package manager GHA init to allow workflow dispatch testing (#6129)

.github/workflows/package-managers.yml

@@ -0,0 +1,197 @@
+name: Update Package Manager Manifests
+
+on:
+  # release:
+  #   types: [released]
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to test (e.g. 2.9.2 — no v prefix)"
+        required: true
+        type: string
+      dry_run:
+        description: "Skip the git push at the end (safe test)"
+        type: boolean
+        default: true
+
+permissions:
+  contents: read
+
+jobs:
+  get-release-info:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.info.outputs.version }}
+      dmg_arm64_sha256: ${{ steps.hashes.outputs.dmg_arm64_sha256 }}
+      dmg_x86_64_sha256: ${{ steps.hashes.outputs.dmg_x86_64_sha256 }}
+      msi_sha256: ${{ steps.hashes.outputs.msi_sha256 }}
+      deb_sha256: ${{ steps.hashes.outputs.deb_sha256 }}
+      jar_sha256: ${{ steps.hashes.outputs.jar_sha256 }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - name: Extract version from tag or manual input
+        id: info
+        env:
+          DISPATCH_VERSION: ${{ inputs.version }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            VERSION="$DISPATCH_VERSION"
+          else
+            VERSION="$RELEASE_TAG"
+          fi
+          VERSION="${VERSION#v}"
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Download release assets and compute SHA256
+        id: hashes
+        env:
+          VERSION: ${{ steps.info.outputs.version }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          BASE="https://github.com/Stirling-Tools/Stirling-PDF/releases/download/v${VERSION}"
+
+          download_sha256() {
+            local url="$1"
+            local file
+            file=$(basename "$url")
+            curl -fsSL --retry 3 -o "$file" "$url"
+            sha256sum "$file" | awk '{print $1}'
+          }
+
+          DMG_ARM64_SHA=$(download_sha256 "${BASE}/Stirling-PDF-macos-aarch64.dmg")
+          DMG_X64_SHA=$(download_sha256 "${BASE}/Stirling-PDF-macos-x86_64.dmg")
+          MSI_SHA=$(download_sha256 "${BASE}/Stirling-PDF-windows-x86_64.msi")
+          DEB_SHA=$(download_sha256 "${BASE}/Stirling-PDF-linux-x86_64.deb")
+          JAR_SHA=$(download_sha256 "${BASE}/Stirling-PDF-with-login.jar")
+
+          echo "dmg_arm64_sha256=$DMG_ARM64_SHA" >> "$GITHUB_OUTPUT"
+          echo "dmg_x86_64_sha256=$DMG_X64_SHA"  >> "$GITHUB_OUTPUT"
+          echo "msi_sha256=$MSI_SHA"              >> "$GITHUB_OUTPUT"
+          echo "deb_sha256=$DEB_SHA"              >> "$GITHUB_OUTPUT"
+          echo "jar_sha256=$JAR_SHA"              >> "$GITHUB_OUTPUT"
+
+  update-homebrew:
+    needs: get-release-info
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - name: Checkout homebrew tap
+        uses: actions/checkout@v4
+        with:
+          repository: Stirling-Tools/homebrew-stirling-pdf
+          token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+          path: homebrew-tap
+
+      - name: Update cask (stirling-pdf.rb)
+        env:
+          VERSION: ${{ needs.get-release-info.outputs.version }}
+          ARM64_SHA: ${{ needs.get-release-info.outputs.dmg_arm64_sha256 }}
+          X64_SHA: ${{ needs.get-release-info.outputs.dmg_x86_64_sha256 }}
+        run: |
+          CASK="homebrew-tap/Casks/stirling-pdf.rb"
+          sed -i "s/version \".*\"/version \"${VERSION}\"/" "$CASK"
+          # Update ARM64 sha256 (line following on_arm block)
+          awk -v arm="$ARM64_SHA" -v x64="$X64_SHA" '
+            /on_arm/     { in_arm=1 }
+            /on_intel/   { in_arm=0; in_intel=1 }
+            /end/        { in_arm=0; in_intel=0 }
+            in_arm  && /sha256/ { sub(/sha256 ".*"/, "sha256 \"" arm "\"") }
+            in_intel && /sha256/ { sub(/sha256 ".*"/, "sha256 \"" x64 "\"") }
+            { print }
+          ' "$CASK" > tmp && mv tmp "$CASK"
+
+      - name: Update formula (stirling-pdf-server.rb)
+        env:
+          VERSION: ${{ needs.get-release-info.outputs.version }}
+          JAR_SHA: ${{ needs.get-release-info.outputs.jar_sha256 }}
+        run: |
+          FORMULA="homebrew-tap/Formula/stirling-pdf-server.rb"
+          sed -i "s/version \".*\"/version \"${VERSION}\"/" "$FORMULA"
+          sed -i "s/sha256 \".*\"/sha256 \"${JAR_SHA}\"/" "$FORMULA"
+
+      - name: Show homebrew tap diff (for dry-run visibility)
+        working-directory: homebrew-tap
+        run: |
+          echo "--- diff --stat ---"
+          git diff --stat
+          echo "--- full diff ---"
+          git diff
+
+      - name: Commit and push homebrew tap updates
+        if: ${{ github.event_name == 'release' || inputs.dry_run == false }}
+        working-directory: homebrew-tap
+        run: |
+          git config user.name  "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add Casks/stirling-pdf.rb Formula/stirling-pdf-server.rb
+          git diff --cached --quiet && echo "No changes" && exit 0
+          git commit -m "chore: bump Stirling-PDF to v${{ needs.get-release-info.outputs.version }}"
+          git push
+
+  update-scoop:
+    needs: get-release-info
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - name: Checkout Scoop bucket (shared with Homebrew tap)
+        uses: actions/checkout@v4
+        with:
+          repository: Stirling-Tools/homebrew-stirling-pdf
+          token: ${{ secrets.SCOOP_BUCKET_TOKEN }}
+          path: scoop-bucket
+
+      - name: Update stirling-pdf.json
+        env:
+          VERSION: ${{ needs.get-release-info.outputs.version }}
+          MSI_SHA: ${{ needs.get-release-info.outputs.msi_sha256 }}
+        run: |
+          MANIFEST="scoop-bucket/scoop/stirling-pdf.json"
+          jq --arg v "$VERSION" --arg h "$MSI_SHA" \
+            '.version = $v | .architecture["64bit"].url = "https://github.com/Stirling-Tools/Stirling-PDF/releases/download/v\($v)/Stirling-PDF-windows-x86_64.msi" | .architecture["64bit"].hash = $h' \
+            "$MANIFEST" > tmp.json && mv tmp.json "$MANIFEST"
+
+      - name: Update stirling-pdf-server.json
+        env:
+          VERSION: ${{ needs.get-release-info.outputs.version }}
+          JAR_SHA: ${{ needs.get-release-info.outputs.jar_sha256 }}
+        run: |
+          MANIFEST="scoop-bucket/scoop/stirling-pdf-server.json"
+          jq --arg v "$VERSION" --arg h "$JAR_SHA" \
+            '.version = $v | .url = "https://github.com/Stirling-Tools/Stirling-PDF/releases/download/v\($v)/Stirling-PDF-with-login.jar" | .hash = $h' \
+            "$MANIFEST" > tmp.json && mv tmp.json "$MANIFEST"
+
+      - name: Show Scoop bucket diff (for dry-run visibility)
+        working-directory: scoop-bucket
+        run: |
+          echo "--- diff --stat ---"
+          git diff --stat
+          echo "--- full diff ---"
+          git diff
+
+      - name: Commit and push Scoop bucket updates
+        if: ${{ github.event_name == 'release' || inputs.dry_run == false }}
+        working-directory: scoop-bucket
+        run: |
+          git config user.name  "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add scoop/stirling-pdf.json scoop/stirling-pdf-server.json
+          git diff --cached --quiet && echo "No changes" && exit 0
+          git commit -m "chore: bump Stirling-PDF to v${{ needs.get-release-info.outputs.version }}"
+          git push