Deploy with GitHub actions

[seanbudd]

Link to issue number:

Part of #17878

Summary of the issue:

As part of migrating to GitHub actions, we need to deploy our signed snapshot/tagged builds to the server.

Description of developer facing changes:

• Releases now trigger a deployment webhook with all the information needed to deploy a release.
  The server can use that webhook to deploy releases.
• The create launcher step now publishes the SHA256 of the launcher. Currently it publishes the checksum of the zip folder, not the exe, and that is available else where in the GitHub UX. This allows people creating the release to know the SHA sum earlier, to be used in the website post.

Description of development approach:

switch to using gh release rather than a custom action for releases

Deploying

1. Create a deploy environment for GitHub actions. This enables deploy protection, and gives us a good endpoint for a GitHub webhook
2. Create a github webhook that fires when a deployment occurs.
3. From our deploy step, trigger a deployment using our deploy environment. Pass in our payload of information.
4. The GitHub webhook should fire off with our payload when the deployment happens.

Testing strategy:

• Tested releases triggered the webhook

  • Actions run: https://github.com/nvaccess/nvda-githubActionsRelease/actions/runs/15623200527
  • Webhook: https://github.com/nvaccess/nvda-githubActionsRelease/settings/hooks/551821542?tab=deliveries
  • Discussion: https://github.com/nvaccess/nvda-githubActionsRelease/discussions/4
  • Release: https://github.com/nvaccess/nvda-githubActionsRelease/releases/tag/release-2029.9.19
  • Used https://webhook.site to receive payloads

• Test a snapshot deployment to the server (locally)

• Test a tagged release deployment to the server (locally)

• Test a try build release deployment to the server (locally)

Known issues with pull request:

• Infrastructure as described in ci/README.md needs to be setup in this repo
• Infrastructure on the NV Access server to deploy from the webhook is still to be released.

Code Review Checklist:

• Documentation:
  • Change log entry
  • User Documentation
  • Developer / Technical Documentation
  • Context sensitive help for GUI changes
• Testing:
  • Unit tests
  • System (end to end) tests
  • Manual testing
• Security precautions taken.

@coderabbitai summary

[AppVeyorBot]

• PASS: Translation comments check.
• PASS: License check.
• PASS: Unit tests.
• FAIL: System tests (tags: installer NVDA). See test results for more information.
• Build (for testing PR): https://ci.appveyor.com/api/buildjobs/o3df9fq09cb55xlf/artifacts/output/nvda_snapshot_pr18244-37090,4d993609.exe
• CI timing (mins):
  INIT 0.0,
  INSTALL_START 2.3,
  INSTALL_END 1.0,
  BUILD_START 0.0,
  BUILD_END 27.2,
  TESTSETUP_START 0.0,
  TESTSETUP_END 0.4,
  TEST_START 0.0,
  TEST_END 21.2,
  FINISH_END 0.1

See test results for failed build of commit 4d993609f1

[seanbudd]

@SaschaCowley - I think this has sufficient testing now, I have tested deployments for try builds. snapshots and releases to a local server. I think we should merge this before merging the server work, to ensure we have real life payloads being sent before receiving them.

[Copilot]

Pull Request Overview

This PR enhances the GitHub Actions pipeline to trigger on release tags, surface build metadata as outputs, compute and expose a launcher SHA256 checksum, and emit deployment webhooks for snapshot and production releases.

• Enabled release-** tag triggers and switched to gh release commands
• Captured version and API metadata as job outputs
• Added steps to compute launcher SHA256 and deploy snapshots/releases via GitHub deployments API

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
ci/scripts/setBuildVersionVars.ps1	Mark tagged builds as releases by setting release=1
ci/README.md	Updated the Deploy section to reflect active steps
.github/workflows/testAndPublish.yml	Enabled release triggers, stored metadata outputs, updated artifact uploads, computed SHA256, and added snapshot/release deployment jobs

Comments suppressed due to low confidence (2)

.github/workflows/testAndPublish.yml:248

• This step needs an explicit id: uploadLauncher so that ${{ steps.uploadLauncher.outputs.artifact-id }} in outputs will resolve correctly.

      uses: actions/upload-artifact@v4

.github/workflows/testAndPublish.yml:431

• [nitpick] You're computing a SHA1 hash here but elsewhere publishing a SHA256. For consistency, either switch to sha256sum or rename this variable to indicate it is SHA1.

        NVDA_HASH=$(sha1sum "$NVDA_EXE_NAME" | cut -d ' ' -f 1)