Open RustoMCSpit opened 6 months ago
Agree with this feedback. The manual release was a temporary solution until I fully implemented the automated solution.
My solution is to have GitHub Actions for each plugin framework: https://github.com/studiorack/studiorack-workflows
Which is then run when the plugin builds, see these templates: https://github.com/orgs/studiorack/repositories?q=template
I made all of this progress to get those working, but did not get to applying the templates to each plugin.
This approach does not work if the author does not accept for their pipeline to be changed.
Instead, my next approach would be to use their existing pipelines and releases, and generate the plugin metadata.json on the StudioRack site.
Adding to enhancements.
https://github.com/ImranR98/Obtainium
Inspiration could be taken from the above.
When manually looking at the forked repo of adlplug (https://github.com/studiorack/adlplug), there are no commits related to the build of the project, just a release, so again I don't see a way to verify whether the build is a good one or malicious.
The lack of transparency regarding the origin of the builds/binaries is a big red flag. You are basically incentivizing users to download and run random binaries that they have no way to verify are not malicious.
We need reproducible builds, with publicly visible logs for them.
https://github.com/DISTRHO/Cardinal/issues/653