From 657f631441f91634f36889a7746e5fc536c40bfe Mon Sep 17 00:00:00 2001
From: insomnia1102
Date: Tue, 10 Feb 2026 10:12:23 +0700
Subject: [PATCH] fix: adopt caido/action-release for immutable releases without v-prefix tags

- Switch from tag-push trigger to workflow_dispatch
- Use caido/action-release@v1 with immutableCreate
- Extract version from manifest.json for tag name (no v prefix)
- Add branch guard and signing validation
- Update README releasing instructions

Co-authored-by: Cursor
---
 .github/workflows/release.yml | 52 +++++++++++++++++++++++++----------
 README.md | 4 +--
 2 files changed, 40 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d23f147..5f57b45 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,22 +1,32 @@
 name: Release
 on:
- push:
- tags:
- - 'v*'
+ workflow_dispatch:
+
+env:
+ NODE_VERSION: 20
 jobs:
 release:
+ name: Release
 runs-on: ubuntu-latest
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@v4
+ - name: Verify main branch
+ run: |
+ if [[ "${{ github.ref_name }}" != "main" ]]; then
+ echo "Release can only be done on the main branch."
+ exit 1
+ fi
+
+ - name: Checkout project
+ uses: actions/checkout@v4
- - name: Install Node.js
+ - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
- node-version: 20
+ node-version: ${{ env.NODE_VERSION }}
 - name: Install dependencies
 run: npm install
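Review bot: The Verify main branch step compares `github.ref_name`, which is the short name of either a branch or a tag, so a dispatch from a tag that happens to be named `main` would presumably pass the guard; comparing the full ref closes that gap. The value is also pasted into the script text by `${{ … }}` before bash parses it, which is the interpolation pattern GitHub's workflow-hardening guidance advises against for ref names. I would hand it over through the environment instead: give the step `env:` with `REF: ${{ github.ref }}` and test `if [[ "$REF" != "refs/heads/main" ]]; then`. A short comment above the step saying that the guard exists because `workflow_dispatch` lets the caller pick any ref would also help the next maintainer.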
@@ -25,14 +35,28 @@ jobs:
 run: npm run build
 - name: Sign plugin
+ working-directory: dist
+ run: |
+ if [[ -z "${{ secrets.PRIVATE_KEY }}" ]]; then
+ echo "Set an ed25519 key as PRIVATE_KEY in GitHub Action secret to sign."
+ exit 1
+ fi
+ echo "${{ secrets.PRIVATE_KEY }}" > private_key.pem
+ openssl pkeyutl -sign -inkey private_key.pem -out plugin_package.zip.sig -rawin -in plugin_package.zip
+ rm private_key.pem
+
+ - name: Check version
+ id: meta
+ working-directory: dist
 run: |
- trap 'rm private.pem' EXIT
- echo "${{ secrets.PRIVATE_KEY }}" > private.pem
- openssl pkeyutl -sign -inkey private.pem -out plugin_package.zip.sig -rawin -in dist/plugin_package.zip
+ VERSION=$(unzip -p plugin_package.zip manifest.json | jq -r .version)
+ echo "version=${VERSION}" >> $GITHUB_OUTPUT
- - name: Create Release
- uses: softprops/action-gh-release@v2
+ - name: Create release
+ uses: caido/action-release@v1
 with:
- files: |
- dist/plugin_package.zip
- plugin_package.zip.sig
+ tag: ${{ steps.meta.outputs.version }}
+ commit: ${{ github.sha }}
+ body: 'Release ${{ steps.meta.outputs.version }}'
+ artifacts: 'dist/plugin_package.zip,dist/plugin_package.zip.sig'
+ immutableCreate: true
diff --git a/README.md b/README.md
index 8fe3ebb..b165dd2 100644
--- a/README.md
+++ b/README.md
@@ -55,8 +55,8 @@ bun run package
 1. Bump `version` in both `package.json` and `manifest.json`.
 2. Commit and push to `main`.
-3. Tag and push: `git tag v1.2.x && git push origin v1.2.x`.
-4. GitHub Actions builds, signs, and publishes the release.
+3. Go to **Actions** > **Release** > **Run workflow** (on `main` branch).
+4. GitHub Actions builds, signs, and publishes an immutable release tagged with the version from `manifest.json`.
 ## Credits
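Review bot: The rewritten Sign plugin step can leave the private key on disk, because the `trap 'rm private.pem' EXIT` cleanup was replaced by a trailing `rm private_key.pem` that is not reached when `openssl` fails under the runner's default fail-fast shell, and the key is now written inside `dist/`, next to the files that get published. The secret is also expanded by `${{ secrets.PRIVATE_KEY }}` straight into the script text; passing it through `env:` and writing it to a `mktemp` file under `$RUNNER_TEMP` with a restrictive umask and an EXIT trap keeps it out of both the script and the artifact directory, as sketched below. In the Check version step, `jq -r .version` prints `null` when the field is missing, so the value should be checked before it becomes the tag, e.g. `[[ -n "$VERSION" && "$VERSION" != "null" ]] || exit 1`, and `"$GITHUB_OUTPUT"` should be quoted. `caido/action-release@v1` runs in a job with `contents: write` and is referenced by a movable tag; pinning it to a full commit SHA would stop the release path from changing underneath the workflow.

```yaml
      - name: Sign plugin
        working-directory: dist
        env:
          PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
        run: |
          if [[ -z "$PRIVATE_KEY" ]]; then
            # … unchanged: error message and exit 1 …
          fi
          umask 077
          key_file="$(mktemp "$RUNNER_TEMP/signing-key.XXXXXX")"
          trap 'rm -f "$key_file"' EXIT
          printf '%s\n' "$PRIVATE_KEY" > "$key_file"
          openssl pkeyutl -sign -inkey "$key_file" -out plugin_package.zip.sig -rawin -in plugin_package.zip
```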