feat: Allow source code submission and metadata changes

.github/workflows/ci.yml

@@ -1,3 +1,4 @@
+---
 name: "Build"
 on:
   push:
@@ -6,23 +7,22 @@ on:
   pull_request:
 
 jobs:
-  test:
-    name: "Build and Test"
+  build:
+    name: "Build"
     runs-on: ubuntu-latest
-    env:
-      HAS_AMO_SIGN_KEY: ${{ secrets.AMO_SIGN_KEY != '' && secrets.AMO_SIGN_KEY != null }}
-      HAS_ATN_SIGN_KEY: ${{ secrets.ATN_SIGN_KEY != '' && secrets.ATN_SIGN_KEY != null }}
+    outputs:
+      name: ${{ steps.web-ext-build.outputs.name }}
     steps:
       - name: "Checkout"
         uses: actions/checkout@v4
 
-      - name: "npm ci"
-        run: npm ci
-
-      - name: "Run Linters"
+      - name: "Code Lint"
         run: npm run lint
 
-      - name: "Bump version"
+      - name: "Yamllint"
+        run: yamllint -c .yamllint.yml .
+
+      - name: "Bump version with run id"
         run: |
           export VERSION="1.$((10#${GITHUB_RUN_ID:0:4})).$((10#${GITHUB_RUN_ID:4}))"
           jq ".version = \"$VERSION\"" test/extension/manifest.json > manifest.json~
@@ -49,38 +49,102 @@ jobs:
           source: test/extension
           channel: unlisted
 
-      - name: "Self-test: AMO release"
-        if: env.HAS_AMO_SIGN_KEY == 'true'
+      - name: "Upload unsigned build"
+        uses: actions/upload-artifact@v4
+        with:
+          name: unsigned.xpi
+          path: ${{ steps.web-ext-build.outputs.target }}
+          if-no-files-found: error
+
+  amo:
+    name: "Self-test: AMO release"
+    runs-on: ubuntu-latest
+    needs: build
+    env:
+      HAS_SIGN_KEY: ${{ secrets.AMO_SIGN_KEY != '' && secrets.AMO_SIGN_SECRET != '' }}
+    steps:
+      - name: "Checkout"
+        if: env.HAS_SIGN_KEY
+        uses: actions/checkout@v4
+
+      - name: "Get release build"
+        if: env.HAS_SIGN_KEY
+        uses: actions/download-artifact@v4
+        with:
+          name: unsigned.xpi
+          path: web-ext-artifacts
+
+      - name: "Bump version with attempt id"
+        if: env.HAS_SIGN_KEY
+        working-directory: web-ext-artifacts
+        run: |
+          unzip -p ${{ needs.build.outputs.name }} manifest.json | \
+            jq ".version += \".$GITHUB_RUN_ATTEMPT\"" > manifest.json
+          zip -u ${{ needs.build.outputs.name }} manifest.json
+          rm manifest.json
+
+      - name: "Collect sources"
+        if: env.HAS_SIGN_KEY
+        run: git archive --format=zip --output=sources.zip HEAD
+
+      - name: "Release"
+        if: env.HAS_SIGN_KEY
         id: web-ext-sign-amo
         uses: "./"
         with:
           cmd: sign
-          source: ${{ steps.web-ext-build.outputs.target }}
+          source: web-ext-artifacts/${{ needs.build.outputs.name }}
+          sourceCode: sources.zip
           channel: unlisted
+          metaDataFile: test/amo_metadata.json
+          approvalNotes: "Please find more information at https://github.com/kewisch/action-web-ext"
+          releaseNotes: "Triggered by ${{ github.event_name }} for ${{ github.sha }}"
+          license: MPL-2.0
           apiKey: ${{ secrets.AMO_SIGN_KEY }}
           apiSecret: ${{ secrets.AMO_SIGN_SECRET }}
 
+      - name: "Upload AMO signed"
+        if: env.HAS_SIGN_KEY
+        uses: actions/upload-artifact@v4
+        with:
+          name: amo-signed.xpi
+          path: ${{ steps.web-ext-sign-amo.outputs.target }}
+          if-no-files-found: error
+
+  atn:
+    name: "Self-test: ATN release"
+    runs-on: ubuntu-latest
+    needs: build
+    env:
+      HAS_SIGN_KEY: ${{ secrets.ATN_SIGN_KEY != '' && secrets.ATN_SIGN_SECRET != '' }}
+    steps:
+      - name: "Checkout"
+        if: env.HAS_SIGN_KEY
+        uses: actions/checkout@v4
+
+      - name: "Get release build"
+        if: env.HAS_SIGN_KEY
+        uses: actions/download-artifact@v4
+        with:
+          name: unsigned.xpi
+          path: web-ext-artifacts
+
+      - name: "Bump version with attempt id"
+        if: env.HAS_SIGN_KEY
+        working-directory: web-ext-artifacts
+        run: |
+          unzip -p ${{ needs.build.outputs.name }} manifest.json | \
+            jq ".version += \".$GITHUB_RUN_ATTEMPT\"" > manifest.json
+          zip -u ${{ needs.build.outputs.name }} manifest.json
+          rm manifest.json
+
       - name: "Self-test: ATN release"
-        if: env.HAS_ATN_SIGN_KEY == 'true'
-        id: web-ext-sign-atn
+        if: env.HAS_SIGN_KEY
         uses: "./"
         with:
           cmd: sign
-          source: ${{ steps.web-ext-build.outputs.target }}
+          source: web-ext-artifacts/${{ needs.build.outputs.name }}
           channel: unlisted
-          apiUrlPrefix: "https://addons.thunderbird.net/api/v3"
+          apiUrlPrefix: "https://addons.thunderbird.net/api/v4"
           apiKey: ${{ secrets.ATN_SIGN_KEY }}
           apiSecret: ${{ secrets.ATN_SIGN_SECRET }}
-
-      - name: "Upload Unsigned"
-        uses: actions/upload-artifact@v4
-        with:
-          name: unsigned.xpi
-          path: ${{ steps.web-ext-build.outputs.target }}
-
-      - name: "Upload AMO signed"
-        if: env.HAS_AMO_SIGN_KEY == 'true'
-        uses: actions/upload-artifact@v4
-        with:
-          name: amo-signed.xpi
-          path: ${{ steps.web-ext-sign-amo.outputs.target }}

.gitignore

@@ -1 +1,2 @@
 !node_modules
+test/extension/web-ext-artifacts

.yamllint.yml

@@ -0,0 +1,11 @@
+---
+
+ignore: |
+  node_modules/
+
+extends: default
+rules:
+  line-length:
+    max: 120
+
+  truthy: disable

README.md

@@ -12,7 +12,6 @@ Generally you can use these inputs:
 * `source`: The directory the add-on is in. For `sign`, this should be the xpi file instead
 * `artifacts`: The output directory, defaults to web-ext-artifacts
 * `verbose`: Output more debugging if set to true
-* `progressBar`: Enable the console progress bar
 * `channel`: The channel to use, `listed` or `unlisted`
 * `ignoreFiles`: A json string containing an array of files to be ignored. Web-ext by default already ignores the most frequently ignored files.
 
@@ -22,7 +21,7 @@ lint
 ----
 
 Linting supports annotations, this is great for pull requests. A token is not required for this action, though if
-`GITHUB_TOKEN` is in the environment, it will be used to create a check run.
+`GITHUB_TOKEN` is in the environment, it will be used to create a check run that gives you more detailed information.
 
 ```yaml
 name: "Lint"
@@ -38,7 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout"
-        uses: actions/checkout@v1
+        uses: actions/checkout@v4
 
       - name: "web-ext lint"
         uses: kewisch/action-web-ext@v1
@@ -71,7 +70,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout"
-        uses: actions/checkout@v1
+        uses: actions/checkout@v4
 
       - name: "web-ext build"
         id: web-ext-build
@@ -83,7 +82,7 @@ jobs:
           ignoreFiles: '[ "package.json","package-lock.json","yarn.lock" ]'
 
       - name: "Upload Artifact"
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: target.xpi
           path: ${{ steps.web-ext-build.outputs.target }}
@@ -94,36 +93,56 @@ sign
 
 Send the add-on for signature to AMO. To reduce the load on AMO servers, please don't use this for
 on-commit or nightly builds. If you want to test your add-on you can do so in `about:debugging`.
-Using this for betas or releases is great though, especially in combination with
-[softprops/action-gh-release](https://github.com/softprops/action-gh-release). Under the hood, the
-action uses [mozilla/sign-addon](https://github.com/mozilla/sign-addon). Please note that listed
-add-ons will not be signed immediately, this is indicated during the build process but is not
-counted as a failure.
+Using this for betas or releases is great though. Please note that listed add-ons will not be signed
+immediately, this is indicated during the build process but is not counted as a failure.
 
 You can use the following extra options:
-* `apiKey`: The API key used for signing
-* `apiSecret`: The API secret used for signing
-* `apiUrlPrefix`: The URL of the signing API, defaults to AMO production
+* `sourceCode`: Submit a zip with source code to adhere to the source code submission policy.
+* `metaDataFile`: A JSON file with additional metadata for the version release. See example below
+   for details.
+* `approvalNotes`: A shortcut to set .version.approval_notes in the submitted metadata.
+* `releaseNotes`: A shortcut to set .version.release_notes in the submitted metadata.
+* `license`: The license for the version. See example below for details.
+* `licenseFile`: If using a custom license, the license file to submit.
+* `apiKey`: The API key used for signing.
+* `apiSecret`: The API secret used for signing.
+* `apiUrlPrefix`: The URL of the signing API, defaults to AMO production.
 * `timeout`: The number of milliseconds to wait before giving up on a response from Mozilla's web
    service. Defaults to 900000 ms (15 minutes).
 
-Changing `apiUrlPrefix` will allow you to submit to
-[addons.thunderbird.net](https://addons.thunderbird.net) or using the staging/dev instance.
+Changing `apiUrlPrefix` to https://addons.thunderbird.net/api/v4 will allow you to submit to
+[addons.thunderbird.net](https://addons.thunderbird.net), or you can make use of the
+[staging/dev instances](https://mozilla.github.io/addons-server/topics/api/index.html#external-api).
+
+Please see the example below on how to use the sign command.
+
+Complete example
+----------------
+
+This is a complete example of a publish script. It is triggered when you create and publish a
+release on GitHub. You can of course also turn things around and trigger on tag creation, and
+subsequently create the release if the upload succeeds.
 
 ```yaml
-name: "Release"
+name: "Publish"
 on:
-  push:
-    tags:
-      - 'v*.*.*'
+  release:
+    types: [published]
 
 jobs:
   sign:
     name: "Release"
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout"
-        uses: actions/checkout@v1
+        uses: actions/checkout@v4
+
+      - name: "web-ext lint"
+        uses: kewisch/action-web-ext@v1
+        with:
+          cmd: lint
+          source: src
+          channel: listed
 
       - name: "web-ext build"
         id: web-ext-build
@@ -132,21 +151,66 @@ jobs:
           cmd: build
           source: src
 
-      - name: "web-ext sign"
+      - name: "Collect sources"
+        run: git archive --format=zip --output=sources.zip ${{ github.ref }}
+
+      - name: "Collect metadata"
+        id: metadata
+        run: echo "json=$(jq -c . < amo_metadata.json)" >> $GITHUB_OUTPUT
+
+      - name: "web-ext sign AMO"
         id: web-ext-sign
         uses: kewisch/action-web-ext@v1
         with:
           cmd: sign
+
+          # Source must be the zip/xpi file of the add-on. If your add-on is required to submit
+          # source as per https://extensionworkshop.com/documentation/publish/source-code-submission/
+          # policy, you can use sourceCode with a zip file of the original sources. Submitting
+          # source code is not always required, don't do so if you don't need to.
           source: ${{ steps.web-ext-build.outputs.target }}
+          sourceCode: sources.zip
           channel: unlisted
+
+          # Various metadata you can set through the API. See the documentation for the
+          # --amo-metadata parameter to web-ext sign at
+          # https://extensionworkshop.com/documentation/develop/web-ext-command-reference/#web-ext-sign
+          # for more information. You can leave out metaDataFile if all you want to set is approval
+          # notes, release notes, or a license.
+          metaDataFile: amo_metadata.json
+          approvalNotes: "Please find more information at https://github.com/kewisch/action-web-ext"
+          releaseNotes: ${{ github.event.release.body }}
+
+          # You can set one of the known licenses from
+          # https://mozilla.github.io/addons-server/topics/api/licenses.html#license-list
+          # by just passing the license property. If you have a custsom license, read it from a
+          # file as follows.
+          license: Apache-2.0       # You only need to specify a license file if you are using a
+          licenseFile: LICENSE.md   # custom license. Please see action.yml for details.
+
+          # Specify API secrets. No need to specify apiUrlPrefix, it defaults to AMO production
           apiKey: ${{ secrets.AMO_SIGN_KEY }}
           apiSecret: ${{ secrets.AMO_SIGN_SECRET }}
           timeout: 900000
 
-      - name: "Create Release"
-        uses: softprops/action-gh-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: "web-ext sign ATN"
+        id: web-ext-sign
+        uses: kewisch/action-web-ext@v1
         with:
-          files: ${{ steps.web-ext-sign.outputs.target }}
+          # This is how to sign for Thunderbird. Note that Thunderbird uses API v4, where many
+          # metadata fields are not supported.
+          cmd: sign
+          source: ${{ steps.web-ext-build.outputs.target }}
+          channel: listed
+          apiUrlPrefix: "https://addons.thunderbird.net/api/v4"
+          apiKey: ${{ secrets.ATN_SIGN_KEY }}
+          apiSecret: ${{ secrets.ATN_SIGN_SECRET }}
+
+      - name: "Attach release assets to release"
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release upload ${{ github.event.release.tag_name }} \
+            ${{ steps.web-ext-sign.outputs.target }}
+
 ```