Support Chrome Web Store service account auth

iFurySt · iFurySt · commit fb93479b47ae · 2026-05-08T21:48:50.000+08:00
diff --git a/.github/workflows/chrome-web-store-publish.yml b/.github/workflows/chrome-web-store-publish.yml
@@ -46,28 +46,43 @@ jobs:
 
       - name: 校验 Chrome Web Store secrets
         env:
+          CWS_ACCESS_TOKEN: ${{ secrets.CWS_ACCESS_TOKEN }}
           CWS_CLIENT_ID: ${{ secrets.CWS_CLIENT_ID }}
           CWS_CLIENT_SECRET: ${{ secrets.CWS_CLIENT_SECRET }}
           CWS_REFRESH_TOKEN: ${{ secrets.CWS_REFRESH_TOKEN }}
+          CWS_SERVICE_ACCOUNT_JSON: ${{ secrets.CWS_SERVICE_ACCOUNT_JSON }}
           CWS_PUBLISHER_ID: ${{ secrets.CWS_PUBLISHER_ID }}
           CWS_EXTENSION_ID: ${{ secrets.CWS_EXTENSION_ID }}
         run: |
           missing=()
           for name in \
-            CWS_CLIENT_ID \
-            CWS_CLIENT_SECRET \
-            CWS_REFRESH_TOKEN \
             CWS_PUBLISHER_ID \
             CWS_EXTENSION_ID
           do
             if [ -z "${!name}" ]; then
               missing+=("${name}")
             fi
           done
+          has_oauth="false"
+          if [ -n "${CWS_CLIENT_ID}" ] && [ -n "${CWS_CLIENT_SECRET}" ] && [ -n "${CWS_REFRESH_TOKEN}" ]; then
+            has_oauth="true"
+          fi
+          has_service_account="false"
+          if [ -n "${CWS_SERVICE_ACCOUNT_JSON}" ]; then
+            has_service_account="true"
+          fi
+          has_access_token="false"
+          if [ -n "${CWS_ACCESS_TOKEN}" ]; then
+            has_access_token="true"
+          fi
           if [ "${#missing[@]}" -gt 0 ]; then
             printf 'Missing required repository secrets: %s\n' "${missing[*]}" >&2
             exit 1
           fi
+          if [ "${has_oauth}" != "true" ] && [ "${has_service_account}" != "true" ] && [ "${has_access_token}" != "true" ]; then
+            echo "Configure one Chrome Web Store auth method: CWS_SERVICE_ACCOUNT_JSON, CWS_ACCESS_TOKEN, or CWS_CLIENT_ID+CWS_CLIENT_SECRET+CWS_REFRESH_TOKEN" >&2
+            exit 1
+          fi
 
       - name: 下载 Chrome extension release asset
         id: asset
@@ -99,9 +114,11 @@ jobs:
 
       - name: 上传到 Chrome Web Store
         env:
+          CWS_ACCESS_TOKEN: ${{ secrets.CWS_ACCESS_TOKEN }}
           CWS_CLIENT_ID: ${{ secrets.CWS_CLIENT_ID }}
           CWS_CLIENT_SECRET: ${{ secrets.CWS_CLIENT_SECRET }}
           CWS_REFRESH_TOKEN: ${{ secrets.CWS_REFRESH_TOKEN }}
+          CWS_SERVICE_ACCOUNT_JSON: ${{ secrets.CWS_SERVICE_ACCOUNT_JSON }}
           CWS_PUBLISHER_ID: ${{ secrets.CWS_PUBLISHER_ID }}
           CWS_EXTENSION_ID: ${{ secrets.CWS_EXTENSION_ID }}
           CHROME_EXTENSION_ZIP: ${{ steps.asset.outputs.chrome_extension_zip }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -100,9 +100,11 @@ jobs:
       - name: 上传并提交 Chrome Web Store 审核
         if: ${{ inputs.publish_chrome_web_store }}
         env:
+          CWS_ACCESS_TOKEN: ${{ secrets.CWS_ACCESS_TOKEN }}
           CWS_CLIENT_ID: ${{ secrets.CWS_CLIENT_ID }}
           CWS_CLIENT_SECRET: ${{ secrets.CWS_CLIENT_SECRET }}
           CWS_REFRESH_TOKEN: ${{ secrets.CWS_REFRESH_TOKEN }}
+          CWS_SERVICE_ACCOUNT_JSON: ${{ secrets.CWS_SERVICE_ACCOUNT_JSON }}
           CWS_PUBLISHER_ID: ${{ secrets.CWS_PUBLISHER_ID }}
           CWS_EXTENSION_ID: ${{ secrets.CWS_EXTENSION_ID }}
           CHROME_EXTENSION_ZIP: ${{ steps.package.outputs.chrome_extension_zip }}
diff --git a/docs/CHROME_WEB_STORE_LISTING.md b/docs/CHROME_WEB_STORE_LISTING.md
@@ -13,6 +13,8 @@ Store Developer Dashboard still needs:
 - Store listing fields completed.
 - Privacy practices fields completed.
 - A privacy policy URL attached to the developer account or item.
+- The service account email added under the Chrome Web Store Developer Dashboard
+  Account settings if CI/CD uses `CWS_SERVICE_ACCOUNT_JSON`.
 - The resulting Extension ID copied into the `CWS_EXTENSION_ID` GitHub secret.
 
 ## Store Listing
diff --git a/docs/CHROME_WEB_STORE_RELEASE.md b/docs/CHROME_WEB_STORE_RELEASE.md
@@ -67,26 +67,37 @@ Chrome Web Store API v2 用于上传 extension zip，并可选提交审核。官
 - 首次提交 Dashboard 文案、权限说明和隐私字段时，先使用
   `docs/CHROME_WEB_STORE_LISTING.md` 里的 listing draft。
 
-需要在 GitHub repository secrets 里配置：
+推荐使用 Chrome Web Store API v2 service account 给 CI/CD 授权。需要在
+Google Cloud 启用 Chrome Web Store API，创建 service account，并在 Chrome
+Web Store Developer Dashboard 的 Account 设置里添加该 service account email。
+官方限制是 publisher 当前只能添加一个 service account。
+
+service account 路径需要在 GitHub repository secrets 里配置：
 
 ```text
-CWS_CLIENT_ID
-CWS_CLIENT_SECRET
-CWS_REFRESH_TOKEN
+CWS_SERVICE_ACCOUNT_JSON
 CWS_PUBLISHER_ID
 CWS_EXTENSION_ID
 ```
 
 可用 `gh` 写入：
 
 ```bash
-gh secret set CWS_CLIENT_ID
-gh secret set CWS_CLIENT_SECRET
-gh secret set CWS_REFRESH_TOKEN
+gh secret set CWS_SERVICE_ACCOUNT_JSON < /path/to/service-account.json
 gh secret set CWS_PUBLISHER_ID
 gh secret set CWS_EXTENSION_ID
 ```
 
+也可以继续使用 OAuth refresh token 路径；这种方式需要配置：
+
+```text
+CWS_CLIENT_ID
+CWS_CLIENT_SECRET
+CWS_REFRESH_TOKEN
+CWS_PUBLISHER_ID
+CWS_EXTENSION_ID
+```
+
 `CWS_REFRESH_TOKEN` 可以用本地 OAuth helper 生成。先在 Google Cloud 中为同一
 项目启用 Chrome Web Store API，创建 OAuth client，并确保 loopback redirect
 URI 可用：
@@ -115,6 +126,13 @@ CWS_REFRESH_TOKEN` 写入 GitHub repository secret。
 3. 调用 Chrome Web Store API v2 `upload`。
 4. 上传成功后调用 `publish`，提交审核。
 
+`scripts/publish-chrome-web-store.mjs` 的认证优先级是：
+
+1. `CWS_ACCESS_TOKEN`：短期 access token，适合本地一次性验证。
+2. `CWS_SERVICE_ACCOUNT_JSON`：推荐的 CI/CD service account JSON key。
+3. `CWS_CLIENT_ID`、`CWS_CLIENT_SECRET`、`CWS_REFRESH_TOKEN`：OAuth refresh
+   token fallback。
+
 `chrome_publish_type` 默认为 `DEFAULT_PUBLISH`，通过审核后自动发布；如果想
 审核通过后再手动发布，选择 `STAGED_PUBLISH`。`chrome_deploy_percentage`
 留空时使用 Developer Dashboard 当前设置。
@@ -145,6 +163,8 @@ zip，可以显式填写完整 asset 文件名。
 
 - Chrome Web Store API 使用指南：
   <https://developer.chrome.com/docs/webstore/using-api>
+- Chrome Web Store API service account：
+  <https://developer.chrome.com/docs/webstore/service-accounts>
 - Chrome Web Store API v2 upload：
   <https://developer.chrome.com/docs/webstore/api/reference/rest/v2/media/upload>
 - Chrome Web Store API v2 publish：
diff --git a/docs/histories/2026-05/20260508-2105-chrome-web-store-release.md b/docs/histories/2026-05/20260508-2105-chrome-web-store-release.md
@@ -82,3 +82,5 @@ upload and publish behavior.
 - Added a Chrome Web Store listing and privacy practices draft based on the
   current manifest permissions and native host boundary, so the Dashboard setup
   is reproducible instead of only described in chat.
+- Added Chrome Web Store service account authentication support for CI/CD while
+  keeping OAuth refresh tokens as a fallback path.
diff --git a/scripts/publish-chrome-web-store.mjs b/scripts/publish-chrome-web-store.mjs
@@ -1,11 +1,13 @@
 #!/usr/bin/env node
 
 import { readFile, writeFile } from "node:fs/promises";
+import { createSign } from "node:crypto";
 import path from "node:path";
 import process from "node:process";
 
 const apiRoot = "https://chromewebstore.googleapis.com";
 const oauthTokenUrl = "https://oauth2.googleapis.com/token";
+const chromeWebStoreScope = "https://www.googleapis.com/auth/chromewebstore";
 
 function readFlag(name, fallback = null) {
   const prefix = `--${name}=`;
@@ -24,6 +26,10 @@ function hasFlag(name) {
   return process.argv.includes(`--${name}`);
 }
 
+function optionalEnv(name) {
+  return process.env[name] ?? "";
+}
+
 function env(name) {
   const value = process.env[name];
   if (!value) {
@@ -54,7 +60,44 @@ async function requestJson(url, options = {}) {
   return body;
 }
 
-async function getAccessToken() {
+function base64UrlEncode(input) {
+  return Buffer.from(input)
+    .toString("base64")
+    .replaceAll("+", "-")
+    .replaceAll("/", "_")
+    .replace(/=+$/, "");
+}
+
+function signJwt(payload, privateKey) {
+  const header = {
+    alg: "RS256",
+    typ: "JWT"
+  };
+  const encodedHeader = base64UrlEncode(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const signingInput = `${encodedHeader}.${encodedPayload}`;
+  const signer = createSign("RSA-SHA256");
+  signer.update(signingInput);
+  signer.end();
+  const signature = signer.sign(privateKey);
+  return `${signingInput}.${base64UrlEncode(signature)}`;
+}
+
+function readServiceAccountJson() {
+  const raw = optionalEnv("CWS_SERVICE_ACCOUNT_JSON");
+  if (!raw) {
+    return null;
+  }
+  try {
+    return JSON.parse(raw);
+  } catch (error) {
+    throw new Error(
+      `CWS_SERVICE_ACCOUNT_JSON is not valid JSON: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+
+async function getOauthAccessToken() {
   const body = new URLSearchParams({
     client_id: env("CWS_CLIENT_ID"),
     client_secret: env("CWS_CLIENT_SECRET"),
@@ -74,6 +117,64 @@ async function getAccessToken() {
   return token.access_token;
 }
 
+async function getServiceAccountAccessToken(serviceAccount) {
+  const clientEmail = serviceAccount.client_email;
+  const privateKey = serviceAccount.private_key;
+  const tokenUri = serviceAccount.token_uri ?? oauthTokenUrl;
+  if (typeof clientEmail !== "string" || clientEmail === "") {
+    throw new Error("CWS_SERVICE_ACCOUNT_JSON must include client_email");
+  }
+  if (typeof privateKey !== "string" || privateKey === "") {
+    throw new Error("CWS_SERVICE_ACCOUNT_JSON must include private_key");
+  }
+  const now = Math.floor(Date.now() / 1000);
+  const assertion = signJwt(
+    {
+      iss: clientEmail,
+      scope: chromeWebStoreScope,
+      aud: tokenUri,
+      exp: now + 3600,
+      iat: now
+    },
+    privateKey
+  );
+  const token = await requestJson(tokenUri, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: new URLSearchParams({
+      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+      assertion
+    })
+  });
+  if (!token.access_token) {
+    throw new Error("Service account token response did not include access_token");
+  }
+  return token.access_token;
+}
+
+async function getAccessToken() {
+  const directAccessToken = optionalEnv("CWS_ACCESS_TOKEN");
+  if (directAccessToken) {
+    return directAccessToken;
+  }
+  const serviceAccount = readServiceAccountJson();
+  if (serviceAccount) {
+    return await getServiceAccountAccessToken(serviceAccount);
+  }
+  if (
+    !optionalEnv("CWS_CLIENT_ID") ||
+    !optionalEnv("CWS_CLIENT_SECRET") ||
+    !optionalEnv("CWS_REFRESH_TOKEN")
+  ) {
+    throw new Error(
+      "Configure one Chrome Web Store auth method: CWS_ACCESS_TOKEN, CWS_SERVICE_ACCOUNT_JSON, or CWS_CLIENT_ID+CWS_CLIENT_SECRET+CWS_REFRESH_TOKEN"
+    );
+  }
+  return await getOauthAccessToken();
+}
+
 function itemName() {
   return `publishers/${env("CWS_PUBLISHER_ID")}/items/${env("CWS_EXTENSION_ID")}`;
 }
