From 49b37ff1e2706f3f979f4dcebbdee7722f0e7d68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Saparelli?= <felix@passcod.name>
Date: Tue, 26 Sep 2023 19:47:25 +1300
Subject: [PATCH] Revert "release: cargo-binstall v1.4.0" and fix (#1398)

* Revert "release: cargo-binstall v1.4.0 (#1397)"

This reverts commit 99e825601808dedbbfd4c2c17360f43ae5e5688c.

* --allow-dirty on publish

* Remove private key file after generation

* Write public key file to bin crate and to package

* Upload public key file to release
---
 .github/scripts/ephemeral-gen.sh    |  6 ++++++
 .github/workflows/release-build.yml | 23 +++++++++++++++++++++++
 .github/workflows/release.yml       | 12 +++++++++++-
 Cargo.lock                          |  2 +-
 crates/bin/Cargo.toml               |  2 +-
 crates/bin/windows.manifest         |  2 +-
 justfile                            |  1 +
 7 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/.github/scripts/ephemeral-gen.sh b/.github/scripts/ephemeral-gen.sh
index 065b4673..806cf02c 100755
--- a/.github/scripts/ephemeral-gen.sh
+++ b/.github/scripts/ephemeral-gen.sh
@@ -11,6 +11,12 @@ algorithm = "minisign"
 pubkey = "$(tail -n1 minisign.pub)"
 EOF
 
+echo "public=$(tail -n1 minisign.pub)" >> "$GITHUB_OUTPUT"
+cp minisign.pub crates/bin/minisign.pub
+
 set +x
 echo "::add-mask::$(tail -n1 minisign.key)"
 echo "private=$(tail -n1 minisign.key)" >> "$GITHUB_OUTPUT"
+set -x
+
+rm minisign.key
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index 0b2c20a1..ae7f5f4d 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -8,6 +8,10 @@ on:
         description: "Set to the release metadata JSON to publish the release"
         required: false
         type: string
+      publickey:
+        description: "Minisign public key. Required when publishing"
+        required: false
+        type: string
       CARGO_PROFILE_RELEASE_LTO:
         description: "Set to override default release profile lto settings"
         required: false
@@ -65,6 +69,15 @@ jobs:
       if: inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS
       run: echo "CARGO_PROFILE_RELEASE_CODEGEN_UNITS=${{ inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS }}" >> "$GITHUB_ENV"
 
+    - name: Include public key in package
+      if: inputs.publickey
+      env:
+        PUBLIC_KEY: ${{ inputs.publickey }}
+      shell: bash
+      run: |
+        echo "untrusted comment: minisign public key" > minisign.pub
+        cat >> minisign.pub <<< "$PUBLIC_KEY"
+
     - uses: ./.github/actions/just-setup
       with:
         tools: cargo-auditable
@@ -94,6 +107,7 @@ jobs:
     - if: inputs.publish
       env:
         SIGNING_KEY: ${{ secrets.signingkey }}
+      shell: bash
       run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-*
 
     - if: inputs.publish
@@ -131,6 +145,15 @@ jobs:
     steps:
     - uses: actions/checkout@v4
 
+    - name: Include public key in package
+      if: inputs.publickey
+      env:
+        PUBLIC_KEY: ${{ inputs.publickey }}
+      shell: bash
+      run: |
+        echo "untrusted comment: minisign public key" > minisign.pub
+        cat >> minisign.pub <<< "$PUBLIC_KEY"
+
     - uses: taiki-e/install-action@v2
       with:
         tool: just
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4e694e7d..7b189b2d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -61,8 +61,17 @@ jobs:
       env:
         crate: ${{ needs.info.outputs.crate }}
         CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
-      run: cargo publish -p "$crate"
+      run: cargo publish -p "$crate" --allow-dirty
+    - name: Upload public key to release
+      uses: svenstaro/upload-release-action@v2
+      with:
+        repo_token: ${{ secrets.GITHUB_TOKEN }}
+        release_name: v${{ needs.info.outputs.version }}
+        tag: v${{ needs.info.outputs.version }}
+        body: ${{ needs.info.outputs.notes }}
+        file: minisign.pub
     outputs:
+      publickey: ${{ steps.keypair.outputs.public }}
       signingkey: ${{ steps.keypair.outputs.private }}
 
   package:
@@ -73,5 +82,6 @@ jobs:
     uses: ./.github/workflows/release-build.yml
     with:
       publish: ${{ toJSON(needs.info.outputs) }}
+      publickey: ${{ needs.clitag.publickey }}
     secrets:
       signingkey: ${{ needs.clitag.signingkey }}
diff --git a/Cargo.lock b/Cargo.lock
index 34c625dc..198d7f54 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -512,7 +512,7 @@ dependencies = [
 
 [[package]]
 name = "cargo-binstall"
-version = "1.4.0"
+version = "1.3.1"
 dependencies = [
  "binstalk",
  "binstalk-manifests",
diff --git a/crates/bin/Cargo.toml b/crates/bin/Cargo.toml
index 0f7ed0af..c339cddd 100644
--- a/crates/bin/Cargo.toml
+++ b/crates/bin/Cargo.toml
@@ -3,7 +3,7 @@ name = "cargo-binstall"
 description = "Rust binary package installer for CI integration"
 repository = "https://github.com/cargo-bins/cargo-binstall"
 documentation = "https://docs.rs/cargo-binstall"
-version = "1.4.0"
+version = "1.3.1"
 rust-version = "1.65.0"
 authors = ["ryan <ryan@kurte.nz>"]
 edition = "2021"
diff --git a/crates/bin/windows.manifest b/crates/bin/windows.manifest
index c2146eba..afd1f81e 100644
--- a/crates/bin/windows.manifest
+++ b/crates/bin/windows.manifest
@@ -3,7 +3,7 @@
 	<assemblyIdentity
 		type="win32"
 		name="Binstall.Cli.binstall"
-		version="1.4.0.0"
+		version="1.3.1.0"
 	/>
 
 	<trustInfo>
diff --git a/justfile b/justfile
index 4c654d72..dada41ef 100644
--- a/justfile
+++ b/justfile
@@ -289,6 +289,7 @@ package-dir:
     mkdir -p packages/prep
     cp crates/bin/LICENSE packages/prep
     cp README.md packages/prep
+    -cp minisign.pub packages/prep
 
 [macos]
 package-prepare: build package-dir