Document that we use SignPath code signing #301
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Extension CI/CD | |
on: | |
push: | |
paths: | |
- .github/workflows/extension.yaml | |
- extension/** | |
tags: | |
- v* | |
branches-ignore: | |
- crowdin-* | |
pull_request: | |
paths: | |
- .github/workflows/extension.yaml | |
- extension/** | |
defaults: | |
run: | |
working-directory: extension | |
shell: bash | |
jobs: | |
lint: | |
name: Lint | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Configure cache | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cache/yarn | |
~/.config/yarn | |
key: ${{ runner.os }}-yarn-lint-${{ hashFiles('**/yarn.lock') }} | |
restore-keys: ${{ runner.os }}-yarn- | |
- name: Install Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 20 | |
- name: Install dependencies | |
run: yarn install --frozen-lockfile | |
- name: Lint the extension | |
run: yarn lint | |
build: | |
name: Build | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
attestations: write | |
id-token: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Configure cache | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cache/yarn | |
~/.config/yarn | |
key: ${{ runner.os }}-yarn-build-${{ hashFiles('**/yarn.lock') }} | |
restore-keys: ${{ runner.os }}-yarn- | |
- name: Set the version | |
run: | | |
if [[ $GITHUB_REF == refs/tags/v* ]] | |
then | |
VERSION=${GITHUB_REF/refs\/tags\/v} | |
echo "VERSION=$VERSION" >> $GITHUB_ENV | |
sed -i "s/\"version\": \"0.0.0\"/\"version\": \"$VERSION\"/g" package.json | |
sed -i "s/\"version\": \"0.0.0\"/\"version\": \"$VERSION\"/g" src/manifest.json | |
else | |
echo "VERSION=0.0.0" >> $GITHUB_ENV | |
fi | |
- name: Package the extension source | |
run: 7z a "dist/firefoxpwa-${{ env.VERSION }}-source.zip" "." -bd -mx9 -xr@"../.gitignore" | |
- name: Upload the extension source | |
uses: actions/upload-artifact@v4 | |
with: | |
name: firefoxpwa-extension-source | |
path: extension/dist/firefoxpwa-*-source.zip | |
compression-level: 0 | |
- name: Attest the extension source | |
if: startsWith(github.ref, 'refs/tags/v') | |
uses: actions/attest-build-provenance@v1 | |
with: | |
subject-path: extension/dist/firefoxpwa-*-source.zip | |
- name: Install Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 20 | |
- name: Install dependencies | |
run: yarn install --frozen-lockfile | |
- name: Build the extension | |
run: yarn build | |
- name: Upload the compiled extension | |
uses: actions/upload-artifact@v4 | |
with: | |
name: firefoxpwa-extension-compiled | |
path: extension/dist/firefoxpwa-*-compiled.zip | |
compression-level: 0 | |
- name: Attest the compiled extension | |
if: startsWith(github.ref, 'refs/tags/v') | |
uses: actions/attest-build-provenance@v1 | |
with: | |
subject-path: extension/dist/firefoxpwa-*-compiled.zip | |
# Add auto-publishing to AMO once web-ext supports submitting extensions from ZIP files | |
# This also includes uploading source code and AMO release notes | |
# See: https://github.com/mozilla/web-ext/issues/3242 |