Skip to content

Add WinGet auto-publish workflow#648

Merged
jschick04 merged 9 commits into
mainfrom
add-winget-publish-workflow
Jul 14, 2026
Merged

Add WinGet auto-publish workflow#648
jschick04 merged 9 commits into
mainfrom
add-winget-publish-workflow

Conversation

@jschick04

Copy link
Copy Markdown
Collaborator

Adds a GitHub Actions workflow that publishes new releases to the Windows Package Manager (winget) using Microsoft's wingetcreate tool.

  • Triggers on release: [released] (fires when a draft is published as a full stable release) plus workflow_dispatch for manual runs.
  • Submits the single multi-architecture .msixbundle; wingetcreate reads both the x64 and arm64 packages from the one file.
  • Reads the WINGET_TOKEN repo secret via WINGET_CREATE_GITHUB_TOKEN.

Mirrors the pattern in microsoft/terminal's .github/workflows/winget.yml.

Submit the multi-architecture .msixbundle to microsoft/winget-pkgs via Microsoft's wingetcreate when a release is published (or on manual dispatch).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 14, 2026 19:06
@jschick04 jschick04 requested a review from a team as a code owner July 14, 2026 19:06

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an automated GitHub Actions workflow to publish new stable releases of EventLogExpert to the Windows Package Manager (WinGet) using Microsoft’s wingetcreate tool, aligning with the intended release-to-distribution flow.

Changes:

  • Introduces a new release: [released]-triggered workflow (plus workflow_dispatch) for WinGet publishing.
  • Resolves the version to submit (manual input, release tag, or latest release) and submits a .msixbundle URL via wingetcreate.
  • Uses a repository secret (WINGET_TOKEN) mapped to WINGET_CREATE_GITHUB_TOKEN for creating the PR in microsoft/winget-pkgs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/winget.yml Outdated
Comment thread .github/workflows/winget.yml Outdated
Comment thread .github/workflows/winget.yml Outdated
@jschick04 jschick04 marked this pull request as draft July 14, 2026 19:19
Strip a leading 'v' from the manual dispatch version input; only send the Authorization header to the releases API when a token is set; verify the Authenticode signature of wingetcreate.exe before running it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 14, 2026 19:23
@jschick04

Copy link
Copy Markdown
Collaborator Author

Addressed all three review comments in e48b94c:

  1. Manual input v-stripping — the workflow_dispatch version input is now normalized with -replace '^v', '', same as the release-tag path, so v26.7.10.1209 and 26.7.10.1209 both work.
  2. Conditional auth header — the releases/latest fallback only attaches Authorization when WINGET_CREATE_GITHUB_TOKEN is non-empty; otherwise it makes an anonymous request (the repo is public).
  3. Signature verificationwingetcreate.exe is downloaded to a fixed filename and its Authenticode signature is validated (Status = Valid and signer CN=Microsoft Corporation) before execution.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

Comment thread .github/workflows/winget.yml Outdated
Comment thread .github/workflows/winget.yml Outdated
Comment thread .github/workflows/winget.yml
Use github.event.inputs.version (null-safe on release triggers); use github.repository for the release API and download URLs; validate the resolved version is dotted-numeric before submitting.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 14, 2026 19:32
@jschick04

Copy link
Copy Markdown
Collaborator Author

Second review pass addressed in d75bb89:

  1. inputs context on release triggers — switched to ${{ github.event.inputs.version }}, which safely resolves to empty when the workflow runs from a release event.
  2. Hard-coded repo — the releases/latest API call and the .msixbundle download URL now use ${{ github.repository }}.
  3. Version validation — the resolved version must match ^\d+(\.\d+){1,3}$ (dotted-numeric, v already stripped) before the download URL is built or wingetcreate is invoked.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

Comment thread .github/workflows/winget.yml Outdated
Comment thread .github/workflows/winget.yml Outdated
Comment thread .github/workflows/winget.yml Outdated
Add a job-level if: guard so release events run only for non-prereleases (keeping the released trigger, which already excludes them). Add curl -f plus explicit LASTEXITCODE checks after the download and the wingetcreate update so native-command failures fail the step immediately.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 14, 2026 19:41
@jschick04

Copy link
Copy Markdown
Collaborator Author

Third review pass — two addressed in f78c29f, one intentionally kept:

  1. Native exit codes (L62) — added -f to the wingetcreate.exe download and explicit $LASTEXITCODE checks after both the download and the wingetcreate update call, so native-command failures fail the step immediately with a clear message.
  2. Pre-release guard (L30) — added a job-level guard: if: ${{ github.event_name != 'release' || github.event.release.prerelease == false }}. This makes the stable-only intent explicit and future-proofs it if the trigger is ever broadened.
  3. released vs published (L9) — keeping released deliberately. microsoft/terminal uses published because it also ships pre-releases to a separate .Preview package; EventLogExpert has no preview package. released fires precisely when a draft is published as a stable release and never for pre-releases, which is exactly the intended behavior — so published would add pre-release noise that we'd then have to filter back out.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/winget.yml Outdated
Comment thread .github/workflows/winget.yml
Throw a clear error when the WINGET_TOKEN secret is empty instead of letting wingetcreate fail with a cryptic auth error. Reword the release-trigger comment so it is consistent with the job-level pre-release guard.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 14, 2026 19:47
@jschick04

Copy link
Copy Markdown
Collaborator Author

Fourth review pass addressed in 40f2ed5:

  1. Fail fast on missing token (L56) — added an early check that throws a clear, actionable error when WINGET_TOKEN (via WINGET_CREATE_GITHUB_TOKEN) is empty, before any version resolution or submission.
  2. Comment/behavior alignment (L7) — reworded the release-trigger comment so it no longer contradicts the pre-release guard: released doesn't fire for pre-releases, and the job-level guard enforces stable-only as belt-and-suspenders.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/winget.yml
Switch the Authorization header on the releases/latest lookup from Bearer to the token scheme, the conventional form for classic PATs (both are accepted by the REST API).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 14, 2026 19:51
@jschick04

Copy link
Copy Markdown
Collaborator Author

Fifth pass addressed in f56a51b: switched the releases/latest fallback Authorization header from Bearer to the token scheme, which is the conventional form for classic PATs.

For the record, both schemes are accepted by the GitHub REST API for classic PATs (only JWTs require Bearer), so this was a convention/clarity change rather than a functional bug — the fallback would have worked either way.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/winget.yml Outdated
Comment thread .github/workflows/winget.yml
Pass github.event.inputs.version and github.event.release.tag_name through step env vars instead of inlining them into the PowerShell script, removing the script-injection vector. Pin runs-on to windows-2022 to match the repo's other workflows.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 14, 2026 20:05
@jschick04

Copy link
Copy Markdown
Collaborator Author

Sixth pass addressed in 9071ca7:

  1. Script-injection hardening (L48)github.event.inputs.version and github.event.release.tag_name are now passed via step-level env: vars (INPUT_VERSION / RELEASE_TAG) and read as $env: values, so no event data is interpolated into the script body.
  2. Pinned runner (L32)runs-on is now windows-2022, matching PullRequest.yml.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 5 comments.

Comment thread .github/workflows/winget.yml Outdated
Comment thread .github/workflows/winget.yml
Comment thread .github/workflows/winget.yml
Comment thread .github/workflows/winget.yml
Comment thread .github/workflows/winget.yml Outdated
Use the ephemeral job GITHUB_TOKEN (contents: read, least privilege) for the releases/latest lookup and reserve the WINGET_TOKEN PAT for wingetcreate. Use prerelease != true in the stable-only guard, and clarify in the comment that github.repository is a trusted, non-user context value.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 14, 2026 20:23
@jschick04

Copy link
Copy Markdown
Collaborator Author

Seventh pass — four applied in d46708c, one intentionally declined:

  1. Least-privilege token (L38/L56) — the releases/latest lookup now uses the ephemeral job GITHUB_TOKEN (contents: read) via GH_API_TOKEN; the WINGET_TOKEN PAT is now used only by wingetcreate for the submission.
  2. Guard robustness (L31) — switched to github.event.release.prerelease != true.
  3. Comment accuracy (L48) — clarified that only the event-supplied version values are env-passed, and that github.repository is a trusted, non-user-controlled context value.
  4. Pin wingetcreate (L72) — declined, by design. This mirrors microsoft/terminal's own winget workflow, which also pulls https://aka.ms/wingetcreate/latest. Using latest is deliberate: it guarantees the tool emits the current manifest schema (pinning an old version risks winget-pkgs rejecting a stale schema). The supply-chain concern is already mitigated by the Authenticode signature check (must be Valid and signed by CN=Microsoft Corporation) before the binary runs.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/winget.yml Outdated
Comment thread .github/workflows/winget.yml
EventLogExpert releases use four-part versions (e.g. 26.7.10.1209); tighten the version-validation regex to reject shorter forms that would build a nonexistent bundle URL.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jschick04

Copy link
Copy Markdown
Collaborator Author

Eighth pass:

  1. Four-component version (L66) — tightened the validation regex to ^\d+(\.\d+){3}$ and updated the error message. EventLogExpert releases are always four-part (e.g. 26.7.10.1209), so shorter inputs now fail fast instead of constructing a bundle URL that cannot exist.
  2. Pin wingetcreate (L76) — this repeats pass 7's L72; declining for the same reasons: it mirrors microsoft/terminal's own winget workflow, latest guarantees the current manifest schema (pinning risks winget-pkgs rejecting a stale schema), and the binary is Authenticode-verified as Microsoft-signed before it runs.

Copilot AI review requested due to automatic review settings July 14, 2026 20:29

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/winget.yml
Comment thread .github/workflows/winget.yml
@jschick04 jschick04 marked this pull request as ready for review July 14, 2026 20:34

@ryanriesMSFT ryanriesMSFT left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@jschick04 jschick04 merged commit 7b335de into main Jul 14, 2026
8 checks passed
@jschick04 jschick04 deleted the add-winget-publish-workflow branch July 14, 2026 20:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants