set up release pipeline

Author: dumbmoron

.github/check-needs-release.js

@@ -0,0 +1,24 @@
+#!/usr/bin/env node
+
+const getLatestRelease = async (repo) => {
+    const response = await fetch('https://api.github.com/repos/' + repo + '/releases');
+    if (!response.ok) throw "response is not ok";
+
+    const data = await response.json();
+    if (!Array.isArray(data)) throw "invalid data";
+
+    return data.find(r => !r.draft && !r.prerelease);
+}
+
+const checkNewRelease = async () => {
+    const ublock_release = await getLatestRelease('gorhill/uBlock');
+    const our_release = await getLatestRelease(process.env.GITHUB_REPOSITORY || 'dumbmoron/ublock-origin-crx');
+
+    const needs_release = !our_release || new Date(ublock_release.created_at) > new Date(our_release.created_at);
+    const sources = ublock_release.assets.find(a => a.name.endsWith('chromium.zip'));
+    if (needs_release && sources) {
+        console.log('TAG_NAME=' + ublock_release.tag_name);
+    }
+}
+
+checkNewRelease();

.github/generate-updatexml.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+echo "<?xml version='1.0' encoding='UTF-8'?>"
+echo "<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>"
+echo "  <app appid='$APP_ID'>"
+echo "    <updatecheck codebase='$DOWNLOAD_URL' version='$VERSION' />"
+echo "  </app>"
+echo "</gupdate>"

.github/make-release-body.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+echo "Upstream release: https://github.com/gorhill/uBlock/releases/tag/$TAG"
+echo
+echo "Hashes:"
+echo '```'
+sha256sum *.crx
+echo '```'

.github/patch-update-url.js

@@ -0,0 +1,9 @@
+import * as fs from 'fs';
+
+const data = JSON.parse(fs.readFileSync(process.argv[2]));
+
+data.update_url = 'https://raw.githubusercontent.com/'
+    + (process.env.GITHUB_REPOSITORY || 'dumbmoron/ublock-origin-crx')
+    + '/refs/heads/main/update.xml';
+
+fs.writeFileSync(process.argv[2], JSON.stringify(data, null, 2));

.github/workflows/build-release.yml

@@ -0,0 +1,87 @@
+name: Build release
+permissions:
+  id-token: write
+  attestations: write
+  contents: write
+
+on:
+  workflow_dispatch:
+    inputs:
+      release-tag:
+        required: true
+        description: "Upstream release tag"
+        type: string
+
+  workflow_call:
+    inputs:
+      release-tag:
+        required: true
+        type: string
+
+jobs:
+  prep:
+    runs-on: ubuntu-latest
+    env:
+      TAG: ${{ inputs.release-tag }}
+      OUT_FILENAME: "uBlock0_${{ inputs.release-tag }}.crx"
+      DIST_DIR: "./uBlock/dist/build/uBlock0.chromium"
+    steps:
+      - name: Checkout ublock-origin-crx
+        uses: actions/checkout@v4
+      - name: Checkout uBlock
+        uses: actions/checkout@v4
+        with:
+          repository: gorhill/uBlock
+          ref: ${{ inputs.release-tag }}
+          path: uBlock
+      - uses: pnpm/action-setup@v4
+      - run: pnpm i --frozen-lockfile
+      - name: Build uBlock Origin sources
+        run: cd uBlock && make chromium
+      - name: Patch update URL
+        run: node .github/patch-update-url.js "$DIST_DIR/manifest.json"
+      - name: Build .crx
+        env:
+          CRX3_PRIVATE_KEY: ${{ secrets.CRX3_PRIVATE_KEY }}
+        run: |
+          echo "$CRX3_PRIVATE_KEY" \
+          | pnpm exec crx3 \
+            -p /dev/stdin \
+            -o "$OUT_FILENAME" \
+            "$DIST_DIR/"
+      - name: Get extension ID
+        id: crxid
+        run: |
+          echo -en "crx_id=" >> $GITHUB_OUTPUT
+          pnpm exec crx3-info < "$OUT_FILENAME" \
+          | grep ^id \
+          | sed 's/.* //' >> $GITHUB_OUTPUT
+      - name: Attest
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: ${{ env.OUT_FILENAME }}
+      - name: Make release body
+        run: ./.github/make-release-body.sh > release.md
+      - name: Release
+        uses: softprops/action-gh-release@4634c16e79c963813287e889244c50009e7f0981
+        id: release
+        with:
+          body_path: ./release.md
+          draft: false
+          prerelease: false
+          files: ${{ env.OUT_FILENAME }}
+          name: ${{ inputs.release-tag }}
+          tag_name: ${{ inputs.release-tag }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Update update.xml
+        env:
+          APP_ID: ${{ steps.crxid.outputs.crx_id }}
+          DOWNLOAD_URL: ${{ fromJSON(steps.release.outputs.assets)[0].browser_download_url }}
+          VERSION: ${{ inputs.release-tag }}
+        run: |
+          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --local user.name "github-actions[bot]"
+          ./.github/generate-updatexml.sh > update.xml
+          git add update.xml
+          git commit -m 'update.xml: refresh'
+          git push

.github/workflows/check-need-release.yml

@@ -0,0 +1,27 @@
+name: Check for new upstream release
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    outputs:
+      TAG_NAME: ${{ steps.needs-release.outputs.TAG_NAME }}
+    steps:
+      - name: Checkout ublock-origin-crx
+        uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 20
+      - run: ./.github/check-needs-release.js | tee -a "$GITHUB_OUTPUT"
+        id: needs-release
+  build:
+    needs: check
+    if: needs.check.outputs.TAG_NAME
+    uses: ./.github/workflows/build-release.yml
+    secrets: inherit
+    with:
+      release-tag: ${{ needs.check.outputs.TAG_NAME }}

.gitignore

@@ -0,0 +1 @@
+node_modules

package.json

@@ -0,0 +1,17 @@
+{
+  "name": "ublock-origin-crx",
+  "type": "module",
+  "version": "1.0.0",
+  "description": "",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "packageManager": "[email protected]",
+  "author": "jj <[email protected]>",
+  "license": "GPL-3.0",
+  "devDependencies": {
+    "crx3": "^1.1.3",
+    "crx3-utils": "^0.0.3"
+  }
+}