Update i18n workflow files
Now, this requires some explanation. Initially, we had the extract workflow, which did work. The problem is that it can't commit to general-devel due to branch protection. If we added a bypass that let it, though, it would enable anyone with write access to this repository to write to general-devel (you can privilege escalate easily). Since we don't want that, this machine is set up:

1. TShock now triggers a workflow execution on a separate repo, hakusaro/tshock_i18n.
2. On hakusaro/tshock_i18n, a modified extraction script exists.
3. The modified extraction script, targeting tshock, downloads and runs itself.
4. @cardinal-system, a GitHub user I control, creates and signs a commit and pushes it back to tshock, bypassing branch protection (because it is allowed to).

Now, nobody except me can modify the code that controls the system that enables @cardinal-system to commit to tshock, preserving that security element. But how is the workflow in hakusaro/tshock_i18n triggered? Through another workflow, of course. The issue is that triggering requires using...a PAT. Whose PAT? My PAT. GitHub just launched fine-grained PATs, so I created a fine-grained PAT scoped to only the hakusaro/tshock_i18n repo, and only workflow dispatches. There are other methods that could be used to technically perform this triggering using a classic PAT, but they require the `repo` scope, which would give anyone with write access the ability to write to hakusaro/tshock_i18n, which is clearly not desired. I was originally kinda stuck, thinking I'd have to make a fine-grained PAT on @cardinal-system, but that isn't supported yet (you can't scope a fine-grained PAT to another user's repo yet -- only all of your repos or the org's repos, not a collaborator's repo). But the new fine-grained PAT system enables creating a PAT that just has a small, isolated set of things tied to one user. This is the safest option, I think.
The only catch is that the trigger PAT will expire on October 20, 2023, so it has to be rotated yearly, like the nuget token (https://github.com/Pryaxis/TShock/issues/2669). Fun stuff.
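As an added illustration of the design described in the commit message (not the repository's own workflow file), this is the shape of the trigger job: the only credential it holds is a fine-grained PAT stored as a repository secret, and the only thing that token can do is dispatch a workflow on hakusaro/tshock_i18n. The secret name `I18N_DISPATCH_PAT`, the target workflow file name `extract.yml` and the target ref `main` are assumptions, not values from the page.

```yaml
name: i18n check trigger

on:
  push:
    branches: [ general-devel ]
  workflow_dispatch:

# Drop every grant of the default GITHUB_TOKEN: this job never touches the
# TShock repository itself, it only asks the other repository to start a run.
permissions: {}

jobs:
  trigger:
    runs-on: ubuntu-latest
    steps:
      - name: Dispatch extraction workflow in hakusaro/tshock_i18n
        env:
          # Fine-grained PAT (assumed secret name). Repository access is limited
          # to hakusaro/tshock_i18n with the "Actions: write" permission only, so
          # it can start a workflow run there but cannot push code anywhere.
          # A collaborator who can run this job gains nothing beyond that.
          DISPATCH_TOKEN: ${{ secrets.I18N_DISPATCH_PAT }}
        run: |
          set -euo pipefail
          # Assumed workflow file name and ref in the target repository.
          # --fail turns a 401/404 from the API into a failed step, so an
          # expired or mis-scoped token is visible instead of silently doing nothing.
          curl --silent --show-error --fail \
            -X POST \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${DISPATCH_TOKEN}" \
            "https://api.github.com/repos/hakusaro/tshock_i18n/actions/workflows/extract.yml/dispatches" \
            -d '{"ref":"main"}'
```

A 404 from this call usually means the token cannot see the target repository or workflow; a 401 after the October 20, 2023 expiry is the expected sign that the PAT needs rotating.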
This commit is contained in:
parent 8a57190056
commit 58fa827e39
4 changed files with 0 additions and 156 deletions
71 .github/scripts/check-diff.py vendored
@ -1,71 +0,0 @@
#!/usr/bin/env python3

# SPDX-FileCopyrightText: 2019 Corentin Noël <tintou@noel.tf>
#
# SPDX-License-Identifier: GPL-3.0-only

# Taken from https://github.com/elementary/actions/blob/master/gettext-template/check-diff.py

import git
import io

def commit_to_repo(repo):
print('There are translation changes, committing changes to repository!')
files = repo.git.diff(None, name_only=True)
for f in files.split('\n'):
if f.endswith ('.po') or f.endswith ('.pot'):
repo.git.add(f)
repo.git.commit('-m', 'Update translation template')
infos = repo.remotes.origin.push()
has_error=False
error_msg=''
for info in infos:
if info.flags & git.remote.PushInfo.ERROR == git.remote.PushInfo.ERROR:
has_error=True
error_msg += info.summary
if has_error:
raise NameError('Unable to push to repository: ' + error_msg)

print('Checking the repository for new translations...')
repo = git.Repo('.')
t = repo.head.commit.tree
files = repo.git.diff(None, name_only=True)
needs_commit=False

for f in files.split('\n'):
if f.endswith ('.pot'):
raw_diff = repo.git.diff(t, f)
output = io.StringIO()
for line in raw_diff.splitlines():
if line.startswith ('+++'):
continue
if line.startswith ('---'):
continue
if line.startswith ('diff'):
continue
if line.startswith ('index'):
continue
if line.startswith ('@@'):
continue
if line.startswith (' '):
continue
if line.startswith ('+#:'):
continue
if line.startswith ('-#:'):
continue
if line.startswith ('-"'):
continue
if line.startswith ('+"'):
continue
if not line.strip():
continue
print(line, file=output)
if output.getvalue().strip():
print(f + " has changed!")
needs_commit = True
output.close()

if needs_commit:
commit_to_repo(repo)
else:
print('The translations are up-to-date!')
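Review bot: With check-diff.py gone, the noise filter it applied to the template.pot diff (skipping `+#:`/`-#:` source-location comments, `+"`/`-"` continuation strings and the diff header lines before setting `needs_commit`) leaves this repository; the commit message says a modified copy of the extraction script now runs from hakusaro/tshock_i18n, so please confirm that copy keeps the same filter, otherwise every push that only shifts source line numbers will produce an 'Update translation template' commit from @cardinal-system. The deleted file also carries a GPL-3.0-only header from elementary/actions, which the copy in the other repository needs to retain.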
61 .github/scripts/i18n.sh vendored
@ -1,61 +0,0 @@
#!/usr/bin/env bash

# SPDX-FileCopyrightText: 2019 Corentin Noël <tintou@noel.tf>
# SPDX-FileCopyrightText: 2022 Janet Blackquill <uhhadd@gmail.com>
#
# SPDX-License-Identifier: GPL-3.0-only

# adapted from https://github.com/elementary/actions/blob/master/gettext-template/entrypoint.sh

set -e

export DEBIAN_FRONTEND="noninteractive"

# if a custom token is provided, use it instead of the default github token.
if [ -n "$GIT_USER_TOKEN" ]; then
GITHUB_TOKEN="$GIT_USER_TOKEN"
fi

if [ -z "${GITHUB_TOKEN}" ]; then
echo "\033[0;31mERROR: The GITHUB_TOKEN environment variable is not defined.\033[0m" && exit 1
fi

# Git repository is owned by another user, mark it as safe
git config --global --add safe.directory /github/workspace

# get default branch, see: https://davidwalsh.name/get-default-branch-name
DEFAULT_BRANCH="$(git remote show origin | grep 'HEAD branch' | cut -d' ' -f5)"

if [ -z "${INPUT_TRANSLATION_BRANCH}" ]; then
TRANSLATION_BRANCH="${DEFAULT_BRANCH}"
else
TRANSLATION_BRANCH="${INPUT_TRANSLATION_BRANCH}"
fi

# default email and username to github actions user
if [ -z "$GIT_USER_EMAIL" ]; then
GIT_USER_EMAIL="action@github.com"
fi
if [ -z "$GIT_USER_NAME" ]; then
GIT_USER_NAME="GitHub Action"
fi

# make sure branches are up-to-date
echo "Setting up git credentials..."
git remote set-url origin https://x-access-token:"$GITHUB_TOKEN"@github.com/"$GITHUB_REPOSITORY".git
git config --global user.email "$GIT_USER_EMAIL"
git config --global user.name "$GIT_USER_NAME"
echo "Git credentials configured."

# get the project's name:
PROJECT="$(basename "$GITHUB_REPOSITORY")"
echo "Project: $PROJECT"

sudo apt-get -qq update
sudo apt-get -qq install python3-git

dotnet tool install --global GetText.NET.Extractor --version 1.6.6

GetText.Extractor --order -s TShock.sln -t i18n/template.pot

python3 .github/scripts/check-diff.py
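Review bot: The deleted script wrote the token into the remote URL (`git remote set-url origin https://x-access-token:"$GITHUB_TOKEN"@github.com/"$GITHUB_REPOSITORY".git`), which leaves the credential in the workspace's `.git/config` for the rest of the job; if the replacement script in hakusaro/tshock_i18n is adapted from this one, pass @cardinal-system's token through a credential helper or `actions/checkout`'s `token:` input instead so it is not persisted on disk. Two smaller things the copy should not inherit: `echo "\033[0;31m..."` without `-e` prints the escape sequence literally under bash, and `TRANSLATION_BRANCH` is computed but never used.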
23 .github/workflows/i18n-extract.yml vendored
@ -1,23 +0,0 @@
name: i18n extraction
on:
push:
branches: [ general-devel ]
jobs:
extract:
runs-on: ubuntu-latest
env:
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
steps:
- uses: actions/checkout@v3
with:
submodules: 'recursive'

- uses: actions/setup-dotnet@v3
with:
dotnet-version: |
3.1.x
6.0.100

- name: Run i18n checking/extraction script
run: ./.github/scripts/i18n.sh
shell: bash
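Review bot: Removing this workflow together with i18n.sh means the toolchain it pinned (actions/setup-dotnet with 3.1.x and 6.0.100 here, GetText.NET.Extractor 1.6.6 in the script) now has to be pinned in hakusaro/tshock_i18n as well; if the extractor version drifts there, template.pot changes on every run and the cross-repo commit fires each time. Also worth a grep for any remaining reference to `./.github/scripts/i18n.sh`, since the script is deleted in the same commit.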
1 .github/workflows/i18n-trigger.yaml vendored
@ -2,7 +2,6 @@ name: i18n check trigger
on:
push:
branches: [ general-devel ]
workflow_dispatch:
jobs:
extract:
runs-on: ubuntu-latest
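Review bot: `workflow_dispatch:` remains as a trigger, so any collaborator with write access can start this workflow by hand and thereby use the maintainer's fine-grained PAT to dispatch a run on hakusaro/tshock_i18n; that is within the token's stated scope (workflow dispatches on that one repository only), but a comment next to the trigger recording that scope and the October 20, 2023 expiry would help whoever rotates it (cf. the nuget token in issue 2669).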