Add Github Action winget-releaser

[jo-chemla]

In relation to #66

This github action requires

• to create a Classic Github Token with public_repo scope is created, following this link
• to add the Token to the repo as a secret named WINGET_ACC_TOKEN.
• See below, that user also will have to fork the winget-pkgs repository.

Needs a classic GitHub token to submit PRs to winget-pkgs. This should be a classic token with the public_repo scope.
Whilst Komac can fully create manifests and commit with a fine-grained token, it fails to create a pull request to winget-pkgs. This may change as fine-grained tokens improve. See russellbanks/Komac#310.

[kleisauke]

I would prefer not to create a personal access token (PAT) for automatically submitting PRs on https://github.com/microsoft/winget-pkgs, as that would make me personally accountable for all automated changes and could introduce security risks. Furthermore, redistributing binaries outside this repository is beyond my scope.

[jo-chemla]

Thanks for getting back so fast. Understood that you do not want to create a PAT.
Note that

• once this token gets created you can only see it once
• and once it gets registered as a secret of the repo, it is not retrievable anymore even by you or other repo managers, and automatically obfuscated from action runs logs. It is only known to github for running the action, and they seem to enforce the rules necessary to avoid these secrets leaking.

Do you think other members of libvips team like john share the same mindset regarding using a PAT? If so, please do not hesitate to close this PR. Letting the community push manually new releases to the winget package repository would still probably end up with libvips winget package being almost up-to-date.

And thanks for all the hard work!

[lovell]

Hi Jo, thanks for the PR, would you be willing and able to become the "official" winget libvips maintainer? If so, perhaps we could do this from a separate repo?

[jo-chemla]

Thanks both for getting back.
To be fair, I've submitted this kind of PR (winget-releaser github actions) to a fair amount of packages I rely on, and this is only the second time the package author do not want to maintain the winget package updates - and I totally understand and respect that decision.

I've tried various ways of automating things on my side (building and publishing the libvips windows builds), but in the end I'd rather have the libvips winget package manifest have an installer url that points to the github release on the official libvips repo rather than my fork for various reasons, trust/security being one of them.

Since it's probably better to not make me one of the repo team member, I finally found an alternative github action workflow, winget-updater which also relies on Komac. I already have a winget-pkgs fork, and added a workflow in it, which will run periodically via cron, and pushes latest libvips github release to winget repo PR if its version is more recent than current winget package version. It's here if you want to have a look.

This means we can close this PR if you want to proceed this way!

[kleisauke]

Perhaps wingetbot could automatically submit updates for the libvips WinGet package? This would be similar to how Homebrew automates updates (see e.g. PR Homebrew/homebrew-core#252039). Discussion microsoft/winget-pkgs#306524 could be relevant here.

[jo-chemla]

Good question, I don't know about using wingetbot for submitting the package, this PR uses the winget-releaser github action in the workflow, that requires PAT. Note in the meantime I created that cron github workflow based on michidk/winget-updater that daily fetches the latest libvips builds and push release to winget-pkgs if an update is available.

Wait a minute, if I recall correctly, there were some repo/orgs that created and added a team-member to the org/repo scope specifically for creating the PAT and calling the workflow, via the fork_user option. Would this suit your needs?

Just got this from the winget-releaser docs

Option	Description	Notes
fork-user (Optional)	The GitHub user where winget-pkgs fork is present. This fork will be used to create PR at WinGet Community Repository.	Default: ${{ github.repository_owner }} # repository owner Example: dotnet-winget-bot

[kleisauke]

I'll close. The best path forward is to teach wingetbot to automatically submit updates for the libvips WinGet package.

Note to self: investigate renaming our w32 and w64 packages to x86 (or ia32) and x64, see:
https://github.com/microsoft/winget-pkgs/blob/3b481fd2274f3fc79c3cdfefac72e2e8548c872d/Tools/YamlCreate.ps1#L645-L657
(this may help avoid opening PRs like microsoft/winget-pkgs#323211)