Add WinGet auto-publish workflow#648
Conversation
Submit the multi-architecture .msixbundle to microsoft/winget-pkgs via Microsoft's wingetcreate when a release is published (or on manual dispatch). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Adds an automated GitHub Actions workflow to publish new stable releases of EventLogExpert to the Windows Package Manager (WinGet) using Microsoft’s wingetcreate tool, aligning with the intended release-to-distribution flow.
Changes:
- Introduces a new
release: [released]-triggered workflow (plusworkflow_dispatch) for WinGet publishing. - Resolves the version to submit (manual input, release tag, or latest release) and submits a
.msixbundleURL viawingetcreate. - Uses a repository secret (
WINGET_TOKEN) mapped toWINGET_CREATE_GITHUB_TOKENfor creating the PR inmicrosoft/winget-pkgs.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Strip a leading 'v' from the manual dispatch version input; only send the Authorization header to the releases API when a token is set; verify the Authenticode signature of wingetcreate.exe before running it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Addressed all three review comments in e48b94c:
|
Use github.event.inputs.version (null-safe on release triggers); use github.repository for the release API and download URLs; validate the resolved version is dotted-numeric before submitting. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Second review pass addressed in d75bb89:
|
Add a job-level if: guard so release events run only for non-prereleases (keeping the released trigger, which already excludes them). Add curl -f plus explicit LASTEXITCODE checks after the download and the wingetcreate update so native-command failures fail the step immediately. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Third review pass — two addressed in f78c29f, one intentionally kept:
|
Throw a clear error when the WINGET_TOKEN secret is empty instead of letting wingetcreate fail with a cryptic auth error. Reword the release-trigger comment so it is consistent with the job-level pre-release guard. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Fourth review pass addressed in 40f2ed5:
|
Switch the Authorization header on the releases/latest lookup from Bearer to the token scheme, the conventional form for classic PATs (both are accepted by the REST API). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Fifth pass addressed in f56a51b: switched the For the record, both schemes are accepted by the GitHub REST API for classic PATs (only JWTs require |
Pass github.event.inputs.version and github.event.release.tag_name through step env vars instead of inlining them into the PowerShell script, removing the script-injection vector. Pin runs-on to windows-2022 to match the repo's other workflows. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Sixth pass addressed in 9071ca7:
|
Use the ephemeral job GITHUB_TOKEN (contents: read, least privilege) for the releases/latest lookup and reserve the WINGET_TOKEN PAT for wingetcreate. Use prerelease != true in the stable-only guard, and clarify in the comment that github.repository is a trusted, non-user context value. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Seventh pass — four applied in d46708c, one intentionally declined:
|
EventLogExpert releases use four-part versions (e.g. 26.7.10.1209); tighten the version-validation regex to reject shorter forms that would build a nonexistent bundle URL. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Eighth pass:
|
Adds a GitHub Actions workflow that publishes new releases to the Windows Package Manager (winget) using Microsoft's wingetcreate tool.
release: [released](fires when a draft is published as a full stable release) plusworkflow_dispatchfor manual runs..msixbundle; wingetcreate reads both the x64 and arm64 packages from the one file.WINGET_TOKENrepo secret viaWINGET_CREATE_GITHUB_TOKEN.Mirrors the pattern in microsoft/terminal's
.github/workflows/winget.yml.