Run signed builds on git tags and attach to Release using a separate workflow

Author: ChrisRegado

.github/workflows/browser-extension-build.yml

@@ -1,9 +1,7 @@
-name: "Browser Extensions"
+name: "Build Browser Extensions"  # If you change this name, you'll also need to update the release.yaml job
 
 on:
   workflow_dispatch:
-  release:
-    types: [published]
   pull_request:
     paths:
       - browser-extension/**
@@ -14,24 +12,25 @@ on:
       - .github/workflows/**
     branches:
       - '**'
-    tags-ignore:
-      # Don't run again on tags since we already run on all branches.
-      - '**'
+    tags:
+      # Only run on release tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
 jobs:
   build-extensions:
     name: Build and bundle the browser extensions
+    # Since we run on both branch pushes and PRs, don't do a duplicated run if the PR is for a branch in the local repo:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     runs-on: ubuntu-latest
     defaults:
       run:
         shell: bash
         working-directory: browser-extension
-    outputs:
-      version: ${{ steps.get-version.outputs.version }}
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0  # Fetch all history for tags
+          fetch-depth: 0  # Fetch all history to pull git tags
 
       - name: Set up Node.js
         uses: actions/setup-node@v4
@@ -52,7 +51,7 @@ jobs:
           echo "version=$VERSION" >> $GITHUB_OUTPUT
           echo "Using version: $VERSION"
 
-      - name: Build extensions
+      - name: Build our browser extensions
         run: |
           npm run build
 
@@ -71,9 +70,10 @@ jobs:
           npm run package-firefox
 
       - name: Package Firefox extension (signed for release)
+        id: sign-firefox-extension
         # Only sign versions that we actually intend to release. Mozilla does not allow the same version
         # number to be signed multiple times, so duplicated build attempts will fail.
-        if: ${{ github.event_name == 'release' }}
+        if: ${{ github.ref_type == 'tag' }}
         env:
           WEB_EXT_API_KEY: ${{ secrets.FIREFOX_JWT_ISSUER }}
           WEB_EXT_API_SECRET: ${{ secrets.FIREFOX_JWT_SECRET }}
@@ -103,56 +103,37 @@ jobs:
 
           echo "✅ Manifest validation passed - Version: $CHROME_VERSION"
 
+      - name: Rename Chrome extension
+        run: |
+          mv ./build/chrome-extension.zip ./build/chrome-extension-v${{ steps.get-version.outputs.version }}.zip
+
+      - name: Rename Firefox extension (unsigned)
+        run: |
+          mv ./build/firefox-extension.zip ./build/firefox-extension-unsigned-v${{ steps.get-version.outputs.version }}.zip
+
+      - name: Rename Firefox extension (signed)
+        if: ${{ steps.sign-firefox-extension.outcome != 'skipped' }}
+        run: |
+          mv ./build/streamdeck_googlemeet-${{ steps.get-version.outputs.version }}.xpi ./build/firefox-extension-v${{ steps.get-version.outputs.version }}.xpi
+
       - name: Upload Chrome extension artifact
         uses: actions/upload-artifact@v4
         with:
-          name: chrome-extension-v${{ steps.get-version.outputs.version }}
-          path: browser-extension/build/chrome-extension.zip
+          # If you change this artifact name or filename, you must also update the release job's download-artifact steps.
+          name: chrome-extension
+          path: browser-extension/build/chrome-extension-v${{ steps.get-version.outputs.version }}.zip
 
       - name: Upload Firefox extension artifact (unsigned)
         uses: actions/upload-artifact@v4
         with:
-          name: firefox-extension-unsigned-v${{ steps.get-version.outputs.version }}
-          path: browser-extension/build/firefox-extension.zip
+          # If you change this artifact name or filename, you must also update the release job's download-artifact steps.
+          name: firefox-extension-unsigned
+          path: browser-extension/build/firefox-extension-unsigned-v${{ steps.get-version.outputs.version }}.zip
 
       - name: Upload Firefox extension artifact (signed)
-        if: ${{ github.event_name == 'release' }}
+        if: ${{ steps.sign-firefox-extension.outcome != 'skipped' }}
         uses: actions/upload-artifact@v4
         with:
-          name: firefox-extension-signed-v${{ steps.get-version.outputs.version }}
-          path: browser-extension/build/streamdeck_googlemeet-${{ steps.get-version.outputs.version }}.xpi
-
-  attach-to-release:
-    name: Attach artifacts to the GitHub Release
-    if: ${{ github.event_name == 'release' }}
-    runs-on: ubuntu-latest
-    needs: [build-extensions]
-    permissions:
-      contents: write  # Needed for softprops/action-gh-release
-    steps:
-      - name: Download Chrome extension
-        uses: actions/download-artifact@v4
-        with:
-          name: chrome-extension-v${{ needs.build-extensions.outputs.version }}
-          path: ./artifacts
-
-      - name: Rename Chrome extension
-        run: |
-          mv ./artifacts/chrome-extension.zip ./chrome-extension-v${{ needs.build-extensions.outputs.version }}.zip
-
-      - name: Download Firefox extension
-        uses: actions/download-artifact@v4
-        with:
-          name: firefox-extension-signed-v${{ needs.build-extensions.outputs.version }}
-          path: ./artifacts
-
-      - name: Rename Firefox extension
-        run: |
-          mv ./artifacts/streamdeck_googlemeet-${{ needs.build-extensions.outputs.version }}.xpi ./firefox-extension-v${{ needs.build-extensions.outputs.version }}.xpi
-
-      - name: Attach all artifacts to release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |
-            ./chrome-extension-v${{ needs.build-extensions.outputs.version }}.zip
-            ./firefox-extension-v${{ needs.build-extensions.outputs.version }}.xpi
+          # If you change this artifact name or filename, you must also update the release job's download-artifact steps.
+          name: firefox-extension-signed
+          path: browser-extension/build/firefox-extension-v${{ steps.get-version.outputs.version }}.xpi

.github/workflows/release.yaml

@@ -0,0 +1,91 @@
+# This job runs when a GitHub Release is created. It finds our build artifacts for the CI jobs
+# that ran against this release's associated git tag, and attaches those artifacts to our GitHub
+# Release. We use this multi-step procedure (rather than just doing the build when the Release is
+# created) so that artifacts can be tested and validated before they become available on the Releases
+# page where users are more likely to download them even if they're marked as pre-release.
+
+name: "Prepare GitHub Release"
+
+on:
+  workflow_dispatch:
+  release:
+    types: [published]
+
+jobs:
+  attach-artifacts:
+    name: Attach artifacts from git tag builds to the GitHub Release
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read    # Needed for `gh run list`
+      contents: write  # Needed for softprops/action-gh-release
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+
+      # Find the GitHub Action run IDs of the most recent build jobs for our release's git tag:
+      - name: "Find GHA run IDs for this release's git tag"
+        id: get-workflow-id
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          function getRunId() {
+            gh run list \
+                --branch "${{ github.event.release.tag_name }}" \
+                --workflow "$1" \
+                --limit 1 \
+                --json "status,conclusion,createdAt,databaseId,event,headBranch,headSha,number,startedAt,status,updatedAt,url" \
+                --event push | tee build_workflow_run.json
+
+            TAG_RUN_ID=$( jq 'if .[0].conclusion == "success" then .[0].databaseId else halt end' build_workflow_run.json )
+            if [[ -z "$TAG_RUN_ID" ]]; then
+                echo "❌ The most recent build for a tag matching this GitHub Release name is either missing, incomplete, or unsuccessful!"
+                echo "Check the build history for tag '${{ github.event.release.tag_name }}' to see if it's still running or failed."
+                exit 1
+            fi
+          }
+
+          getRunId "Build Browser Extensions"
+          extensions_run_id="$TAG_RUN_ID"
+          echo "Workflow run ID for browser extensions: ${extensions_run_id}"
+          echo "extensions_run_id=$extensions_run_id" >> $GITHUB_OUTPUT
+
+          getRunId "Build Stream Deck Plugin"
+          plugin_run_id="$TAG_RUN_ID"
+          echo "Workflow run ID for Stream Deck plugin: ${plugin_run_id}"
+          echo "plugin_run_id=$plugin_run_id" >> $GITHUB_OUTPUT
+
+      - name: Download Chrome extension
+        uses: actions/download-artifact@v4
+        with:
+          # Artifact name must match the `actions/upload-artifact` steps from the build job
+          name: chrome-extension
+          run-id: ${{ steps.get-workflow-id.outputs.extensions_run_id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          path: ./artifacts
+
+      - name: Download Firefox extension
+        uses: actions/download-artifact@v4
+        with:
+          # Artifact name must match the `actions/upload-artifact` steps from the build job
+          name: firefox-extension-signed
+          run-id: ${{ steps.get-workflow-id.outputs.extensions_run_id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          path: ./artifacts
+
+      - name: Download Stream Deck Plugin
+        uses: actions/download-artifact@v4
+        with:
+          # Artifact name must match the `actions/upload-artifact` steps from the build job
+          name: com.chrisregado.googlemeet.streamDeckPlugin
+          run-id: ${{ steps.get-workflow-id.outputs.plugin_run_id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          path: ./artifacts
+
+      - name: Attach artifacts to release
+        uses: softprops/action-gh-release@v2
+        with:
+          # Artifact filenames must match the `actions/upload-artifact` steps from the build jobs
+          files: |
+            ./artifacts/chrome-extension-${{ github.event.release.tag_name }}.zip
+            ./artifacts/firefox-extension-${{ github.event.release.tag_name }}.xpi
+            ./artifacts/com.chrisregado.googlemeet.streamDeckPlugin

.github/workflows/streamdeck-plugin-build.yml

@@ -1,9 +1,7 @@
-name: "Stream Deck Plugin"
+name: "Build Stream Deck Plugin"  # If you change this name, you'll also need to update the release.yaml job
 
 on:
   workflow_dispatch:
-  release:
-    types: [published]
   pull_request:
     paths:
       - streamdeck-plugin/**
@@ -16,9 +14,9 @@ on:
       - .github/workflows/**
     branches:
       - '**'
-    tags-ignore:
-      # Don't run again on tags since we already run on all branches.
-      - '**'
+    tags:
+      # Only run on release tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
 
 jobs:
   build-plugin:
@@ -30,6 +28,8 @@ jobs:
           - os: windows
             runs_on: windows-latest
     name: Build ${{ matrix.os }} Stream Deck Plugin
+    # Since we run on both branch pushes and PRs, don't do a duplicated run if the PR is for a branch in the local repo:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     runs-on: ${{ matrix.runs_on }}
     defaults:
       run:
@@ -88,23 +88,3 @@ jobs:
         with:
           name: com.chrisregado.googlemeet.streamDeckPlugin
           path: output/com.chrisregado.googlemeet.streamDeckPlugin
-
-  attach-to-release:
-    name: Attach artifacts to release
-    if: ${{ github.event_name == 'release' }}
-    runs-on: ubuntu-latest
-    needs: [bundle-streamdeck-distributable]
-    permissions:
-      contents: write  # Needed for softprops/action-gh-release
-    steps:
-      - name: Download Stream Deck plugin
-        uses: actions/download-artifact@v4
-        with:
-          name: com.chrisregado.googlemeet.streamDeckPlugin
-          path: ./artifacts
-
-      - name: Attach artifacts to release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |
-            ./artifacts/com.chrisregado.googlemeet.streamDeckPlugin

RELEASE_INSTRUCTIONS.md

@@ -35,12 +35,15 @@ Finally, we'll add auth tokens from the Firefox Add-on portal as GitHub Action s
 Follow these steps each time you want to release a new version of the plugin and/or browser extension:
 
 1. Manually update the version number of the Stream Deck plugin by editing `com.chrisregado.googlemeet.sdPlugin/manifest.json` and changing the `Version` field. Make sure that change gets merged into `master`. (We have CI jobs to manage version numbers for the browser extensions, so you don't need to touch those.)
-2. On the Github page for your repo, click "Releases". (e.g. https://github.com/ChrisRegado/streamdeck-googlemeet/releases)
-3. Click "Draft a new release".
-4. Click the "Tag" button. We use semantic versioning with a "v" prefix for our releases. Enter a new version string (e.g. `v1.2.3`) and click "Create a new tag: v1.2.3 on publish". (Or if you already manually pushed a properly-formatted tag to origin, you can pick that tag in the dropdown.)
-5. Use the same version string for the "Release title", and enter a description summarizing notable changes in this release.
-6. Select the "Set as a pre-release" checkbox near the bottom of the page.
-7. Click "Publish release".
-8. Wait for our CI jobs to complete. If all goes well, in a few minutes you should see 3 attachments appear on the release: the `com.chrisregado.googlemeet.streamDeckPlugin` plugin, a zip of the Chrome extension, and an `.xpi` file for the Firefox extension.
-9. Do a final manual validation of those release artifacts. (Download and install the plugin and browser extension, and verify basic functionality.)
-10. Edit the release, uncheck the "Set as a pre-release" checkbox at the bottom of the page, select the "Set as the latest release" checkbox, and click "Update release".
+2. Tag the commit you wish to release and push it to GitHub. We use semantic versioning with a "v" prefix for our releases. For example: `git checkout master && git tag v1.2.3 && git push origin tag v1.2.3`
+3. CI jobs should automatically launch against that tag to build the [Stream Deck plugin](https://github.com/ChrisRegado/streamdeck-googlemeet/actions/workflows/streamdeck-plugin-build.yml) and [browser extensions](https://github.com/ChrisRegado/streamdeck-googlemeet/actions/workflows/browser-extension-build.yml). (The list of workflow runs should show one copy of each of those two jobs with your `v1.2.3` tag.) Wait for them to complete successfully.
+4. Click into those two build jobs, and on each job's "Summary" tab, download our build artifacts. The browser extension build job should have `chrome-extension` and `firefox-extension-signed` artifacts, and the plugin build job should have `com.chrisregado.googlemeet.streamDeckPlugin`.
+5. Do a final manual validation of those release artifacts. Install the plugin, Firefox extension, and Chrome extension, and verify basic functionality.
+6. On the Github page for your repo, click "Releases". (https://github.com/ChrisRegado/streamdeck-googlemeet/releases)
+7. Click "Draft a new release".
+8. Click the "Tag" button and select the tag you made in the previous step.
+9. Use the your tag name as the "Release title", and enter a description summarizing notable changes in this release.
+10. Select the "Set as a pre-release" checkbox near the bottom of the page.
+11. Click "Publish release".
+12. Our [release CI job](https://github.com/ChrisRegado/streamdeck-googlemeet/actions/workflows/release.yaml) should automatically start and attach our tag's artifacts to the GitHub Release. Wait for it to complete. If all goes well, in a minute or two you should see 3 attachments appear on the release: the `com.chrisregado.googlemeet.streamDeckPlugin` plugin, a zip of the Chrome extension, and an `.xpi` file for the Firefox extension.
+13. Edit the release, uncheck the "Set as a pre-release" checkbox at the bottom of the page, select the "Set as the latest release" checkbox, and click "Update release".