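# Release workflow: packages the Chrome extension, generates an SBOM and
# build provenance, publishes a GitHub Release, and (on manual dispatch
# only) optionally uploads/submits the extension to the Chrome Web Store.
name: 发布
on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      tag:
        description: 要创建的 release tag,例如 v0.1.0
        required: true
      title:
        description: 给人看的发布标题
        required: false
      publish_chrome_web_store:
        description: 是否把 Chrome extension 上传并提交到 Chrome Web Store 审核
        required: false
        type: boolean
        default: false
      chrome_publish_type:
        description: Chrome Web Store publishType
        required: false
        type: choice
        options:
          - DEFAULT_PUBLISH
          - STAGED_PUBLISH
        default: DEFAULT_PUBLISH
      chrome_deploy_percentage:
        description: 可选灰度比例,留空则使用开发者后台当前设置
        required: false
        default: ""
      chrome_skip_review:
        description: 是否请求跳过审核,只有符合条件时 Chrome Web Store 才会接受
        required: false
        type: boolean
        default: false

# Workflow-wide default is read-only; the job below raises only what it needs.
permissions:
  contents: read

jobs:
  package-and-release:
    runs-on: ubuntu-latest
    # contents: write            -> create the release / upload assets
    # attestations + id-token    -> sign and store build provenance
    permissions:
      contents: write
      attestations: write
      id-token: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false

      # Resolve the release tag/title. Dispatch inputs are passed through env
      # rather than interpolated into the script, so they are never parsed as
      # shell.
      - name: 解析 release 元数据
        id: release
        env:
          DISPATCH_TAG: ${{ github.event.inputs.tag }}
          DISPATCH_TITLE: ${{ github.event.inputs.title }}
        run: |
          if [ "${GITHUB_EVENT_NAME}" = "workflow_dispatch" ]; then
            release_tag="${DISPATCH_TAG}"
            # Fall back to the tag name when no human-readable title is given.
            release_title="${DISPATCH_TITLE:-${release_tag}}"
          else
            release_tag="${GITHUB_REF_NAME}"
            release_title="${GITHUB_REF_NAME}"
          fi
          if [ -z "${release_tag}" ]; then
            echo "Release tag is required" >&2
            exit 1
          fi
          echo "tag=${release_tag}" >> "${GITHUB_OUTPUT}"
          echo "title=${release_title}" >> "${GITHUB_OUTPUT}"

      # Build the artifacts and fail early if the expected zip/crx are missing,
      # so later steps never publish an incomplete release.
      - name: 打包 release 制品
        id: package
        env:
          CHROME_EXTENSION_PRIVATE_KEY: ${{ secrets.CHROME_EXTENSION_PRIVATE_KEY }}
        run: |
          ./scripts/release-package.sh
          chrome_extension_zip="$(find dist/chrome-extension -maxdepth 1 -type f -name '*.zip' -print -quit)"
          if [ -z "${chrome_extension_zip}" ]; then
            echo "Chrome extension zip not found" >&2
            exit 1
          fi
          chrome_extension_crx="$(find dist/chrome-extension -maxdepth 1 -type f -name '*.crx' -print -quit)"
          if [ -z "${chrome_extension_crx}" ]; then
            echo "Chrome extension crx not found" >&2
            exit 1
          fi
          echo "chrome_extension_zip=${chrome_extension_zip}" >> "${GITHUB_OUTPUT}"
          echo "chrome_extension_crx=${chrome_extension_crx}" >> "${GITHUB_OUTPUT}"

      - name: 生成 SBOM
        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
        with:
          path: .
          format: spdx-json
          output-file: dist/sbom.spdx.json
          upload-artifact: false

      # Internal evidence bundle (metadata, manifest, artifacts, SBOM) kept as
      # a workflow artifact, separate from the public release assets.
      - name: 上传内部 release 证据
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: release-evidence
          path: |
            dist/repo-metadata.tgz
            dist/release-manifest.json
            dist/chrome-extension/*.zip
            dist/chrome-extension/*.crx
            dist/chrome-extension/*.json
            dist/sbom.spdx.json

      # Provenance is only generated for non-private repositories.
      - name: 生成 build provenance
        if: ${{ !github.event.repository.private }}
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: |
            dist/chrome-extension/*.zip
            dist/chrome-extension/*.crx

      - name: 创建 GitHub Release
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ steps.release.outputs.tag }}
          RELEASE_TITLE: ${{ steps.release.outputs.title }}
        run: |
          # nullglob keeps an unmatched pattern from being passed to gh as a
          # literal filename; the explicit count check then fails loudly.
          shopt -s nullglob
          assets=(dist/chrome-extension/*.zip dist/chrome-extension/*.crx)
          if [ "${#assets[@]}" -eq 0 ]; then
            echo "No release assets found under dist/chrome-extension" >&2
            exit 1
          fi
          if gh release view "${RELEASE_TAG}" >/dev/null 2>&1; then
            gh release upload "${RELEASE_TAG}" "${assets[@]}" --clobber
          else
            # --target pins a tag that gh has to create (the workflow_dispatch
            # case, where the tag may not exist yet) to the commit this job
            # actually built, instead of the default branch head. GitHub
            # ignores it when the tag already exists (tag-push case).
            gh release create "${RELEASE_TAG}" "${assets[@]}" \
              --target "${GITHUB_SHA}" \
              --title "${RELEASE_TITLE}" \
              --generate-notes
          fi

      # Manual dispatch only, and only when explicitly requested; all inputs
      # and secrets reach the script via env, never via ${{ }} in the script.
      - name: 上传并提交 Chrome Web Store 审核
        if: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_chrome_web_store }}
        env:
          CWS_ACCESS_TOKEN: ${{ secrets.CWS_ACCESS_TOKEN }}
          CWS_CLIENT_ID: ${{ secrets.CWS_CLIENT_ID }}
          CWS_CLIENT_SECRET: ${{ secrets.CWS_CLIENT_SECRET }}
          CWS_REFRESH_TOKEN: ${{ secrets.CWS_REFRESH_TOKEN }}
          CWS_SERVICE_ACCOUNT_JSON: ${{ secrets.CWS_SERVICE_ACCOUNT_JSON }}
          CWS_PUBLISHER_ID: ${{ secrets.CWS_PUBLISHER_ID }}
          CWS_EXTENSION_ID: ${{ secrets.CWS_EXTENSION_ID }}
          CHROME_EXTENSION_ZIP: ${{ steps.package.outputs.chrome_extension_zip }}
          CHROME_PUBLISH_TYPE: ${{ inputs.chrome_publish_type }}
          CHROME_DEPLOY_PERCENTAGE: ${{ inputs.chrome_deploy_percentage }}
          CHROME_SKIP_REVIEW: ${{ inputs.chrome_skip_review }}
        run: |
          args=(
            --zip "${CHROME_EXTENSION_ZIP}"
            --output dist/chrome-extension/chrome-web-store-result.json
            --publish-type "${CHROME_PUBLISH_TYPE}"
          )
          # Empty percentage means "keep the current developer-console setting".
          if [ -n "${CHROME_DEPLOY_PERCENTAGE}" ]; then
            args+=(--deploy-percentage "${CHROME_DEPLOY_PERCENTAGE}")
          fi
          # Boolean inputs arrive in env as the strings "true"/"false".
          if [ "${CHROME_SKIP_REVIEW}" = "true" ]; then
            args+=(--skip-review)
          fi
          ./scripts/publish-chrome-web-store.mjs --submit "${args[@]}"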