aboutsummaryrefslogtreecommitdiff
path: root/.github/workflows/publish-firefox-development.yml
blob: 37098a4611b7ef4a25b474e04f1b84b83ac2dbb6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# For the Firefox development addon, people install it manually,
# and updates are distributed via the JSON file created in this
# action which is stored in the metadata branch of this repo.

name: publish-firefox-development
on:
  workflow_dispatch:
    inputs:
      upload_url:
        description: "The upload_url from the release created by create-prerelease-on-tag.yml"
        required: true
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    environment: cd
    permissions:
      contents: write
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: robinraju/release-downloader@c39a3b234af58f0cf85888573d361fb6fa281534 # pin@v1.10
        with:
          tag: ${{ github.ref_name }}
          fileName: "*"

      - name: Sign Firefox xpi for offline distribution
        id: ffSignXpi
        continue-on-error: true
        uses: cardinalby/webext-buildtools-firefox-sign-xpi-action@6c31e947111a95f05682fc98c6340367cce49cdc # pin@v1.0.8
        with:
          timeoutMs: 1200000
          extensionId: ${{ secrets.FF_OFFLINE_EXT_ID }}
          zipFilePath: yomitan-firefox-dev.zip
          xpiFilePath: yomitan-firefox-dev.xpi
          jwtIssuer: ${{ secrets.FF_JWT_ISSUER }}
          jwtSecret: ${{ secrets.FF_JWT_SECRET }}

      - name: Abort on sign error
        if: |
          steps.ffSignXpi.outcome == 'failure' &&
          steps.ffSignXpi.outputs.sameVersionAlreadyUploadedError != 'true'
        run: exit 1

      - name: Generate hashes
        id: hash
        run: |
          echo "hashes=$(sha256sum yomitan-firefox-dev.xpi | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Upload offline xpi release asset
        id: uploadReleaseAsset
        if: steps.ffSignXpi.outcome == 'success'
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ inputs.upload_url }}
          asset_path: yomitan-firefox-dev.xpi
          asset_name: yomitan-firefox-dev.xpi
          asset_content_type: application/x-xpinstall

      # update updates.json so that all people who have the dev version installed get the new update

      - uses: actions/checkout@v4
        with:
          ref: metadata

      - name: Recreate updates.json
        run: |
          cat > updates.json << EOF
          {
              "addons": {
                  "{2d13e145-294e-4ead-9bce-b4644b203a00}": {
                      "updates": [
                          {
                              "version": "${{ github.ref_name }}",
                              "update_link": "${{ steps.uploadReleaseAsset.outputs.browser_download_url }}"
                          }
                      ]
                  }
              }
          }
          EOF

      - name: Commit files
        continue-on-error: true
        run: |
          git config --local user.email "github-actions[bot]@users.noreply.github.com"
          git config --local user.name "github-actions[bot]"
          git commit -a -m "${{ github.ref_name }}"

      - name: Push changes
        uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # pin@master
        with:
          branch: metadata

  provenance:
    needs: [build]
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true