Create publish GitHub Actions workflow

.github/workflows/publish.yml

@@ -0,0 +1,159 @@
+name: Publish on AMO
+
+on:
+  push:
+    tags:
+      - v*.*.*
+
+jobs:
+  build:
+    name: Build web extension
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Node.js
+        uses: actions/setup-node@v3
+        with:
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build web extension source
+        run: npm run build
+
+      - name: Upload web extension source
+        uses: actions/upload-artifact@v4
+        with:
+          name: web-ext-source
+          path: ./web-ext-artifacts/*.zip
+
+  sign:
+    name: Sign web extension
+    runs-on: ubuntu-latest
+    needs:
+      - build
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Download web extension source
+        uses: actions/download-artifact@v4
+        with:
+          name: web-ext-source
+          path: ./web-ext-artifacts/
+
+      - name: Sign web extension source
+        run: |
+          cosign sign-blob \
+            ./web-ext-artifacts/*.zip \
+            --bundle ./web-ext-artifacts/cosign.bundle \
+            --yes
+
+      - name: Upload web extension sign
+        uses: actions/upload-artifact@v4
+        with:
+          name: cosign-bundle
+          path: ./web-ext-artifacts/cosign.bundle
+
+  helpers:
+    name: Build install helpers
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+
+      - name: Build install helper
+        working-directory: ./scripts/install/
+        run: ./build.sh
+
+      - name: Upload install helper artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: install-helper
+          path: ./scripts/install/dist/*
+
+  publish:
+    name: Publish web extension
+    runs-on: ubuntu-latest
+    needs:
+      - build
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Node.js
+        uses: actions/setup-node@v3
+        with:
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Download web extension source
+        uses: actions/download-artifact@v4
+        with:
+          name: web-ext-source
+          path: ./web-ext-artifacts/
+
+      - name: Submit web extension
+        run: npx web-ext sign
+        env:
+          WEB_EXT_USE_SUBMISSION_API: true
+          WEB_EXT_CHANNEL: listed
+          WEB_EXT_API_KEY: ${{ vars.WEB_EXT_API_KEY }}
+          WEB_EXT_API_SECRET: ${{ secrets.WEB_EXT_API_SECRET }}
+          WEB_EXT_NO_INPUT: true
+
+      - name: Upload signed web extension
+        uses: actions/upload-artifact@v4
+        with:
+          name: web-ext
+          path: ./web-ext-artifacts/*.xpi
+
+  release:
+    name: Release on GitHub
+    runs-on: ubuntu-latest
+    needs:
+      - publish
+      - helpers
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: ./web-ext-artifacts/
+          merge-multiple: true
+
+      - name: Create GitHub release
+        run: |
+          if gh release view "${{ github.ref_name }}" >/dev/null 2>&1
+          then
+            echo "Release ${{ github.ref_name }} already exists, skipping..."
+            exit 0
+          fi
+
+          gh release create \
+            "${{ github.ref_name }}" \
+            --title "${{ github.ref_name }}" \
+            --verify-tag
+
+      - name: Attach artifacts to release
+        run: |
+          gh release upload \
+            "${{ github.ref_name }}" \
+            ./web-ext-artifacts/* \
+            --clobber