verstak/scripts/sign-firefox-xpi.sh

#!/usr/bin/env bash
# sign-firefox-xpi.sh
# Signs the Firefox extension with AMO (Mozilla Add-ons).
# Run from repo root. Reads .env for AMO credentials.
set -euo pipefail

ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "$ROOT_DIR"

if [[ -f ".env" ]]; then
  set -a
  source ".env"
  set +a
fi

SOURCE_DIR="${WEB_EXT_SOURCE_DIR:-extension-firefox}"
ARTIFACTS_DIR="${WEB_EXT_ARTIFACTS_DIR:-web-ext-artifacts}"
CHANNEL="${WEB_EXT_CHANNEL:-unlisted}"

if [[ -z "${WEB_EXT_API_KEY:-}" ]]; then
  echo "ERROR: WEB_EXT_API_KEY is not set. Put AMO JWT issuer into .env" >&2
  exit 1
fi

if [[ -z "${WEB_EXT_API_SECRET:-}" ]]; then
  echo "ERROR: WEB_EXT_API_SECRET is not set. Put AMO JWT secret into .env" >&2
  exit 1
fi

if [[ "$CHANNEL" != "unlisted" ]]; then
  echo "ERROR: only WEB_EXT_CHANNEL=unlisted is allowed for self-distributed Verstak Firefox builds" >&2
  exit 1
fi

if [[ ! -f "$SOURCE_DIR/manifest.json" ]]; then
  echo "ERROR: manifest.json not found in $SOURCE_DIR" >&2
  exit 1
fi

mkdir -p "$ARTIFACTS_DIR"

echo "Linting Firefox extension..."
npx web-ext lint \
  --source-dir "$SOURCE_DIR" \
  --self-hosted

echo "Signing Firefox extension as unlisted/self-distributed XPI..."

SIGN_ARGS=(
  sign
  --source-dir "$SOURCE_DIR"
  --artifacts-dir "$ARTIFACTS_DIR"
  --channel "$CHANNEL"
  --self-hosted
  --api-key "$WEB_EXT_API_KEY"
  --api-secret "$WEB_EXT_API_SECRET"
)

if [[ -n "${WEB_EXT_API_PROXY:-}" ]]; then
  SIGN_ARGS+=(--api-proxy "$WEB_EXT_API_PROXY")
fi

npx web-ext "${SIGN_ARGS[@]}"

SIGNED_XPI="$(find "$ARTIFACTS_DIR" -maxdepth 1 -type f -name '*.xpi' | sort | tail -n 1 || true)"

if [[ -z "$SIGNED_XPI" ]]; then
  echo "ERROR: signed XPI was not created in $ARTIFACTS_DIR" >&2
  exit 1
fi

echo "Signed XPI created:"
echo "$SIGNED_XPI"