v2.1.0: security hardening + cross-browser parity + release CI (#15)

Cherry-picks @anthonyonazure's closed PR #11 onto master post-Firefox port, adds Firefox parity for the nonce-validated interceptor bridge, and ships GH Actions for tag-driven releases plus PR validation. Closes #11 Co-Authored-By: Anthony <anthony@anthonyonazure.com>
2026-06-07 16:43:55 +02:00 · 2026-05-15 00:50:48 +03:00
parent 8d2f3fc1e4
commit fdd3be3d99
12 changed files with 395 additions and 31 deletions
@@ -0,0 +1,71 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag to build (e.g. v2.1.0). Leave blank to build current ref."
+        required: false
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.tag || github.ref }}
+
+      - name: Read version from manifest
+        id: meta
+        run: |
+          VERSION=$(grep '"version"' manifest.json | head -1 | sed 's/.*: *"\([^"]*\)".*/\1/')
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "tag=v$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Verify tag matches manifest version
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: |
+          TAG="${GITHUB_REF#refs/tags/}"
+          if [ "$TAG" != "${{ steps.meta.outputs.tag }}" ] && [ "$TAG" != "${{ steps.meta.outputs.tag }}-firefox" ]; then
+            echo "Tag $TAG does not match manifest version ${{ steps.meta.outputs.tag }}"
+            exit 1
+          fi
+
+      - name: Build Chrome + Firefox zips
+        run: bash scripts/build.sh
+
+      - name: Compute checksums
+        working-directory: dist
+        run: |
+          shasum -a 256 keyfinder-v${{ steps.meta.outputs.version }}-chrome.zip > keyfinder-v${{ steps.meta.outputs.version }}-chrome.zip.sha256
+          shasum -a 256 keyfinder-v${{ steps.meta.outputs.version }}-firefox.zip > keyfinder-v${{ steps.meta.outputs.version }}-firefox.zip.sha256
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: keyfinder-v${{ steps.meta.outputs.version }}
+          path: |
+            dist/keyfinder-v${{ steps.meta.outputs.version }}-chrome.zip
+            dist/keyfinder-v${{ steps.meta.outputs.version }}-firefox.zip
+            dist/keyfinder-v${{ steps.meta.outputs.version }}-chrome.zip.sha256
+            dist/keyfinder-v${{ steps.meta.outputs.version }}-firefox.zip.sha256
+          if-no-files-found: error
+
+      - name: Attach to GitHub Release
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            dist/keyfinder-v${{ steps.meta.outputs.version }}-chrome.zip
+            dist/keyfinder-v${{ steps.meta.outputs.version }}-firefox.zip
+            dist/keyfinder-v${{ steps.meta.outputs.version }}-chrome.zip.sha256
+            dist/keyfinder-v${{ steps.meta.outputs.version }}-firefox.zip.sha256
+          generate_release_notes: true
+          fail_on_unmatched_files: true