Include publish notes when releasing builds

2026-04-12 15:49:53 -04:00 · 2026-03-06 11:48:42 +01:00
parent 0f4a1f950e
commit 09ae34cb10
3 changed files with 119 additions and 156 deletions
--- a/.github/actions/extract-release-notes/action.yml
+++ b/.github/actions/extract-release-notes/action.yml
@ -0,0 +1,31 @@
+name: Extract Release Notes
+description: Extract release notes from CHANGELOG.md for a given version
+
+inputs:
+  version:
+    description: Version to extract notes for
+    required: true
+
+outputs:
+  notes:
+    description: Extracted release notes
+    value: ${{ steps.extract.outputs.notes }}
+
+runs:
+  using: composite
+  steps:
+    - id: extract
+      shell: bash
+      run: |
+        VERSION="${{ inputs.version }}"
+        MAJOR="${VERSION%%.*}"
+        # Try exact version match first, fall back to major version match
+        NOTES=$(awk "/^## ${VERSION}( |$)/{found=1; next} /^## /{if(found) exit} found{print}" CHANGELOG.md)
+        if [ -z "$NOTES" ]; then
+          NOTES=$(awk "/^## ${MAJOR}( |$)/{found=1; next} /^## /{if(found) exit} found{print}" CHANGELOG.md)
+        fi
+        {
+          echo "notes<<EOF"
+          echo "$NOTES"
+          echo "EOF"
+        } >> $GITHUB_OUTPUT
--- a/.github/actions/prepare-release-artifacts/action.yml
+++ b/.github/actions/prepare-release-artifacts/action.yml
@ -0,0 +1,61 @@
+name: Prepare Release Artifacts
+description: Download, flatten, and verify release artifacts for publishing
+
+runs:
+  using: composite
+  steps:
+    - name: Download all artifacts
+      uses: actions/download-artifact@v4
+      with:
+        path: artifacts
+
+    - name: List downloaded artifacts
+      shell: bash
+      run: |
+        echo "=== All artifacts downloaded ==="
+        ls -lR artifacts/
+        echo ""
+        echo "=== Windows artifacts only ==="
+        ls -l artifacts/windows-*/
+
+    - name: Flatten artifacts (exclude unsigned Windows installers)
+      shell: bash
+      run: |
+        mkdir -p staging
+        # Copy all files except those from unsigned Windows artifact directories
+        find artifacts -type f ! -path "*/windows-*-unsigned-*/*" -exec cp {} staging/ \;
+        echo ""
+        echo "=== Files copied to staging ==="
+        ls -lh staging/
+        echo ""
+        echo "=== Windows installers in staging ==="
+        ls -lh staging/YACReader*.exe || echo "No Windows installers found"
+
+    - name: Verify Windows installer signatures
+      shell: bash
+      run: |
+        echo "=== Installing osslsigncode to verify signatures ==="
+        sudo apt-get update
+        sudo apt-get install -y osslsigncode
+
+        echo ""
+        echo "=== Checking signatures on Windows installers ==="
+        for installer in staging/YACReader*.exe; do
+          if [ -f "$installer" ]; then
+            echo "Checking: $(basename $installer)"
+            echo "File size: $(stat -c%s $installer) bytes"
+
+            # Try to extract signature info
+            if osslsigncode verify -in "$installer" 2>&1 | grep -q "Signature verification: ok"; then
+              echo "  ✓ SIGNED - Signature verified successfully"
+              osslsigncode verify -in "$installer" 2>&1 | grep -E "(Signed|Signer|Timestamp)"
+            else
+              echo "  ✗ UNSIGNED or INVALID - No valid signature found"
+              osslsigncode verify -in "$installer" 2>&1 | head -20
+            fi
+            echo ""
+          fi
+        done
+
+        echo "=== Summary ==="
+        echo "Total installers in staging: $(ls staging/YACReader*.exe 2>/dev/null | wc -l)"