46 changes: 33 additions & 13 deletions .github/workflows/tagged-release.yml
Expand Up @@ -25,9 +25,6 @@ on:
permissions:
id-token: "write"
contents: "write"
env:
GH_TOKEN: ${{ github.token }}

jobs:
build_and_release:
runs-on: macos-14
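Review bot: the `permissions:` block kept in this hunk still grants `contents: "write"` and `id-token: "write"` to the whole workflow, so removing the workflow-level `GH_TOKEN` env only takes the token out of step environments; actions that default their token input to `github.token` still receive a write-scoped token. If least privilege is the goal, consider building in a job with read-only `contents` and keeping the write permissions on the job that creates and publishes the release.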
Expand All @@ -36,6 +33,7 @@ jobs:
- uses: actions/checkout@v6
with:
ref: ${{ github.event_name == 'push' && 'master' || github.ref_name }}
persist-credentials: ${{ github.event_name == 'push' }}

- uses: actions/setup-node@v6
with:
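Review bot: `persist-credentials: ${{ github.event_name == 'push' }}` leaves the checkout token available to git for the rest of every push run, including `setup-node` and the build steps that follow, and nothing in the hunk says which step needs it. Add a comment naming the later step that relies on the persisted credential, or set this to `false` and supply the token only in that step.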
Expand Down Expand Up @@ -79,6 +77,8 @@ jobs:
- if: github.event_name == 'push'
run: |
gh release create ${{github.ref_name}} -d -F CURRENT_CHANGE.md -t ${{github.ref_name}}
env:
GH_TOKEN: ${{ github.token }}

- uses: actions/setup-python@v6
if: github.event_name == 'push'
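Review bot: in `gh release create ${{github.ref_name}} ...` the ref name is expanded into the script text before the shell runs, unquoted, in a step that now carries `GH_TOKEN`. Pass it through the step's `env:` (for example `TAG: ${{ github.ref_name }}`) and use `"$TAG"` in the command so the value is treated as data; the same applies to the other `gh release` steps in this workflow.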
Expand Down Expand Up @@ -107,19 +107,37 @@ jobs:
gh release upload ${{github.ref_name}} build/safari.dmg
gh release upload ${{github.ref_name}} build/chromium-without-katex-and-tiktoken.zip
gh release upload ${{github.ref_name}} build/firefox-without-katex-and-tiktoken.zip
env:
GH_TOKEN: ${{ github.token }}

- name: Submit stores
if: github.event_name == 'push' || inputs.submit_stores == 'true'
- name: Submit stores dry run
if: github.event_name != 'push' && inputs.submit_stores == 'true'
run: |
args=()
if [ "${{ github.event_name }}" != "push" ]; then
if [ "${{ inputs.dry_run }}" != "true" ]; then
echo "::error::Manual store submission only supports dry_run=true. Push a v* tag for a real submission."
exit 1
fi
args+=(--dry-run)
if [ "${{ inputs.dry_run }}" != "true" ]; then
echo "::error::Manual store submission only supports dry_run=true. Push a v* tag for a real submission."
exit 1
fi
npm run release:submit -- "${args[@]}"
npm run release:submit -- --dry-run
env:
CHROME_EXTENSION_ID: dry-run-chrome-extension-id
CHROME_CLIENT_ID: dry-run-chrome-client-id
CHROME_CLIENT_SECRET: dry-run-chrome-client-secret
CHROME_REFRESH_TOKEN: dry-run-chrome-refresh-token
Comment on lines +123 to +125

P2 Badge Don't feed dummy credentials to dry-run submission

When this workflow is manually dispatched with submit_stores=true, these fake credentials make the dry run fail during store authentication rather than validating the release artifacts. I checked publish-browser-extension: its --dry-run option is documented as checking authentication, and its store submit paths fetch auth tokens/details before skipping upload, so npm run release:submit -- --dry-run will reject the dummy Chrome/Firefox/Edge values. If manual runs must avoid secrets, this step needs a non-auth preflight path instead of invoking the real dry-run submission with fake credentials.

Useful? React with 👍 / 👎.

CHROME_PUBLISH_TARGET: default
CHROME_DEPLOY_PERCENTAGE: '100'
CHROME_REVIEW_EXEMPTION: 'false'
FIREFOX_EXTENSION_ID: dry-run-firefox-extension-id
FIREFOX_JWT_ISSUER: dry-run-firefox-jwt-issuer
FIREFOX_JWT_SECRET: dry-run-firefox-jwt-secret
FIREFOX_CHANNEL: listed
FIREFOX_COMPATIBILITY: firefox
EDGE_PRODUCT_ID: dry-run-edge-product-id
EDGE_CLIENT_ID: dry-run-edge-client-id
EDGE_API_KEY: dry-run-edge-api-key

- name: Submit stores
if: github.event_name == 'push'
run: npm run release:submit
env:
CHROME_EXTENSION_ID: ${{ secrets.CHROME_EXTENSION_ID }}
CHROME_CLIENT_ID: ${{ secrets.CHROME_CLIENT_ID }}
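Review bot: the guard in the new dry-run step tests `"${{ inputs.dry_run }}"` by expanding the workflow input into the script text. Add `DRY_RUN: ${{ inputs.dry_run }}` to the step's `env:` and test `"$DRY_RUN"` instead, so the input value is never parsed as shell.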
Expand All @@ -140,3 +158,5 @@ jobs:
- if: github.event_name == 'push'
run: |
gh release edit ${{github.ref_name}} --draft=false
env:
GH_TOKEN: ${{ github.token }}
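Review bot: the step that runs `gh release edit ${{github.ref_name}} --draft=false` has no `name:`, yet it is the one that makes the release public and it now holds `GH_TOKEN`. Give it a descriptive name (for example `Publish release`) so it is easy to find in run logs and when auditing which steps receive the token.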