chore: prepare verified CRX uploads and release 0.15.4

- Add helper scripts for Chrome Web Store verified CRX uploads using a dedicated RSA upload key protected by GPG. - Document the verified upload packaging flow and ignore local signing secrets. - Add npm packaging entry point for signed webstore CRX artifacts. - Chunk large SDK tab close batches to avoid native-host response timeouts. - Bump project and extension versions to 0.15.4 with matching tests.
2026-06-17 16:54:20 +02:00
parent 0ac652beee
commit 371b794170
10 changed files with 247 additions and 7 deletions
@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  cat <<'EOF'
+Usage: scripts/package_verified_crx.sh [--key FILE.gpg] [--browser COMMAND] [--out FILE.crx]
+
+Builds the Chrome Web Store package and creates a CRX signed with the dedicated
+verified-upload RSA key. The RSA private key is expected to be GPG-encrypted.
+
+Environment alternatives:
+  VERIFIED_CRX_KEY_GPG   Path to encrypted RSA private key
+  CHROME_FOR_PACKING     Browser command with --pack-extension support
+EOF
+}
+
+key_gpg="${VERIFIED_CRX_KEY_GPG:-secrets/verified-crx/chrome-webstore-verified-crx-private-key.pem.gpg}"
+browser_cmd="${CHROME_FOR_PACKING:-}"
+out=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --key)
+      key_gpg="${2:-}"
+      shift 2
+      ;;
+    --browser)
+      browser_cmd="${2:-}"
+      shift 2
+      ;;
+    --out)
+      out="${2:-}"
+      shift 2
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Unknown argument: $1" >&2
+      usage >&2
+      exit 2
+      ;;
+  esac
+done
+
+if [[ ! -f "$key_gpg" ]]; then
+  echo "Encrypted verified CRX key not found: $key_gpg" >&2
+  echo "Create it with: scripts/setup_verified_crx_key.sh --recipient '<your GPG key>'" >&2
+  exit 1
+fi
+
+if [[ -z "$browser_cmd" ]]; then
+  for candidate in google-chrome chrome chromium chromium-browser brave-browser brave; do
+    if command -v "$candidate" >/dev/null 2>&1; then
+      browser_cmd="$candidate"
+      break
+    fi
+  done
+fi
+
+if [[ -z "$browser_cmd" ]]; then
+  echo "No Chromium-based browser with --pack-extension found. Pass --browser or set CHROME_FOR_PACKING." >&2
+  exit 1
+fi
+
+version="$(python - <<'PY'
+import json
+from pathlib import Path
+print(json.loads(Path('extension/manifest.json').read_text())['version'])
+PY
+)"
+out="${out:-dist/browser-cli-extension-webstore-verified-v${version}.crx}"
+
+npm run build:extension
+python scripts/package_extension.py --webstore --out "dist/browser-cli-extension-webstore-v${version}.zip" >/dev/null
+
+staging="$PWD/dist/extension-package-webstore"
+if [[ ! -d "$staging" ]]; then
+  echo "Missing webstore staging directory: $staging" >&2
+  exit 1
+fi
+
+tmp_dir="$(mktemp -d)"
+private_key="$tmp_dir/verified-crx-private-key.pem"
+trap 'rm -rf "$tmp_dir"' EXIT
+
+gpg --decrypt --output "$private_key" "$key_gpg"
+chmod 600 "$private_key"
+
+rm -f "$staging.crx"
+"$browser_cmd" \
+  --pack-extension="$staging" \
+  --pack-extension-key="$private_key" \
+  --no-message-box \
+  --disable-gpu \
+  --no-sandbox >/dev/null
+
+mkdir -p "$(dirname "$out")"
+mv "$staging.crx" "$out"
+
+echo "$out"