From 58fa827e3971103c595bb7906a46528a382e767a Mon Sep 17 00:00:00 2001 
From: Lucas Nicodemus Date: Thu, 20 Oct 2022 23:38:26 -0700 Subject: [PATCH] Update i18n workflow files Now, this requires some explanation. Initially, we had the extract workflow, which did work. The problem is that it can't commit to general-devel due to branch protection. If we added a bypass that let it, though, it would enable anyone with write access to this repository to write to general-devel (you could escalate privileges easily). Since we don't want that, this machinery is set up: 1. TShock now triggers a workflow execution on a separate repo, hakusaro/tshock_i18n. 2. On hakusaro/tshock_i18n, a modified extraction script exists. 3. The modified extraction script, targeting tshock, downloads and runs itself. 4. @cardinal-system, a github user I control, creates and signs a commit and pushes it back to tshock, bypassing branch protection (because it is allowed to). Now, nobody except me can modify the code that controls the system that enables @cardinal-system to commit to tshock, preserving that security element. But how is the workflow in hakusaro/tshock_i18n triggered? Through another workflow of course. The issue is that triggering requires using...a PAT. Whose PAT? My PAT. Github just launched fine-grained PATs, so I created a fine-grained PAT scoped to only the hakusaro/tshock_i18n repo, and only workflow dispatches. There are other methods that could be used to technically perform this triggering using a classic PAT, but they require the `repo` scope, which would give anyone with write-access the ability to write to hakusaro/tshock_i18n, which is clearly not desired. I was originally kinda stuck, thinking I'd have to make a fine-grained PAT on @cardinal-system but that isn't supported yet (you can't scope a fine-grained PAT to another user's repo yet -- only all of your repos or the org's repos, not a collaborator's repo). But the new fine-grained PAT system enables creating a PAT that just has a small, isolated set of things tied to one user.
This is the safest option, I think. The only catch is that the trigger PAT will expire on October 20, 2023, so it has to be rotated yearly, like the nuget token (https://github.com/Pryaxis/TShock/issues/2669). Fun stuff.
---
 .github/scripts/check-diff.py | 71 -----------------------------
 .github/scripts/i18n.sh | 61 -------------------------
 .github/workflows/i18n-extract.yml | 23 ----------
 .github/workflows/i18n-trigger.yaml | 1 -
 4 files changed, 156 deletions(-)
 delete mode 100755 .github/scripts/check-diff.py
 delete mode 100755 .github/scripts/i18n.sh
 delete mode 100644 .github/workflows/i18n-extract.yml
diff --git a/.github/scripts/check-diff.py b/.github/scripts/check-diff.py
deleted file mode 100755
index 51296319..00000000
--- a/.github/scripts/check-diff.py
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/usr/bin/env python3
-
-# SPDX-FileCopyrightText: 2019 Corentin Noël
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-# Taken from https://github.com/elementary/actions/blob/master/gettext-template/check-diff.py
-
-import git
-import io
-
-def commit_to_repo(repo):
- print('There are translation changes, committing changes to repository!')
- files = repo.git.diff(None, name_only=True)
- for f in files.split('\n'):
- if f.endswith ('.po') or f.endswith ('.pot'):
- repo.git.add(f)
- repo.git.commit('-m', 'Update translation template')
- infos = repo.remotes.origin.push()
- has_error=False
- error_msg=''
- for info in infos:
- if info.flags & git.remote.PushInfo.ERROR == git.remote.PushInfo.ERROR:
- has_error=True
- error_msg += info.summary
- if has_error:
- raise NameError('Unable to push to repository: ' + error_msg)
-
-print('Checking the repository for new translations...')
-repo = git.Repo('.')
-t = repo.head.commit.tree
-files = repo.git.diff(None, name_only=True)
-needs_commit=False
-
-for f in files.split('\n'):
- if f.endswith ('.pot'):
- raw_diff = repo.git.diff(t, f)
- output = io.StringIO()
- for line in raw_diff.splitlines():
- if line.startswith ('+++'):
- continue
- if line.startswith ('---'):
- continue
- if line.startswith ('diff'):
- continue
- if line.startswith ('index'):
- continue
- if line.startswith ('@@'):
- continue
- if line.startswith (' '):
- continue
- if line.startswith ('+#:'):
- continue
- if line.startswith ('-#:'):
- continue
- if line.startswith ('-"'):
- continue
- if line.startswith ('+"'):
- continue
- if not line.strip():
- continue
- print(line, file=output)
- if output.getvalue().strip():
- print(f + " has changed!")
- needs_commit = True
- output.close()
-
-if needs_commit:
- commit_to_repo(repo)
-else:
- print('The translations are up-to-date!')
diff --git a/.github/scripts/i18n.sh b/.github/scripts/i18n.sh
deleted file mode 100755
index e8670edc..00000000
--- a/.github/scripts/i18n.sh
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/usr/bin/env bash
-
-# SPDX-FileCopyrightText: 2019 Corentin Noël
-# SPDX-FileCopyrightText: 2022 Janet Blackquill
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-# adapted from https://github.com/elementary/actions/blob/master/gettext-template/entrypoint.sh
-
-set -e
-
-export DEBIAN_FRONTEND="noninteractive"
-
-# if a custom token is provided, use it instead of the default github token.
-if [ -n "$GIT_USER_TOKEN" ]; then
- GITHUB_TOKEN="$GIT_USER_TOKEN"
-fi
-
-if [ -z "${GITHUB_TOKEN}" ]; then
- echo "\033[0;31mERROR: The GITHUB_TOKEN environment variable is not defined.\033[0m" && exit 1
-fi
-
-# Git repository is owned by another user, mark it as safe
-git config --global --add safe.directory /github/workspace
-
-# get default branch, see: https://davidwalsh.name/get-default-branch-name
-DEFAULT_BRANCH="$(git remote show origin | grep 'HEAD branch' | cut -d' ' -f5)"
-
-if [ -z "${INPUT_TRANSLATION_BRANCH}" ]; then
- TRANSLATION_BRANCH="${DEFAULT_BRANCH}"
-else
- TRANSLATION_BRANCH="${INPUT_TRANSLATION_BRANCH}"
-fi
-
-# default email and username to github actions user
-if [ -z "$GIT_USER_EMAIL" ]; then
- GIT_USER_EMAIL="action@github.com"
-fi
-if [ -z "$GIT_USER_NAME" ]; then
- GIT_USER_NAME="GitHub Action"
-fi
-
-# make sure branches are up-to-date
-echo "Setting up git credentials..."
-git remote set-url origin https://x-access-token:"$GITHUB_TOKEN"@github.com/"$GITHUB_REPOSITORY".git
-git config --global user.email "$GIT_USER_EMAIL"
-git config --global user.name "$GIT_USER_NAME"
-echo "Git credentials configured."
-
-# get the project's name:
-PROJECT="$(basename "$GITHUB_REPOSITORY")"
-echo "Project: $PROJECT"
-
-sudo apt-get -qq update
-sudo apt-get -qq install python3-git
-
-dotnet tool install --global GetText.NET.Extractor --version 1.6.6
-
-GetText.Extractor --order -s TShock.sln -t i18n/template.pot
-
-python3 .github/scripts/check-diff.py
diff --git a/.github/workflows/i18n-extract.yml b/.github/workflows/i18n-extract.yml
deleted file mode 100644
index 7ed3cdab..00000000
--- a/.github/workflows/i18n-extract.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: i18n extraction
-on:
- push:
- branches: [ general-devel ]
-jobs:
- extract:
- runs-on: ubuntu-latest
- env:
- GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
- steps:
- - uses: actions/checkout@v3
- with:
- submodules: 'recursive'
-
- - uses: actions/setup-dotnet@v3
- with:
- dotnet-version: |
- 3.1.x
- 6.0.100
-
- - name: Run i18n checking/extraction script
- run: ./.github/scripts/i18n.sh
- shell: bash
diff --git a/.github/workflows/i18n-trigger.yaml b/.github/workflows/i18n-trigger.yaml
index 69456f41..c6290961 100644
--- a/.github/workflows/i18n-trigger.yaml
+++ b/.github/workflows/i18n-trigger.yaml
@@ -2,7 +2,6 @@ name: i18n check trigger
 on:
 push:
 branches: [ general-devel ]
- workflow_dispatch:
 jobs:
 extract:
 runs-on: ubuntu-latest