Add Github Action winget-releaser

[jo-chemla]

In relation to #66

This github action requires

• to create a Classic Github Token with public_repo scope is created, following this link
• to add the Token to the repo as a secret named WINGET_ACC_TOKEN.
• See below, that user also will have to fork the winget-pkgs repository.

Needs a classic GitHub token to submit PRs to winget-pkgs. This should be a classic token with the public_repo scope.
Whilst Komac can fully create manifests and commit with a fine-grained token, it fails to create a pull request to winget-pkgs. This may change as fine-grained tokens improve. See russellbanks/Komac#310.

[kleisauke]

I would prefer not to create a personal access token (PAT) for automatically submitting PRs on https://github.com/microsoft/winget-pkgs, as that would make me personally accountable for all automated changes and could introduce security risks. Furthermore, redistributing binaries outside this repository is beyond my scope.

[jo-chemla]

Thanks for getting back so fast. Understood that you do not want to create a PAT.
Note that

• once this token gets created you can only see it once
• and once it gets registered as a secret of the repo, it is not retrievable anymore even by you or other repo managers, and automatically obfuscated from action runs logs. It is only known to github for running the action, and they seem to enforce the rules necessary to avoid these secrets leaking.

Do you think other members of libvips team like john share the same mindset regarding using a PAT? If so, please do not hesitate to close this PR. Letting the community push manually new releases to the winget package repository would still probably end up with libvips winget package being almost up-to-date.

And thanks for all the hard work!

[lovell]

Hi Jo, thanks for the PR, would you be willing and able to become the "official" winget libvips maintainer? If so, perhaps we could do this from a separate repo?

[jo-chemla]

Thanks both for getting back.
To be fair, I've submitted this kind of PR (winget-releaser github actions) to a fair amount of packages I rely on, and this is only the second time the package author do not want to maintain the winget package updates - and I totally understand and respect that decision.

I've tried various ways of automating things on my side (building and publishing the libvips windows builds), but in the end I'd rather have the libvips winget package manifest have an installer url that points to the github release on the official libvips repo rather than my fork for various reasons, trust/security being one of them.

Since it's probably better to not make me one of the repo team member, I finally found an alternative github action workflow, winget-updater which also relies on Komac. I already have a winget-pkgs fork, and added a workflow in it, which will run periodically via cron, and pushes latest libvips github release to winget repo PR if its version is more recent than current winget package version. It's here if you want to have a look.

This means we can close this PR if you want to proceed this way!