From 18f45864b78abece153f487d7e29902d90ef23cd Mon Sep 17 00:00:00 2001
From: Seth Van Niekerk
Date: Sun, 22 Mar 2026 13:47:30 -0400
Subject: [PATCH 1/2] Add public key change detection

---
 .github/scripts/validate/detect-changes.sh | 5 +++++
 .github/workflows/validate-plugin.yml | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/scripts/validate/detect-changes.sh b/.github/scripts/validate/detect-changes.sh
index 7a11ac4..bcf2298 100755
--- a/.github/scripts/validate/detect-changes.sh
+++ b/.github/scripts/validate/detect-changes.sh
@@ -69,12 +69,17 @@ if [[ -z "$PLUGIN_LIST" ]]; then
 fi
 if [[ "$(has_write_access "$PR_AUTHOR")" -eq 1 ]]; then
   # Repo maintainer with no plugin changes - skip plugin validation entirely and pass
+  PUB_KEY_CHANGED=false
+  if echo "$OUTSIDE_CHANGES" | grep -q "^\.github/scripts/keys/dispatcharr-plugins\.pub$"; then
+    PUB_KEY_CHANGED=true
+  fi
   echo "matrix=[]" >> "$GITHUB_OUTPUT"
   echo "plugin_count=0" >> "$GITHUB_OUTPUT"
   echo "close_pr=false" >> "$GITHUB_OUTPUT"
   echo "close_reason=" >> "$GITHUB_OUTPUT"
   echo "skip_validation=true" >> "$GITHUB_OUTPUT"
   echo "outside_violation=false" >> "$GITHUB_OUTPUT"
+  echo "pub_key_changed=$PUB_KEY_CHANGED" >> "$GITHUB_OUTPUT"
   echo "No plugin changes detected - skipping plugin validation (author has write access)."
   exit 0
 fi
diff --git a/.github/workflows/validate-plugin.yml b/.github/workflows/validate-plugin.yml
index 903e3f8..719c02c 100644
--- a/.github/workflows/validate-plugin.yml
+++ b/.github/workflows/validate-plugin.yml
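Review bot: The key-path check pipes `OUTSIDE_CHANGES` through `echo` into a regex, which is more fragile than a fixed path needs; `if grep -qxF -- '.github/scripts/keys/dispatcharr-plugins.pub' <<<"$OUTSIDE_CHANGES"; then` matches the whole line literally and drops both the backslash escaping and the echo pipeline. `pub_key_changed` is also written only on this maintainer early-exit path, so the script's other exit paths (outside the hunk) presumably leave it unset; the workflow's `== 'true'` comparison tolerates an empty value, but emitting `pub_key_changed=false` next to the other outputs on those paths keeps the output set uniform and makes the report job's condition easier to reason about. Since this branch is reached only when the author has write access, a one-line comment stating that a public-key change from a non-maintainer is handled by the outside-changes path above (if that is indeed the case) would save the next reader from checking.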
@@ -401,7 +401,7 @@ jobs:
   # --------------------------------------------------------------------------
   report:
     needs: [detect-changes, validate-plugin, codeql-analyze]
-    if: always() && needs.detect-changes.result == 'success' && needs.detect-changes.outputs.close_pr == 'false' && needs.detect-changes.outputs.skip_validation != 'true'
+    if: always() && needs.detect-changes.result == 'success' && needs.detect-changes.outputs.close_pr == 'false' && (needs.detect-changes.outputs.skip_validation != 'true' || needs.detect-changes.outputs.pub_key_changed == 'true')
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:

From fd7c4122677b07b87f5b13038f7aad506ea98b07 Mon Sep 17 00:00:00 2001
From: Seth Van Niekerk
Date: Sun, 22 Mar 2026 13:54:08 -0400
Subject: [PATCH 2/2] Update report script to clarify regeneration of embedded signatures in manifest.json

---
 .github/scripts/validate/report.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/scripts/validate/report.sh b/.github/scripts/validate/report.sh
index 39ce957..6f0d417 100755
--- a/.github/scripts/validate/report.sh
+++ b/.github/scripts/validate/report.sh
@@ -135,7 +135,7 @@ done
   echo "**Before merging, confirm:**"
   echo "- The corresponding private key and passphrase secrets (\`GPG_PRIVATE_KEY\`, \`GPG_PASSPHRASE\`) have been updated in the repository settings."
   echo "- The new public key has been bundled into the Dispatcharr application."
-  echo "- Existing \`.sig\` files on the \`releases\` branch will be regenerated on next publish."
+  echo "- Existing embedded signatures in \`manifest.json\` files on the \`releases\` branch will be regenerated on next publish."
   echo ""
 fi
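Review bot: The widened `if:` makes the `report` job run on the maintainer skip path whenever the public key changed, and on that path `validate-plugin` and `codeql-analyze` are presumably skipped rather than executed, so the report steps (outside this hunk) must treat `needs.*.result == 'skipped'` and absent outputs as a non-failure rather than reporting a broken run. That intent is not visible from the expression alone; a comment above it such as `# Also run when only the signing public key changed so the key-rotation checklist is posted` would make it explicit. `pub_key_changed` is compared as a string, so a run where detect-changes never wrote that output evaluates as empty and keeps the previous behaviour, which is acceptable but worth stating in the same comment.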