Promote: staging -> develop #645
Merged
## What

Implements #634 + its [scope-extension](#634 (comment)): drive the App Store + Play Store **listing** (metadata text, screenshots, icon, featureGraphic) from git via Fastlane `deliver`/`supply`, and make the handbook a **generated downstream export** of that same metadata.

### Store metadata (#634)

- iOS `ios/fastlane/metadata/de-DE/` (10 .txt) + Android `android/fastlane/metadata/android/de-DE/` (title, short/full description, changelog, `video.txt`, `images/icon.png`). German text from Dani; subtitle trimmed to `Sicher. Einfach. Unabhängig.` (28/30).
- `ios/fastlane/Deliverfile` (shared deliver defaults; team IDs stay in `Appfile`).
- `beta` lanes push the listing alongside the binary; new metadata-only `store_metadata` lane per platform (Android hard-pinned to the `internal` track).
- `.github/workflows/store-metadata.yaml`: push-to-`main` + `workflow_dispatch`; `preflight` job runs `scripts/check-store-metadata.sh`. Reuses existing secrets — **no new secrets**.
- `release.yaml` runs the same preflight in a gating `store-metadata-preflight` job before either deploy lane, so a tag can never ship a `FIXME-`/oversize/invalid-URL field to the live consoles.
- README workflow table + release section updated.
- 26 screenshots + featureGraphic delivered (alpha-stripped, dimensions verified); privacy/support URLs resolved to `https://realunit.ch/datenschutz/` + `…/kontakt/`.

### Handbook export (scope-extension)

- `scripts/assemble-handbook-store-listing.py` (stdlib only): copies the PNGs under `/store/…` and renders `scripts/templates/store-listing.html.tmpl` into the `<!-- BEGIN/END:store-listing -->` block of `docs/handbook/de/index.html` in place (idempotent, single-pass substitution).
- New "S App Store / Play Store Listing" handbook section with a TOC entry, CSS, and a **per-element `↗` source link** on every metadata field and every image to its exact file at `…/blob/main/…`.
- `Dockerfile.handbook` `store-listing-builder` stage serves the PNGs + the substituted page.
- `handbook-build-check.yaml` + `handbook-deploy.yaml` triggers extended to the Fastlane metadata/screenshots/generator/template; build-check adds a **sync gate** (re-run generator → fail if the committed handbook is stale).

### Security hardening (review P0)

- The Android long description is rendered **unescaped** in the handbook (Google Play allows an HTML subset). An allowlist sanitizer (`sanitize_play_html`, stdlib `html.parser`) reduces it to the Play-allowed tags, drops everything else, strips attributes except a scheme-validated `href` on `<a>`, and balances the output — so a `</details><script>…` payload can neither break the DOM nor inject script. CI regression test included.

## Local validation

- `ruby -c` (both Fastfiles + Deliverfile), `python3 -m ast` (generator), `bash -n` (checks) all pass; all touched workflows are valid YAML.
- Preflight passes on current metadata; verified it fails on FIXME / oversize / invalid-URL.
- Sanitizer: PoC `</details><script>…<a href="javascript:…">` → neutralized; legitimate `<b>` formatting preserved byte-for-byte (handbook stays in sync).
- `docker build -f Dockerfile.handbook` green; container serves `/store/…` + the rendered section; generator idempotent.

Base branch: `staging` (per CONTRIBUTING.md). DE-only v1 — EN metadata is a follow-up.

Refs #634
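The description above says the long description is rendered unescaped into the handbook and is therefore passed through an allowlist sanitizer built on the stdlib `html.parser`. The block below is an added illustration of that design and is not the PR's own `sanitize_play_html`: the tag allowlist (`b`, `i`, `u`, `br`, `a`), the accepted `href` schemes, and the treatment of unbalanced markup are assumptions chosen for the example. It shows the three properties the PR claims: unknown tags (including stray closing tags such as `</details>`) are dropped, `<script>`/`<style>` bodies are discarded rather than leaked as text, only `http`/`https` links survive on `<a>`, and the output is re-balanced so a payload cannot close the surrounding handbook block.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for the example; the real Play-allowed subset may differ.
ALLOWED_TAGS = {"b", "i", "u", "br", "a"}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https"}
DROP_CONTENT_TAGS = {"script", "style"}  # body of these is discarded, not escaped


def _safe_href(href: str) -> bool:
    """Accept only absolute http(s) URLs; rejects javascript:, data:, and relative links."""
    parts = urlsplit(href.strip())
    return parts.scheme.lower() in SAFE_SCHEMES and bool(parts.netloc)


class _AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_stack: list[str] = []   # currently open allowed tags, for balancing
        self.skip_depth = 0               # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                         # unknown tag: dropped, its text is kept
        if tag in VOID_TAGS:
            self.out.append("<br>")
            return
        attr_str = ""
        if tag == "a":
            href = dict(attrs).get("href")
            if href is not None and _safe_href(href):
                # re-escape so a quote or & inside the URL cannot break the attribute
                attr_str = f' href="{escape(href, quote=True)}"'
        self.out.append(f"<{tag}{attr_str}>")
        self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return                         # e.g. stray </details>: dropped
        if tag in self.open_stack:
            # close everything opened after this tag as well, keeping output balanced
            while self.open_stack:
                top = self.open_stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break
        # a closing tag with no matching open tag is silently dropped

    def handle_data(self, data):
        if self.skip_depth:
            return                         # script/style body never reaches the output
        self.out.append(escape(data, quote=False))

    # comments, doctype declarations and processing instructions fall through to
    # HTMLParser's no-op defaults and are therefore dropped

    def finish(self) -> str:
        while self.open_stack:            # close tags the input left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize_play_html(raw: str) -> str:
    """Reduce a Play long description to the allowlisted tags, balanced and escaped."""
    parser = _AllowlistSanitizer()
    parser.feed(raw)
    parser.close()
    return parser.finish()


if __name__ == "__main__":
    # Constructed inputs: a benign formatted description and a break-out attempt.
    print(sanitize_play_html("<b>Sicher.</b> Einfach. Unabhängig."))
    print(sanitize_play_html('</details><script>alert(1)</script><a href="javascript:alert(1)">x</a>'))
```

The benign `<b>` sample passes through unchanged, which is what the PR's "preserved byte-for-byte" check relies on; note that `convert_charrefs=True` normalises entities in text, so a description that already contains `&amp;` will be re-emitted as `&amp;` but a literal `&` is also escaped on the way out. The balancing step is what makes the `</details>` case safe even when the handbook wraps the description in an element the attacker names.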
Automatic Staging PR
This PR was automatically created after changes were pushed to staging.
Commits: 1 new commit(s)
Checklist