name: Build images on: push: branches: [dev, main] # Requires repo secret RELEASE_TOKEN — a Forgejo PAT with scopes: # - write:package, read:package (for docker push to git.fabledsword.com) # - write:release (for ext- release asset cache) # - write:issue (for future issue-management automation) # The injected GITHUB_TOKEN cannot be used — it lacks write:package. jobs: # Sign-or-fetch-from-cache: signs the extension via AMO if no ext- # Forgejo release exists yet, otherwise downloads the cached signed XPI. # Result is uploaded as an Actions artifact for build-web to consume. # # Why this lives in build.yml (not a separate workflow): the merge-commit's # docker image tagged `:latest` MUST carry the XPI. A separate sign workflow # racing build.yml leaves `:latest` without the XPI for ~5min (until the # commit-back triggers another build). Inline ordering eliminates the race. # Cache strategy: Forgejo Release Assets — picked 2026-05-25 over Generic # Packages (cleaner API surface) and commit-back-to-side-branch (no extra # branch to manage). AMO blocks re-signing the same version (returns 409), # so signing is intentionally one-shot per version bump. sign-extension: if: github.ref == 'refs/heads/main' runs-on: python-ci container: image: git.fabledsword.com/bvandeusen/ci-python:3.14 steps: - uses: actions/checkout@v4 - name: Resolve extension version id: extver run: | VERSION=$(grep -E '"version"' extension/package.json | head -1 | sed -E 's/.*"version"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/') echo "version=$VERSION" >> "$GITHUB_OUTPUT" echo "Resolved extension version: $VERSION" - name: Check Forgejo release-asset cache id: cache env: TOKEN: ${{ secrets.RELEASE_TOKEN }} run: | set -eu VERSION=${{ steps.extver.outputs.version }} STATUS=$(curl -s -o release.json -w "%{http_code}" \ -H "Authorization: token $TOKEN" \ "https://git.fabledsword.com/api/v1/repos/bvandeusen/FabledCurator/releases/tags/ext-$VERSION" || echo 000) echo "Tag lookup HTTP status: $STATUS" # JSON parsing via python (ci-python:3.14 has stdlib json; jq is # not in the image and adding it per ci-requirements.md is not # warranted for a single consumer — operator-flagged 2026-05-26 # after a sign job failed with `jq: not found`). if [ "$STATUS" = "200" ]; then ASSET_ID=$(python3 -c "import json; r=json.load(open('release.json')); xpis=[a for a in r.get('assets', []) if a.get('name','').endswith('.xpi')]; print(xpis[0]['id'] if xpis else '')") if [ -n "$ASSET_ID" ]; then echo "cached=true" >> "$GITHUB_OUTPUT" echo "asset_id=$ASSET_ID" >> "$GITHUB_OUTPUT" echo "Cached XPI exists at ext-$VERSION (asset id $ASSET_ID); skipping AMO sign" else echo "cached=false" >> "$GITHUB_OUTPUT" echo "Release ext-$VERSION exists but has no .xpi asset; will re-sign + re-upload" fi else echo "cached=false" >> "$GITHUB_OUTPUT" echo "No release named ext-$VERSION; will sign via AMO and upload" fi # No "download cached XPI in sign-extension" step: build-web # fetches directly from the Forgejo ext- release asset # (removed 2026-05-26 alongside the actions/upload-artifact # removal — sign-extension's job is just to ensure the cache # exists on Forgejo; the build-web side reads it independently). - name: Sign via AMO (cache miss) if: steps.cache.outputs.cached != 'true' run: | cd extension && npm install --no-save --no-audit --no-fund && npm run sign env: WEB_EXT_API_KEY: ${{ secrets.MOZILLA_AMO_JWT_KEY }} WEB_EXT_API_SECRET: ${{ secrets.MOZILLA_AMO_JWT_SECRET }} - name: Upload signed XPI to ext- release (cache miss) if: steps.cache.outputs.cached != 'true' env: TOKEN: ${{ secrets.RELEASE_TOKEN }} run: | set -eux VERSION=${{ steps.extver.outputs.version }} # AMO renames signed XPIs with its internal addon-id-safe-string; # canonicalize to fabledcurator-.xpi so the FC server's # whitelist (backend/app/frontend.py expects 'fabledcurator-*.xpi') # keeps working. SIGNED=$(ls extension/web-ext-artifacts/*.xpi | head -1) XPI="extension/web-ext-artifacts/fabledcurator-$VERSION.xpi" cp "$SIGNED" "$XPI" # Find-or-create the ext- release. Track whether WE # created it so an upload failure below can roll back (don't # leave an empty release tombstone that the next run's # cache-check mistakes for a partial-failure state). STATUS=$(curl -s -o release.json -w "%{http_code}" \ -H "Authorization: token $TOKEN" \ "https://git.fabledsword.com/api/v1/repos/bvandeusen/FabledCurator/releases/tags/ext-$VERSION" || echo 000) if [ "$STATUS" = "200" ]; then CREATED_BY_US=false else curl -s -X POST -H "Authorization: token $TOKEN" -H "Content-Type: application/json" \ -d "{\"tag_name\":\"ext-$VERSION\",\"name\":\"Extension $VERSION (signed XPI cache)\",\"body\":\"Internal cache for the signed XPI consumed by build.yml's build-web job. Not a user-facing FC release.\",\"target_commitish\":\"main\"}" \ -o release.json \ "https://git.fabledsword.com/api/v1/repos/bvandeusen/FabledCurator/releases" CREATED_BY_US=true fi RELEASE_ID=$(python3 -c "import json; print(json.load(open('release.json'))['id'])") test -n "$RELEASE_ID" # Rollback-on-failure: if the asset upload fails AND we just # created the release in this run, delete it. Prevents an empty # ext- release from poisoning the next workflow run # (operator-flagged 2026-05-26 — without rollback the next run # saw 'release exists, no asset → cache miss → sign' which AMO # then rejected with 409 'Version already exists'). rollback_if_we_created() { if [ "$CREATED_BY_US" = "true" ]; then echo "Rolling back: deleting just-created release $RELEASE_ID" curl -s -X DELETE -H "Authorization: token $TOKEN" \ "https://git.fabledsword.com/api/v1/repos/bvandeusen/FabledCurator/releases/$RELEASE_ID" || true curl -s -X DELETE -H "Authorization: token $TOKEN" \ "https://git.fabledsword.com/api/v1/repos/bvandeusen/FabledCurator/tags/ext-$VERSION" || true fi } trap 'rollback_if_we_created' EXIT HTTP_CODE=$(curl -s -X POST -H "Authorization: token $TOKEN" \ -F "attachment=@$XPI" \ -o /dev/null -w "%{http_code}" \ "https://git.fabledsword.com/api/v1/repos/bvandeusen/FabledCurator/releases/$RELEASE_ID/assets?name=fabledcurator-$VERSION.xpi") if [ "$HTTP_CODE" != "201" ] && [ "$HTTP_CODE" != "200" ]; then echo "Asset upload failed with HTTP $HTTP_CODE" exit 1 fi # Upload succeeded — clear the rollback trap. trap - EXIT echo "Uploaded fabledcurator-$VERSION.xpi to ext-$VERSION release" # No actions/upload-artifact step: Forgejo Actions (and our # act_runner) doesn't support upload-artifact@v4+ (GHES limitation # surfaced 2026-05-26). Instead build-web reads the signed XPI # straight from the ext- Forgejo release we just uploaded # to. Same source of truth; no double-store. build-web: needs: [sign-extension] # sign-extension is main-only; on dev it's skipped, build-web still runs. if: always() && (needs.sign-extension.result == 'success' || needs.sign-extension.result == 'skipped') runs-on: python-ci container: image: git.fabledsword.com/bvandeusen/ci-python:3.14 steps: - uses: actions/checkout@v4 - name: Download signed XPI from Forgejo release asset (main only) if: github.ref == 'refs/heads/main' env: TOKEN: ${{ secrets.RELEASE_TOKEN }} run: | set -eux VERSION=$(grep -E '"version"' extension/package.json | head -1 | sed -E 's/.*"version"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/') # Look up the ext- release; extract the .xpi asset's # browser_download_url (Forgejo's /releases/assets/ endpoint # returns ASSET METADATA, not the binary blob — operator-flagged # 2026-05-26: my prior code curl'd the metadata endpoint without # -f and wrote the resulting 404-page-not-found text into # fabledcurator-*.xpi, which Firefox then rejected as "corrupt"). # browser_download_url is the canonical binary endpoint and is # also publicly accessible (no token needed) but we pass the # token anyway for symmetry with private-repo support. curl -sf -H "Authorization: token $TOKEN" \ "https://git.fabledsword.com/api/v1/repos/bvandeusen/FabledCurator/releases/tags/ext-$VERSION" \ -o release.json DOWNLOAD_URL=$(python3 -c "import json; r=json.load(open('release.json')); xpis=[a for a in r.get('assets', []) if a.get('name','').endswith('.xpi')]; print(xpis[0]['browser_download_url'])") test -n "$DOWNLOAD_URL" echo "Downloading XPI from: $DOWNLOAD_URL" mkdir -p frontend/public/extension DEST="frontend/public/extension/fabledcurator-$VERSION.xpi" # -f = fail on HTTP error (prevents silent corruption like the # 2026-05-26 incident); -L = follow redirects. curl -sfL -H "Authorization: token $TOKEN" -o "$DEST" "$DOWNLOAD_URL" # Sanity check: the binary should start with the ZIP magic (PK\x03\x04). # If it's anything else, the next docker build will ship a corrupt XPI. MAGIC=$(head -c 2 "$DEST" | od -An -c | tr -d ' \n') if [ "$MAGIC" != "PK" ]; then echo "ERROR: downloaded XPI does not start with ZIP magic 'PK' (got '$MAGIC')" echo "File contents preview:" head -c 200 "$DEST" exit 1 fi cp "$DEST" "frontend/public/extension/fabledcurator-latest.xpi" ls -la frontend/public/extension/ - name: Determine tag id: tag run: | if [ "${GITHUB_REF##*/}" = "main" ]; then echo "tags=git.fabledsword.com/bvandeusen/fabledcurator:main,git.fabledsword.com/bvandeusen/fabledcurator:latest" >> "$GITHUB_OUTPUT" else echo "tags=git.fabledsword.com/bvandeusen/fabledcurator:dev" >> "$GITHUB_OUTPUT" fi - name: Login to Forgejo registry uses: docker/login-action@v3 with: registry: git.fabledsword.com username: ${{ github.actor }} password: ${{ secrets.RELEASE_TOKEN }} - name: Build and push web image uses: docker/build-push-action@v5 with: context: . file: Dockerfile push: true tags: ${{ steps.tag.outputs.tags }} build-ml: runs-on: python-ci container: image: git.fabledsword.com/bvandeusen/ci-python:3.14 steps: - uses: actions/checkout@v4 - name: Determine tag id: tag run: | if [ "${GITHUB_REF##*/}" = "main" ]; then echo "tags=git.fabledsword.com/bvandeusen/fabledcurator-ml:main,git.fabledsword.com/bvandeusen/fabledcurator-ml:latest" >> "$GITHUB_OUTPUT" else echo "tags=git.fabledsword.com/bvandeusen/fabledcurator-ml:dev" >> "$GITHUB_OUTPUT" fi - name: Login to Forgejo registry uses: docker/login-action@v3 with: registry: git.fabledsword.com username: ${{ github.actor }} password: ${{ secrets.RELEASE_TOKEN }} - name: Build and push ml image uses: docker/build-push-action@v5 with: context: . file: Dockerfile.ml push: true tags: ${{ steps.tag.outputs.tags }}