlas-cli_${version}_linux_x86_64.tar.gz.sig"
+    "dist/mongodb-atlas-cli_${version}_macos_arm64.zip"
+    "dist/mongodb-atlas-cli_${version}_macos_x86_64.zip"
+    "dist/mongodb-atlas-cli_${version}_windows_x86_64.msi"
+    "dist/mongodb-atlas-cli_${version}_windows_x86_64.zip"
+    "sbom.json"
+)
+
+for file in "${REQUIRED_FILES[@]}"; do
+    if [[ ! -f "${file}" ]]; then
+        echo "${file} is missing"
+        exit 1
+    fi
+done

build/ci/release.yml

@@ -350,6 +350,29 @@ functions:
           set -Eeou pipefail
           echo "${__project_aws_ssh_key_value}" > ./build/ci/ssh_id
           chmod 0600 ./build/ci/ssh_id
+  "check-git-dirty":
+    - command: shell.exec
+      params:
+        <<: *go_options
+        script: |
+          set -Eeou pipefail
+          git checkout -- dist/.keep
+          OUTPUT=$(git status --porcelain)
+          if [ -z "$OUTPUT" ]; then
+            echo "Git is clean"
+          else
+            echo "Git is dirty"
+            echo "$OUTPUT"
+            exit 1
+          fi
+  "check-required-files":
+    - command: subprocess.exec
+      params:
+        <<: *go_options
+        include_expansions_in_env:
+          - unstable
+          - version
+        binary: build/ci/check-release-files.sh
 tasks:
   - name: package_goreleaser
     tags: ["packaging"]
@@ -417,15 +440,14 @@ tasks:
             - src/github.com/mongodb/mongodb-atlas-cli/dist/*.sig
           remote_file: mongocli/
           build_variants:
-            - release_mongocli_github
             - release_atlascli_github
           bucket: cdn-origin-mongocli
           permissions: private
           content_type: ${content_type|application/x-gzip}
           display_name: downloads-center-
+      - func: "check-required-files"
+      - func: "check-git-dirty"
       - func: "trace artifacts"
-        vars:
-          unstable: ${unstable}
       - func: "send slack notification"
   - name: push_atlascli_generate
     patchable: false

build/package/linux_notarize.sh

@@ -20,22 +20,26 @@ set -Eeou pipefail
 # This depends on binaries being generated in a goreleaser manner and gon being set up.
 # goreleaser should already take care of calling this script as a part of a custom publisher.
 
-echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}" >> "signing-envfile"
+if [[ ! -f "${artifact:?}" ]]; then
+  echo "artifact ${artifact} does not exist"
+  exit 1
+fi
+
+echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}" > "signing-envfile"
 echo "GRS_CONFIG_USER1_PASSWORD=${GRS_PASSWORD}" >> "signing-envfile"
 
-if [[ -f "${artifact:?}" ]]; then
-  echo "${ARTIFACTORY_PASSWORD}" | podman login --password-stdin --username "${ARTIFACTORY_USERNAME}" artifactory.corp.mongodb.com
+echo "${ARTIFACTORY_PASSWORD}" | podman login --password-stdin --username "${ARTIFACTORY_USERNAME}" artifactory.corp.mongodb.com
 
-  echo "notarizing Linux binary ${artifact}"
+echo "notarizing Linux binary ${artifact}"
 
-  podman run \
-    --env-file=signing-envfile \
-    --rm \
-    -v "$(pwd)":"$(pwd)" \
-    -w "$(pwd)" \
-    artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-gpg \
-    /bin/bash -c "gpgloader && gpg --yes -v --armor -o ${artifact}.sig --detach-sign ${artifact}"
-fi
+podman run \
+  --env-file=signing-envfile \
+  --rm \
+  -v "$(pwd)":"$(pwd)" \
+  -w "$(pwd)" \
+  artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-gpg \
+  /bin/bash -c "gpgloader && gpg --yes -v --armor -o ${artifact}.sig --detach-sign ${artifact}"
 
-echo "Signing of ${artifact} completed."
+rm -rf signing-envfile
 
+echo "Signing of ${artifact} completed."