From a3d0e2303d51d6fa1e53419b8155674995f3291c Mon Sep 17 00:00:00 2001
From: Peter Dave Hello <3691490+PeterDaveHello@users.noreply.github.com>
Date: Wed, 1 Jul 2026 03:34:57 +0800
Subject: [PATCH] Harden manual store submission workflow

---
 .github/workflows/tagged-release.yml | 46 ++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/tagged-release.yml b/.github/workflows/tagged-release.yml
index c997ddf3..8ae7600d 100644
--- a/.github/workflows/tagged-release.yml
+++ b/.github/workflows/tagged-release.yml
@@ -25,9 +25,6 @@ on:
 permissions:
   id-token: "write"
   contents: "write"
-env:
-  GH_TOKEN: ${{ github.token }}
-
 jobs:
   build_and_release:
     runs-on: macos-14
@@ -36,6 +33,7 @@ jobs:
       - uses: actions/checkout@v6
         with:
           ref: ${{ github.event_name == 'push' && 'master' || github.ref_name }}
+          persist-credentials: ${{ github.event_name == 'push' }}
 
       - uses: actions/setup-node@v6
         with:
@@ -79,6 +77,8 @@ jobs:
       - if: github.event_name == 'push'
         run: |
           gh release create ${{github.ref_name}} -d -F CURRENT_CHANGE.md -t ${{github.ref_name}}
+        env:
+          GH_TOKEN: ${{ github.token }}
 
       - uses: actions/setup-python@v6
         if: github.event_name == 'push'
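Review bot: The new `persist-credentials: ${{ github.event_name == 'push' }}` line keeps the GITHUB_TOKEN in the checkout's `.git/config` for the entire release job, yet every `gh` invocation this patch touches now authenticates through a step-level `GH_TOKEN` rather than the stored git credential. Unless a step outside these hunks actually runs `git push`/`git fetch` against the repository (the job's `steps:` list continues past the hunk, so this cannot be confirmed here), the line can be the unconditional `persist-credentials: false`, which also keeps the token out of reach of `npm run release:submit` on the real release path. If some later step does depend on git auth, name it next to this line so the conditional is not "simplified" away later, e.g. `# git credentials are kept on push only because <step> pushes; manual dry runs get none`.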
@@ -107,19 +107,37 @@ jobs:
           gh release upload ${{github.ref_name}} build/safari.dmg
           gh release upload ${{github.ref_name}} build/chromium-without-katex-and-tiktoken.zip
           gh release upload ${{github.ref_name}} build/firefox-without-katex-and-tiktoken.zip
+        env:
+          GH_TOKEN: ${{ github.token }}
 
-      - name: Submit stores
-        if: github.event_name == 'push' || inputs.submit_stores == 'true'
+      - name: Submit stores dry run
+        if: github.event_name != 'push' && inputs.submit_stores == 'true'
         run: |
-          args=()
-          if [ "${{ github.event_name }}" != "push" ]; then
-            if [ "${{ inputs.dry_run }}" != "true" ]; then
-              echo "::error::Manual store submission only supports dry_run=true. Push a v* tag for a real submission."
-              exit 1
-            fi
-            args+=(--dry-run)
+          if [ "${{ inputs.dry_run }}" != "true" ]; then
+            echo "::error::Manual store submission only supports dry_run=true. Push a v* tag for a real submission."
+            exit 1
           fi
-          npm run release:submit -- "${args[@]}"
+          npm run release:submit -- --dry-run
+        env:
+          CHROME_EXTENSION_ID: dry-run-chrome-extension-id
+          CHROME_CLIENT_ID: dry-run-chrome-client-id
+          CHROME_CLIENT_SECRET: dry-run-chrome-client-secret
+          CHROME_REFRESH_TOKEN: dry-run-chrome-refresh-token
+          CHROME_PUBLISH_TARGET: default
+          CHROME_DEPLOY_PERCENTAGE: '100'
+          CHROME_REVIEW_EXEMPTION: 'false'
+          FIREFOX_EXTENSION_ID: dry-run-firefox-extension-id
+          FIREFOX_JWT_ISSUER: dry-run-firefox-jwt-issuer
+          FIREFOX_JWT_SECRET: dry-run-firefox-jwt-secret
+          FIREFOX_CHANNEL: listed
+          FIREFOX_COMPATIBILITY: firefox
+          EDGE_PRODUCT_ID: dry-run-edge-product-id
+          EDGE_CLIENT_ID: dry-run-edge-client-id
+          EDGE_API_KEY: dry-run-edge-api-key
+
+      - name: Submit stores
+        if: github.event_name == 'push'
+        run: npm run release:submit
         env:
           CHROME_EXTENSION_ID: ${{ secrets.CHROME_EXTENSION_ID }}
           CHROME_CLIENT_ID: ${{ secrets.CHROME_CLIENT_ID }}
@@ -140,3 +158,5 @@ jobs:
       - if: github.event_name == 'push'
         run: |
           gh release edit ${{github.ref_name}} --draft=false
+        env:
+          GH_TOKEN: ${{ github.token }}
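Review bot: In the new `Submit stores dry run` step, `${{ inputs.dry_run }}` is expanded into the shell script text before bash parses it; workflow_dispatch inputs only come from users with write access, but the standard Actions hardening is still to route them through `env:` and read a variable, i.e. add `DRY_RUN: ${{ inputs.dry_run }}` to the step's `env:` and test `if [ "$DRY_RUN" != "true" ]; then`. With `--dry-run` now hard-coded and only placeholder credentials in scope, that check is a usability guard rather than what prevents a real submission, which deserves a comment above it so nobody later treats it as the security control: `# UX guard only: real submissions happen in the push-gated step below`. The `if:` also carries over the pre-existing `inputs.submit_stores == 'true'` comparison; if that input is declared `type: boolean` (its definition is outside the hunk), GitHub coerces a boolean/string mismatch to numbers and the comparison may never match, so compare against the bare `inputs.submit_stores` or use `github.event.inputs.submit_stores`, whichever fits the declaration.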