Implement GPG signing process and refactor plugin manifest handling

.github/scripts/keys/generate-signing-key.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+set -e
+
+# Generates a GPG Ed25519 signing key for Dispatcharr manifest signing.
+# Outputs:
+#   dispatcharr-plugins.pub  - public key to bundle in the Dispatcharr app
+#   dispatcharr-plugins.key  - private key to set as the GPG_PRIVATE_KEY repo secret
+#   dispatcharr-plugins.pass - passphrase to set as the GPG_PASSPHRASE repo secret
+
+EMAIL="plugins@dispatcharr.tv"
+NAME="Dispatcharr Plugin Repo"
+PASSPHRASE=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 128)
+KEYS_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+# Use an isolated temporary keyring so the user's main keyring is never touched
+GNUPGHOME=$(mktemp -d)
+export GNUPGHOME
+trap 'rm -rf "$GNUPGHOME"' EXIT
+chmod 700 "$GNUPGHOME"
+
+echo "Generating GPG signing key..."
+echo "  Identity : $NAME <$EMAIL>"
+echo "  Algorithm: Ed25519"
+echo "  Passphrase: $PASSPHRASE"
+echo ""
+
+gpg --batch --pinentry-mode loopback --passphrase "$PASSPHRASE" --gen-key <<EOF
+Key-Type: EdDSA
+Key-Curve: ed25519
+Key-Usage: sign
+Name-Real: ${NAME}
+Name-Comment: dispatcharr-autogenerated
+Name-Email: ${EMAIL}
+Expire-Date: 0
+%commit
+EOF
+
+FPR=$(gpg --list-secret-keys --with-colons 2>/dev/null | awk -F: '/^fpr/{print $10}' | head -1)
+
+rm -f "$KEYS_DIR/dispatcharr-plugins.key" "$KEYS_DIR/dispatcharr-plugins.pub" "$KEYS_DIR/dispatcharr-plugins.pass"
+gpg --batch --pinentry-mode loopback --passphrase "$PASSPHRASE" --armor --export-secret-keys "$FPR" > "$KEYS_DIR/dispatcharr-plugins.key"
+gpg --armor --export "$FPR" > "$KEYS_DIR/dispatcharr-plugins.pub"
+echo "$PASSPHRASE" > "$KEYS_DIR/dispatcharr-plugins.pass"
+
+echo ""
+gpg --list-secret-keys --keyid-format LONG
+
+echo ""
+echo "Files written:"
+echo "  dispatcharr-plugins.pub   → bundle into Dispatcharr app (included in this repo)"
+echo "  dispatcharr-plugins.key   → set as GPG_PRIVATE_KEY repo secret (ignored by .gitignore)"
+echo "  dispatcharr-plugins.pass  → set as GPG_PASSPHRASE repo secret (ignored by .gitignore)"
+echo ""

.github/scripts/publish/build-zips.sh

@@ -2,14 +2,18 @@
 set -e
 
 # publish-build-zips.sh
-# Builds versioned ZIPs and per-version metadata files for all plugins.
-# Skips plugins whose current version already has a ZIP + metadata file.
+# Builds versioned ZIPs and per-version metadata for all plugins.
+# Per-version metadata is written to a temporary working directory (BUILD_META_DIR)
+# so generate-manifest.sh can consume it within this CI run without persisting
+# per-version JSON files to the releases branch.
+# Skips plugins whose current version already has a ZIP and an entry in the
+# existing per-plugin manifest.
 # Writes changed_plugins.txt to cwd (one "name@version" per line).
 #
 # Called from the releases branch checkout directory by publish-plugins.sh.
 # Required env: SOURCE_BRANCH, RELEASES_BRANCH, GITHUB_REPOSITORY
 
-: "${SOURCE_BRANCH:?}" "${RELEASES_BRANCH:?}" "${GITHUB_REPOSITORY:?}"
+: "${SOURCE_BRANCH:?}" "${RELEASES_BRANCH:?}" "${GITHUB_REPOSITORY:?}" "${BUILD_META_DIR:?}"
 
 > changed_plugins.txt
 
@@ -18,14 +22,18 @@ for plugin_dir in plugins/*/; do
   plugin_name=$(basename "$plugin_dir")
   version=$(jq -r '.version' "$plugin_dir/plugin.json")
 
-  mkdir -p "releases/$plugin_name" "metadata/$plugin_name"
+  mkdir -p "zips/$plugin_name"
 
-  zip_path="releases/$plugin_name/${plugin_name}-${version}.zip"
-  metadata_path="metadata/$plugin_name/${plugin_name}-${version}.json"
+  zip_path="zips/$plugin_name/${plugin_name}-${version}.zip"
+  existing_manifest="zips/$plugin_name/manifest.json"
 
-  if [[ -f "$zip_path" ]] && [[ -f "$metadata_path" ]]; then
-    echo "  $plugin_name v$version - skipping (already exists)"
-    continue
+  # Skip if ZIP exists and the version is already in the existing manifest
+  if [[ -f "$zip_path" ]]; then
+    if [[ -f "$existing_manifest" ]] && \
+       jq -e --arg v "$version" '.manifest.versions[]? | select(.version == $v)' "$existing_manifest" >/dev/null 2>&1; then
+      echo "  $plugin_name v$version - skipping (already exists)"
+      continue
+    fi
   fi
 
   echo "  $plugin_name v$version - building"
@@ -45,6 +53,7 @@ for plugin_dir in plugins/*/; do
   min_da_version=$(jq -r '.min_dispatcharr_version // ""' "$plugin_dir/plugin.json")
   max_da_version=$(jq -r '.max_dispatcharr_version // ""' "$plugin_dir/plugin.json")
 
+  mkdir -p "$BUILD_META_DIR/$plugin_name"
   jq -n \
     --arg version "$version" \
     --arg commit_sha "$commit_sha" \
@@ -65,9 +74,9 @@ for plugin_dir in plugins/*/; do
       checksum_sha256: $checksum_sha256
     } + (if $min_da_version != "" then {min_dispatcharr_version: $min_da_version} else {} end)
       + (if $max_da_version != "" then {max_dispatcharr_version: $max_da_version} else {} end)' \
-    > "$metadata_path"
+    > "$BUILD_META_DIR/$plugin_name/${plugin_name}-${version}.json"
 
-  cp "$zip_path" "releases/$plugin_name/${plugin_name}-latest.zip"
+  cp "$zip_path" "zips/$plugin_name/${plugin_name}-latest.zip"
 done
 
 changed=$(wc -l < changed_plugins.txt | tr -d ' ')

.github/scripts/publish/cleanup.sh

@@ -3,7 +3,7 @@ set -e
 
 # publish-cleanup.sh
 # Removes release artifacts for plugins that no longer exist in source,
-# prunes versioned ZIPs beyond MAX_VERSIONED_ZIPS, and removes orphaned files.
+# and prunes versioned ZIPs beyond MAX_VERSIONED_ZIPS.
 #
 # Called from the releases branch checkout directory by publish-plugins.sh.
 # Required env: SOURCE_BRANCH
@@ -13,52 +13,28 @@ set -e
 MAX_VERSIONED_ZIPS=${MAX_VERSIONED_ZIPS:-10}
 
 # Remove artifacts for deleted plugins
-if [[ -d releases ]]; then
-  for release_dir in releases/*/; do
+if [[ -d zips ]]; then
+  for release_dir in zips/*/; do
     [[ ! -d "$release_dir" ]] && continue
     plugin_name=$(basename "$release_dir")
     if [[ ! -d "plugins/$plugin_name" ]]; then
       echo "  Removing deleted plugin: $plugin_name"
-      rm -rf "$release_dir" "metadata/$plugin_name"
+      rm -rf "$release_dir"
     fi
   done
 fi
 
-# Prune old versions and orphans per plugin
+# Prune old versions per plugin
 for plugin_dir in plugins/*/; do
   [[ ! -d "$plugin_dir" ]] && continue
   plugin_name=$(basename "$plugin_dir")
-  zip_dir="releases/$plugin_name"
-  metadata_dir="metadata/$plugin_name"
+  zip_dir="zips/$plugin_name"
 
   # Remove oldest ZIPs beyond the limit
   while IFS= read -r old_zip; do
-    version=$(basename "$old_zip" | sed "s/${plugin_name}-\(.*\)\.zip/\1/")
-    rm -f "$old_zip" "$metadata_dir/${plugin_name}-${version}.json"
-    echo "  Removed $plugin_name v$version (over limit)"
+    echo "  Removed $plugin_name $(basename "$old_zip") (over limit)"
+    rm -f "$old_zip"
   done < <(ls -1t "$zip_dir/${plugin_name}-"*.zip 2>/dev/null \
     | grep -v "${plugin_name}-latest.zip" \
     | awk "NR>$MAX_VERSIONED_ZIPS")
-
-  # Remove orphaned ZIPs with no matching metadata
-  for zipfile in "$zip_dir/${plugin_name}-"*.zip; do
-    [[ ! -f "$zipfile" ]] && continue
-    zip_basename=$(basename "$zipfile")
-    [[ "$zip_basename" == "${plugin_name}-latest.zip" ]] && continue
-    version=$(echo "$zip_basename" | sed "s/${plugin_name}-\(.*\)\.zip/\1/")
-    if [[ ! -f "$metadata_dir/${plugin_name}-${version}.json" ]]; then
-      rm -f "$zipfile"
-      echo "  Removed orphaned ZIP: $zip_basename"
-    fi
-  done
-
-  # Remove orphaned metadata with no matching ZIP
-  for metafile in "$metadata_dir/${plugin_name}-"*.json; do
-    [[ ! -f "$metafile" ]] && continue
-    version=$(basename "$metafile" | sed "s/${plugin_name}-\(.*\)\.json/\1/")
-    if [[ ! -f "$zip_dir/${plugin_name}-${version}.zip" ]]; then
-      rm -f "$metafile"
-      echo "  Removed orphaned metadata: $(basename "$metafile")"
-    fi
-  done
 done