Sign CI for extensions.

.eslintignore

@@ -2,3 +2,5 @@
 react-es6-popup/**/dist
 mocha-client-tests
 store-collected-images/webextension-plain/deps
+!.web-ext
+!.web-ext/sign.js

.eslintrc.json

@@ -1,7 +1,8 @@
 {
   "root": true,
   "parserOptions": {
-    "ecmaVersion": 2017
+    "ecmaVersion": 2017,
+    "sourceType": "module"
   },
   "env": {
     "browser": true,

.github/workflows/sign.yml

@@ -0,0 +1,175 @@
+# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
+
+name: SIGN
+
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - '*/manifest.json'
+      - '*/**/manifest.json'
+      - '**/manifest.json'
+
+env:
+  OUTPUT_DIR: .web-ext
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.res.outputs.matrix }}
+      changed: ${{ steps.changed.outputs.any_changed }}
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get dirs that manifest.json-changed
+        id: changed
+        uses: tj-actions/changed-files@v37
+        with:
+          dir_names: "true"
+          json: "true"
+          files: |
+            */manifest.json
+            */**/manifest.json
+            **/manifest.json
+
+      - name: echo Changed Dirs
+        id: res
+        if: steps.changed.outputs.any_changed == 'true'
+        run: |
+          echo "matrix={\"dirs\":${{steps.changed.outputs.all_changed_files}}}" >> $GITHUB_OUTPUT
+          echo "Changed Dirs: "
+          echo "{\"dirs\":${{steps.changed.outputs.all_changed_files}}}"
+
+  sign:
+    runs-on: ubuntu-latest
+    needs: ["check"]
+    if: needs.check.outputs.changed == 'true'
+    permissions:
+      contents: write
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON(needs.check.outputs.matrix) }}
+    outputs:
+      done: ${{ steps.sign.outputs.done }}
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Use Node.js lts.
+        uses: actions/setup-node@v3
+        with:
+          node-version: lts/*
+          architecture: "x64"
+          cache: "npm"
+          cache-dependency-path: "**/package-lock.json"
+
+      - uses: actions/cache@v3
+        id: npm-cache
+        with:
+          path: |
+            node_modules
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - name: Install Dependences.
+        # if: steps.npm-cache.outputs.cache-hit != 'true'
+        run: npm ci
+
+      - name: Sign ${{matrix.dirs}}
+        id: sign
+        env:
+          WEB_EXT_API_KEY: ${{secrets.WEB_EXT_API_KEY}}
+          WEB_EXT_API_SECRET: ${{secrets.WEB_EXT_API_SECRET}}
+          EXT_DIR: ${{matrix.dirs}}
+        run: |
+          node ./${{env.OUTPUT_DIR}}/sign.js $EXT_DIR
+
+      - uses: actions/upload-artifact@v3
+        id: upload
+        with:
+          name: "${{env.OUTPUT_DIR}}"
+          retention-days: 1
+          path: |
+            ${{env.OUTPUT_DIR}}/**.xpi
+            ${{env.OUTPUT_DIR}}/**.json
+
+      - name: Release body Generate
+        if: ${{steps.sign.conclusion=='success' && steps.sign.outputs.done=='true'}}
+        id: body-gen
+        working-directory: ${{env.OUTPUT_DIR}}
+        env:
+          signTime: ${{fromJson(steps.sign.outputs.data).signTime}}
+          dir: ${{fromJson(steps.sign.outputs.data).dir}}
+          name: ${{fromJson(steps.sign.outputs.data).name}}
+          version: ${{fromJson(steps.sign.outputs.data).version}}
+        run: |
+          echo -e "|Name|$name|\n|-|-|\n|Version|$version|\n|Source Path|https://github.com/mdn/webextensions-examples/tree/main/$dir|\n|Sign Time|$( date -d @$signTime "+%Y-%m-%d %H:%M:%S %z")|\n|Release Time|$( date "+%Y-%m-%d %H:%M:%S %z")|" > body.md
+
+      - name: Release ${{matrix.dirs}}
+        uses: ncipollo/release-action@v1
+        if: ${{steps.sign.conclusion=='success' && steps.sign.outputs.done=='true' && steps.body-gen.conclusion=='success'}}
+        env:
+          name: ${{fromJson(steps.sign.outputs.data).name}}
+          destPath: ${{fromJson(steps.sign.outputs.data).destPath}}
+        with:
+          allowUpdates: true
+          skipIfReleaseExists: false
+          removeArtifacts: false
+          replacesArtifacts: false
+          # body: ''
+          bodyFile: ${{env.OUTPUT_DIR}}/body.md
+          tag: ${{env.name}}
+          artifacts: |
+            ${{env.destPath}}
+
+  release_ALL:
+    runs-on: ubuntu-latest
+    needs: ["sign"]
+    if: ${{ always() }}
+    permissions:
+      contents: write
+    strategy:
+      fail-fast: false
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - uses: actions/download-artifact@v3
+        id: download
+        if: ${{needs.sign.outputs.done=='true'}}
+        with:
+          name: "${{env.OUTPUT_DIR}}"
+          path: ${{env.OUTPUT_DIR}}
+
+      - name: "Echo download path"
+        working-directory: ${{env.OUTPUT_DIR}}
+        run: |
+          echo ${{steps.download.outputs.download-path}}
+          ls -R
+
+      - uses: stefanzweifel/git-auto-commit-action@v4
+        continue-on-error: true
+        with:
+          commit_message: Sign CI Automated Commit
+          branch: ${{github.ref_name}}
+          commit_options: '--no-verify --signoff'
+          skip_checkout: true
+          skip_fetch: true
+          skip_dirty_check: true
+          file_pattern: |
+            ${{env.OUTPUT_DIR}}/**.json
+          commit_user_name: Sign Bot # defaults to "github-actions[bot]"
+          commit_user_email: 41898282+github-actions[bot]@users.noreply.github.com
+          # commit_author: Author <[email protected]> # defaults to author of the commit that triggered the run
+          add_options: '-A'
+          push_options: ''

.gitignore

@@ -1 +1,6 @@
 node_modules
+**.secrets
+.web-ext/**.zip
+**.log
+**.web-extension-id
+**.xpi