Guard Chrome Web Store active submissions

Author: iFurySt

.github/workflows/chrome-web-store-publish.yml

@@ -32,6 +32,11 @@ on:
         required: false
         type: boolean
         default: false
+      cancel_pending_submission:
+        description: 是否先取消 Chrome Web Store 中当前审核中或 staged 的提交，再上传本次版本
+        required: false
+        type: boolean
+        default: false
 
 permissions:
   contents: read
@@ -127,6 +132,7 @@ jobs:
           CHROME_PUBLISH_TYPE: ${{ inputs.publish_type }}
           CHROME_DEPLOY_PERCENTAGE: ${{ inputs.deploy_percentage }}
           CHROME_SKIP_REVIEW: ${{ inputs.skip_review }}
+          CHROME_CANCEL_PENDING_SUBMISSION: ${{ inputs.cancel_pending_submission }}
         run: |
           args=(
             --zip "${CHROME_EXTENSION_ZIP}"
@@ -142,6 +148,9 @@ jobs:
           if [ "${CHROME_SKIP_REVIEW}" = "true" ]; then
             args+=(--skip-review)
           fi
+          if [ "${CHROME_CANCEL_PENDING_SUBMISSION}" = "true" ]; then
+            args+=(--cancel-pending)
+          fi
           ./scripts/publish-chrome-web-store.mjs "${args[@]}"
 
       - name: 上传 Chrome Web Store API 结果

.github/workflows/release.yml

@@ -34,6 +34,11 @@ on:
         required: false
         type: boolean
         default: false
+      chrome_cancel_pending_submission:
+        description: 是否先取消 Chrome Web Store 中当前审核中或 staged 的提交，再上传本次版本
+        required: false
+        type: boolean
+        default: false
 
 permissions:
   contents: read
@@ -181,18 +186,22 @@ jobs:
           CHROME_PUBLISH_TYPE_INPUT: ${{ inputs.chrome_publish_type }}
           CHROME_DEPLOY_PERCENTAGE_INPUT: ${{ inputs.chrome_deploy_percentage }}
           CHROME_SKIP_REVIEW_INPUT: ${{ inputs.chrome_skip_review }}
+          CHROME_CANCEL_PENDING_SUBMISSION_INPUT: ${{ inputs.chrome_cancel_pending_submission }}
           CWS_PUBLISH_TYPE: ${{ vars.CWS_PUBLISH_TYPE }}
           CWS_DEPLOY_PERCENTAGE: ${{ vars.CWS_DEPLOY_PERCENTAGE }}
           CWS_SKIP_REVIEW: ${{ vars.CWS_SKIP_REVIEW }}
+          CWS_CANCEL_PENDING_SUBMISSION: ${{ vars.CWS_CANCEL_PENDING_SUBMISSION }}
         run: |
           if [ "${GITHUB_EVENT_NAME}" = "workflow_dispatch" ]; then
             publish_type="${CHROME_PUBLISH_TYPE_INPUT:-DEFAULT_PUBLISH}"
             deploy_percentage="${CHROME_DEPLOY_PERCENTAGE_INPUT:-}"
             skip_review="${CHROME_SKIP_REVIEW_INPUT:-false}"
+            cancel_pending_submission="${CHROME_CANCEL_PENDING_SUBMISSION_INPUT:-false}"
           else
             publish_type="${CWS_PUBLISH_TYPE:-DEFAULT_PUBLISH}"
             deploy_percentage="${CWS_DEPLOY_PERCENTAGE:-}"
             skip_review="${CWS_SKIP_REVIEW:-false}"
+            cancel_pending_submission="${CWS_CANCEL_PENDING_SUBMISSION:-false}"
           fi
 
           args=(
@@ -206,6 +215,9 @@ jobs:
           if [ "${skip_review}" = "true" ]; then
             args+=(--skip-review)
           fi
+          if [ "${cancel_pending_submission}" = "true" ]; then
+            args+=(--cancel-pending)
+          fi
           ./scripts/publish-chrome-web-store.mjs --submit "${args[@]}"
 
       - name: 上传 Chrome Web Store API 结果

docs/CHROME_WEB_STORE_RELEASE.md

@@ -124,6 +124,9 @@ Chrome Web Store API v2 用于上传 extension zip，并可选提交审核。官
   Extension ID。
 - 上传新包时，`apps/chrome-extension/manifest.json` 的 `version` 必须比
   已发布版本更高。
+- 如果已有 active submission（例如 `PENDING_REVIEW` 或 `STAGED`），API 不允许继续
+  上传或提交新版本。仓库脚本会先调用 `fetchStatus` 检查状态，默认跳过本轮商店提交
+  并写出 JSON 结果，避免 GitHub Release 因商店审核队列而失败。
 - 首次提交 Dashboard 文案、权限说明和隐私字段时，先使用
   `docs/CHROME_WEB_STORE_LISTING.md` 里的 listing draft。
 
@@ -186,6 +189,13 @@ CWS_REFRESH_TOKEN` 写入 GitHub repository secret。
 3. 调用 Chrome Web Store API v2 `upload`。
 4. 上传成功后调用 `publish`，提交审核。
 
+如果 Chrome Web Store 里已经有审核中或 staged 的提交，workflow 默认不会取消它；
+脚本会跳过上传并在 `chrome-web-store-result.json` 里记录
+`skipped.reason=ACTIVE_SUBMISSION`。这让 GitHub Release、npm、PyPI 和 Homebrew
+发布可以继续保持绿色。要让最新版本替换旧的审核中提交，手动触发 workflow 时把
+`chrome_cancel_pending_submission` 设为 `true`。这会先调用
+`cancelSubmission` 取消当前 active submission，再上传并提交本次 extension zip。
+
 `scripts/publish-chrome-web-store.mjs` 的认证优先级是：
 
 1. `CWS_ACCESS_TOKEN`：短期 access token，适合本地一次性验证。
@@ -210,13 +220,19 @@ CWS_AUTO_PUBLISH=true
 CWS_PUBLISH_TYPE=DEFAULT_PUBLISH
 CWS_DEPLOY_PERCENTAGE=
 CWS_SKIP_REVIEW=false
+CWS_CANCEL_PENDING_SUBMISSION=false
 ```
 
 tag 自动发布仍然需要上面的 `CWS_*` secrets。`CWS_SKIP_REVIEW=true` 只会请求
 Chrome Web Store 跳过审核；官方 API 会验证是否符合条件，不符合时会返回错误。
 Open Browser Use 当前包含 `<all_urls>`、`debugger`、`tabs`、`downloads` 等敏感
 能力，普通代码更新应预期继续进入审核流程。
 
+`CWS_CANCEL_PENDING_SUBMISSION=true` 会让 tag 自动发布在发现 active submission
+时先取消旧提交再提交当前 tag 的 zip。这个动作会改变 Chrome Web Store 审核队列，
+建议只在你明确希望“最新 tag 覆盖旧审核版本”时开启；否则保持默认 `false`，等当前
+审核结束后用补发 workflow 提交最新 release。
+
 ## 从已有 GitHub Release 补发商店
 
 如果 GitHub Release 已经创建完成，只需要把其中的插件 zip 上传到 Chrome
@@ -233,12 +249,16 @@ submit=true
 publish_type=DEFAULT_PUBLISH
 deploy_percentage=
 skip_review=false
+cancel_pending_submission=false
 ```
 
 `asset_name` 留空时会按 `release_tag` 精确下载
 `open-browser-use-chrome-extension-<version>.zip`。如果需要上传非默认 asset，可以
 显式填写完整 asset 文件名。
 
+如果补发时商店里仍有旧版本在审核中，先确认是否要替换旧审核版本；确认后把
+`cancel_pending_submission=true`。否则 workflow 会跳过上传并保留当前审核队列。
+
 ## 官方参考
 
 - Chrome Web Store API 使用指南：
@@ -249,3 +269,7 @@ skip_review=false
   <https://developer.chrome.com/docs/webstore/api/reference/rest/v2/media/upload>
 - Chrome Web Store API v2 publish：
   <https://developer.chrome.com/docs/webstore/api/reference/rest/v2/publishers.items/publish>
+- Chrome Web Store API v2 fetchStatus：
+  <https://developer.chrome.com/docs/webstore/api/reference/rest/v2/publishers.items/fetchStatus>
+- Chrome Web Store API v2 cancelSubmission：
+  <https://developer.chrome.com/docs/webstore/api/reference/rest/v2/publishers.items/cancelSubmission>

docs/CICD.md

@@ -12,7 +12,10 @@
   和 skill 下载包，普通安装入口使用 zip/unpacked，其他 manifest、SBOM 和 repo
   metadata 留在 workflow artifact 里。手动触发时按输入参数可把
   extension 上传并提交到 Chrome Web Store；tag 推送时也可以通过 repository
-  variable `CWS_AUTO_PUBLISH=true` 自动上传并提交商店审核。新建 GitHub Release 时使用
+  variable `CWS_AUTO_PUBLISH=true` 自动上传并提交商店审核。商店提交前会检查
+  active submission，默认遇到审核中或 staged 的旧提交时跳过 CWS 上传但不让
+  release workflow 因此失败；需要替换旧审核版本时显式开启 cancel pending
+  submission。新建 GitHub Release 时使用
   `gh release create --generate-notes`，交给 GitHub 自动生成 `What's Changed`、
   `New Contributors` 和 `Full Changelog`。
 - `npm-publish.yml`：tag `v*` 推送触发的 npm 发布流水线，使用 npm
@@ -53,6 +56,8 @@
    `HOMEBREW_TAP_TOKEN` 能写入 tap repo。
 7. 浏览器插件发布走 `docs/CHROME_WEB_STORE_RELEASE.md` 里的 Chrome Web
    Store API v2 流程；需要每个 tag 自动提交时，再开启 `CWS_AUTO_PUBLISH=true`。
+   如果要让最新 tag 取消并替换审核中的旧版本，再开启
+   `CWS_CANCEL_PENDING_SUBMISSION=true`。
 8. 技术栈和环境稳定后，再补其他部署 job 或非阻塞的依赖巡检。
 9. 即使交付方式变化，release 阶段的 SBOM 和 provenance 这类供应链能力也建议保留。
 

docs/histories/2026-05/20260511-1947-cws-active-submission-guard.md

@@ -0,0 +1,35 @@
+## [2026-05-11 19:47] | Task: Chrome Web Store active submission guard
+
+### 🤖 Execution Context
+
+- **Agent ID**: `Codex`
+- **Base Model**: `GPT-5`
+- **Runtime**: `Codex CLI`
+
+### 📥 User Query
+
+> Chrome Web Store 已有版本在审核中时，希望发布机制能检测并处理，必要时取消旧审核并用最新版本重发，避免最新版本没发出去。
+
+### 🛠 Changes Overview
+
+**Scope:** Chrome Web Store publish script, release workflows, release docs.
+
+**Key Actions:**
+
+- **[Preflight]**: Added `fetchStatus` before CWS upload and detect active submitted revisions (`PENDING_REVIEW` and `STAGED`).
+- **[Default Guard]**: Default behavior now skips CWS upload/submission with `skipped.reason=ACTIVE_SUBMISSION` instead of failing the whole release workflow.
+- **[Explicit Replace]**: Added `--cancel-pending`, workflow inputs, and `CWS_CANCEL_PENDING_SUBMISSION=true` to cancel the active CWS submission before uploading the latest zip.
+- **[Docs]**: Documented skip vs cancel behavior and linked official `fetchStatus` / `cancelSubmission` references.
+
+### 🧠 Design Intent (Why)
+
+Chrome Web Store rejects edits while an item is already in review. Release automation should not fail GitHub Release, npm, PyPI, and Homebrew delivery because CWS is busy, but replacing an active submission is externally visible and should require an explicit opt-in.
+
+### 📁 Files Modified
+
+- `scripts/publish-chrome-web-store.mjs`
+- `.github/workflows/release.yml`
+- `.github/workflows/chrome-web-store-publish.yml`
+- `docs/CHROME_WEB_STORE_RELEASE.md`
+- `docs/CICD.md`
+- `docs/releases/feature-release-notes.md`

docs/releases/feature-release-notes.md

@@ -4,6 +4,7 @@
 
 | 日期 | 功能域 | 用户价值 | 变更摘要 |
 | --- | --- | --- | --- |
+| 2026-05-11 | Chrome Web Store Submission Guard | Chrome Web Store 已有版本在审核中时，tag release 不会因为商店拒绝编辑而整体失败；维护者可以选择跳过，或显式取消旧审核并用最新版本重发。 | `publish-chrome-web-store.mjs` 在上传前调用 `fetchStatus`，默认遇到 active submission 写出 `ACTIVE_SUBMISSION` skip 结果；新增 `--cancel-pending`、workflow 输入和 `CWS_CANCEL_PENDING_SUBMISSION` 变量。 |
 | 2026-05-11 | Guided Store Setup | `open-browser-use setup` 会直接打开 Open Browser Use 的 Chrome Web Store 页面，用户可以在明确的页面里安装或启用扩展并按需重启。 | 发布 `0.1.35` patch 版本，setup 仍会注册 native host 和写入 External Extensions hint，同时新增 `--no-open` 供 CI、测试或无桌面环境只写配置。 |
 | 2026-05-11 | Chrome Extension Popup | 高分辨率屏幕上 popup 顶部 LOGO 更清晰，不再因为用 32px 位图放大显示而出现明显锯齿。 | 发布 `0.1.34` patch 版本，popup 头部改用 128px icon 作为源图并保持 32 CSS px 显示尺寸；同步 runtime、SDK、extension 版本号和发布制品。 |
 | 2026-05-11 | Chrome Extension Logo | Chrome Web Store 和浏览器工具栏会显示新版 Open Browser Use 标识，减少旧视觉资产和当前品牌方向不一致的问题。 | 发布 `0.1.33` patch 版本，替换 Chrome extension 的 16/32/48/128 PNG icons 和 1024px source logo，并沿用现有 tag release 与 Chrome Web Store 自动提交链路。 |

scripts/ci.sh

@@ -25,6 +25,7 @@ node "${repo_root}/scripts/generate-chrome-extension-icons.mjs"
   cd "${repo_root}"
   go test ./...
   node --test apps/chrome-extension/*.test.mjs
+  node --test scripts/*.test.mjs
   pnpm -r --if-present test
 )
 (

scripts/publish-chrome-web-store.mjs

@@ -5,7 +5,7 @@ import { createSign } from "node:crypto";
 import path from "node:path";
 import process from "node:process";
 
-const apiRoot = "https://chromewebstore.googleapis.com";
+const apiRoot = process.env.CWS_API_ROOT ?? "https://chromewebstore.googleapis.com";
 const oauthTokenUrl = "https://oauth2.googleapis.com/token";
 const chromeWebStoreScope = "https://www.googleapis.com/auth/chromewebstore";
 
@@ -199,6 +199,44 @@ async function fetchStatus(accessToken) {
   });
 }
 
+async function cancelSubmission(accessToken) {
+  return requestJson(`${apiRoot}/v2/${itemName()}:cancelSubmission`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+}
+
+function submittedRevisionState(status) {
+  return status?.submittedItemRevisionStatus?.state ?? "";
+}
+
+function revisionVersions(revisionStatus) {
+  if (!Array.isArray(revisionStatus?.distributionChannels)) {
+    return [];
+  }
+  return revisionStatus.distributionChannels
+    .map((channel) => channel?.crxVersion)
+    .filter((version) => typeof version === "string" && version !== "");
+}
+
+function statusSummary(status) {
+  return {
+    publishedState: status?.publishedItemRevisionStatus?.state ?? null,
+    publishedVersions: revisionVersions(status?.publishedItemRevisionStatus),
+    submittedState: submittedRevisionState(status) || null,
+    submittedVersions: revisionVersions(status?.submittedItemRevisionStatus),
+    lastAsyncUploadState: status?.lastAsyncUploadState ?? null,
+    takenDown: status?.takenDown ?? false,
+    warned: status?.warned ?? false
+  };
+}
+
+function hasActiveSubmittedRevision(status) {
+  return ["PENDING_REVIEW", "STAGED"].includes(submittedRevisionState(status));
+}
+
 async function waitForUpload(accessToken, uploadResponse) {
   let state = uploadResponse.uploadState;
   if (state === "SUCCEEDED") {
@@ -253,12 +291,34 @@ async function main() {
   }
   const absoluteZipPath = path.resolve(zipPath);
   const accessToken = await getAccessToken();
-  const uploadResponse = await uploadPackage(accessToken, absoluteZipPath);
-  const finalUploadState = await waitForUpload(accessToken, uploadResponse);
+  const preflightStatus = await fetchStatus(accessToken);
   const result = {
-    uploaded: finalUploadState,
+    preflightStatus: statusSummary(preflightStatus),
+    skipped: null,
+    cancelledSubmission: null,
+    uploaded: null,
     published: null
   };
+  if (hasActiveSubmittedRevision(preflightStatus)) {
+    if (hasFlag("cancel-pending") || process.env.CWS_CANCEL_PENDING_SUBMISSION === "true") {
+      result.cancelledSubmission = await cancelSubmission(accessToken);
+    } else {
+      result.skipped = {
+        reason: "ACTIVE_SUBMISSION",
+        message:
+          "Chrome Web Store already has an active submitted revision. Re-run with --cancel-pending or CWS_CANCEL_PENDING_SUBMISSION=true to replace it."
+      };
+      const outputPath = readFlag("output", process.env.CWS_RESULT_PATH ?? "");
+      if (outputPath) {
+        await writeFile(outputPath, `${JSON.stringify(result, null, 2)}\n`);
+      }
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+  }
+  const uploadResponse = await uploadPackage(accessToken, absoluteZipPath);
+  const finalUploadState = await waitForUpload(accessToken, uploadResponse);
+  result.uploaded = finalUploadState;
   if (hasFlag("submit") || process.env.CWS_SUBMIT_FOR_REVIEW === "true") {
     result.published = await publish(accessToken);
   }