Verify staging repository before destructive Nexus actions

Before publish-release.sh promotes a staging repo to Maven Central
and before cancel-rc.sh drops one, perform a four-layer check on the
provided staging_repo_id:

1. Profile == org.apache.parquet (catches wrong-project IDs)
2. State == closed (catches already-released, already-dropped, never-closed)
3. Artifact present: parquet-common-<version>.pom in the repo
   (catches wrong-version IDs and empty repos)
4. Description contains "Apache Parquet <version> RC<rc>"
   (catches wrong-RC of the same version line)

The first three are unambiguous facts about the repo and hard-fail
the script. The description is a free-text field editable in the
Nexus UI, so a mismatch hard-fails by default but can be bypassed
with --allow-description-mismatch (also exposed as a workflow input)
for recovery scenarios.

This closes a gap that exists in both Polaris's and the original
Parquet manual procedure: "type the staging repo ID into a form
field" replaces the Nexus-UI human eyeball check without a
verification step in between.

Author: RussellSpitzer

.github/workflows/release-cancel-rc.yml

@@ -34,6 +34,11 @@ on:
         description: 'Nexus staging repository ID to drop (e.g., orgapacheparquet-1234)'
         required: true
         type: string
+      allow_description_mismatch:
+        description: 'Bypass the staging-repo description check (recovery only)'
+        required: false
+        type: boolean
+        default: false
       dry_run:
         description: 'Dry run mode (no actual changes)'
         required: false
@@ -68,8 +73,10 @@ jobs:
           INPUT_VERSION: ${{ inputs.version }}
           INPUT_RC_NUMBER: ${{ inputs.rc_number }}
           INPUT_STAGING_REPO_ID: ${{ inputs.staging_repo_id }}
+          INPUT_ALLOW_DESCRIPTION_MISMATCH: ${{ inputs.allow_description_mismatch && '1' || '0' }}
         run: |
-          ./release/bin/cancel-rc.sh \
-            "${INPUT_VERSION}" \
-            "${INPUT_RC_NUMBER}" \
-            "${INPUT_STAGING_REPO_ID}"
+          args=("${INPUT_VERSION}" "${INPUT_RC_NUMBER}" "${INPUT_STAGING_REPO_ID}")
+          if [[ "${INPUT_ALLOW_DESCRIPTION_MISMATCH}" == "1" ]]; then
+            args+=(--allow-description-mismatch)
+          fi
+          ./release/bin/cancel-rc.sh "${args[@]}"

.github/workflows/release-publish.yml

@@ -35,6 +35,11 @@ on:
         description: 'Nexus staging repository ID (e.g., orgapacheparquet-1234)'
         required: true
         type: string
+      allow_description_mismatch:
+        description: 'Bypass the staging-repo description check (recovery only)'
+        required: false
+        type: boolean
+        default: false
       dry_run:
         description: 'Dry run mode (no actual changes)'
         required: false
@@ -81,9 +86,13 @@ jobs:
           INPUT_VERSION: ${{ inputs.version }}
           INPUT_RC_NUMBER: ${{ inputs.rc_number }}
           INPUT_STAGING_REPO_ID: ${{ inputs.staging_repo_id }}
+          INPUT_ALLOW_DESCRIPTION_MISMATCH: ${{ inputs.allow_description_mismatch && '1' || '0' }}
         run: |
           args=("${INPUT_VERSION}" "${INPUT_STAGING_REPO_ID}")
           if [[ -n "${INPUT_RC_NUMBER}" ]]; then
             args+=(--rc "${INPUT_RC_NUMBER}")
           fi
+          if [[ "${INPUT_ALLOW_DESCRIPTION_MISMATCH}" == "1" ]]; then
+            args+=(--allow-description-mismatch)
+          fi
           ./release/bin/publish-release.sh "${args[@]}"

release/bin/cancel-rc.sh

@@ -34,7 +34,7 @@ source "${LIBS_DIR}/_nexus.sh"
 # ---------------------------------------------------------------------------
 function usage {
   cat <<EOF
-Usage: $0 <version> <rc-num> <staging-repo-id>
+Usage: $0 <version> <rc-num> <staging-repo-id> [--allow-description-mismatch]
 
 Cancel a release candidate after a failed vote.
 
@@ -43,6 +43,15 @@ Arguments:
   rc-num                RC number to cancel (e.g., 0)
   staging-repo-id       Nexus staging repository ID (e.g., orgapacheparquet-1234)
 
+Options:
+  --allow-description-mismatch
+                        Bypass the staging-repo description check (for recovery scenarios)
+
+Before dropping the staging repo, this script verifies that it belongs
+to org.apache.parquet, is in 'closed' state, contains
+${NEXUS_VERIFY_ARTIFACT_ID:-parquet-common}-<version>.pom, and has a
+description matching "Apache Parquet <version> RC<num>".
+
 Environment variables:
   DRY_RUN               Set to 0 for real execution (default: 1)
   NEXUS_USERNAME        Apache Nexus username
@@ -59,14 +68,40 @@ EOF
 # ---------------------------------------------------------------------------
 # Parse arguments
 # ---------------------------------------------------------------------------
-if [[ $# -lt 3 ]]; then
-  print_error "Expected 3 arguments, got $#"
+version=""
+rc_num=""
+staging_repo_id=""
+allow_description_mismatch=0
+positional=()
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --allow-description-mismatch)
+      allow_description_mismatch=1
+      shift
+      ;;
+    --help|-h)
+      usage 0
+      ;;
+    -*)
+      print_error "Unknown option: $1"
+      usage 1
+      ;;
+    *)
+      positional+=("$1")
+      shift
+      ;;
+  esac
+done
+
+if [[ ${#positional[@]} -lt 3 ]]; then
+  print_error "Expected 3 positional arguments (version, rc-num, staging-repo-id), got ${#positional[@]}"
   usage 1
 fi
 
-version="$1"
-rc_num="$2"
-staging_repo_id="$3"
+version="${positional[0]}"
+rc_num="${positional[1]}"
+staging_repo_id="${positional[2]}"
 
 # ---------------------------------------------------------------------------
 # Validate inputs
@@ -102,6 +137,18 @@ step_summary "| Version | \`${version}\` |"
 step_summary "| RC tag | \`${rc_tag}\` |"
 step_summary "| Staging repo | \`${staging_repo_id}\` |"
 
+# ---------------------------------------------------------------------------
+# Step 0: Verify staging repository before any destructive action
+# ---------------------------------------------------------------------------
+step_summary ""
+step_summary "### Staging Repository Verification"
+
+if ! nexus_verify_staging_repo "${staging_repo_id}" "${version}" "${rc_num}" "${allow_description_mismatch}"; then
+  step_summary "Staging repository verification: **FAILED**"
+  exit 1
+fi
+step_summary "Staging repository \`${staging_repo_id}\` verified"
+
 # ---------------------------------------------------------------------------
 # Step 1: Drop Nexus staging repo
 # ---------------------------------------------------------------------------

release/bin/publish-release.sh

@@ -35,7 +35,7 @@ source "${LIBS_DIR}/_maven.sh"
 # ---------------------------------------------------------------------------
 function usage {
   cat <<EOF
-Usage: $0 <version> <staging-repo-id> [--rc <num>]
+Usage: $0 <version> <staging-repo-id> [--rc <num>] [--allow-description-mismatch]
 
 Publish a release after the vote passes.
 
@@ -45,8 +45,15 @@ Arguments:
 
 Options:
   --rc <num>            RC number that passed the vote (default: auto-detect latest)
+  --allow-description-mismatch
+                        Bypass the staging-repo description check (for recovery scenarios)
   --help                Show this help
 
+Before any destructive action, this script verifies that the staging repo
+belongs to org.apache.parquet, is in 'closed' state, contains
+${NEXUS_VERIFY_ARTIFACT_ID:-parquet-common}-<version>.pom, and has a
+description matching "Apache Parquet <version> RC<num>".
+
 The next development version is auto-computed by incrementing the patch
 version (e.g., 1.18.0 -> 1.18.1-SNAPSHOT).
 
@@ -71,6 +78,7 @@ EOF
 version=""
 staging_repo_id=""
 rc_num=""
+allow_description_mismatch=0
 positional=()
 
 while [[ $# -gt 0 ]]; do
@@ -83,6 +91,10 @@ while [[ $# -gt 0 ]]; do
       rc_num="$2"
       shift 2
       ;;
+    --allow-description-mismatch)
+      allow_description_mismatch=1
+      shift
+      ;;
     --help|-h)
       usage 0
       ;;
@@ -181,6 +193,18 @@ step_summary "| Staging repo | \`${staging_repo_id}\` |"
 step_summary "| Next dev version | \`${next_dev_version}-SNAPSHOT\` |"
 step_summary "| Commit | \`${rc_commit}\` |"
 
+# ---------------------------------------------------------------------------
+# Step 0: Verify staging repository before any destructive action
+# ---------------------------------------------------------------------------
+step_summary ""
+step_summary "### Staging Repository Verification"
+
+if ! nexus_verify_staging_repo "${staging_repo_id}" "${version}" "${rc_num}" "${allow_description_mismatch}"; then
+  step_summary "Staging repository verification: **FAILED**"
+  exit 1
+fi
+step_summary "Staging repository \`${staging_repo_id}\` verified"
+
 # ---------------------------------------------------------------------------
 # Step 1: Move SVN artifacts from dist/dev to dist/release
 # ---------------------------------------------------------------------------

release/libs/_constants.sh

@@ -29,8 +29,13 @@ APACHE_DIST_DEV_PATH="/dev/parquet"
 APACHE_DIST_RELEASE_PATH="/release/parquet"
 
 NEXUS_BASE_URL=${NEXUS_BASE_URL:-"https://repository.apache.org/service/local"}
+NEXUS_CONTENT_BASE_URL=${NEXUS_CONTENT_BASE_URL:-"https://repository.apache.org/content/repositories"}
 NEXUS_STAGING_GROUP_URL="https://repository.apache.org/content/groups/staging/org/apache/parquet/"
 
+NEXUS_PROFILE_NAME="org.apache.parquet"
+NEXUS_VERIFY_GROUP_PATH="org/apache/parquet"
+NEXUS_VERIFY_ARTIFACT_ID="parquet-common"
+
 DRY_RUN=${DRY_RUN:-1}
 
 VERSION_REGEX="([0-9]+)\.([0-9]+)\.([0-9]+)"

release/libs/_nexus.sh

@@ -68,8 +68,111 @@ function nexus_drop_staging_repo {
   _nexus_bulk_action "drop" "${repo_id}" "${description}"
 }
 
+function nexus_get_staging_repo_metadata {
+  local repo_id="$1"
+  local url="${NEXUS_BASE_URL}/staging/repository/${repo_id}"
+
+  nexus_repo_profile=""
+  nexus_repo_state=""
+  nexus_repo_description=""
+
+  if [[ ${DRY_RUN:-1} -eq 1 ]]; then
+    print_command "Dry-run, WOULD GET ${url} (skipping metadata fetch)"
+    nexus_repo_profile="${NEXUS_PROFILE_NAME}"
+    nexus_repo_state="closed"
+    nexus_repo_description="DRY_RUN_DESCRIPTION"
+    return 0
+  fi
+
+  local response
+  if ! response=$(curl --fail --silent --show-error \
+    -K <(printf 'user = "%s:%s"\n' "${NEXUS_USERNAME}" "${NEXUS_PASSWORD}") \
+    -H "Accept: application/json" \
+    "${url}"); then
+    print_error "Failed to fetch staging repository metadata for ${repo_id}"
+    return 1
+  fi
+
+  nexus_repo_profile=$(echo "${response}" | jq -r '.profileName // ""')
+  nexus_repo_state=$(echo "${response}" | jq -r '.type // ""')
+  nexus_repo_description=$(echo "${response}" | jq -r '.description // ""')
+
+  if [[ -z "${nexus_repo_profile}" || -z "${nexus_repo_state}" ]]; then
+    print_error "Unable to parse staging repository metadata for ${repo_id}"
+    return 1
+  fi
+
+  return 0
+}
+
+function nexus_check_staging_artifact {
+  local repo_id="$1"
+  local version="$2"
+  local artifact_url="${NEXUS_CONTENT_BASE_URL}/${repo_id}/${NEXUS_VERIFY_GROUP_PATH}/${NEXUS_VERIFY_ARTIFACT_ID}/${version}/${NEXUS_VERIFY_ARTIFACT_ID}-${version}.pom"
+
+  if [[ ${DRY_RUN:-1} -eq 1 ]]; then
+    print_command "Dry-run, WOULD HEAD ${artifact_url}"
+    return 0
+  fi
+
+  if ! curl --fail --silent --show-error --head \
+    -K <(printf 'user = "%s:%s"\n' "${NEXUS_USERNAME}" "${NEXUS_PASSWORD}") \
+    "${artifact_url}" >/dev/null; then
+    print_error "Expected artifact not found in staging repo: ${artifact_url}"
+    return 1
+  fi
+
+  return 0
+}
+
+function nexus_verify_staging_repo {
+  local repo_id="$1"
+  local version="$2"
+  local rc_num="$3"
+  local allow_description_mismatch="${4:-0}"
+
+  local expected_description="Apache Parquet ${version} RC${rc_num}"
+
+  print_info "Verifying staging repository ${repo_id}..."
+
+  if ! nexus_get_staging_repo_metadata "${repo_id}"; then
+    return 1
+  fi
+
+  if [[ "${nexus_repo_profile}" != "${NEXUS_PROFILE_NAME}" ]]; then
+    print_error "Profile mismatch: expected '${NEXUS_PROFILE_NAME}', got '${nexus_repo_profile}'"
+    print_error "This staging repo does not belong to Apache Parquet."
+    return 1
+  fi
+
+  if [[ "${nexus_repo_state}" != "closed" ]]; then
+    print_error "Unexpected state: expected 'closed', got '${nexus_repo_state}'"
+    print_error "Staging repo must be closed (not open/released/dropped) before this action."
+    return 1
+  fi
+
+  if ! nexus_check_staging_artifact "${repo_id}" "${version}"; then
+    print_error "Verification failed: ${NEXUS_VERIFY_ARTIFACT_ID}-${version}.pom not found in staging repo."
+    print_error "This staging repo does not appear to contain ${version} artifacts."
+    return 1
+  fi
+
+  if [[ ${DRY_RUN:-1} -ne 1 && "${nexus_repo_description}" != *"${expected_description}"* ]]; then
+    print_warning "Description mismatch: expected to contain '${expected_description}'"
+    print_warning "Actual description: '${nexus_repo_description}'"
+    if [[ "${allow_description_mismatch}" != "1" ]]; then
+      print_error "Refusing to proceed. Re-run with --allow-description-mismatch to bypass."
+      return 1
+    fi
+    print_warning "Continuing despite description mismatch (--allow-description-mismatch)."
+  fi
+
+  print_info "Staging repository ${repo_id} verified."
+  return 0
+}
+
 function nexus_find_open_staging_repo {
-  local profile_name="${1:-org.apache.parquet}"
+  local profile_name="${1:-${NEXUS_PROFILE_NAME}}"
 
   print_info "Searching for open staging repository for ${profile_name}..."