From 3e8c19969f451715ccae67a42909ec6e54df733e Mon Sep 17 00:00:00 2001
From: Ben
Date: Sun, 14 Jun 2026 20:17:45 +0000
Subject: [PATCH 1/2] Fix winget publish

---
 .github/workflows/winget-publish.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/winget-publish.yml b/.github/workflows/winget-publish.yml
index 70e5194c..e8c528e0 100644
--- a/.github/workflows/winget-publish.yml
+++ b/.github/workflows/winget-publish.yml
@@ -31,6 +31,7 @@ jobs:
 api.github.com:443
 release-assets.githubusercontent.com:443
 uploads.github.com:443
+ index.crates.io:443
 
 - name: Publish to WinGet
 # Requires WINGET_TOKEN secret in the 'winget' environment.
From 5a754c8ffd0b436dd837945a21f3740099356d80 Mon Sep 17 00:00:00 2001
From: Ben
Date: Sun, 14 Jun 2026 20:31:44 +0000
Subject: [PATCH 2/2] Add test for winget

---
 .github/workflows/winget-publish.yml | 54 -------------
 .github/workflows/winget.yml | 117 +++++++++++++++++++++++++++
 2 files changed, 117 insertions(+), 54 deletions(-)
 delete mode 100644 .github/workflows/winget-publish.yml
 create mode 100644 .github/workflows/winget.yml

diff --git a/.github/workflows/winget-publish.yml b/.github/workflows/winget-publish.yml
deleted file mode 100644
index e8c528e0..00000000
--- a/.github/workflows/winget-publish.yml
+++ /dev/null
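Review bot: The new `index.crates.io:443` entry in the allowed-endpoints list carries no comment saying which step needs it, and because a `#` inside the `>+` block scalar would become part of the value, the explanation has to sit above the `allowed-endpoints:` key, e.g. `# index.crates.io: presumably needed by the winget-releaser step — confirm against the harden-runner egress report`. If the reason is a cargo-driven install of komac, crate tarballs themselves are served from `static.crates.io`, which is not in this list, so a blocked run's egress report is worth checking for a second missing host. The `steps:` block this list belongs to starts outside the hunk. Patch 2/2 deletes this file and carries the same list into `.github/workflows/winget.yml`, where the same comment is also missing.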
@@ -1,54 +0,0 @@
-name: Publish to WinGet
-
-on:
- release:
- types: [published]
-
-permissions:
- contents: read
-
-jobs:
- publish:
- name: Publish to WinGet
- # Only publish versioned releases — skip the rolling 'latest' tag on main
- if: github.event.release.tag_name != 'latest'
- runs-on: ubuntu-latest
- concurrency:
- group: winget-publish-${{ github.event.release.tag_name }}
- cancel-in-progress: true
-
- environment:
- name: winget
- url: https://github.com/microsoft/winget-pkgs
-
- steps:
- - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
- with:
- egress-policy: block
- allowed-endpoints: >+
- github.com:443
- api.github.com:443
- release-assets.githubusercontent.com:443
- uploads.github.com:443
- index.crates.io:443
-
- - name: Publish to WinGet
- # Requires WINGET_TOKEN secret in the 'winget' environment.
- #
- # Setup — create a fine-grained PAT:
- # 1. GitHub → Settings → Developer settings → Personal access tokens
- # → Fine-grained tokens → Generate new token
- # 2. Resource owner: DFetch-org (or your user)
- # 3. Repository access: All repositories
- # (needed to fork microsoft/winget-pkgs and push the manifest branch)
- # 4. Permissions:
- # Contents → Read and write
- # Pull requests → Read and write
- # 5. Store the token as secret WINGET_TOKEN in:
- # Repo → Settings → Environments → winget → Environment secrets
- uses: vedantmgoyal9/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e # v2
- with:
- identifier: DFetch-org.DFetch
- release-tag: ${{ github.event.release.tag_name }}
- token: ${{ secrets.WINGET_TOKEN }}
diff --git a/.github/workflows/winget.yml b/.github/workflows/winget.yml
new file mode 100644
index 00000000..9747c62a
--- /dev/null
+++ b/.github/workflows/winget.yml
@@ -0,0 +1,117 @@
+name: WinGet
+
+on:
+ release:
+ types: [published]
+ pull_request:
+ types: [opened, synchronize, reopened]
+ workflow_dispatch:
+ inputs:
+ release-tag:
+ description: 'Release tag to validate (e.g. 0.14.0) — the release must already exist with the MSI asset uploaded'
+ required: true
+
+permissions:
+ contents: read
+
+jobs:
+ validate:
+ name: Validate WinGet manifest (no PR submitted)
+ # On release events, skip the rolling 'latest' tag
+ if: github.event_name != 'release' || github.event.release.tag_name != 'latest'
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+ with:
+ egress-policy: block
+ allowed-endpoints: >+
+ github.com:443
+ api.github.com:443
+ release-assets.githubusercontent.com:443
+ uploads.github.com:443
+
+ - name: Determine release tag
+ id: tag
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+ echo "value=${{ inputs.release-tag }}" >> "$GITHUB_OUTPUT"
+ elif [[ "${{ github.event_name }}" == "release" ]]; then
+ echo "value=${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT"
+ else
+ # PR: validate against the latest published release so there is a real installer to hash
+ TAG=$(gh api "repos/${{ github.repository }}/releases/latest" --jq '.tag_name')
+ echo "value=$TAG" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Install komac
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ KOMAC_VERSION=$(gh api repos/russellbanks/Komac/releases/latest --jq '.tag_name')
+ gh release download "$KOMAC_VERSION" \
+ --repo russellbanks/Komac \
+ --pattern '*-x86_64-unknown-linux-gnu.tar.gz' \
+ --dir /tmp/komac-install
+ mkdir -p /tmp/komac-extract
+ tar -xzf /tmp/komac-install/*.tar.gz -C /tmp/komac-extract
+ find /tmp/komac-extract -name komac -type f -exec install -m 755 {} 
/usr/local/bin/komac \;
+
+ - name: Generate manifest (no PR submitted)
+ run: |
+ komac update DFetch-org.DFetch \
+ --version ${{ steps.tag.outputs.value }} \
+ --urls https://github.com/${{ github.repository }}/releases/download/${{ steps.tag.outputs.value }}/dfetch-${{ steps.tag.outputs.value }}-win.msi
+
+ - name: Upload generated manifests
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: winget-manifests-${{ steps.tag.outputs.value }}
+ path: manifests/
+
+ publish:
+ name: Publish to WinGet
+ needs: [validate]
+ if: github.event_name == 'release' && github.event.release.tag_name != 'latest'
+ runs-on: ubuntu-latest
+ concurrency:
+ group: winget-publish-${{ github.event.release.tag_name }}
+ cancel-in-progress: true
+
+ environment:
+ name: winget
+ url: https://github.com/microsoft/winget-pkgs
+
+ steps:
+ - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+ with:
+ egress-policy: block
+ allowed-endpoints: >+
+ github.com:443
+ api.github.com:443
+ release-assets.githubusercontent.com:443
+ index.crates.io:443
+
+ - name: Publish to WinGet
+ # Requires WINGET_TOKEN secret in the 'winget' environment.
+ #
+ # Setup — create a fine-grained PAT:
+ # 1. GitHub → Settings → Developer settings → Personal access tokens
+ # → Fine-grained tokens → Generate new token
+ # 2. Resource owner: DFetch-org (or your user)
+ # 3. Repository access: All repositories
+ # (needed to fork microsoft/winget-pkgs and push the manifest branch)
+ # 4. Permissions:
+ # Contents → Read and write
+ # Pull requests → Read and write
+ # 5. 
Store the token as secret WINGET_TOKEN in:
+ # Repo → Settings → Environments → winget → Environment secrets
+ uses: vedantmgoyal9/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e # v2
+ with:
+ identifier: DFetch-org.DFetch
+ release-tag: ${{ github.event.release.tag_name }}
+ token: ${{ secrets.WINGET_TOKEN }}