chore: fixes and improvements for the release process (dfinity#3703)

aterga · claude · web-flow · commit 81af29d34e23 · 2026-03-24T15:52:37.000Z
## Summary Follow-up fixes to the release SOP script (merged in dfinity#3699): - **Fall back to `.ic0.app`** when `.icp0.io` config endpoint is unavailable - **Split `prepare_proposal_argument`** into per-canister steps for finer-grained checklist progress - **Fix Candid parsing**: handle multi-line nested values (analytics_config, related_origins) - **Default missing fields to `null`**: prevents `dev_csp = ` causing didc encode failures - **Fix backend init arg**: default to `(null)` when user declines optional value - **Idempotent `append_proposal_argument`**: removes previously appended sections on re-run, adds Wasm Verification section - **Use HTTPS for git operations**: avoids SSH key prompts for public operations - **Format Candid args**: one top-level field per line for readability ## Test plan - [ ] Run `./scripts/make-upgrade-proposal --new --name release-test` and verify the improved flow - [ ] Run `./scripts/deploy-pr-to-beta -sa -fe <PR>` and verify shared helpers work correctly | [Next PR](dfinity#3702) > --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/scripts/frontend-arg-helpers.bash b/scripts/frontend-arg-helpers.bash
@@ -31,17 +31,21 @@ prompt_field() {
 # -------------------------
 build_frontend_install_arg() {
     local canister_id="$1"
-    local config_url="https://${canister_id}.icp0.io/.config"
+    local primary_url="https://${canister_id}.icp0.io/.config"
+    local fallback_url="https://${canister_id}.ic0.app/.config"
 
     echo ""
-    echo "Fetching current frontend config from $config_url ..."
-    local raw_config
-    if ! raw_config=$(curl --connect-timeout 10 --max-time 30 -sfL "$config_url"); then
-        echo "Error: Could not fetch current config from $config_url" >&2
-        exit 1
-    fi
+    local raw_config=""
+    for config_url in "$primary_url" "$fallback_url"; do
+        echo "Fetching current frontend config from $config_url ..."
+        if raw_config=$(curl --connect-timeout 10 --max-time 30 -sfL "$config_url") && [ -n "$raw_config" ]; then
+            break
+        fi
+        echo "  Failed, trying next domain..." >&2
+        raw_config=""
+    done
     if [ -z "$raw_config" ]; then
-        echo "Error: Empty config response from $config_url" >&2
+        echo "Error: Could not fetch config from either $primary_url or $fallback_url" >&2
         exit 1
     fi
 
@@ -52,37 +56,81 @@ build_frontend_install_arg() {
     echo "Configure install arguments (press Enter to keep each current value):"
 
     # Parse individual fields from the Candid text output.
+    # For multi-line nested values (analytics_config, related_origins), we extract
+    # everything from "field = " to the matching closing brace/semicolon.
+    parse_candid_field() {
+        local field="$1" config="$2"
+        # Try multi-line extraction: from "field = " to the line where braces balance
+        awk -v field="$field" '
+            BEGIN { found=0; depth=0; val="" }
+            !found && $0 ~ field" = " {
+                found=1
+                sub(".*"field" = ", "")
+                # Remove trailing semicolon if this is a single-line value
+            }
+            found {
+                val = (val == "" ? $0 : val "\n" $0)
+                depth += gsub(/[{(]/, "&")
+                depth -= gsub(/[})]/, "&")
+                if (depth <= 0) {
+                    # Remove trailing semicolon at the top level
+                    sub(/;[[:space:]]*$/, "", val)
+                    print val
+                    exit
+                }
+            }
+        ' <<< "$config"
+    }
+
     local current_backend_canister_id
-    current_backend_canister_id=$(echo "$raw_config" | grep 'backend_canister_id' | sed 's/.*= *//;s/ *;$//')
+    current_backend_canister_id=$(parse_candid_field "backend_canister_id" "$raw_config")
     local current_backend_origin
-    current_backend_origin=$(echo "$raw_config" | grep 'backend_origin' | sed 's/.*= *//;s/ *;$//')
+    current_backend_origin=$(parse_candid_field "backend_origin" "$raw_config")
     local current_related_origins
-    current_related_origins=$(echo "$raw_config" | sed -n '/related_origins/,/}/p' | tr '\n' ' ' | sed 's/.*= *//;s/ *;[[:space:]]*$//')
+    current_related_origins=$(parse_candid_field "related_origins" "$raw_config")
     local current_fetch_root_key
-    current_fetch_root_key=$(echo "$raw_config" | grep 'fetch_root_key' | sed 's/.*= *//;s/ *;$//')
+    current_fetch_root_key=$(parse_candid_field "fetch_root_key" "$raw_config")
     local current_analytics_config
-    current_analytics_config=$(echo "$raw_config" | grep 'analytics_config' | sed 's/.*= *//;s/ *;$//')
+    current_analytics_config=$(parse_candid_field "analytics_config" "$raw_config")
     local current_dummy_auth
-    current_dummy_auth=$(echo "$raw_config" | grep 'dummy_auth' | sed 's/.*= *//;s/ *;$//')
+    current_dummy_auth=$(parse_candid_field "dummy_auth" "$raw_config")
     local current_dev_csp
-    current_dev_csp=$(echo "$raw_config" | grep 'dev_csp' | sed 's/.*= *//;s/ *;$//')
+    current_dev_csp=$(parse_candid_field "dev_csp" "$raw_config")
+
+    # All known fields with their defaults (null for missing fields)
+    local -a field_names=(backend_canister_id backend_origin related_origins fetch_root_key analytics_config dummy_auth dev_csp)
+    local -A current_values=(
+        [backend_canister_id]="$current_backend_canister_id"
+        [backend_origin]="$current_backend_origin"
+        [related_origins]="$current_related_origins"
+        [fetch_root_key]="$current_fetch_root_key"
+        [analytics_config]="$current_analytics_config"
+        [dummy_auth]="$current_dummy_auth"
+        [dev_csp]="$current_dev_csp"
+    )
+
+    # Prompt for each field, defaulting empty values to null
+    local -A final_values
+    for field in "${field_names[@]}"; do
+        local current="${current_values[$field]:-null}"
+        local value
+        value=$(prompt_field "$field" "$current")
+        # Normalize empty input to null to avoid invalid Candid
+        final_values[$field]="${value:-null}"
+    done
 
-    local val_backend_canister_id
-    val_backend_canister_id=$(prompt_field "backend_canister_id" "$current_backend_canister_id")
-    local val_backend_origin
-    val_backend_origin=$(prompt_field "backend_origin" "$current_backend_origin")
-    local val_related_origins
-    val_related_origins=$(prompt_field "related_origins" "$current_related_origins")
-    local val_fetch_root_key
-    val_fetch_root_key=$(prompt_field "fetch_root_key" "$current_fetch_root_key")
-    local val_analytics_config
-    val_analytics_config=$(prompt_field "analytics_config" "$current_analytics_config")
-    local val_dummy_auth
-    val_dummy_auth=$(prompt_field "dummy_auth" "$current_dummy_auth")
-    local val_dev_csp
-    val_dev_csp=$(prompt_field "dev_csp" "$current_dev_csp")
+    # Build the Candid record with each top-level field on its own line
+    local record_fields=""
+    for field in "${field_names[@]}"; do
+        if [ -n "$record_fields" ]; then
+            record_fields+=$';\n'
+        fi
+        record_fields+="  ${field} = ${final_values[$field]}"
+    done
 
-    FRONTEND_CANDID_ARG="(record { backend_canister_id = ${val_backend_canister_id}; backend_origin = ${val_backend_origin}; related_origins = ${val_related_origins}; fetch_root_key = ${val_fetch_root_key}; analytics_config = ${val_analytics_config}; dummy_auth = ${val_dummy_auth}; dev_csp = ${val_dev_csp} })"
+    FRONTEND_CANDID_ARG="(record {
+${record_fields};
+})"
 
     echo ""
     echo "Install argument (Candid):"
diff --git a/scripts/make-upgrade-proposal b/scripts/make-upgrade-proposal
@@ -10,6 +10,11 @@ set -euo pipefail
 SOURCE_DIR="$(dirname "${BASH_SOURCE[0]}")"
 source "$SOURCE_DIR/frontend-arg-helpers.bash"
 
+# Resolve the HTTPS remote URL for git operations that don't need SSH.
+# gh is authenticated via HTTPS, so this avoids SSH key prompts for
+# public read operations (fetch) and authenticated writes (push).
+REPO_HTTPS_URL="https://github.com/dfinity/internet-identity.git"
+
 print_help() {
   cat <<-EOF
 
@@ -365,6 +370,9 @@ prepare_staging_backend_argument() {
   echo "=== Filling init arguments for STAGING BACKEND canister (InternetIdentityInit) ==="
   echo ""
   didc_assist_ii_init > staging_args.txt
+  if [ ! -s staging_args.txt ]; then
+    echo "(null)" > staging_args.txt
+  fi
   didc_encode_ii_init staging_args.txt > staging_dfx_arg.bin
 }
 
@@ -494,40 +502,56 @@ compute_sha256sum_for_frontend_args() {
   didc_encode_frontend_init "$ARG_FILE" | xxd -r -p | sha256sum | cut -f1 -d' '
 }
 
-prepare_proposal_argument() {
-  local upgrade_type="$(checklist_must_get 'Upgrade type')"
+prepare_production_backend_argument() {
   echo "You need at least the didc from 2024-07-29 https://github.com/dfinity/candid/releases/tag/2024-07-29"
-
-  if should_upgrade_backend "$upgrade_type"; then
-    echo ""
-    echo "=== Filling init arguments for PRODUCTION BACKEND canister (InternetIdentityInit) ==="
-    echo ""
-    didc_assist_ii_init > args.txt
-    didc_encode_ii_init args.txt > dfx_arg.bin
-    # DFX raw arguments are encoded differently than ic-admin's --arg values (mainnet_arg.bin).
-    xxd -r -p dfx_arg.bin > mainnet_arg.bin
+  echo ""
+  echo "=== Filling init arguments for PRODUCTION BACKEND canister (InternetIdentityInit) ==="
+  echo ""
+  didc_assist_ii_init > args.txt
+  # Default to (null) when the user declines the optional init arg
+  if [ ! -s args.txt ]; then
+    echo "(null)" > args.txt
   fi
+  didc_encode_ii_init args.txt > dfx_arg.bin
+  # DFX raw arguments are encoded differently than ic-admin's --arg values (mainnet_arg.bin).
+  xxd -r -p dfx_arg.bin > mainnet_arg.bin
+}
 
-  if should_upgrade_frontend "$upgrade_type"; then
-    echo ""
-    echo "=== Filling init arguments for PRODUCTION FRONTEND canister ==="
-    echo ""
-    build_frontend_install_arg "$PROD_FRONTEND_CANISTER_ID"
-    echo "$FRONTEND_CANDID_ARG" > frontend_args.txt
-    echo "$FRONTEND_INSTALL_ARG" > dfx_frontend_arg.bin
-    xxd -r -p dfx_frontend_arg.bin > mainnet_frontend_arg.bin
-  fi
+prepare_production_frontend_argument() {
+  echo ""
+  echo "=== Filling init arguments for PRODUCTION FRONTEND canister ==="
+  echo ""
+  build_frontend_install_arg "$PROD_FRONTEND_CANISTER_ID"
+  echo "$FRONTEND_CANDID_ARG" > frontend_args.txt
+  echo "$FRONTEND_INSTALL_ARG" > dfx_frontend_arg.bin
+  xxd -r -p dfx_frontend_arg.bin > mainnet_frontend_arg.bin
 }
 
 append_proposal_argument() {
   local upgrade_type="$(checklist_must_get 'Upgrade type')"
-  
+  local git_commit
+  git_commit=$(git rev-parse "$TAG_NAME")
+
   if should_upgrade_backend "$upgrade_type"; then
-    # Get the arguments from the file
     ARGUMENTS="$(cat args.txt)"
-    
+    II_WASM_SHA=$(sha256sum "internet_identity.wasm.gz" | awk '{print $1}')
+
+    # Remove previously appended sections (idempotent on re-run)
+    sed -i.bak '/^## Backend Argument Verification/,$d' backend_proposal.md && rm -f backend_proposal.md.bak
+    sed -i.bak '/^## Wasm Verification/,$d' backend_proposal.md && rm -f backend_proposal.md.bak
+
     cat >> backend_proposal.md << EOF
 
+## Wasm Verification
+
+To build the wasm modules yourself and verify their hashes, run the following commands from the root of the [Internet Identity repository](https://github.com/dfinity/internet-identity):
+
+\`\`\`
+git pull  # to ensure you have the latest changes.
+git checkout ${git_commit}
+./scripts/verify-hash --ii-hash ${II_WASM_SHA}
+\`\`\`
+
 ## Backend Argument Verification
 
 Run the following command to verify the backend upgrade argument hash:
@@ -539,13 +563,27 @@ didc encode -d ./src/internet_identity/internet_identity.did -t '(opt InternetId
 The output should match the argument hash.
 EOF
   fi
-  
+
   if should_upgrade_frontend "$upgrade_type"; then
-    # Get the frontend arguments from the file
     FRONTEND_ARGUMENTS="$(cat frontend_args.txt)"
-    
+    FRONTEND_WASM_SHA=$(sha256sum "internet_identity_frontend.wasm.gz" | awk '{print $1}')
+
+    # Remove previously appended sections (idempotent on re-run)
+    sed -i.bak '/^## Frontend Argument Verification/,$d' frontend_proposal.md && rm -f frontend_proposal.md.bak
+    sed -i.bak '/^## Wasm Verification/,$d' frontend_proposal.md && rm -f frontend_proposal.md.bak
+
     cat >> frontend_proposal.md << EOF
 
+## Wasm Verification
+
+To build the wasm modules yourself and verify their hashes, run the following commands from the root of the [Internet Identity repository](https://github.com/dfinity/internet-identity):
+
+\`\`\`
+git pull  # to ensure you have the latest changes.
+git checkout ${git_commit}
+./scripts/verify-hash --iife-hash ${FRONTEND_WASM_SHA}
+\`\`\`
+
 ## Frontend Argument Verification
 
 Run the following command to verify the frontend upgrade argument hash:
@@ -746,15 +784,15 @@ tag_proposal() {
     backend_proposal_num=$(checklist_get "Backend proposal number")
     if [ "$backend_proposal_num" ]; then
       git tag -f "proposal-backend-$backend_proposal_num"
-      git push origin "proposal-backend-$backend_proposal_num"
+      git push "$REPO_HTTPS_URL" "proposal-backend-$backend_proposal_num"
     fi
   fi
   
   if should_upgrade_frontend "$upgrade_type"; then
     frontend_proposal_num=$(checklist_get "Frontend proposal number")
     if [ "$frontend_proposal_num" ]; then
       git tag -f "proposal-frontend-$frontend_proposal_num"
-      git push origin "proposal-frontend-$frontend_proposal_num"
+      git push "$REPO_HTTPS_URL" "proposal-frontend-$frontend_proposal_num"
     fi
   fi
 }
@@ -772,10 +810,10 @@ UPGRADE_TYPE="$(checklist_must_get 'Upgrade type')"
 echo "Upgrade type: $UPGRADE_TYPE"
 echo ""
 
-confirm_cmd git fetch --tags --force
+confirm_cmd git fetch "$REPO_HTTPS_URL" --tags --force
 confirm_cmd git tag -f $TAG_NAME
 record "Release commit" git rev-parse $TAG_NAME
-record "New tag pushed" git push origin $TAG_NAME
+record "New tag pushed" git push "$REPO_HTTPS_URL" $TAG_NAME
 confirm_cmd wait_for_release
 confirm_manual "Review release page update" update_release_text
 
@@ -811,7 +849,12 @@ confirm_manual "Test release candidate" test_release_candidate
 
 # --- Production: prepare proposal arguments ---
 confirm_cmd download_proposal_text
-confirm_cmd prepare_proposal_argument
+if should_upgrade_backend "$UPGRADE_TYPE"; then
+  confirm_cmd prepare_production_backend_argument
+fi
+if should_upgrade_frontend "$UPGRADE_TYPE"; then
+  confirm_cmd prepare_production_frontend_argument
+fi
 confirm_cmd append_proposal_argument
 confirm_manual "Confirm proposal arguments" confirm_proposal_arguments
 confirm_manual "Share proposal contents on Slack" share_proposal
