Fix winget publish

.github/workflows/winget.yml

@@ -0,0 +1,117 @@
+name: WinGet
+
+on:
+  release:
+    types: [published]
+  pull_request:
+    types: [opened, synchronize, reopened]
+  workflow_dispatch:
+    inputs:
+      release-tag:
+        description: 'Release tag to validate (e.g. 0.14.0) — the release must already exist with the MSI asset uploaded'
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    name: Validate WinGet manifest (no PR submitted)
+    # On release events, skip the rolling 'latest' tag
+    if: github.event_name != 'release' || github.event.release.tag_name != 'latest'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: block
+          allowed-endpoints: >+
+            github.com:443
+            api.github.com:443
+            release-assets.githubusercontent.com:443
+            uploads.github.com:443
+
+      - name: Determine release tag
+        id: tag
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            echo "value=${{ inputs.release-tag }}" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ github.event_name }}" == "release" ]]; then
+            echo "value=${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT"
+          else
+            # PR: validate against the latest published release so there is a real installer to hash
+            TAG=$(gh api "repos/${{ github.repository }}/releases/latest" --jq '.tag_name')
+            echo "value=$TAG" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Install komac
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          KOMAC_VERSION=$(gh api repos/russellbanks/Komac/releases/latest --jq '.tag_name')
+          gh release download "$KOMAC_VERSION" \
+            --repo russellbanks/Komac \
+            --pattern '*-x86_64-unknown-linux-gnu.tar.gz' \
+            --dir /tmp/komac-install
+          mkdir -p /tmp/komac-extract
+          tar -xzf /tmp/komac-install/*.tar.gz -C /tmp/komac-extract
+          find /tmp/komac-extract -name komac -type f -exec install -m 755 {} /usr/local/bin/komac \;
+
+      - name: Generate manifest (no PR submitted)
+        run: |
+          komac update DFetch-org.DFetch \
+            --version ${{ steps.tag.outputs.value }} \
+            --urls https://github.com/${{ github.repository }}/releases/download/${{ steps.tag.outputs.value }}/dfetch-${{ steps.tag.outputs.value }}-win.msi
+
+      - name: Upload generated manifests
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: winget-manifests-${{ steps.tag.outputs.value }}
+          path: manifests/
+
+  publish:
+    name: Publish to WinGet
+    needs: [validate]
+    if: github.event_name == 'release' && github.event.release.tag_name != 'latest'
+    runs-on: ubuntu-latest
+    concurrency:
+      group: winget-publish-${{ github.event.release.tag_name }}
+      cancel-in-progress: true
+
+    environment:
+      name: winget
+      url: https://github.com/microsoft/winget-pkgs
+
+    steps:
+      - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: block
+          allowed-endpoints: >+
+            github.com:443
+            api.github.com:443
+            release-assets.githubusercontent.com:443
+            index.crates.io:443
+
+      - name: Publish to WinGet
+        # Requires WINGET_TOKEN secret in the 'winget' environment.
+        #
+        # Setup — create a fine-grained PAT:
+        #   1. GitHub → Settings → Developer settings → Personal access tokens
+        #      → Fine-grained tokens → Generate new token
+        #   2. Resource owner: DFetch-org (or your user)
+        #   3. Repository access: All repositories
+        #      (needed to fork microsoft/winget-pkgs and push the manifest branch)
+        #   4. Permissions:
+        #        Contents      → Read and write
+        #        Pull requests → Read and write
+        #   5. Store the token as secret WINGET_TOKEN in:
+        #      Repo → Settings → Environments → winget → Environment secrets
+        uses: vedantmgoyal9/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e # v2
+        with:
+          identifier: DFetch-org.DFetch
+          release-tag: ${{ github.event.release.tag_name }}
+          token: ${{ secrets.WINGET_TOKEN }}