-
Notifications
You must be signed in to change notification settings - Fork 48
Add WinGet auto-publish workflow #648
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
+82
−0
Merged
Changes from all commits
Commits
Show all changes
9 commits
Select commit
Hold shift + click to select a range
ba9b6a7
Add WinGet auto-publish workflow
jschick04 e48b94c
Address PR review feedback on WinGet workflow
jschick04 d75bb89
Address second review pass on WinGet workflow
jschick04 f78c29f
Harden WinGet workflow: prerelease guard and exit-code checks
jschick04 40f2ed5
Fail fast on missing WINGET_TOKEN; align trigger comment with guard
jschick04 f56a51b
Use token auth scheme for the releases API fallback
jschick04 9071ca7
Harden WinGet workflow: env-pass event inputs, pin runner
jschick04 d46708c
Use GITHUB_TOKEN for the releases API; guard and comment refinements
jschick04 90ab2d1
Require exactly four version components
jschick04 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,82 @@ | ||
| name: Publish to WinGet | ||
|
|
||
| # Submits the multi-architecture (x64 + arm64) .msixbundle to the Windows Package | ||
| # Manager community repo (microsoft/winget-pkgs) using Microsoft's wingetcreate tool. | ||
| on: | ||
| # Fires when a draft release is published as a full (stable) release. `released` | ||
| # does not fire for pre-releases; the job-level guard below also enforces stable-only. | ||
| release: | ||
| types: [released] | ||
| # Manual run: submit a specific version on demand (blank input = latest release). | ||
| workflow_dispatch: | ||
| inputs: | ||
| version: | ||
| description: 'Version to submit, e.g. 26.7.10.1209 (blank = latest release)' | ||
| required: false | ||
| type: string | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| # wingetcreate reads this token to fork winget-pkgs and open the pull request. | ||
| # Store a classic PAT with the public_repo scope as the WINGET_TOKEN repo secret. | ||
| # See https://aka.ms/winget-create-token | ||
| WINGET_CREATE_GITHUB_TOKEN: ${{ secrets.WINGET_TOKEN }} | ||
|
|
||
| jobs: | ||
| publish: | ||
| name: Submit Microsoft.EventLogExpert to WinGet | ||
| # Stable releases only: manual dispatch runs on demand; release events run only for non-prereleases. | ||
| if: ${{ github.event_name != 'release' || github.event.release.prerelease != true }} | ||
| runs-on: windows-2022 # pinned like the repo's other workflows; wingetcreate runs on Windows only | ||
| steps: | ||
| - name: Submit updated manifest | ||
| shell: pwsh | ||
| env: | ||
| INPUT_VERSION: ${{ github.event.inputs.version }} | ||
| RELEASE_TAG: ${{ github.event.release.tag_name }} | ||
| # Least privilege: the ephemeral job token (contents: read) is used for the | ||
| # Releases API lookup; the WINGET_TOKEN PAT is reserved for wingetcreate. | ||
| GH_API_TOKEN: ${{ github.token }} | ||
|
jschick04 marked this conversation as resolved.
|
||
| run: | | ||
| $ErrorActionPreference = 'Stop' | ||
|
|
||
| if (-not $env:WINGET_CREATE_GITHUB_TOKEN) { | ||
| throw 'The WINGET_TOKEN secret is not set. Add a classic PAT with the public_repo scope as the WINGET_TOKEN repository secret.' | ||
| } | ||
|
|
||
| # Resolve the version: a manual input wins; otherwise use the release tag; | ||
| # otherwise fall back to the latest published release. The event-supplied | ||
| # version values are read from env vars (not inlined) to avoid script injection; | ||
| # github.repository below is a trusted, non-user-controlled context value. | ||
| $version = ("$env:INPUT_VERSION".Trim()) -replace '^v', '' | ||
| if (-not $version) { | ||
| $version = ("$env:RELEASE_TAG".Trim()) -replace '^v', '' | ||
| } | ||
| if (-not $version) { | ||
| $headers = @{ 'User-Agent' = 'eventlogexpert-winget' } | ||
| if ($env:GH_API_TOKEN) { $headers['Authorization'] = "Bearer $env:GH_API_TOKEN" } | ||
| $latest = Invoke-RestMethod -Headers $headers 'https://api.github.com/repos/${{ github.repository }}/releases/latest' | ||
|
jschick04 marked this conversation as resolved.
|
||
| $version = ($latest.tag_name) -replace '^v', '' | ||
| } | ||
| if (-not $version) { throw 'Could not determine a version to submit.' } | ||
| if ($version -notmatch '^\d+(\.\d+){3}$') { | ||
| throw "Resolved version '$version' is not a valid four-part version (e.g. 26.7.10.1209)." | ||
| } | ||
|
|
||
| Write-Host "Submitting Microsoft.EventLogExpert $version to WinGet" | ||
|
jschick04 marked this conversation as resolved.
|
||
|
|
||
| # One self-contained multi-arch bundle; wingetcreate reads both the x64 and | ||
| # arm64 packages from it and updates the matching installer nodes. | ||
| $bundleUrl = "https://github.com/${{ github.repository }}/releases/download/v$version/EventLogExpert_$version.msixbundle" | ||
|
|
||
| # Download Microsoft's wingetcreate and verify its Authenticode signature before running it. | ||
| curl.exe -fsSL -o wingetcreate.exe https://aka.ms/wingetcreate/latest | ||
| if ($LASTEXITCODE -ne 0) { throw "Failed to download wingetcreate.exe (curl exit $LASTEXITCODE)." } | ||
|
jschick04 marked this conversation as resolved.
jschick04 marked this conversation as resolved.
|
||
| $signature = Get-AuthenticodeSignature .\wingetcreate.exe | ||
| if ($signature.Status -ne 'Valid' -or $signature.SignerCertificate.Subject -notlike '*Microsoft Corporation*') { | ||
| throw "wingetcreate.exe failed Authenticode verification (status: $($signature.Status); signer: $($signature.SignerCertificate.Subject))." | ||
| } | ||
| .\wingetcreate.exe update Microsoft.EventLogExpert --submit --version $version --urls $bundleUrl | ||
| if ($LASTEXITCODE -ne 0) { throw "wingetcreate update failed (exit $LASTEXITCODE)." } | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.