fix: SHA-256 checksums in updates.xml + centralized auto-bump

2026-05-26 17:30:43 -05:00
parent 415e58d06c a07d93b6fc
commit 5a8b18ea8d
4 changed files with 51 additions and 21 deletions
@@ -249,25 +249,7 @@ jobs:
          php /tmp/moko-platform-api/cli/badge_update.php --path . --version "${VERSION}" 2>/dev/null || true
          php /tmp/moko-platform-api/cli/version_check.php --path . --fix 2>/dev/null || true

-      - name: "Step 5: Write update stream"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.platform.outputs.platform == 'joomla'
-        run: |
-          VERSION="${{ steps.version.outputs.version }}"
-
-          # Fetch latest updates.xml from main so preserve logic has all channels
-          GA_TOKEN="${{ secrets.GA_TOKEN }}"
-          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
-          curl -sf -H "Authorization: token ${GA_TOKEN}" \
-            "${API}/contents/updates.xml?ref=main" 2>/dev/null | \
-            python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin)['content']).decode())" \
-            > updates.xml 2>/dev/null || true
-
-          php /tmp/moko-platform-api/cli/updates_xml_build.php \
-            --path . --version "${VERSION}" --stability stable \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            --github-output
+      # Step 5 (updates.xml) moved after Step 8 to include SHA-256 checksum

      - name: Commit release changes
        if: >-
@@ -336,6 +318,7 @@ jobs:

      # -- STEP 8: Build packages and upload to release ----------------------------
      - name: "Step 8: Build package and upload"
+        id: package
        if: >-
          steps.version.outputs.skip != 'true' &&
          steps.rc.outputs.promote != 'true'
@@ -348,6 +331,40 @@ jobs:
            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --output /tmp || true

+      # -- STEP 5: Write update stream (after build so SHA-256 is available) -----
+      - name: "Step 5: Write update stream"
+        if: steps.version.outputs.skip != 'true'
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          SHA256="${{ steps.package.outputs.sha256_zip }}"
+
+          # Fetch latest updates.xml from main so preserve logic has all channels
+          GA_TOKEN="${{ secrets.GA_TOKEN }}"
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
+          curl -sf -H "Authorization: token ${GA_TOKEN}" \
+            "${API}/contents/updates.xml?ref=main" 2>/dev/null | \
+            python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin)['content']).decode())" \
+            > updates.xml 2>/dev/null || true
+
+          SHA_FLAG=""
+          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
+
+          php /tmp/moko-platform-api/cli/updates_xml_build.php \
+            --path . --version "${VERSION}" --stability stable \
+            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
+            ${SHA_FLAG} --github-output
+
+          # Commit updates.xml if changed
+          if ! git diff --quiet updates.xml 2>/dev/null; then
+            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+            git config --local user.name "gitea-actions[bot]"
+            git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+            git add updates.xml
+            git commit -m "chore: update stable channel ${VERSION} [skip ci]" \
+              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
+            git push origin HEAD 2>&1 || true
+          fi
+
      # -- STEP 8b: Update release description with changelog ----------------------
      - name: "Step 8b: Update release body"
        if: steps.version.outputs.skip != 'true'
@@ -245,15 +245,20 @@ jobs:
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          STABILITY="${{ steps.meta.outputs.stability }}"
+          SHA256="${{ steps.zip.outputs.sha256 }}"

          if [ ! -f "updates.xml" ]; then
            echo "No updates.xml -- skipping"
            exit 0
          fi

+          SHA_FLAG=""
+          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
+
          php ${MOKO_CLI}/updates_xml_build.php \
            --path . --version "${VERSION}" --stability "${STABILITY}" \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}"
+            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
+            ${SHA_FLAG}

          # Commit and push
          if ! git diff --quiet updates.xml 2>/dev/null; then
@@ -6,7 +6,7 @@ DEFGROUP: MokoStandards.Root
 INGROUP: MokoStandards
 REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 PATH: /README.md
-VERSION: 09.03.00
+VERSION: 09.02.02
 BRIEF: Project overview and documentation
 -->

@@ -485,6 +485,14 @@ file_put_contents($tarSha, "{$tarHash}  {$baseName}.tar.gz\n");

 echo "SHA-256 (ZIP): {$zipHash}\n";
 echo "SHA-256 (TAR): {$tarHash}\n";
+echo "sha256_zip={$zipHash}\n";
+echo "zip_name={$baseName}.zip\n";
+
+// Write to GITHUB_OUTPUT if available
+$ghOutput = getenv('GITHUB_OUTPUT');
+if ($ghOutput) {
+    file_put_contents($ghOutput, "sha256_zip={$zipHash}\nzip_name={$baseName}.zip\n", FILE_APPEND);
+}

 // ── Get release ID from tag ──────────────────────────────────────────────────