feat: local release workflow (signing + version sync); track updates.json; add .env.example

scripts/release-sign.js

@@ -0,0 +1,63 @@
+#!/usr/bin/env node
+/*
+ * Signs an unlisted release via AMO using web-ext and outputs artifacts to releases/<version>/
+ * Requires env: AMO_JWT_ISSUER, AMO_JWT_SECRET
+ */
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+
+const root = path.join(__dirname, '..');
+const pkg = require(path.join(root, 'package.json'));
+const manifest = require(path.join(root, 'manifest.json'));
+
+const issuer = process.env.AMO_JWT_ISSUER;
+const secret = process.env.AMO_JWT_SECRET;
+
+if (!issuer || !secret) {
+  console.error('Missing AMO credentials. Set AMO_JWT_ISSUER and AMO_JWT_SECRET.');
+  process.exit(1);
+}
+
+const addonId = manifest?.applications?.gecko?.id;
+if (!addonId || addonId.includes('example')) {
+  console.error('Invalid add-on id. Set applications.gecko.id in manifest.json to your stable ID.');
+  process.exit(1);
+}
+
+const version = pkg.version;
+if (!version) {
+  console.error('package.json is missing version');
+  process.exit(1);
+}
+
+const outDir = path.join(root, 'releases', version);
+fs.mkdirSync(outDir, { recursive: true });
+
+function run(cmd) {
+  console.log(`> ${cmd}`);
+  execSync(cmd, { stdio: 'inherit' });
+}
+
+try {
+  // Lint before signing
+  run('npx --yes web-ext lint --source-dir .');
+
+  // Sign (unlisted) and place artifacts in releases/<version>
+  const signCmd = [
+    'npx --yes web-ext sign',
+    '--channel=unlisted',
+    `--api-key="${issuer}"`,
+    `--api-secret="${secret}"`,
+    `--id="${addonId}"`,
+    `--artifacts-dir "${outDir}"`,
+  ].join(' ');
+  run(signCmd);
+
+  console.log('\nSigned artifacts written to:', outDir);
+  console.log('Next: host .xpi and update updates.json (if self-hosting updates).');
+} catch (err) {
+  console.error('Release signing failed:', err.message);
+  process.exit(1);
+}
+