Add winget and Chocolatey publish automation

Add automated publish jobs to the release workflow and supporting scripts/docs. .github/workflows/release.yml gains publish-winget and publish-chocolatey jobs that gate on repository secrets, download release artifacts, and either submit a winget-pkgs PR or push a Chocolatey package when the release succeeds. Added build/submit-winget-pr.ps1 to create a fork branch, add manifests and open a PR to microsoft/winget-pkgs, and build/publish-chocolatey.ps1 to pack and push a Chocolatey nupkg (handling idempotent already-exists cases). README.md and docs/release/PACKAGING.md updated to document the new automation and required secrets (WINGET_GITHUB_TOKEN, WINGET_FORK_OWNER, CHOCOLATEY_API_KEY).

Author: PrimeBuild-pc

.github/workflows/release.yml

@@ -443,3 +443,107 @@ jobs:
             winget-manifests/**/*.yaml
             sbom/manifest.spdx.json
           generate_release_notes: true
+
+  publish-winget:
+    runs-on: windows-latest
+    needs:
+      - build
+      - release
+    if: needs.release.result == 'success'
+
+    steps:
+      - name: Check winget publish secrets
+        id: gate
+        shell: pwsh
+        env:
+          WINGET_GITHUB_TOKEN: ${{ secrets.WINGET_GITHUB_TOKEN }}
+          WINGET_FORK_OWNER: ${{ secrets.WINGET_FORK_OWNER }}
+        run: |
+          if ([string]::IsNullOrWhiteSpace($env:WINGET_GITHUB_TOKEN) -or [string]::IsNullOrWhiteSpace($env:WINGET_FORK_OWNER))
+          {
+            Write-Host "Winget publish secrets missing. Skipping publish-winget job."
+            "enabled=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
+            exit 0
+          }
+
+          "enabled=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
+
+      - name: Checkout
+        if: steps.gate.outputs.enabled == 'true'
+        uses: actions/checkout@v4
+
+      - name: Download winget manifests
+        if: steps.gate.outputs.enabled == 'true'
+        uses: actions/download-artifact@v4
+        with:
+          name: winget-manifests
+          path: winget-manifests
+
+      - name: Submit winget PR
+        if: steps.gate.outputs.enabled == 'true'
+        shell: pwsh
+        env:
+          WINGET_GITHUB_TOKEN: ${{ secrets.WINGET_GITHUB_TOKEN }}
+          WINGET_FORK_OWNER: ${{ secrets.WINGET_FORK_OWNER }}
+        run: |
+          $ErrorActionPreference = "Stop"
+          ./build/submit-winget-pr.ps1 `
+            -Version "${{ needs.build.outputs.version }}" `
+            -ManifestSourcePath "winget-manifests" `
+            -ForkOwner "$env:WINGET_FORK_OWNER" `
+            -RepositoryOwner "PrimeBuild" `
+            -PackageIdentifier "PrimeBuild.ThreadPilot" `
+            -GithubToken "$env:WINGET_GITHUB_TOKEN"
+
+  publish-chocolatey:
+    runs-on: windows-latest
+    needs:
+      - build
+      - release
+    if: needs.release.result == 'success'
+
+    steps:
+      - name: Check chocolatey publish secret
+        id: gate
+        shell: pwsh
+        env:
+          CHOCOLATEY_API_KEY: ${{ secrets.CHOCOLATEY_API_KEY }}
+        run: |
+          if ([string]::IsNullOrWhiteSpace($env:CHOCOLATEY_API_KEY))
+          {
+            Write-Host "Chocolatey API key missing. Skipping publish-chocolatey job."
+            "enabled=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
+            exit 0
+          }
+
+          "enabled=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
+
+      - name: Checkout
+        if: steps.gate.outputs.enabled == 'true'
+        uses: actions/checkout@v4
+
+      - name: Download installer artifact
+        if: steps.gate.outputs.enabled == 'true'
+        uses: actions/download-artifact@v4
+        with:
+          name: release-installer
+          path: release-assets/installer
+
+      - name: Publish chocolatey package
+        if: steps.gate.outputs.enabled == 'true'
+        shell: pwsh
+        env:
+          CHOCOLATEY_API_KEY: ${{ secrets.CHOCOLATEY_API_KEY }}
+        run: |
+          $ErrorActionPreference = "Stop"
+          $installer = Get-ChildItem "release-assets/installer/*.exe" -File | Select-Object -First 1
+          if (-not $installer)
+          {
+            throw "Installer executable not found for Chocolatey publish."
+          }
+
+          ./build/publish-chocolatey.ps1 `
+            -Version "${{ needs.build.outputs.version }}" `
+            -Tag "${{ needs.build.outputs.tag }}" `
+            -InstallerPath $installer.FullName `
+            -ApiKey "$env:CHOCOLATEY_API_KEY"

README.md

@@ -126,6 +126,7 @@ Notes:
 
 - Winget visibility depends on microsoft/winget-pkgs publication and client source refresh.
 - Chocolatey visibility depends on moderation and verification approval state.
+- The release workflow can auto-submit winget and Chocolatey publication jobs when repository secrets are configured.
 - ThreadPilot uses an administrator-required manifest (`requireAdministrator`) and requests elevation at startup.
 - If UAC elevation is declined at startup, the application exits and does not continue in limited mode.
 - In `Power Plans > Custom Power Plans`, use `Add .pow File` to add new custom plans directly from the app.

build/publish-chocolatey.ps1

@@ -0,0 +1,100 @@
+param(
+  [Parameter(Mandatory = $true)]
+  [string]$Version,
+
+  [Parameter(Mandatory = $true)]
+  [string]$Tag,
+
+  [Parameter(Mandatory = $true)]
+  [string]$InstallerPath,
+
+  [Parameter(Mandatory = $true)]
+  [string]$ApiKey
+)
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = 'Stop'
+
+function Assert-CommandAvailable {
+  param([string]$CommandName)
+
+  if (-not (Get-Command $CommandName -ErrorAction SilentlyContinue)) {
+    throw "Required command '$CommandName' was not found in PATH."
+  }
+}
+
+Assert-CommandAvailable -CommandName 'choco'
+
+if (-not (Test-Path -LiteralPath $InstallerPath)) {
+  throw "Installer executable not found: $InstallerPath"
+}
+
+$scriptRoot = Split-Path -Parent $PSCommandPath
+$projectRoot = Split-Path -Parent $scriptRoot
+$sourceChocoRoot = Join-Path $projectRoot 'chocolatey'
+
+if (-not (Test-Path -LiteralPath $sourceChocoRoot)) {
+  throw "Chocolatey source folder not found: $sourceChocoRoot"
+}
+
+$workRoot = Join-Path $env:RUNNER_TEMP 'threadpilot-choco-publish'
+if (Test-Path -LiteralPath $workRoot) {
+  Remove-Item -LiteralPath $workRoot -Recurse -Force
+}
+
+New-Item -ItemType Directory -Path $workRoot -Force | Out-Null
+Copy-Item -Path (Join-Path $sourceChocoRoot '*') -Destination $workRoot -Recurse -Force
+
+$nuspecPath = Join-Path $workRoot 'threadpilot.nuspec'
+$installScriptPath = Join-Path $workRoot 'tools\chocolateyInstall.ps1'
+
+if (-not (Test-Path -LiteralPath $nuspecPath)) {
+  throw "Nuspec file not found: $nuspecPath"
+}
+
+if (-not (Test-Path -LiteralPath $installScriptPath)) {
+  throw "chocolateyInstall.ps1 not found: $installScriptPath"
+}
+
+$hash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash.ToLowerInvariant()
+$installerFileName = Split-Path -Leaf $InstallerPath
+$installerUrl = "https://github.com/PrimeBuild-pc/ThreadPilot/releases/download/$Tag/$installerFileName"
+$releaseNotesUrl = "https://github.com/PrimeBuild-pc/ThreadPilot/releases/tag/$Tag"
+
+[xml]$nuspec = Get-Content -LiteralPath $nuspecPath
+$nuspec.package.metadata.version = $Version
+$nuspec.package.metadata.releaseNotes = $releaseNotesUrl
+$nuspec.Save($nuspecPath)
+
+$installScript = Get-Content -LiteralPath $installScriptPath -Raw
+$installScript = [regex]::Replace($installScript, "\$url64\s*=\s*'.*?'", "`$url64 = '$installerUrl'")
+$installScript = [regex]::Replace($installScript, "\$checksum64\s*=\s*'.*?'", "`$checksum64 = '$hash'")
+Set-Content -LiteralPath $installScriptPath -Value $installScript -Encoding Ascii
+
+Push-Location -LiteralPath $workRoot
+try {
+  & choco pack threadpilot.nuspec --outputdirectory .
+  if ($LASTEXITCODE -ne 0) {
+    throw 'choco pack failed.'
+  }
+
+  $nupkg = Get-ChildItem -LiteralPath $workRoot -Filter 'threadpilot.*.nupkg' -File | Sort-Object LastWriteTimeUtc -Descending | Select-Object -First 1
+  if (-not $nupkg) {
+    throw 'Chocolatey package was not created.'
+  }
+
+  $pushOutput = (& choco push $nupkg.FullName --source 'https://push.chocolatey.org/' --api-key $ApiKey --timeout 2700 2>&1 | Out-String)
+  if ($LASTEXITCODE -ne 0) {
+    if ($pushOutput -match 'already exists') {
+      Write-Host 'Chocolatey package already exists. Treating as successful idempotent publish.'
+      exit 0
+    }
+
+    throw "choco push failed. Output: $pushOutput"
+  }
+
+  Write-Host 'Chocolatey package published successfully.'
+}
+finally {
+  Pop-Location
+}

build/submit-winget-pr.ps1

@@ -0,0 +1,128 @@
+param(
+  [Parameter(Mandatory = $true)]
+  [string]$Version,
+
+  [Parameter(Mandatory = $true)]
+  [string]$ManifestSourcePath,
+
+  [Parameter(Mandatory = $true)]
+  [string]$ForkOwner,
+
+  [Parameter(Mandatory = $true)]
+  [string]$RepositoryOwner,
+
+  [Parameter(Mandatory = $true)]
+  [string]$PackageIdentifier,
+
+  [Parameter(Mandatory = $true)]
+  [string]$GithubToken
+)
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = 'Stop'
+
+function Assert-CommandAvailable {
+  param([string]$CommandName)
+
+  if (-not (Get-Command $CommandName -ErrorAction SilentlyContinue)) {
+    throw "Required command '$CommandName' was not found in PATH."
+  }
+}
+
+Assert-CommandAvailable -CommandName 'git'
+Assert-CommandAvailable -CommandName 'gh'
+
+if (-not (Test-Path -LiteralPath $ManifestSourcePath)) {
+  throw "Manifest source path not found: $ManifestSourcePath"
+}
+
+$manifestFiles = Get-ChildItem -LiteralPath $ManifestSourcePath -Recurse -File -Filter '*.yaml'
+if (-not $manifestFiles -or $manifestFiles.Count -eq 0) {
+  throw "No winget manifest files found under $ManifestSourcePath"
+}
+
+$scriptRoot = Split-Path -Parent $PSCommandPath
+$projectRoot = Split-Path -Parent $scriptRoot
+$workDir = Join-Path $env:RUNNER_TEMP 'winget-pkgs-work'
+
+if (Test-Path -LiteralPath $workDir) {
+  Remove-Item -LiteralPath $workDir -Recurse -Force
+}
+
+$env:GH_TOKEN = $GithubToken
+
+Write-Host 'Cloning winget-pkgs fork...'
+& git clone "https://x-access-token:$GithubToken@github.com/$ForkOwner/winget-pkgs.git" $workDir
+if ($LASTEXITCODE -ne 0) {
+  throw 'Failed to clone winget-pkgs fork.'
+}
+
+Push-Location -LiteralPath $workDir
+try {
+  & git config user.name 'ThreadPilot Release Bot'
+  & git config user.email 'threadpilot-release-bot@users.noreply.github.com'
+
+  $branch = "threadpilot-$Version"
+  & git checkout -B $branch
+
+  $packageParts = $PackageIdentifier.Split('.')
+  if ($packageParts.Count -lt 2) {
+    throw "PackageIdentifier must contain at least one dot: $PackageIdentifier"
+  }
+
+  $packagePublisher = $packageParts[0]
+  $packageName = $packageParts[1]
+
+  if ($RepositoryOwner -ne $packagePublisher) {
+    throw "RepositoryOwner '$RepositoryOwner' does not match package publisher '$packagePublisher'."
+  }
+
+  $firstLetter = $packagePublisher.Substring(0, 1).ToLowerInvariant()
+  $targetDir = Join-Path $workDir (Join-Path 'manifests' (Join-Path $firstLetter (Join-Path $packagePublisher (Join-Path $packageName $Version))))
+
+  if (Test-Path -LiteralPath $targetDir) {
+    Remove-Item -LiteralPath $targetDir -Recurse -Force
+  }
+
+  New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
+
+  foreach ($file in $manifestFiles) {
+    Copy-Item -LiteralPath $file.FullName -Destination (Join-Path $targetDir $file.Name) -Force
+  }
+
+  & git add $targetDir
+  & git status --short
+
+  $hasChanges = (& git diff --cached --name-only | Out-String).Trim()
+  if ([string]::IsNullOrWhiteSpace($hasChanges)) {
+    Write-Host "No manifest changes detected for $Version. Nothing to submit."
+    exit 0
+  }
+
+  & git commit -m "Add $PackageIdentifier version $Version"
+  & git push -u origin $branch --force
+
+  $existingPr = (& gh pr list --repo microsoft/winget-pkgs --state open --head "$ForkOwner`:$branch" --json number | Out-String).Trim()
+  if (-not [string]::IsNullOrWhiteSpace($existingPr) -and $existingPr -ne '[]') {
+    Write-Host "Winget PR already exists for branch $branch."
+    exit 0
+  }
+
+  $title = "New version: $PackageIdentifier version $Version"
+  $body = @"
+Automated submission from ThreadPilot release workflow.
+
+- Package: $PackageIdentifier
+- Version: $Version
+"@
+
+  & gh pr create --repo microsoft/winget-pkgs --base master --head "$ForkOwner`:$branch" --title $title --body $body
+  if ($LASTEXITCODE -ne 0) {
+    throw 'Failed to create winget-pkgs PR.'
+  }
+
+  Write-Host "Winget PR submitted successfully for $PackageIdentifier $Version"
+}
+finally {
+  Pop-Location
+}

docs/release/PACKAGING.md

@@ -146,8 +146,16 @@ Channel behavior:
 Current workflow scope:
 
 - `.github/workflows/release.yml` builds release artifacts and uploads winget manifests as artifacts.
-- It does not automatically submit a PR to microsoft/winget-pkgs.
-- It does not automatically publish to Chocolatey community moderation.
+- It automatically submits a PR to `microsoft/winget-pkgs` when release succeeds and winget secrets are configured.
+- It automatically publishes to Chocolatey community feed when release succeeds and Chocolatey API key is configured.
+
+Required repository secrets for full channel automation:
+
+- `WINGET_GITHUB_TOKEN`: PAT with permission to push to your `winget-pkgs` fork and create PRs.
+- `WINGET_FORK_OWNER`: GitHub username/org that owns your `winget-pkgs` fork.
+- `CHOCOLATEY_API_KEY`: API key for `https://push.chocolatey.org/`.
+
+If secrets are missing, publish jobs are skipped and GitHub release remains successful.
 
 Optional automation for publishing the GitHub release after artifacts are ready: