Skip to content

build(ci): automate winget submissions via after_release.yml#47

Merged
packetThrower merged 1 commit into
mainfrom
ci/winget-releaser-automation
May 27, 2026
Merged

build(ci): automate winget submissions via after_release.yml#47
packetThrower merged 1 commit into
mainfrom
ci/winget-releaser-automation

Conversation

@packetThrower
Copy link
Copy Markdown
Owner

@packetThrower packetThrower commented May 27, 2026

Summary

Adds the workflow that submits a winget-pkgs PR on every stable release.

Flow

  1. Tag stable (vX.Y.Z, no hyphen).
  2. release.yml builds artifacts including the per-arch .msi, then its release job publishes the GitHub Release via softprops/action-gh-release.
  3. The Release-published event fires after_release.yml::publish_winget.
  4. Job syncs the maintainer's packetThrower/winget-pkgs fork against upstream via /merge-upstream, then runs winget-releaser which renders the templates, commits under manifests/p/packetThrower/Baudrun/<version>/ on the fork, opens the PR.
  5. winget-pkgs validator runs on the PR; moderator merges.

Hands-off after the tag push.

Skip conditions

  • Pre-release tags: if: !github.event.release.prerelease (or !contains(inputs.tag_name, '-') on the dispatch path). Pre-releases already skip MSI in release.yml, so there's no MSI to submit; winget itself has no pre-release channel.
  • Forks: if: github.repository_owner == 'packetThrower'. The WINGET_TOKEN secret isn't set on a fork anyway, but fail-fast is friendlier than a mid-action 401.

Manual escape hatch

workflow_dispatch input tag_name lets us re-fire if the release-event trigger races against a slow Release publish or hits a GitHub API blip on the fork-PR step. Same flow, just manually re-entered tag.

Setup (done out-of-band)

  • Fine-grained PAT on the maintainer's packetThrower/winget-pkgs fork with Contents: read+write + Pull requests: read+write, stored as repo secret WINGET_TOKEN.

Documentation

packaging/windows/winget/README.md gets a new "automated via CI" section. The existing wingetcreate manual flow stays as the emergency-override path; the in-repo render flow stays as reference. No content lost.

Test plan

  • actionlint clean on the new workflow
  • winget-releaser SHA pin (19e706d4c9121098010096f9c495a70a7518b30f, # v2)
  • First live run on v0.13.0's stable tag — if it fails, capture the actual error and iterate (likely candidates: fork sync auth, missing fork, manifest schema drift)

Risk

  • Low for the workflow shape — winget-releaser is well-established.
  • Medium for first-run integration — never been exercised on this repo before. Fallback path stays available via manual wingetcreate if first-run fails.

🤖 Generated with Claude Code

@packetThrower @claude
build(ci): automate winget submissions via after_release.yml
15759e9 
Adds the workflow that submits a winget-pkgs PR on every stable
release. Hands-off after the tag push:

  * Separate workflow from `release.yml` so the build/release path
    stays focused on artifact production. after_release.yml fires
    on the GitHub Release publish event (downstream of
    softprops/action-gh-release running in release.yml's `release`
    job).
  * Pre-step syncs the maintainer's winget-pkgs fork against
    upstream master via GitHub's `/merge-upstream` endpoint —
    avoids non-fast-forward errors when the fork has drifted.
  * Main step: `vedantmgoyal9/winget-releaser@19e706d4c9121098010096f9c495a70a7518b30f`
    (SHA-pinned, `# v2`). Action handles manifest rendering, fork
    operations, and PR creation against `microsoft/winget-pkgs`.
  * `max-versions-to-keep: 5` bounds the per-version directories
    so the upstream tree doesn't accumulate every historical
    Baudrun release forever.
  * Stable-only gate: `if: !github.event.release.prerelease`
    (and `!contains(inputs.tag_name, '-')` on the
    workflow_dispatch path). Pre-releases already skip the MSI
    build in release.yml's existing `contains('-')` gates, so
    there's no MSI to submit anyway, and winget itself has no
    pre-release channel.
  * `workflow_dispatch` trigger with required `tag_name` input
    lets us re-fire a submission if the release-event trigger
    races against a slow Release publish or hits a transient
    GitHub API blip on the fork-PR step.
  * `if: github.repository_owner == 'packetThrower'` guards
    against forks accidentally running the publish path.

Setup (one-time, already done):

  * Fine-grained PAT scoped to `packetThrower/winget-pkgs` with
    `Contents: read and write` + `Pull requests: read and write`,
    stored as repo secret `WINGET_TOKEN`.

`packaging/windows/winget/README.md` gets a new "automated via
CI" section ahead of the existing manual paths, which are
demoted to fallback (emergency-override + reference) status.

The first automated submission will be v0.13.0's stable tag.
If it succeeds, it includes arm64 again (re-added implicitly
since the template already had it — fde581f only removed arm64
from the rendered/0.12.4/ snapshot, never the template).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@packetThrower packetThrower merged commit 56ef61f into main May 27, 2026
6 checks passed
@packetThrower packetThrower deleted the ci/winget-releaser-automation branch May 27, 2026 19:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@packetThrower