releng: check pinned console's API version matches nexus API version

[david-crespo]

This is meant to avoid a situation that recently obtained, where I forgot that a last-minute API change required a console bump before the release went out. The instance page was broken in staging because the console's API version was out of date. Generally I have kept this in line by hand, but it would be a lot better to check it automatically.

So, at release time the releng script fetches the API_VERSION file from github for the console version pinned in tools/console_version and makes sure it matches the version in nexus-latest.json. Simple enough. On main it should warn, and on actual releases (as indicated by pins.helios.is_some()) it should fail.

oxidecomputer/console#3246 adds the API_VERSION file we use to check.

Do not merge before #10591, which is the console bump fixing my mistake.

[david-crespo]

Let me know if there's a better indicator of whether we're doing a release.

[iliana]

This is about the best indicator we have right now!

[iliana]

This is about the best indicator we have right now!

[david-crespo]

This version mismatch can't really happen in CI because it downloads the assets before this, but there's a line in the runbook that mentions running xtask releng manually, and the above message could be helpful in that case. Otherwise you'd probably get a spurious API version mismatch error.

[david-crespo]

It's not very easy to test the above directly, but here is a script that tests the parsing logic:

---
[dependencies]
anyhow = "1"
serde_json = "1"
---

use std::fs;

fn main() -> anyhow::Result<()> {
    // Pinned console commit: the COMMIT="..." line in tools/console_version.
    let console_version = fs::read_to_string("tools/console_version")?;
    let pinned_commit = console_version
        .lines()
        .find_map(|line| line.trim().strip_prefix("COMMIT=\"")?.strip_suffix('"'))
        .expect("failed to parse COMMIT from tools/console_version");

    // The asset tarball records its source commit in a top-level VERSION file.
    let asset_commit =
        fs::read_to_string("out/console-assets/VERSION")?.trim().to_owned();

    // ... and its API version in API_VERSION.
    let api_version =
        fs::read_to_string("out/console-assets/API_VERSION")?.trim().to_owned();

    // Current nexus API version: info.version of the spec nexus-latest.json points to.
    let spec: serde_json::Value =
        serde_json::from_str(&fs::read_to_string("openapi/nexus/nexus-latest.json")?)?;
    let nexus_version = spec
        .pointer("/info/version")
        .and_then(serde_json::Value::as_str)
        .expect("failed to read info.version");

    println!("pinned_commit  len={:2}  {pinned_commit:?}", pinned_commit.len());
    println!("asset_commit   len={:2}  {asset_commit:?}", asset_commit.len());
    println!("api_version    len={:2}  {api_version:?}", api_version.len());
    println!("nexus_version  len={:2}  {nexus_version:?}", nexus_version.len());
    println!("---");
    println!("VERSION == COMMIT:    {}", if asset_commit == pinned_commit { "MATCH" } else { "MISMATCH" });
    println!("API_VERSION == nexus: {}", if api_version == nexus_version { "MATCH" } else { "MISMATCH" });
    Ok(())
}

$ cargo +nightly -Zscript /tmp/check_console_assets.rs
warning: `package.edition` is unspecified, defaulting to `2024`
    Finished [`dev` profile [unoptimized + debuginfo]](https://doc.rust-lang.org/cargo/reference/profiles.html#default-profiles) target(s) in 0.01s
     Running `/Users/david/.cargo/build/ef/06be145a04bef9/target/debug/check_console_assets`
pinned_commit  len=40  "9858df1b65f5c541563a968629ca1ebf07369be9"
asset_commit   len=40  "9858df1b65f5c541563a968629ca1ebf07369be9"
api_version    len=14  "2026060800.0.0"
nexus_version  len=14  "2026060800.0.0"
---
VERSION == COMMIT:    MATCH
API_VERSION == nexus: MATCH