twibster · twibster · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,24 @@
+# Dependabot configuration.
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+#
+# Pairs with the SHA-pinned third-party actions in .github/workflows/ — we pin
+# third-party actions to exact commits for supply-chain integrity, and Dependabot
+# surfaces new upstream releases as reviewable PRs so the SHAs stay current
+# without manual re-resolution.
+#
+# Every auto-bump PR carries the `release:skip` label so the auto-release
+# workflow (.github/workflows/auto-release.yml) doesn't attempt to cut a
+# version for a CI-only change. Mirror the same label convention on any
+# future ecosystems added here (e.g. nuget for the .csproj package refs).
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    # Root "/" tells Dependabot to scan .github/workflows/ automatically — it's
+    # the only path convention GitHub Actions supports, so no per-workflow
+    # config is needed.
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "release:skip"
diff --git a/.github/workflows/winget.yml b/.github/workflows/winget.yml
@@ -0,0 +1,80 @@
+name: Publish to Winget
+
+# Submits each new ScreenSound release to the Windows Package Manager
+# Community Repository (microsoft/winget-pkgs) as `twibster.ScreenSound`.
+# Once the first submission is merged upstream by Microsoft's reviewers,
+# users can install with:
+#
+#   winget install twibster.ScreenSound
+#
+# Trigger: `release: released` fires once, when release.yml publishes a
+# non-draft, non-prerelease GitHub Release. softprops/action-gh-release
+# in release.yml sets both flags to false, so every cut release kicks
+# this flow. Workflow_dispatch is additionally provided as an operational
+# retry lane — if the upstream PR needs to be re-opened (e.g. after the
+# PAT rotates or reviewers request changes), a maintainer can rerun
+# against any past tag without re-cutting the release.
+#
+# Required one-time setup (see README of the feat/winget-release PR):
+#   1. Fork microsoft/winget-pkgs to the twibster account.
+#   2. Create a classic PAT with `public_repo` scope.
+#   3. Add the PAT as repo secret `WINGET_TOKEN`.
+#
+# Why a classic PAT instead of GITHUB_TOKEN: GITHUB_TOKEN is scoped to
+# this repo, so it can't push manifest commits to twibster/winget-pkgs
+# (our fork) nor open a PR targeting microsoft/winget-pkgs. The action
+# needs a token tied to a user account with write access to both. A
+# fine-grained PAT works too but requires explicitly granting access to
+# the fork and to contents/pull-requests scopes; classic with public_repo
+# is the documented, low-friction path.
+
+on:
+  release:
+    types: [released]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag to submit (e.g. v2.1.0). Leave blank to submit the latest release.'
+        required: false
+        default: ''
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    name: Submit to winget-pkgs
+    runs-on: ubuntu-latest
+    steps:
+      - name: Submit manifests to winget-pkgs
+        # Pinned to a commit SHA rather than the @v2 major tag for supply-chain
+        # hardening — the upstream v2 tag tracks main and moves on every merge,
+        # so referencing @v2 would silently pull in whatever's latest whenever
+        # this workflow runs. The pinned SHA is v2 as of 2026-04-15 (release
+        # "v2", published 2025-01-27, last moved to this commit 2026-03-15).
+        #
+        # To bump: check https://github.com/vedantmgoyal9/winget-releaser/releases,
+        # review the changelog since this SHA, then run:
+        #   gh api repos/vedantmgoyal9/winget-releaser/git/refs/tags/v2 --jq '.object.sha'
+        # and replace the SHA below. Consider adding .github/dependabot.yml with
+        # the `github-actions` ecosystem so these bumps arrive as PRs instead.
+        uses: vedantmgoyal9/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e
+        with:
+          # PackageIdentifier follows the <Publisher>.<PackageName> convention.
+          # Must match the casing winget expects — it's case-sensitive in the
+          # repo's folder structure (manifests/t/twibster/ScreenSound/…).
+          identifier: twibster.ScreenSound
+
+          # Installer-only filter: our releases include both a setup .exe and
+          # a portable .zip; winget only installs the Inno Setup executable,
+          # and submitting the zip as an installer would fail validation.
+          installers-regex: '^ScreenSound-Setup-.*\.exe$'
+
+          # Empty string = "use the release that triggered this workflow"
+          # (the action's default). On workflow_dispatch runs, the input is
+          # passed through so the maintainer can target any past tag.
+          release-tag: ${{ inputs.tag }}
+
+          # Token must be a PAT with `public_repo` scope (not GITHUB_TOKEN).
+          # See the file header for the why and the one-time setup steps.
+          token: ${{ secrets.WINGET_TOKEN }}