Mozilla VPN Release Process =========================== `Mozilla VPN`_ is shipped in two parts, the client and addons. The client is shipped on Windows, Mac and Linux, as well as Android and iOS. Ensure you are in the ``#releaseduty`` channel in Matrix. .. _vpn relpro: Find the Release Promotion Action --------------------------------- Many of the steps below use a `release promotion action`_, these all share the same initial steps: 1. Navigate to the Decision task of the push in Taskcluster. Ensure it is the one for the ``github-push`` event, it will be called ``Decision (push)``. 2. Navigate to the task group. 3. From the three dot menu in the bottom right, select ``Release Promotion``. Windows and Mac Clients ----------------------- Promote a Build ~~~~~~~~~~~~~~~ You'll receive a ping in the ``#releaseduty`` channel in Matrix asking to "promote a build" or "push a build to candidates". The request should include a link to the commit they would like promoted. 1. :ref:`vpn relpro`. 2. Change the ``release_promotion_flavor`` to ``promote-client``. 3. Trigger the action. This will run beetmover tasks that uploads the signed builds to the `candidates directory`_ on archive.mozilla.org. The builds will be under the path with the following pattern: ``pub/vpn/candidates/-candidates/build/`` 4. :ref:`vpn balrog`, making sure to use the ``FirefoxVPN: release-cdntest`` channel. 5. Reply in-thread that the candidate builds are ready for testing. Ship a Build ~~~~~~~~~~~~ You'll receive a ping in the ``#releaseduty`` channel in Matrix asking to ship or release a build. The request should include a link to the commit they would like promoted. .. note:: As of this writing, the ship phase doesn't actually depend on the promote phase as the build signing tasks run on-push. So for now the action can simply be triggered from the `github-push` Decision task the same as the promote phase. This will change in the future. 1. :ref:`vpn relpro`. 2. Change the ``release_promotion_flavor`` to ``ship-client``. 3. Trigger the action. This will run beetmover tasks that copy the signed builds from candidates, over to the `releases directory`_ on archive.mozilla.org. 4. :ref:`vpn balrog`, making sure to use the ``FirefoxVPN: release`` channel. 5. Reply in-thread in the ``#releaseduty`` channel that the release has been shipped on Windows and Mac. .. _vpn balrog: Update Balrog ~~~~~~~~~~~~~ Once the builds are on ``archive.mozilla.org``, you'll need to update the ``FirefoxVPN: release-cdntest`` channel on `Balrog`_ to point at them. 1. Create the release. It's usually easiest to copy/paste the previous release. a. Set the release name to ``FirefoxVPN-``. b. Set the channel. Use ``FirefoxVPN: release-cdntest`` for the candidate builds. Use ``FirefoxVPN: release`` for the actual release. c. Update the URLs. d. Update the sha512 hashes, you'll need to download the binaries and compute them manually. Make sure the files are ``gunzip``'ed first (downloading via browser is safe way to ensure this). e. Update the version in the name and version fields. 2. Update the default rule to point to the new release. Required Releases ````````````````` From time to time, you may be asked to create a "required" release. This means that the client will force users to update to the newer version (normally they would have the option to ignore the update prompt). Required releases should be created *in addition* to the release you created in the previous step. 1. Create the required release by copy/pasting the previous release blob except: a. Append ``-Required`` to the release name (both in Balrog and in the release blob). b. Change the ``required`` field to ``true``. 2. Update or create the appropriate rules to point to this release. It will likely be the case that only certain platforms or version numbers will want to use this release, so be sure to work with the VPN team to determine what exactly is desired. Linux Client ------------ The Linux client is shipped via `launchpad`_, credentials are in Releng SOPS under ``ubuntu-store.yml``. .. note:: For now we are still using builds generated by Github Actions, but will hopefully be switching to the Taskcluster builds shortly. 1. Ensure that ``publish`` is disabled in the `edit section of launchpad`_. This will ensure we don't accidentally ship the builds that are uploaded immediately. 2. Find the ``Sources.zip`` artifact from Github Actions. Ideally this will be linked by someone from VPN but if not: a. Click the ``Actions`` tab in Github. b. Click ``PPA Automated Releases`` workflow on the left. c. Under the branch filter, type in the version tag (e.g ``v2.10.0``). d. Click the task and download the ``Sources.zip`` at the bottom. 3. Extract the zip to a temporary directory: .. code-block:: bash $ unzip -d vpn_release Sources.zip $ cd vpn_release 4. Run a docker container to perform the signing: .. code-block:: bash export RELENG_GPG_KEYCHAIN=/path-to/releng-secrets-global/keys/mozillavpn-launchpad-gpg docker run --rm -it -v $(pwd):/packages -v $RELENG_GPG_KEYCHAIN:/keychain --entrypoint /bin/bash ubuntu:latest -i 5. When inside the container, run the following commands: .. code-block:: bash apt update && DEBIAN_FRONTEND=noninteractive apt install -y devscripts dput rsync rsync -av /keychain/ /keychain2/ export GNUPGHOME=/keychain2 cd /packages # have the passphrase at hand in keys/mozillavpn-launchpad-gpg.passphrase # for the next command for signing debsign -k Release --re-sign *.dsc *.buildinfo *.changes dput ppa:mozillacorp/mozillavpn mozillavpn*.changes An email will be sent by lauchpad to release+ubuntu-store@mozilla.com. If ``dput`` complains about the package had already been uploaded, then delete all files ``*.ppa.upload`` and try again. If the build fails for some reason (i.e.: GPG key rotated), and the server complains the package has already been uploaded, then ``dput`` can be run with ``-f`` to force the upload/override. 6. The build should eventually show up on `launchpad`_. You can also `watch the state of the builds here`_. 7. Once the builds are successful, open the `edit section of launchpad`_ and check the ``Publish`` box. Click ``Save``. 8. After the releases have been shipped and verified, go back and disable ``Publish`` again. Android and iOS Clients ----------------------- Releng is not involved with the mobile release process. Addons ------ Addons are shipped independently from the main client, they are akin to Firefox's "system addons". They live in the main repo and are not to be confused with web extensions (they use a custom format to VPN). Promote Addons ~~~~~~~~~~~~~~ 1. :ref:`vpn relpro`, using the lastest push from `main` (unless otherwise specified). 2. Change the ``release_promotion_flavor`` to ``promote-addons``. 3. Trigger the action. This will trigger beetmover tasks that will upload the addons plus the manifest to the `addons candidates directory`_. The path will have a pattern like: ``pub/vpn/addons/candidates/`` 4. Provide the link in a thread to the original request in ``#releaseduty``. Ship Addons ~~~~~~~~~~~ 1. :ref:`vpn relpro`, using the same push as in the `promote` phase. 2. Change the ``release_promotion_flavor`` to ``ship-addons``. 3. Trigger the action. This will trigger beetmover tasks that will upload the addons plus the manifest to the `addons releases directory`_. The files will be uploaded to two locations: a. ``pub/vpn/addons/releases/`` b. ``pub/vpn/addons/releases/latest`` 4. Provide the link in a thread to the original request in ``#releaseduty``. .. _Mozilla VPN: https://github.com/mozilla-mobile/mozilla-vpn-client .. _release promotion action: .. _candidates directory: https://archive.mozilla.org/pub/vpn/candidates/ .. _RELENG-797: https://mozilla-hub.atlassian.net/browse/RELENG-797 .. _releases directory: https://archive.mozilla.org/pub/vpn/releases/ .. _Balrog: https://balrog.services.mozilla.com/ .. _launchpad: https://launchpad.net/~mozillacorp/+archive/ubuntu/mozillavpn .. _edit section of launchpad: https://launchpad.net/~mozillacorp/+archive/ubuntu/mozillavpn/+edit .. _watch the state of the builds here: https://launchpad.net/~mozillacorp/+archive/ubuntu/mozillavpn/+builds?build_text=&build_state=all .. _addons candidates directory: https://archive.mozilla.org/pub/vpn/addons/candidates/ .. _addons releases directory: https://archive.mozilla.org/pub/vpn/addons/releases/