[build] Workflow to automate GitHub releases when a version tag is pushed.

Author: hackademix

.github/workflows/manage-releases.yml

@@ -0,0 +1,250 @@
+# .github/workflows/manage-releases.yml
+
+# Copyright (C) 2005-2026 Giorgio Maone <https://maone.net>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Triggered by *1984 tags pushed by tools/deploy2tor.sh.
+#
+# For the current tag:
+#   - Creates a GitHub Release named after the regular version (no 1984 suffix)
+#   - Attaches the XPI from dist.torproject.org              (always present)
+#   - Attaches the AMO XPI from secure.informaction.com     (if already uploaded)
+#   - Attaches the Chrome ZIP from secure.informaction.com  (if already uploaded)
+#
+# Additionally, for pre-release tags only:
+#   - Derives the corresponding stable version (strips trailing .9xx from VER)
+#     and finds its GitHub release
+#   - If it is missing the AMO XPI, checks informaction.com and uploads
+#     it if now available
+#
+# Required secrets: only the automatic GITHUB_TOKEN.
+
+name: Manage releases
+
+on:
+  push:
+    tags:
+      - '*1984'
+
+jobs:
+  release:
+    name: Create / update current release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    outputs:
+      version:    ${{ steps.meta.outputs.version }}
+      prerelease: ${{ steps.meta.outputs.prerelease }}
+
+    steps:
+      - name: Derive version and pre-release flag
+        id: meta
+        run: |
+          TOR_TAG="${GITHUB_REF_NAME}"
+          echo "tor_tag=${TOR_TAG}" >> "$GITHUB_OUTPUT"
+
+          # Strip the Tor suffix to obtain the regular version.
+          # Stable:     13.6.15.1984     → 13.6.15   (strip .1984)
+          # Pre:        13.6.15.90101984 → 13.6.15.901 (strip 01984)
+          # Both cases share "01984" at the tail; stable also has a leading dot.
+          VER="${TOR_TAG%01984}"
+          VER="${VER%.1984}"
+          echo "version=${VER}" >> "$GITHUB_OUTPUT"
+
+          # Stable = suffix is exactly ".1984" or ".01984"; anything else is pre.
+          SUFFIX="${TOR_TAG#"${VER}"}"
+          if [[ "$SUFFIX" =~ ^\.0?1984$ ]]; then
+            echo "prerelease=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "prerelease=true"  >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Extract changelog from regular tag annotation
+        id: changelog
+        env:
+          VER: ${{ steps.meta.outputs.version }}
+        run: |
+          COMMIT=$(git rev-parse HEAD)
+
+          # Try VER as-is, then with trailing .0 components stripped
+          # (handles the 13.5.0.1984 → regular tag "13.5" case).
+          VER_SHORT="${VER%.0}"
+          VER_SHORTER="${VER_SHORT%.0}"
+
+          REG_TAG=""
+          for candidate in "$VER" "v$VER" "$VER_SHORT" "v$VER_SHORT" \
+                           "$VER_SHORTER" "v$VER_SHORTER"; do
+            if git tag --points-at "$COMMIT" | grep -qxF "$candidate"; then
+              REG_TAG="$candidate"
+              break
+            fi
+          done
+
+          if [[ -z "$REG_TAG" ]]; then
+            echo "No regular tag found on this commit for '$VER'; changelog will be empty." >&2
+            touch /tmp/changelog.md
+          else
+            git tag -l --format='%(contents)' "$REG_TAG" > /tmp/changelog.md
+            echo "Using annotation from tag '$REG_TAG'."
+          fi
+
+      - name: Download XPI from dist.torproject.org
+        id: tor_xpi
+        env:
+          TOR_TAG: ${{ steps.meta.outputs.tor_tag }}
+        run: |
+          FILE="noscript-${TOR_TAG}.xpi"
+          URL="https://dist.torproject.org/torbrowser/noscript/${FILE}"
+          echo "Downloading ${URL}"
+          curl -fsSL --retry 3 -o "$FILE" "$URL"
+          ls -lh "$FILE"
+          echo "file=${FILE}" >> "$GITHUB_OUTPUT"
+          echo "label=${FILE}#auto-updated from torproject.org" >> "$GITHUB_OUTPUT"
+
+      - name: Download AMO XPI from informaction.com
+        id: amo_xpi
+        env:
+          VER:        ${{ steps.meta.outputs.version }}
+          PRERELEASE: ${{ steps.meta.outputs.prerelease }}
+        run: |
+          FILE="noscript-${VER}.xpi"
+          if [[ "$PRERELEASE" == "true" ]]; then
+            SUBPATH="betas"
+            LABEL_SOURCE="mozilla.org"
+          else
+            SUBPATH="releases"
+            LABEL_SOURCE="informaction.com"
+          fi
+          URL="https://secure.informaction.com/download/${SUBPATH}/${FILE}"
+          echo "Trying ${URL}"
+          if curl -fsSL --retry 3 -o "$FILE" "$URL" 2>/dev/null; then
+            ls -lh "$FILE"
+            echo "found=true"                                          >> "$GITHUB_OUTPUT"
+            echo "file=${FILE}"                                        >> "$GITHUB_OUTPUT"
+            echo "label=${FILE}#auto-updated from ${LABEL_SOURCE}"    >> "$GITHUB_OUTPUT"
+          else
+            echo "AMO XPI not yet available at ${URL}, skipping."
+            echo "found=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Download Chrome ZIP from informaction.com
+        id: chrome_zip
+        env:
+          VER:        ${{ steps.meta.outputs.version }}
+          PRERELEASE: ${{ steps.meta.outputs.prerelease }}
+        run: |
+          FILE="noscript-${VER}-chrome.zip"
+          if [[ "$PRERELEASE" == "true" ]]; then
+            SUBPATH="betas"
+          else
+            SUBPATH="releases"
+          fi
+          URL="https://secure.informaction.com/download/${SUBPATH}/${FILE}"
+          echo "Trying ${URL}"
+          if curl -fsSL --retry 3 -o "$FILE" "$URL" 2>/dev/null; then
+            ls -lh "$FILE"
+            echo "found=true"  >> "$GITHUB_OUTPUT"
+            echo "file=${FILE}" >> "$GITHUB_OUTPUT"
+          else
+            echo "Chrome ZIP not yet available at ${URL}, skipping."
+            echo "found=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create / update GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name:   ${{ steps.meta.outputs.tor_tag }}
+          name:       ${{ steps.meta.outputs.version }}
+          prerelease: ${{ steps.meta.outputs.prerelease }}
+          body_path:  /tmp/changelog.md
+          files: |
+            ${{ steps.tor_xpi.outputs.file }}
+            ${{ steps.amo_xpi.outputs.found == 'true' && steps.amo_xpi.outputs.file || '' }}
+            ${{ steps.chrome_zip.outputs.found == 'true' && steps.chrome_zip.outputs.file || '' }}
+
+  # ── Backfill AMO XPI on the corresponding stable release ─────────────────
+  #
+  # Only runs for pre-release tags. For a tag like 13.5.2.90101984, VER is
+  # "13.5.2.901" — the trailing .9xx is stripped to derive the stable base
+  # version "13.5.2", whose release is then checked and patched if needed.
+  # Stable tags are excluded because the release job already handles attaching
+  # the AMO XPI (if available) at creation time.
+  backfill-stable-amo:
+    name: Backfill AMO XPI on corresponding stable release
+    needs: release
+    if: needs.release.outputs.prerelease == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - name: Check and backfill AMO XPI if missing
+        env:
+          GH_TOKEN:   ${{ secrets.GITHUB_TOKEN }}
+          VER:        ${{ needs.release.outputs.version }}
+          PRERELEASE: ${{ needs.release.outputs.prerelease }}
+        run: |
+          # Derive the stable base version:
+          # - stable tag   (13.5.2.1984)    → VER=13.5.2       → STABLE_VER=13.5.2
+          # - pre tag      (13.5.2.90101984) → VER=13.5.2.901  → STABLE_VER=13.5.2
+          # Strip any trailing .9xx component to reach the stable version.
+          LAST_COMPONENT="${VER##*.}"
+          if [[ "$LAST_COMPONENT" =~ ^9[0-9]{2,}$ ]]; then
+            STABLE_VER="${VER%.*}"
+          else
+            STABLE_VER="$VER"
+          fi
+
+          echo "Stable base version to check: ${STABLE_VER}"
+
+          # Find the GitHub release whose name matches STABLE_VER.
+          STABLE_TAG=$(gh release list \
+                         --repo "$GITHUB_REPOSITORY" \
+                         --limit 100 \
+                         --json tagName,name,isPrerelease \
+                         --jq \
+                           --arg sv "$STABLE_VER" \
+                           '[.[] | select(.isPrerelease == false)
+                                 | select(.name == $sv)] | first | .tagName' \
+                       2>/dev/null || true)
+
+          if [[ -z "$STABLE_TAG" || "$STABLE_TAG" == "null" ]]; then
+            echo "No stable GitHub release found for version '${STABLE_VER}', nothing to backfill."
+            exit 0
+          fi
+
+          echo "Stable release tag: ${STABLE_TAG}"
+
+          # Check whether it already has the AMO XPI asset.
+          HAS_AMO=$(gh release view "$STABLE_TAG" \
+                      --repo "$GITHUB_REPOSITORY" \
+                      --json assets \
+                      --jq \
+                        --arg f "noscript-${STABLE_VER}.xpi" \
+                        '.assets[] | select(.name == $f) | .name' \
+                    2>/dev/null || true)
+
+          if [[ -n "$HAS_AMO" ]]; then
+            echo "Release '${STABLE_TAG}' already has the AMO XPI, nothing to do."
+            exit 0
+          fi
+
+          FILE="noscript-${STABLE_VER}.xpi"
+          URL="https://secure.informaction.com/download/releases/${FILE}"
+          echo "AMO XPI missing from '${STABLE_TAG}', checking ${URL} ..."
+
+          if curl -fsSL --retry 3 -o "$FILE" "$URL" 2>/dev/null; then
+            ls -lh "$FILE"
+            gh release upload "$STABLE_TAG" "$FILE" \
+              --repo "$GITHUB_REPOSITORY" \
+              --clobber
+            echo "Uploaded ${FILE} to release ${STABLE_TAG}."
+          else
+            echo "AMO XPI for '${STABLE_VER}' not yet available at ${URL}, skipping."
+          fi

build.sh

@@ -4,7 +4,7 @@
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-BASE="$PWD"
+BASE="$(git rev-parse --show-toplevel)"
 SRC="$BASE/src"
 BUILD="$BASE/build"
 MANIFEST_IN="$SRC/manifest.json"

tools/backfill-tor-tags.sh

@@ -0,0 +1,123 @@
+#! /usr/bin/env bash
+# backfill-tor-tags.sh
+#
+
+# Copyright (C) 2005-2026 Giorgio Maone <https://maone.net>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+#!/usr/bin/env bash
+# backfill-tor-tags.sh
+#
+# For every XPI on dist.torproject.org/torbrowser/noscript/ that does NOT
+# already have a corresponding *1984 git tag in this repo, find the commit
+# that matches the regular version tag and push a new *1984 tag to origin.
+#
+# Run from the root of the noscript git repo.
+# Usage: bash tools/backfill-tor-tags.sh [--dry-run]
+
+set -euo pipefail
+
+DRY_RUN=0
+[[ "${1:-}" == "--dry-run" ]] && DRY_RUN=1
+
+BASE="$(git rev-parse --show-toplevel)"
+TOR_INDEX_URL="https://dist.torproject.org/torbrowser/noscript/"
+
+echo "Fetching Tor dist index..."
+INDEX=$(curl -fsSL "$TOR_INDEX_URL")
+
+TOR_TAGS=$(echo "$INDEX" \
+  | grep -oP '(?<=noscript-)[\d.]+1984(?=\.xpi)' \
+  | sort -V \
+  | uniq)
+
+if [[ -z "$TOR_TAGS" ]]; then
+  echo "ERROR: No *1984 XPI versions found in index. Check URL or page format." >&2
+  exit 1
+fi
+
+echo "Found $(echo "$TOR_TAGS" | wc -l) Tor XPI version(s) on dist.torproject.org."
+
+git -C "$BASE" fetch --tags --quiet origin 2>/dev/null || true
+EXISTING_TAGS=$(git -C "$BASE" tag -l)
+
+skipped=0; tagged=0; missing_regular=0; already=0
+
+for TOR_TAG in $TOR_TAGS; do
+
+  if echo "$EXISTING_TAGS" | grep -qxF "$TOR_TAG"; then
+    echo "SKIP (already tagged): $TOR_TAG"
+    (( already++ )) || true
+    continue
+  fi
+
+  # Derive the regular version from the Tor tag.
+  # The Tor suffix is always "0?1984" where the boundary with the regular
+  # version is:
+  #   - a dot for stable releases:     13.6.15.1984     → 13.6.15
+  #                                    13.5.902.1984    → 13.5.902
+  #   - a literal 0 for pre-releases:  13.6.15.90101984 → 13.6.15.901
+  #                                    13.5.1.90201984  → 13.5.1.902
+  # Pre-release tags end in 0…1984 (e.g. 90101984); stable tags end in .1984.
+  # Two suffix strips cover both; each is a no-op on the other case.
+  VER="${TOR_TAG%01984}"
+  VER="${VER%.1984}"
+
+  if [[ "$VER" == "$TOR_TAG" ]]; then
+    echo "SKIP (unexpected format, could not derive regular version): $TOR_TAG" >&2
+    (( skipped++ )) || true
+    continue
+  fi
+
+  # The regular tag may omit trailing .0 components (e.g. tor "13.5.0.1984"
+  # → VER "13.5.0" but regular tag is just "13.5"), so also try with those stripped.
+  VER_SHORT="${VER%.0}"  # strip one trailing .0; repeat for pathological cases
+  VER_SHORTER="${VER_SHORT%.0}"
+
+  REG_TAG=""
+  for candidate in "$VER" "v$VER" "$VER_SHORT" "v$VER_SHORT" "$VER_SHORTER" "v$VER_SHORTER"; do
+    if echo "$EXISTING_TAGS" | grep -qxF "$candidate"; then
+      REG_TAG="$candidate"
+      break
+    fi
+  done
+
+  if [[ -z "$REG_TAG" ]]; then
+    echo "SKIP (no regular tag for '$VER'): $TOR_TAG"
+    (( missing_regular++ )) || true
+    continue
+  fi
+
+  COMMIT=$(git -C "$BASE" rev-list -n1 "$REG_TAG" 2>/dev/null || true)
+  if [[ -z "$COMMIT" ]]; then
+    echo "SKIP (cannot resolve commit for tag '$REG_TAG'): $TOR_TAG" >&2
+    (( skipped++ )) || true
+    continue
+  fi
+
+  echo "TAGGING $TOR_TAG → $COMMIT (regular tag: $REG_TAG)"
+
+  if [[ $DRY_RUN -eq 1 ]]; then
+    echo "  [dry-run] git tag '$TOR_TAG' '$COMMIT'"
+    echo "  [dry-run] git push origin '$TOR_TAG'"
+  else
+    git -C "$BASE" tag "$TOR_TAG" "$COMMIT"
+    git -C "$BASE" push origin "$TOR_TAG"
+    echo "  ✓ pushed $TOR_TAG"
+  fi
+
+  (( tagged++ )) || true
+
+done
+
+echo ""
+echo "Done."
+echo "  Already had tag : $already"
+echo "  Newly tagged    : $tagged"
+echo "  No regular tag  : $missing_regular"
+echo "  Skipped (other) : $skipped"
+
+if [[ $missing_regular -gt 0 ]]; then
+  echo "$missing_regular Tor version(s) had no matching regular git tag (likely pre-repo history)."
+fi