Make privacy policy text consistent #364
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Native CI/CD | |
| on: | |
| push: | |
| paths: | |
| - .github/workflows/native.yaml | |
| - native/** | |
| tags: | |
| - v* | |
| branches-ignore: | |
| - crowdin-* | |
| pull_request: | |
| paths: | |
| - .github/workflows/native.yaml | |
| - native/** | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| clippy: | |
| name: Clippy (${{ matrix.os }}, ${{ matrix.portable && 'portable' || 'normal' }}) | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| contents: read | |
| defaults: | |
| run: | |
| working-directory: native | |
| shell: bash | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: ubuntu-latest | |
| - os: windows-latest | |
| - os: windows-latest | |
| flags: --features portable | |
| portable: true | |
| - os: macos-latest | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - name: Configure Rust and Clippy | |
| uses: actions-rust-lang/setup-rust-toolchain@fb51252c7ba57d633bc668f941da052e410add48 # v1.13.0 | |
| with: | |
| toolchain: stable | |
| components: clippy | |
| cache: false | |
| rustflags: '' | |
| - name: Configure cache | |
| uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 | |
| with: | |
| workspaces: native | |
| cache-on-failure: true | |
| cache-all-crates: true | |
| key: ${{ matrix.portable == true }} | |
| - name: Run Clippy | |
| run: cargo clippy --all-targets ${{ matrix.flags }} -- -D warnings | |
| rustfmt: | |
| name: Rustfmt | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| defaults: | |
| run: | |
| working-directory: native | |
| shell: bash | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - name: Configure Rust and Rustfmt | |
| uses: actions-rust-lang/setup-rust-toolchain@fb51252c7ba57d633bc668f941da052e410add48 # v1.13.0 | |
| with: | |
| toolchain: nightly | |
| components: rustfmt | |
| cache: false | |
| rustflags: '' | |
| - name: Configure cache | |
| uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 | |
| with: | |
| workspaces: native | |
| cache-on-failure: true | |
| cache-all-crates: true | |
| - name: Run Rustfmt | |
| run: cargo fmt --all -- --check | |
| build: | |
| name: Build (${{ matrix.target }}, ${{ matrix.portable && 'portable' || 'normal' }}) | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| actions: read | |
| contents: read | |
| attestations: write | |
| id-token: write | |
| defaults: | |
| run: | |
| working-directory: native | |
| shell: bash | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| # Normal builds for Linux | |
| - os: ubuntu-latest | |
| target: x86_64-unknown-linux-gnu | |
| flags: --features static | |
| - os: ubuntu-latest | |
| target: i686-unknown-linux-gnu | |
| flags: --features static | |
| - os: ubuntu-latest | |
| target: aarch64-unknown-linux-gnu | |
| flags: --features static | |
| - os: ubuntu-latest | |
| target: armv7-unknown-linux-gnueabihf | |
| flags: --features static | |
| # Normal builds for Windows | |
| - os: windows-latest | |
| target: x86_64-pc-windows-msvc | |
| - os: windows-latest | |
| target: i686-pc-windows-msvc | |
| # Portable builds for Windows | |
| - os: windows-latest | |
| target: x86_64-pc-windows-msvc | |
| flags: --features portable | |
| portable: true | |
| steps: | |
| # == Setting Environment | |
| - name: Harden runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - name: Configure Rust | |
| uses: actions-rust-lang/setup-rust-toolchain@fb51252c7ba57d633bc668f941da052e410add48 # v1.13.0 | |
| with: | |
| toolchain: stable | |
| target: ${{ matrix.target }} | |
| cache: false | |
| rustflags: '' | |
| - name: Configure cache | |
| uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 | |
| with: | |
| workspaces: | | |
| native | |
| native/packages/paf/PWAsForFirefoxHelpers | |
| cache-on-failure: true | |
| cache-all-crates: true | |
| key: ${{ matrix.target }}-${{ matrix.portable == true }} | |
| # == Setting Dependencies | |
| - name: Install cross (Linux) | |
| if: matrix.os == 'ubuntu-latest' | |
| run: | | |
| # Use cross 0.2.4 for now because newer versions require too new glibc versions | |
| # In the future, we should update cross and configure zig to link to older glibc | |
| cargo install cross --git https://github.com/cross-rs/cross.git --rev 4645d937bdae6952d9df38eff3ecb91fd719c3bd | |
| - name: Install Cargo DEB (Linux) | |
| if: matrix.os == 'ubuntu-latest' | |
| run: | | |
| cargo install cargo-deb --git https://github.com/kornelski/cargo-deb.git --rev 7e66d7f6162cc1cc2349c2abfb6258bf43eb6aa5 | |
| - name: Install Cargo RPM (Linux) | |
| if: matrix.os == 'ubuntu-latest' | |
| run: | | |
| cargo install cargo-rpm --git https://github.com/filips123/cargo-rpm.git --rev cf5e33de8e8dbb80103f81afc8a2bcd471ef6d31 | |
| - name: Install Cargo WiX (Windows) | |
| if: matrix.os == 'windows-latest' && matrix.portable != true | |
| run: | | |
| echo "${WIX}bin" >> $GITHUB_PATH | |
| cargo install cargo-wix --git https://github.com/volks73/cargo-wix.git --rev 032be8310f9aa9684e9524db54632792a9d85e28 | |
| - name: Install PortableApps.com (Windows) | |
| if: matrix.os == 'windows-latest' && matrix.portable == true | |
| run: | | |
| mkdir $TEMP/PortableAppsLauncher && cd $TEMP/PortableAppsLauncher | |
| curl -L "https://github.com/filips123/PortableAppsTools/releases/download/PortableAppsLauncher/2.2.9/PortableAppsLauncher.paf.exe" -o PortableAppsLauncher.paf.exe | |
| 7z x -y PortableAppsLauncher.paf.exe | |
| echo $TEMP/PortableAppsLauncher >> $GITHUB_PATH | |
| mkdir $TEMP/PortableAppsInstaller && cd $TEMP/PortableAppsInstaller | |
| curl -L "https://github.com/filips123/PortableAppsTools/releases/download/PortableAppsInstaller/3.8.12/PortableAppsInstaller.paf.exe" -o PortableAppsInstaller.paf.exe | |
| 7z x -y PortableAppsInstaller.paf.exe | |
| echo $TEMP/PortableAppsInstaller >> $GITHUB_PATH | |
| # == Building Project | |
| - name: Configure Linux builds | |
| if: matrix.os == 'ubuntu-latest' | |
| run: | | |
| # Replace completions paths with the correct paths for cross-compilation | |
| sed -i 's/..\/target\/release\/completions\//..\/target\/${{ matrix.target }}\/release\/completions\//g' Cargo.toml | |
| # Pin cross images to 0.2.4 as newer versions require too new glibc versions | |
| printf '[target.x86_64-unknown-linux-gnu]\nimage = "ghcr.io/cross-rs/x86_64-unknown-linux-gnu:0.2.4"\n\n' >> Cross.toml | |
| printf '[target.i686-unknown-linux-gnu]\nimage = "ghcr.io/cross-rs/i686-unknown-linux-gnu:0.2.4"\n\n' >> Cross.toml | |
| printf '[target.aarch64-unknown-linux-gnu]\nimage = "ghcr.io/cross-rs/aarch64-unknown-linux-gnu:0.2.4"\n\n' >> Cross.toml | |
| printf '[target.armv7-unknown-linux-gnueabihf]\nimage = "ghcr.io/cross-rs/armv7-unknown-linux-gnueabihf:0.2.4"\n\n' >> Cross.toml | |
| # Manually specify minimum libc6 version as cargo-deb cannot determine it correctly when using cross | |
| sed -i '/\[package.metadata.deb\]/a depends = "libc6 (>= 2.18)"' Cargo.toml | |
| # Configure binutils for ARM targets | |
| if [[ ${{ matrix.target }} == aarch64-* ]] || [[ ${{ matrix.target }} == armv7-* ]] | |
| then | |
| sudo apt-get update | |
| sudo apt-get install binutils-aarch64-linux-gnu binutils-arm-linux-gnueabihf | |
| mkdir -p .cargo && touch .cargo/config | |
| printf '[target.aarch64-unknown-linux-gnu]\nstrip = { path = "aarch64-linux-gnu-strip" }\nobjcopy = { path = "aarch64-linux-gnu-objcopy" }\n\n' >> .cargo/config | |
| printf '[target.armv7-unknown-linux-gnueabihf]\nstrip = { path = "arm-linux-gnueabihf-strip" }\nobjcopy = { path = "arm-linux-gnueabihf-objcopy" }\n' >> .cargo/config | |
| fi | |
| - name: Determine the target architecture | |
| id: target | |
| env: | |
| TARGET: ${{ matrix.target }} | |
| run: echo "target=${TARGET%%-*}" >> $GITHUB_OUTPUT | |
| - name: Set the version | |
| run: | | |
| if [[ $GITHUB_REF == refs/tags/v* ]] | |
| then | |
| VERSION=${GITHUB_REF/refs\/tags\/v} | |
| echo "VERSION=$VERSION" >> $GITHUB_ENV | |
| sed -i "s/version = \"0.0.0\"/version = \"$VERSION\"/g" Cargo.toml | |
| sed -i "s/DISTRIBUTION_VERSION = '0.0.0'/DISTRIBUTION_VERSION = '$VERSION'/g" userchrome/profile/chrome/pwa/chrome.sys.mjs | |
| else | |
| echo "VERSION=0.0.0" >> $GITHUB_ENV | |
| fi | |
| - name: Build the project | |
| run: | | |
| [[ ${{ matrix.os }} == ubuntu-latest ]] && CARGO="cross" || CARGO="cargo" | |
| $CARGO build --release --target ${{ matrix.target }} ${{ matrix.flags }} | |
| # == Packaging Shell Completions | |
| - name: Package shell completions | |
| if: matrix.target == 'x86_64-unknown-linux-gnu' | |
| run: | | |
| zip -rj target/completions.zip target/x86_64-unknown-linux-gnu/release/completions/* | |
| - name: Upload shell completions | |
| if: matrix.target == 'x86_64-unknown-linux-gnu' | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: build-artifacts-shell-completions | |
| path: native/target/completions.zip | |
| compression-level: 0 | |
| # == Packaging Linux DEB | |
| - name: Package DEB (Linux) | |
| if: matrix.os == 'ubuntu-latest' | |
| run: | | |
| cargo deb --verbose --no-build --target ${{ matrix.target }} | |
| mkdir -p target/debian/ && cp -r target/${{ matrix.target }}/debian/*.deb target/debian/ | |
| - name: Upload DEB (Linux) | |
| if: matrix.os == 'ubuntu-latest' | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: unsigned-artifacts-linux-deb-${{ steps.target.outputs.target }} | |
| path: native/target/debian/*.deb | |
| compression-level: 0 | |
| # == Packaging Linux RPM | |
| - name: Package RPM (Linux) | |
| if: matrix.os == 'ubuntu-latest' | |
| run: | | |
| cargo rpm build --verbose --no-cargo-build --target ${{ matrix.target }} | |
| - name: Upload RPM (Linux) | |
| if: matrix.os == 'ubuntu-latest' | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: unsigned-artifacts-linux-rpm-${{ steps.target.outputs.target }} | |
| path: native/target/rpm/*.rpm | |
| compression-level: 0 | |
| # == Packaging Windows MSI | |
| - name: Upload unsigned executables (Windows, MSI) | |
| id: unsigned-executables-normal | |
| if: matrix.os == 'windows-latest' && matrix.portable != true && startsWith(github.ref, 'refs/tags/v') | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: unsigned-executables-normal-${{ steps.target.outputs.target }} | |
| path: native/target/${{ matrix.target }}/release/*.exe | |
| - name: Sign executables with SignPath (Windows, MSI) | |
| if: matrix.os == 'windows-latest' && matrix.portable != true && startsWith(github.ref, 'refs/tags/v') | |
| uses: signpath/github-action-submit-signing-request@4f13d373e8f0cd8d3c0465ff4877feff27aed2ae # v1.2 | |
| with: | |
| api-token: ${{ secrets.SIGNPATH_TOKEN }} | |
| organization-id: ${{ vars.SIGNPATH_ORGANIZATION_ID }} | |
| project-slug: ${{ vars.SIGNPATH_PROJECT_SLUG }} | |
| signing-policy-slug: ${{ vars.SIGNPATH_POLICY_SLUG }} | |
| github-artifact-id: ${{ steps.unsigned-executables-normal.outputs.artifact-id }} | |
| artifact-configuration-slug: installer-contents | |
| output-artifact-directory: native/target/${{ matrix.target }}/release | |
| - name: Package MSI (Windows, MSI) | |
| if: matrix.os == 'windows-latest' && matrix.portable != true | |
| run: | | |
| heat dir userchrome -o packages/wix/userchrome.wxs -scom -srd -sreg -gg -cg UserChrome -dr UserChromeDir -var wix.UserChromeSource | |
| cargo wix --verbose --no-build --nocapture --target ${{ matrix.target }} | |
| - name: Upload unsigned MSI (Windows, MSI) | |
| id: artifact-unsigned-msi | |
| if: matrix.os == 'windows-latest' && matrix.portable != true | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: unsigned-artifacts-windows-msi-${{ steps.target.outputs.target }} | |
| path: native/target/wix/*.msi | |
| compression-level: 0 | |
| - name: Sign MSI with SignPath (Windows, MSI) | |
| if: matrix.os == 'windows-latest' && matrix.portable != true && startsWith(github.ref, 'refs/tags/v') | |
| uses: signpath/github-action-submit-signing-request@4f13d373e8f0cd8d3c0465ff4877feff27aed2ae # v1.2 | |
| with: | |
| api-token: ${{ secrets.SIGNPATH_TOKEN }} | |
| organization-id: ${{ vars.SIGNPATH_ORGANIZATION_ID }} | |
| project-slug: ${{ vars.SIGNPATH_PROJECT_SLUG }} | |
| signing-policy-slug: ${{ vars.SIGNPATH_POLICY_SLUG }} | |
| github-artifact-id: ${{ steps.artifact-unsigned-msi.outputs.artifact-id }} | |
| artifact-configuration-slug: installer | |
| output-artifact-directory: signed/msi | |
| - name: Upload signed MSI (Windows, MSI) | |
| if: matrix.os == 'windows-latest' && matrix.portable != true && startsWith(github.ref, 'refs/tags/v') | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: build-artifacts-windows-msi-${{ steps.target.outputs.target }} | |
| path: signed/msi/*.msi | |
| compression-level: 0 | |
| # == Packaging Windows PAF | |
| - name: Prepare portable package (Windows, PAF) | |
| if: matrix.os == 'windows-latest' && matrix.portable == true | |
| run: | | |
| # Build helper executables | |
| echo "::group::Building helpers" | |
| (cd packages/paf/PWAsForFirefoxHelpers && cargo build --release --target ${{ matrix.target }}) | |
| echo "::endgroup::" | |
| # Copy files to the portable app package | |
| echo "::group::Copying files to the package" | |
| mkdir -p packages/paf/PWAsForFirefoxPortable/App/PWAsForFirefox/ | |
| cp target/${{ matrix.target }}/release/firefoxpwa.exe packages/paf/PWAsForFirefoxPortable/App/PWAsForFirefox/ | |
| cp target/${{ matrix.target }}/release/firefoxpwa-connector.exe packages/paf/PWAsForFirefoxPortable/App/PWAsForFirefox/ | |
| cp packages/paf/PWAsForFirefoxHelpers/target/${{ matrix.target }}/release/firefoxpwa-background.exe packages/paf/PWAsForFirefoxPortable/App/PWAsForFirefox/ | |
| cp manifests/windows.json packages/paf/PWAsForFirefoxPortable/App/PWAsForFirefox/firefoxpwa.json | |
| cp -r userchrome/ packages/paf/PWAsForFirefoxPortable/App/PWAsForFirefox/ | |
| echo "::endgroup::" | |
| # Set the package version | |
| echo "::group::Setting the package versions" | |
| if [[ $VERSION != 0.0.0 ]] | |
| then | |
| sed -i "s/PackageVersion=0.0.0.0/PackageVersion=$VERSION.0/g" packages/paf/PWAsForFirefoxPortable/App/AppInfo/appinfo.ini | |
| sed -i "s/DisplayVersion=0.0.0/DisplayVersion=$VERSION/g" packages/paf/PWAsForFirefoxPortable/App/AppInfo/appinfo.ini | |
| fi | |
| echo "::endgroup::" | |
| # Generate the launcher | |
| echo "::group::Generating the launcher" | |
| (cd packages/paf && PortableApps.comLauncherGenerator.exe $(cygpath -d $(realpath PWAsForFirefoxPortable))) | |
| echo "::endgroup::" | |
| - name: Upload unsigned executables (Windows, PAF) | |
| id: unsigned-executables-portable | |
| if: matrix.os == 'windows-latest' && matrix.portable == true && startsWith(github.ref, 'refs/tags/v') | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: unsigned-executables-portable-${{ steps.target.outputs.target }} | |
| path: native/packages/paf/PWAsForFirefoxPortable | |
| - name: Sign executables with SignPath (Windows, PAF) | |
| if: matrix.os == 'windows-latest' && matrix.portable == true && startsWith(github.ref, 'refs/tags/v') | |
| uses: signpath/github-action-submit-signing-request@4f13d373e8f0cd8d3c0465ff4877feff27aed2ae # v1.2 | |
| with: | |
| api-token: ${{ secrets.SIGNPATH_TOKEN }} | |
| organization-id: ${{ vars.SIGNPATH_ORGANIZATION_ID }} | |
| project-slug: ${{ vars.SIGNPATH_PROJECT_SLUG }} | |
| signing-policy-slug: ${{ vars.SIGNPATH_POLICY_SLUG }} | |
| github-artifact-id: ${{ steps.unsigned-executables-portable.outputs.artifact-id }} | |
| artifact-configuration-slug: portable-contents | |
| output-artifact-directory: native/packages/paf/PWAsForFirefoxPortable | |
| - name: Generate portable package (Windows, PAF) | |
| if: matrix.os == 'windows-latest' && matrix.portable == true | |
| run: | | |
| # Generate the installer | |
| echo "::group::Generating the launcher" | |
| (cd packages/paf && PortableApps.comInstaller.exe $(cygpath -d $(realpath PWAsForFirefoxPortable))) | |
| echo "::endgroup::" | |
| # Rename the installer | |
| echo "::group::Renaming the installer" | |
| mkdir -p target/paf/ | |
| mv packages/paf/PWAsForFirefoxPortable_*.paf.exe target/paf/firefoxpwa_${VERSION}_online.paf.exe | |
| echo "::endgroup::" | |
| - name: Upload unsigned PAF (Windows, PAF) | |
| id: artifact-unsigned-paf | |
| if: matrix.os == 'windows-latest' && matrix.portable == true | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: unsigned-artifacts-windows-paf-${{ steps.target.outputs.target }} | |
| path: native/target/paf/*.paf.exe | |
| compression-level: 0 | |
| - name: Sign PAF with SignPath (Windows, PAF) | |
| if: matrix.os == 'windows-latest' && matrix.portable == true && startsWith(github.ref, 'refs/tags/v') | |
| uses: signpath/github-action-submit-signing-request@4f13d373e8f0cd8d3c0465ff4877feff27aed2ae # v1.2 | |
| with: | |
| api-token: ${{ secrets.SIGNPATH_TOKEN }} | |
| organization-id: ${{ vars.SIGNPATH_ORGANIZATION_ID }} | |
| project-slug: ${{ vars.SIGNPATH_PROJECT_SLUG }} | |
| signing-policy-slug: ${{ vars.SIGNPATH_POLICY_SLUG }} | |
| github-artifact-id: ${{ steps.artifact-unsigned-paf.outputs.artifact-id }} | |
| artifact-configuration-slug: portable | |
| output-artifact-directory: signed/paf | |
| - name: Upload signed PAF (Windows, PAF) | |
| if: matrix.os == 'windows-latest' && matrix.portable == true && startsWith(github.ref, 'refs/tags/v') | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: build-artifacts-windows-paf-${{ steps.target.outputs.target }} | |
| path: signed/paf/*.paf.exe | |
| compression-level: 0 | |
| # == Build Provenance | |
| - name: Attest artifacts | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 | |
| with: | |
| subject-path: | | |
| native/target/completions.zip | |
| native/target/debian/*.deb | |
| native/target/rpm/*.rpm | |
| native/target/wix/*.msi | |
| native/target/paf/*.paf.exe | |
| signed/msi/*.msi | |
| signed/paf/*.paf.exe | |
| sign: | |
| name: Sign Linux packages | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| attestations: write | |
| id-token: write | |
| needs: | |
| - build | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install gnupg debsigs rpm | |
| - name: Download artifacts | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| pattern: unsigned-artifacts-linux-* | |
| path: artifacts | |
| merge-multiple: true | |
| - name: Import GPG key | |
| run: echo "${{ secrets.PACKAGES_KEY_PRIVATE }}" | gpg --import --batch | |
| - name: Prepare RPM macros | |
| run: | | |
| echo "%_gpg_name ${{ vars.PACKAGES_KEY_NAME }}" >> ~/.rpmmacros | |
| echo "%__gpg /usr/bin/gpg" >> ~/.rpmmacros | |
| - name: Sign DEB packages | |
| run: | | |
| for file in artifacts/*.deb | |
| do | |
| echo "Signing $file" | |
| debsigs --sign=origin --default-key="${{ vars.PACKAGES_KEY_ID }}" "$file" | |
| done | |
| - name: Sign RPM packages | |
| run: | | |
| for file in artifacts/*.rpm | |
| do | |
| echo "Signing $file" | |
| rpm --addsign "$file" | |
| done | |
| - name: Upload signed DEB packages | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: build-artifacts-linux-deb | |
| path: artifacts/*.deb | |
| compression-level: 0 | |
| - name: Upload signed RPM packages | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: build-artifacts-linux-rpm | |
| path: artifacts/*.rpm | |
| compression-level: 0 | |
| - name: Attest artifacts | |
| uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 | |
| with: | |
| subject-path: | | |
| artifacts/*.deb | |
| artifacts/*.rpm | |
| release-github: | |
| name: Release on GitHub | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: write | |
| needs: | |
| - clippy | |
| - rustfmt | |
| - build | |
| - sign | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - name: Download artifacts | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| pattern: build-artifacts-* | |
| path: artifacts | |
| merge-multiple: true | |
| - name: Upload artifacts to GitHub Release | |
| uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2 | |
| with: | |
| fail_on_unmatched_files: true | |
| files: | | |
| artifacts/completions.zip | |
| artifacts/*.deb | |
| artifacts/*.rpm | |
| artifacts/*.msi | |
| artifacts/*.paf.exe | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| release-packagecloud: | |
| name: Release on packagecloud.io | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| needs: | |
| - clippy | |
| - rustfmt | |
| - build | |
| - sign | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - name: Download artifacts | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| pattern: build-artifacts-linux-* | |
| path: artifacts | |
| merge-multiple: true | |
| - name: Install packagecloud.io CLI | |
| run: sudo gem install package_cloud | |
| - name: Upload artifacts to packagecloud.io repositories | |
| env: | |
| PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }} | |
| run: | | |
| package_cloud push filips/FirefoxPWA/any/any artifacts/*.deb | |
| package_cloud push filips/FirefoxPWA/rpm_any/rpm_any artifacts/*.rpm | |
| release-gentoo: | |
| name: Release on Gentoo GURU | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| runs-on: ubuntu-latest | |
| container: ghcr.io/filips123/gentoo-pycargoebuild | |
| permissions: | |
| contents: write | |
| attestations: write | |
| id-token: write | |
| needs: | |
| - release-github | |
| steps: | |
| # == Setting Environment | |
| - name: Harden runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout project repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - name: Checkout GURU repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| repository: gentoo/guru | |
| path: tmp/guru | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Configure cache | |
| run: echo "CACHE_ID=$(date --utc '+%Y-%V')" >> $GITHUB_ENV | |
| - name: Configure cache | |
| uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 | |
| with: | |
| path: /var/cache/distfiles | |
| key: gentoo-distfiles-${{ env.CACHE_ID }} | |
| restore-keys: gentoo-distfiles- | |
| - name: Import GPG key | |
| run: echo "${{ secrets.GENTOO_KEY_PRIVATE }}" | gpg --import --batch | |
| - name: Prepare Git user | |
| working-directory: tmp/guru | |
| run: | | |
| git config --local user.name "${{ vars.GENTOO_USERNAME }}" | |
| git config --local user.email "${{ vars.GENTOO_EMAIL }}" | |
| git config --local user.signingkey "${{ vars.GENTOO_KEY_ID }}" | |
| - name: Prepare Git settings | |
| working-directory: tmp/guru | |
| run: | | |
| git config --local pull.ff only | |
| git config --local pull.rebase merges | |
| git config --local commit.gpgsign 1 | |
| git remote set-head origin master | |
| - name: Set the version | |
| run: | | |
| VERSION=${GITHUB_REF/refs\/tags\/v} | |
| echo "VERSION=$VERSION" >> $GITHUB_ENV | |
| # == Generating New Package | |
| - name: Generate package ebuild | |
| working-directory: tmp/guru/www-plugins/firefoxpwa | |
| run: | | |
| cp "$GITHUB_WORKSPACE/native/packages/gentoo/firefoxpwa.ebuild" "firefoxpwa-$VERSION.ebuild" | |
| pycargoebuild -i "firefoxpwa-$VERSION.ebuild" -c "$GITHUB_WORKSPACE/native" | |
| - name: Attest crates tarball | |
| uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 | |
| with: | |
| subject-path: /var/cache/distfiles/firefoxpwa-*-crates.tar.xz | |
| - name: Upload crates tarball to GitHub Release | |
| uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2 | |
| with: | |
| fail_on_unmatched_files: true | |
| files: /var/cache/distfiles/firefoxpwa-*-crates.tar.xz | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Update package manifest | |
| working-directory: tmp/guru/www-plugins/firefoxpwa | |
| run: ebuild "firefoxpwa-$VERSION.ebuild" manifest | |
| - name: Commit package changes | |
| working-directory: tmp/guru/www-plugins/firefoxpwa | |
| run: | | |
| git add -A | |
| pkgdev commit --signoff | |
| # == Removing Old Packages | |
| - name: Remove old ebuilds | |
| id: remove-old-ebuilds | |
| working-directory: tmp/guru/www-plugins/firefoxpwa | |
| run: | | |
| # Set the number of ebuilds to keep | |
| PRESERVE=3 | |
| # Collect all ebuild files | |
| files=(firefoxpwa-*.ebuild) | |
| # Skip if there are not enough ebuilds | |
| if [ "${#files[@]}" -le "$PRESERVE" ] | |
| then | |
| echo "No old ebuilds to remove" | |
| echo "removed=false" >> $GITHUB_OUTPUT | |
| exit 0 | |
| fi | |
| # Get the time the ebuilds were created | |
| timestamped="" | |
| for file in "${files[@]}" | |
| do | |
| timestamp=$(git log --diff-filter=A --format=%at -1 -- "$file" 2> /dev/null || echo 0) | |
| timestamped+="$timestamp $file"$'\n' | |
| done | |
| timestamped=$(echo "$timestamped" | sed '/^$/d') | |
| # Sort the ebuilds by time | |
| mapfile -t sorted < <(echo "$timestamped" | sort -n | awk '{print $2}') | |
| # Remove all but the last few ebuilds | |
| dropped=$((${#sorted[@]} - PRESERVE)) | |
| for file in "${sorted[@]:0:$dropped}" | |
| do | |
| echo "Removing $file" | |
| rm "$file" | |
| done | |
| # Mark the ebuilds as removed | |
| echo "removed=true" >> $GITHUB_OUTPUT | |
| - name: Update package manifest | |
| if: steps.remove-old-ebuilds.outputs.removed == 'true' | |
| working-directory: tmp/guru/www-plugins/firefoxpwa | |
| run: pkgdev manifest | |
| - name: Commit package changes | |
| if: steps.remove-old-ebuilds.outputs.removed == 'true' | |
| working-directory: tmp/guru/www-plugins/firefoxpwa | |
| run: | | |
| git add -A | |
| pkgdev commit --signoff | |
| # == Pushing Changes | |
| - name: Scan package changes | |
| working-directory: tmp/guru/www-plugins/firefoxpwa | |
| run: pkgcheck scan --net --commits | |
| - name: Push package changes | |
| uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 | |
| with: | |
| token: ${{ secrets.GH_TOKEN }} | |
| push-to-fork: filips123/gentoo-guru | |
| path: tmp/guru | |
| branch: "add-firefoxpwa-${{ env.VERSION }}" | |
| title: "www-plugins/firefoxpwa: add ${{ env.VERSION }}" | |
| body: "" | |
| # == Cleanup | |
| - name: Cleanup crates tarball | |
| if: always() | |
| run: rm -f /var/cache/distfiles/firefoxpwa-*-crates.tar.xz || true | |
| release-winget: | |
| name: Release on Windows Package Manager | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| runs-on: windows-latest | |
| permissions: | |
| contents: read | |
| needs: | |
| - release-github | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - name: Install winget-create | |
| shell: powershell | |
| run: iwr https://aka.ms/wingetcreate/latest -OutFile wingetcreate.exe | |
| - name: Prepare Git user | |
| run: | | |
| git config --global user.name "${{ vars.WINGET_USERNAME }}" | |
| git config --global user.email "${{ vars.WINGET_EMAIL }}" | |
| - name: Update and release package manifest | |
| run: | | |
| VERSION=${GITHUB_REF/refs\/tags\/v} | |
| INSTALLER_64BIT="https://github.com/filips123/PWAsForFirefox/releases/download/v$VERSION/firefoxpwa-$VERSION-x86_64.msi" | |
| INSTALLER_32BIT="https://github.com/filips123/PWAsForFirefox/releases/download/v$VERSION/firefoxpwa-$VERSION-x86.msi" | |
| ./wingetcreate.exe update -s filips.FirefoxPWA -u $INSTALLER_64BIT $INSTALLER_32BIT -v $VERSION -t ${{ secrets.GH_TOKEN }} | |
| release-chocolatey: | |
| name: Release on Chocolatey | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| runs-on: windows-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| needs: | |
| - release-github | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - name: Download artifacts | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| pattern: build-artifacts-windows-msi-* | |
| path: artifacts | |
| merge-multiple: true | |
| - name: Calculate version and installer checksums | |
| run: | | |
| echo "::group::Copying installers to the package" | |
| cp -R artifacts/*.msi native/packages/choco/tools/ | |
| echo "::endgroup::" | |
| echo "::group::Setting the package version" | |
| VERSION=${GITHUB_REF/refs\/tags\/v} | |
| sed -i "s/{{PackageVersion}}/$VERSION/g" native/packages/choco/firefoxpwa.nuspec | |
| echo "::endgroup::" | |
| echo "::group::Updating installer checksums" | |
| cd native/packages/choco/tools/ | |
| echo "$(sha256sum *.msi --tag)" >> ../legal/VERIFICATION.txt | |
| echo "::endgroup::" | |
| - name: Prepare Chocolatey package | |
| run: | | |
| cd native/packages/choco/ | |
| choco pack | |
| - name: Release Chocolatey package | |
| run: choco push native/packages/choco/*.nupkg --source https://push.chocolatey.org/ --key ${{secrets.CHOCO_TOKEN}} |