From 931fd0cabf442759c1bc7065b47cc48e82dd0967 Mon Sep 17 00:00:00 2001
From: Ryan Bas <ryanbas21@gmail.com>
Date: Tue, 12 May 2026 10:42:11 -0600
Subject: [PATCH] fix: replace CWS upload action with direct API calls

The mnao305/chrome-extension-upload action swallows the Chrome Web
Store publish API response body, making it impossible to diagnose why
publish returns 400. Replace with direct curl calls that log both the
upload and publish responses so the actual error reason is visible in
CI logs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/publish-extension.yml | 42 +++++++++++++++++++------
 .github/workflows/release.yml           | 41 ++++++++++++++++++------
 2 files changed, 65 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/publish-extension.yml b/.github/workflows/publish-extension.yml
index 655af03..2311959 100644
--- a/.github/workflows/publish-extension.yml
+++ b/.github/workflows/publish-extension.yml
@@ -28,15 +28,39 @@ jobs:
         working-directory: packages/devtools-extension
         run: cd dist && zip -r ../extension-chrome.zip .
 
-      - name: Upload to Chrome Web Store
-        uses: mnao305/chrome-extension-upload@4008e29e13c144d0f6725462cbd49b7c291b4928 # v5.0.0
-        with:
-          file-path: packages/devtools-extension/extension-chrome.zip
-          extension-id: ${{ secrets.CHROME_EXTENSION_ID }}
-          client-id: ${{ secrets.CHROME_CLIENT_ID }}
-          client-secret: ${{ secrets.CHROME_CLIENT_SECRET }}
-          refresh-token: ${{ secrets.CHROME_REFRESH_TOKEN }}
-          publish: true
+      - name: Upload and publish to Chrome Web Store
+        env:
+          EXTENSION_ID: ${{ secrets.CHROME_EXTENSION_ID }}
+          CLIENT_ID: ${{ secrets.CHROME_CLIENT_ID }}
+          CLIENT_SECRET: ${{ secrets.CHROME_CLIENT_SECRET }}
+          REFRESH_TOKEN: ${{ secrets.CHROME_REFRESH_TOKEN }}
+        run: |
+          # Get access token
+          TOKEN=$(curl -s -X POST https://oauth2.googleapis.com/token \
+            -d "client_id=$CLIENT_ID" \
+            -d "client_secret=$CLIENT_SECRET" \
+            -d "refresh_token=$REFRESH_TOKEN" \
+            -d "grant_type=refresh_token" | jq -r '.access_token')
+
+          # Upload
+          UPLOAD=$(curl -s \
+            -H "Authorization: Bearer $TOKEN" \
+            -H "x-goog-api-version: 2" \
+            -X PUT \
+            -T packages/devtools-extension/extension-chrome.zip \
+            "https://www.googleapis.com/upload/chromewebstore/v1.1/items/$EXTENSION_ID")
+          echo "Upload response: $UPLOAD"
+          echo "$UPLOAD" | jq -e '.uploadState == "SUCCESS"' || exit 1
+
+          # Publish to default (public)
+          PUBLISH=$(curl -s \
+            -H "Authorization: Bearer $TOKEN" \
+            -H "x-goog-api-version: 2" \
+            -H "Content-Length: 0" \
+            -X POST \
+            "https://www.googleapis.com/chromewebstore/v1.1/items/$EXTENSION_ID/publish")
+          echo "Publish response: $PUBLISH"
+          echo "$PUBLISH" | jq -e '.status[0] == "OK"' || { echo "::error::Publish failed — see response above"; exit 1; }
 
   publish-firefox:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4f0f456..ee87fd4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -54,15 +54,38 @@ jobs:
 
       - name: Publish Chrome extension to testers
         if: inputs.extension
-        uses: mnao305/chrome-extension-upload@4008e29e13c144d0f6725462cbd49b7c291b4928 # v5.0.0
-        with:
-          file-path: packages/devtools-extension/extension-chrome.zip
-          extension-id: ${{ secrets.CHROME_EXTENSION_ID }}
-          client-id: ${{ secrets.CHROME_CLIENT_ID }}
-          client-secret: ${{ secrets.CHROME_CLIENT_SECRET }}
-          refresh-token: ${{ secrets.CHROME_REFRESH_TOKEN }}
-          publish: true
-          publish-target: trustedTesters
+        env:
+          EXTENSION_ID: ${{ secrets.CHROME_EXTENSION_ID }}
+          CLIENT_ID: ${{ secrets.CHROME_CLIENT_ID }}
+          CLIENT_SECRET: ${{ secrets.CHROME_CLIENT_SECRET }}
+          REFRESH_TOKEN: ${{ secrets.CHROME_REFRESH_TOKEN }}
+        run: |
+          # Get access token
+          TOKEN=$(curl -s -X POST https://oauth2.googleapis.com/token \
+            -d "client_id=$CLIENT_ID" \
+            -d "client_secret=$CLIENT_SECRET" \
+            -d "refresh_token=$REFRESH_TOKEN" \
+            -d "grant_type=refresh_token" | jq -r '.access_token')
+
+          # Upload
+          UPLOAD=$(curl -s \
+            -H "Authorization: Bearer $TOKEN" \
+            -H "x-goog-api-version: 2" \
+            -X PUT \
+            -T packages/devtools-extension/extension-chrome.zip \
+            "https://www.googleapis.com/upload/chromewebstore/v1.1/items/$EXTENSION_ID")
+          echo "Upload response: $UPLOAD"
+          echo "$UPLOAD" | jq -e '.uploadState == "SUCCESS"' || exit 1
+
+          # Publish to trusted testers
+          PUBLISH=$(curl -s \
+            -H "Authorization: Bearer $TOKEN" \
+            -H "x-goog-api-version: 2" \
+            -H "Content-Length: 0" \
+            -X POST \
+            "https://www.googleapis.com/chromewebstore/v1.1/items/$EXTENSION_ID/publish?publishTarget=trustedTesters")
+          echo "Publish response: $PUBLISH"
+          echo "$PUBLISH" | jq -e '.status[0] == "OK"' || { echo "::error::Publish failed — see response above"; exit 1; }
 
       - name: Build Firefox extension
         if: inputs.extension