PowerToys/.github/workflows/msstore-submissions.yml

name: Store submission on release

on:
  workflow_dispatch:
  release:
    types: [published]

permissions:
  id-token: write

jobs:

  microsoft_store:
    name: Publish Microsoft Store
    environment: store
    runs-on: ubuntu-latest
    steps:
      - name: BODGY - Set up Gnome Keyring for future Cert Auth
        run: |-
          sudo apt-get update && sudo apt-get install -y gnome-keyring
          export $(dbus-launch --sh-syntax)
          export $(echo 'anypass_just_to_unlock' | gnome-keyring-daemon --unlock)
          export $(echo 'anypass_just_to_unlock' | gnome-keyring-daemon --start --components=gpg,pkcs11,secrets,ssh)

      - name: Log in to Azure
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          enable-AzPSSession: true

      - name: Get latest URL from public releases
        id: releaseVars
        run: |
          release=$(curl https://api.github.com/repos/Microsoft/PowerToys/releases | jq '[.[]|select(.name | contains("Release"))][0]')
          assets=$(jq -n "$release" | jq '.assets')
          powerToysSetup=$(jq -n "$assets" | jq '[.[]|select(.name | contains("PowerToysUserSetup"))]')
          echo powerToysInstallerX64Url=$(jq -n "$powerToysSetup" | jq -r '[.[]|select(.name | contains("x64"))][0].browser_download_url') >> $GITHUB_OUTPUT
          echo powerToysInstallerArm64Url=$(jq -n "$powerToysSetup" | jq -r '[.[]|select(.name | contains("arm64"))][0].browser_download_url') >> $GITHUB_OUTPUT

      - name: Setup .NET 9.0
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '9.0.x'

      - uses: microsoft/setup-msstore-cli@v1

      - name: Fetch Store Credential
        uses: azure/cli@v2
        with:
          azcliversion: latest
          inlineScript: |-
            az keyvault secret download --vault-name ${{ secrets.AZURE_KEYVAULT_NAME }} -n ${{ secrets.AZURE_AUTH_CERT_NAME }} -f cert.pfx.b64
            base64 -d < cert.pfx.b64 > cert.pfx

      - name: Configure Store Credentials
        run: |-
          msstore reconfigure -cfp cert.pfx -c ${{ secrets.AZURE_CLIENT_ID }} -t ${{ secrets.AZURE_TENANT_ID }} -s ${{ secrets.SELLER_ID }}

      - name: Update draft submission
        run: |-
          msstore submission update ${{ secrets.PRODUCT_ID }} '{
            "packages":[
                {
                  "packageUrl":"${{ steps.releaseVars.outputs.powerToysInstallerX64Url }}",
                  "languages":["zh-hans", "zh-hant", "en", "cs", "nl", "fr", "pt", "pt-br", "de", "hu", "it", "ja", "ko", "pl", "ru", "es", "tr"],
                  "architectures":["X64"],
                  "installerParameters":"/quiet /norestart",
                  "isSilentInstall":true
                },
                {
                  "packageUrl":"${{ steps.releaseVars.outputs.powerToysInstallerArm64Url }}",
                  "languages":["zh-hans", "zh-hant", "en", "cs", "nl", "fr", "pt", "pt-br", "de", "hu", "it", "ja", "ko", "pl", "ru", "es", "tr"],
                  "architectures":["Arm64"],
                  "installerParameters":"/quiet /norestart",
                  "isSilentInstall":true
                }
            ]
          }'

      - name: Publish Submission
        run: |-
          msstore submission publish ${{ secrets.PRODUCT_ID }}

      - name: Clean up auth certificate
        if: always()
        run: |-
          rm -f cert.pfx cert.pfx.b64