From 59d3010fa5abc81d2bcf8bc70a11cac335361a54 Mon Sep 17 00:00:00 2001 From: Bryce Mecum Date: Wed, 11 Feb 2026 14:23:49 -0800 Subject: [PATCH 01/13] Include checksum in vote email --- dev/release/02-source.sh | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/dev/release/02-source.sh b/dev/release/02-source.sh index 5f813eb80bc..18157a36631 100755 --- a/dev/release/02-source.sh +++ b/dev/release/02-source.sh @@ -130,6 +130,8 @@ if [ ${SOURCE_VOTE} -gt 0 ]; then curl_options+=(--data "head=apache:${rc_branch}") curl_options+=(https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls) verify_pr_url=$(curl "${curl_options[@]}" | jq -r ".[0].html_url") + # read the checksum so we can include it in the vote thread email + tarball_hash=$(curl -s "https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-${version}-rc${rc}/${tarball}.sha512" | awk '{print $1}') echo "The following draft email has been created to send to the" echo "dev@arrow.apache.org mailing list" @@ -153,9 +155,10 @@ The binary artifacts are hosted at [4][5][6][7][8][9]. The changelog is located at [10]. Please download, verify checksums and signatures, run the unit tests, -and vote on the release. See [11] for how to validate a release candidate. +and vote on the release. See [11] for the SHA-512 checksum for this RC and [12] +for how to validate a release candidate. -See also a verification result on GitHub pull request [12]. +See also a verification result on GitHub pull request [13]. The vote will be open for at least 72 hours. 
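Review bot: In the first hunk of patch 01, `curl -s` is piped straight into `awk` with no failure handling, so an HTTP error or a network failure leaves `tarball_hash` either empty or set to the first token of an error page, and that value is printed into the vote email as [11]. Unless `pipefail` is set elsewhere in the script, the pipeline's status is awk's, so the failure is also silent. Adding `--fail` to the curl call and rejecting anything that is not a SHA-512 hex digest, e.g. `[[ "${tarball_hash}" =~ ^[0-9a-f]{128}$ ]] || { echo "Error: could not read SHA-512 for ${tarball}" >&2; exit 1; }`, would stop a draft with a wrong checksum from being sent to voters. The same unguarded fetch reappears in the `@@ -130,8 +134,12 @@` hunk of patch 03 and in the `else` branch of patch 05; the enclosing `SOURCE_VOTE` block continues outside the hunk.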
@@ -173,8 +176,9 @@ The vote will be open for at least 72 hours. [8]: https://packages.apache.org/artifactory/arrow/ubuntu-rc/ [9]: https://github.com/apache/arrow/releases/tag/apache-arrow-${version}-rc${rc} [10]: https://github.com/apache/arrow/blob/${release_hash}/CHANGELOG.md -[11]: https://arrow.apache.org/docs/developers/release_verification.html -[12]: ${verify_pr_url} +[11]: ${tarball_hash} +[12]: https://arrow.apache.org/docs/developers/release_verification.html +[13]: ${verify_pr_url} MAIL echo "---------------------------------------------------------" fi From 4f5742b57cd5bbb2c6cb09df1b6af84ff074b2c6 Mon Sep 17 00:00:00 2001 From: Bryce Mecum Date: Wed, 11 Feb 2026 14:38:26 -0800 Subject: [PATCH 02/13] Update 02-source-test.rb --- dev/release/02-source-test.rb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/dev/release/02-source-test.rb b/dev/release/02-source-test.rb index fe2c7b77591..bfe11602c97 100644 --- a/dev/release/02-source-test.rb +++ b/dev/release/02-source-test.rb @@ -106,6 +106,8 @@ def test_vote verify_pr_url = (JSON.parse(response.read)[0] || {})["html_url"] end output = source("VOTE") + # Extract the tarball hash from the output + tarball_hash = output[/\[11\]: ([a-f0-9]+)/, 1] assert_equal(<<-VOTE.strip, output[/^-+$(.+?)^-+$/m, 1].strip) To: dev@arrow.apache.org Subject: [VOTE] Release Apache Arrow #{@release_version} - RC0 @@ -124,9 +126,10 @@ def test_vote The changelog is located at [10]. Please download, verify checksums and signatures, run the unit tests, -and vote on the release. See [11] for how to validate a release candidate. +and vote on the release. See [11] for the SHA-512 checksum for this RC and [12] +for how to validate a release candidate. -See also a verification result on GitHub pull request [12]. +See also a verification result on GitHub pull request [13]. The vote will be open for at least 72 hours. 
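Review bot: In the `test_vote` hunk of patch 02, `tarball_hash` is extracted from `output` and then interpolated into the expected text, so the `[11]` line is compared with itself and the assertion cannot fail on a wrong checksum. When the regex does not match, `tarball_hash` is `nil`, which interpolates to an empty string and therefore also matches an empty checksum in the script's output. The expected value should be computed independently from the test tarball, or the test should at least pin the format with `assert_match(/\A[a-f0-9]{128}\z/, tarball_hash)`. `test_vote` starts and ends outside the hunk.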
@@ -144,8 +147,9 @@ def test_vote [8]: https://packages.apache.org/artifactory/arrow/ubuntu-rc/ [9]: https://github.com/apache/arrow/releases/tag/apache-arrow-#{@release_version}-rc0 [10]: https://github.com/apache/arrow/blob/#{@current_commit}/CHANGELOG.md -[11]: https://arrow.apache.org/docs/developers/release_verification.html -[12]: #{verify_pr_url || "null"} +[11]: #{tarball_hash} +[12]: https://arrow.apache.org/docs/developers/release_verification.html +[13]: #{verify_pr_url || "null"} VOTE end end From c410a0756fe0577499908584b5570ee3ee8e4058 Mon Sep 17 00:00:00 2001 From: Bryce Mecum Date: Wed, 11 Feb 2026 14:59:12 -0800 Subject: [PATCH 03/13] set hash earlier too --- dev/release/02-source.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/dev/release/02-source.sh b/dev/release/02-source.sh index 18157a36631..2100c2dec44 100755 --- a/dev/release/02-source.sh +++ b/dev/release/02-source.sh @@ -60,6 +60,7 @@ fi echo "Using commit $release_hash" tarball=apache-arrow-${version}.tar.gz +tarball_hash="" if [ ${SOURCE_DOWNLOAD} -gt 0 ]; then # Wait for the release candidate workflow to finish before attempting @@ -89,6 +90,9 @@ if [ ${SOURCE_UPLOAD} -gt 0 ]; then svn add tmp/${tag} svn ci -m "Apache Arrow ${version} RC${rc}" tmp/${tag} + # save hash for SOURCE_VOTE step + tarball_hash=$(awk '{print $1}' "artifacts/${tarball}.sha512") + # clean up rm -rf artifacts rm -rf tmp 
@@ -130,8 +134,12 @@ if [ ${SOURCE_VOTE} -gt 0 ]; then curl_options+=(--data "head=apache:${rc_branch}") curl_options+=(https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls) verify_pr_url=$(curl "${curl_options[@]}" | jq -r ".[0].html_url") - # read the checksum so we can include it in the vote thread email - tarball_hash=$(curl -s "https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-${version}-rc${rc}/${tarball}.sha512" | awk '{print $1}') + + # get the hash if it wasn't already set (like when this is run with + # SOURCE_DEFAULT=0 SOURCE_VOTE=1). + if [ -z "${tarball_hash}" ]; then + tarball_hash=$(curl -s "https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-${version}-rc${rc}/${tarball}.sha512" | awk '{print $1}') + fi echo "The following draft email has been created to send to the" echo "dev@arrow.apache.org mailing list" From 8baf46d33c46c72b71e924b7f5be7f50c190d2ae Mon Sep 17 00:00:00 2001 From: Bryce Mecum Date: Wed, 11 Feb 2026 16:32:44 -0800 Subject: [PATCH 04/13] Revert "set hash earlier too" This reverts commit c410a0756fe0577499908584b5570ee3ee8e4058. --- dev/release/02-source.sh | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/dev/release/02-source.sh b/dev/release/02-source.sh index 2100c2dec44..18157a36631 100755 --- a/dev/release/02-source.sh +++ b/dev/release/02-source.sh @@ -60,7 +60,6 @@ fi echo "Using commit $release_hash" tarball=apache-arrow-${version}.tar.gz -tarball_hash="" if [ ${SOURCE_DOWNLOAD} -gt 0 ]; then # Wait for the release candidate workflow to finish before attempting @@ -90,9 +89,6 @@ if [ ${SOURCE_UPLOAD} -gt 0 ]; then svn add tmp/${tag} svn ci -m "Apache Arrow ${version} RC${rc}" tmp/${tag} - # save hash for SOURCE_VOTE step - tarball_hash=$(awk '{print $1}' "artifacts/${tarball}.sha512") - # clean up rm -rf artifacts rm -rf tmp 
@@ -134,12 +130,8 @@ if [ ${SOURCE_VOTE} -gt 0 ]; then curl_options+=(--data "head=apache:${rc_branch}") curl_options+=(https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls) verify_pr_url=$(curl "${curl_options[@]}" | jq -r ".[0].html_url") - - # get the hash if it wasn't already set (like when this is run with - # SOURCE_DEFAULT=0 SOURCE_VOTE=1). - if [ -z "${tarball_hash}" ]; then - tarball_hash=$(curl -s "https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-${version}-rc${rc}/${tarball}.sha512" | awk '{print $1}') - fi + # read the checksum so we can include it in the vote thread email + tarball_hash=$(curl -s "https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-${version}-rc${rc}/${tarball}.sha512" | awk '{print $1}') echo "The following draft email has been created to send to the" echo "dev@arrow.apache.org mailing list" From 1563b65cdd36b8320552b7add12323fa37b7ebd8 Mon Sep 17 00:00:00 2001 From: Bryce Mecum Date: Wed, 11 Feb 2026 17:03:57 -0800 Subject: [PATCH 05/13] detect when we're being tested --- dev/release/02-source.sh | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/dev/release/02-source.sh b/dev/release/02-source.sh index 18157a36631..69eaf3752c7 100755 --- a/dev/release/02-source.sh +++ b/dev/release/02-source.sh 
@@ -130,8 +130,15 @@ if [ ${SOURCE_VOTE} -gt 0 ]; then curl_options+=(--data "head=apache:${rc_branch}") curl_options+=(https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls) verify_pr_url=$(curl "${curl_options[@]}" | jq -r ".[0].html_url") - # read the checksum so we can include it in the vote thread email - tarball_hash=$(curl -s "https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-${version}-rc${rc}/${tarball}.sha512" | awk '{print $1}') + # Read the checksum so we can include it in the vote thread email + # We check if $tarball exists to detect when this script is being run by + # 02-source-test.rb and we fill in the hash from the test tarball in that + # case. + if [ -f "${tarball}" ]; then + tarball_hash=$(shasum -a 512 "${tarball}" | awk '{print $1}') + else + tarball_hash=$(curl -s "https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-${version}-rc${rc}/${tarball}.sha512" | awk '{print $1}') + fi echo "The following draft email has been created to send to the" echo "dev@arrow.apache.org mailing list" From 255c034b885f347f409b16ce14b5ed5b4a9dc90f Mon Sep 17 00:00:00 2001 From: Bryce Mecum Date: Thu, 12 Feb 2026 11:43:13 -0800 Subject: [PATCH 06/13] Update dev/release/02-source.sh Co-authored-by: Sutou Kouhei --- dev/release/02-source.sh | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/dev/release/02-source.sh b/dev/release/02-source.sh index 69eaf3752c7..975bb5c9415 100755 --- a/dev/release/02-source.sh +++ b/dev/release/02-source.sh 
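Review bot: The `[ -f "${tarball}" ]` branch in patch 05 is meant to detect a run under 02-source-test.rb, but it also fires in a real release whenever a file with that name happens to be in the working directory. In that case [11] in the vote email is the digest of the local file rather than of what was published under dist.apache.org, so voters would be comparing against a value that was never uploaded. An explicit switch set by the test is safer than inferring test mode from a file's presence; alternatively the script could compute both values and fail when they differ. The enclosing `SOURCE_VOTE` block continues outside the hunk.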
@@ -130,15 +130,8 @@ if [ ${SOURCE_VOTE} -gt 0 ]; then curl_options+=(--data "head=apache:${rc_branch}") curl_options+=(https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls) verify_pr_url=$(curl "${curl_options[@]}" | jq -r ".[0].html_url") - # Read the checksum so we can include it in the vote thread email - # We check if $tarball exists to detect when this script is being run by - # 02-source-test.rb and we fill in the hash from the test tarball in that - # case. - if [ -f "${tarball}" ]; then - tarball_hash=$(shasum -a 512 "${tarball}" | awk '{print $1}') - else - tarball_hash=$(curl -s "https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-${version}-rc${rc}/${tarball}.sha512" | awk '{print $1}') - fi + # Read the checksum so we can include it in the vote thread email. + tarball_hash=$(cat "artifacts/${tarball}.sha512" | awk '{print $1}') echo "The following draft email has been created to send to the" echo "dev@arrow.apache.org mailing list" From d9c07a8ea76fa2e4fc1b4624f24e638dc396e7e4 Mon Sep 17 00:00:00 2001 From: Bryce Mecum Date: Thu, 12 Feb 2026 11:50:23 -0800 Subject: [PATCH 07/13] Fail when checksum doesn't exist --- dev/release/02-source.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dev/release/02-source.sh b/dev/release/02-source.sh index 975bb5c9415..f942514cd12 100755 --- a/dev/release/02-source.sh +++ b/dev/release/02-source.sh @@ -131,6 +131,7 @@ if [ ${SOURCE_VOTE} -gt 0 ]; then curl_options+=(https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls) verify_pr_url=$(curl "${curl_options[@]}" | jq -r ".[0].html_url") # Read the checksum so we can include it in the vote thread email. + [[ -f "artifacts/${tarball}.sha512" ]] || { echo "Error: artifacts/${tarball}.sha512 must exist"; exit 1; } tarball_hash=$(cat "artifacts/${tarball}.sha512" | awk '{print $1}') echo "The following draft email has been created to send to the" From da73c6f1290cdb739a9363580f41b32b15f9c102 Mon Sep 17 00:00:00 2001 
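Review bot: Patch 06 reads `artifacts/${tarball}.sha512` inside the `SOURCE_VOTE` block, but the context lines of patch 03 show the `SOURCE_UPLOAD` block ending with `rm -rf artifacts`, and no commit in this series changes that cleanup. If both steps run in one invocation, the file would already be gone when the vote email is drafted, so either the digest needs to be captured before the cleanup or the cleanup has to move after the vote step; worth confirming against the full script. The `cat … | awk` can also be written as `awk '{print $1}' "artifacts/${tarball}.sha512"`.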
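Review bot: The guard added in patch 07 checks only that the `.sha512` file exists, so an empty or truncated file still yields an empty `tarball_hash` and the email is drafted with a blank [11]. Checking the value after it is read covers both cases: `[[ "${tarball_hash}" =~ ^[0-9a-f]{128}$ ]] || { echo "Error: artifacts/${tarball}.sha512 does not contain a SHA-512 digest" >&2; exit 1; }` (this assumes lowercase hex, as the regex in patch 02 does). The existing error message is written to stdout; appending `>&2` keeps it out of output that callers capture.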
From: Bryce Mecum Date: Thu, 12 Feb 2026 11:50:38 -0800 Subject: [PATCH 08/13] Update 02-source-test.rb --- dev/release/02-source-test.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dev/release/02-source-test.rb b/dev/release/02-source-test.rb index bfe11602c97..767eecef7ce 100644 --- a/dev/release/02-source-test.rb +++ b/dev/release/02-source-test.rb @@ -44,6 +44,9 @@ def source(*targets) env["SOURCE_#{target}"] = "1" end sh(env, @tarball_script, @release_version, "0") + File.open("#{@archive_name}.sha512", "w") do |sha512| + sha512.puts(sh(env, "shasum", "-a", "512", @archive_name)) + end output = sh(env, @script, @release_version, "0") sh("tar", "xf", @archive_name) output From f6b239101d9799c39834f7b6597c5e3f4a036e7e Mon Sep 17 00:00:00 2001 From: Bryce Mecum Date: Thu, 12 Feb 2026 11:53:09 -0800 Subject: [PATCH 09/13] Update dev/release/02-source-test.rb Co-authored-by: Sutou Kouhei --- dev/release/02-source-test.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dev/release/02-source-test.rb b/dev/release/02-source-test.rb index 767eecef7ce..5359995af4b 100644 --- a/dev/release/02-source-test.rb +++ b/dev/release/02-source-test.rb @@ -109,8 +109,7 @@ def test_vote verify_pr_url = (JSON.parse(response.read)[0] || {})["html_url"] end output = source("VOTE") - # Extract the tarball hash from the output - tarball_hash = output[/\[11\]: ([a-f0-9]+)/, 1] + tarball_hash = Digest::SHA512.file(@archive_name).to_s assert_equal(<<-VOTE.strip, output[/^-+$(.+?)^-+$/m, 1].strip) To: dev@arrow.apache.org Subject: [VOTE] Release Apache Arrow #{@release_version} - RC0 From 8ea4395f974aac0a038af3ae11798cc229efc6f9 Mon Sep 17 00:00:00 2001 From: Bryce Mecum Date: Thu, 12 Feb 2026 11:53:32 -0800 Subject: [PATCH 10/13] Add require --- dev/release/02-source-test.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dev/release/02-source-test.rb b/dev/release/02-source-test.rb index 5359995af4b..cab4ac94e17 100644 --- a/dev/release/02-source-test.rb 
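Review bot: The `source` helper in patch 08 shells out to `shasum -a 512` to build the checksum fixture, which makes the test depend on an external utility that may not be installed on a minimal image, and it relies on `sh` returning the command's stdout, which is not visible here. Writing the file from Ruby removes both assumptions: `sha512.puts("#{Digest::SHA512.file(@archive_name)}  #{@archive_name}")`, with `require "digest"` at the top of the file. The same `shasum` call is kept in the `source` hunk of patch 11. `source` starts outside the hunk.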
+++ b/dev/release/02-source-test.rb @@ -15,6 +15,8 @@ # specific language governing permissions and limitations # under the License. +require 'digest' + class SourceTest < Test::Unit::TestCase include GitRunnable include VersionDetectable From ebd639cfccc71448dab5e635ce9b748d2162ea5e Mon Sep 17 00:00:00 2001 From: Bryce Mecum Date: Thu, 12 Feb 2026 12:34:01 -0800 Subject: [PATCH 11/13] Put tarball in artifacts subdir --- dev/release/02-source-test.rb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/dev/release/02-source-test.rb b/dev/release/02-source-test.rb index cab4ac94e17..7b2bfb67d42 100644 --- a/dev/release/02-source-test.rb +++ b/dev/release/02-source-test.rb @@ -46,11 +46,13 @@ def source(*targets) env["SOURCE_#{target}"] = "1" end sh(env, @tarball_script, @release_version, "0") - File.open("#{@archive_name}.sha512", "w") do |sha512| - sha512.puts(sh(env, "shasum", "-a", "512", @archive_name)) + Dir.mkdir("artifacts") unless Dir.exist?("artifacts") + sh("mv", @archive_name, "artifacts/") + File.open("artifacts/#{@archive_name}.sha512", "w") do |sha512| + sha512.puts(sh(env, "shasum", "-a", "512", "artifacts/#{@archive_name}")) end output = sh(env, @script, @release_version, "0") - sh("tar", "xf", @archive_name) + sh("tar", "xf", "artifacts/#{@archive_name}") output end From b485e0f6ebeb0e70869233ef4064eb640e00f1e2 Mon Sep 17 00:00:00 2001 From: Bryce Mecum Date: Thu, 12 Feb 2026 12:56:59 -0800 Subject: [PATCH 12/13] Update 02-source-test.rb --- dev/release/02-source-test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev/release/02-source-test.rb b/dev/release/02-source-test.rb index 7b2bfb67d42..553eb7638c3 100644 --- a/dev/release/02-source-test.rb +++ b/dev/release/02-source-test.rb 
@@ -113,7 +113,7 @@ def test_vote verify_pr_url = (JSON.parse(response.read)[0] || {})["html_url"] end output = source("VOTE") - tarball_hash = Digest::SHA512.file(@archive_name).to_s + tarball_hash = Digest::SHA512.file("artifacts/#{@archive_name}).to_s assert_equal(<<-VOTE.strip, output[/^-+$(.+?)^-+$/m, 1].strip) To: dev@arrow.apache.org Subject: [VOTE] Release Apache Arrow #{@release_version} - RC0 From ddd09c3044f732d74094632862e2936d40fa1737 Mon Sep 17 00:00:00 2001 From: Bryce Mecum Date: Thu, 12 Feb 2026 12:59:43 -0800 Subject: [PATCH 13/13] fix syntax --- dev/release/02-source-test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev/release/02-source-test.rb b/dev/release/02-source-test.rb index 553eb7638c3..a881a0d4ac8 100644 --- a/dev/release/02-source-test.rb +++ b/dev/release/02-source-test.rb @@ -113,7 +113,7 @@ def test_vote verify_pr_url = (JSON.parse(response.read)[0] || {})["html_url"] end output = source("VOTE") - tarball_hash = Digest::SHA512.file("artifacts/#{@archive_name}).to_s + tarball_hash = Digest::SHA512.file("artifacts/#{@archive_name}").to_s assert_equal(<<-VOTE.strip, output[/^-+$(.+?)^-+$/m, 1].strip) To: dev@arrow.apache.org Subject: [VOTE] Release Apache Arrow #{@release_version} - RC0