Update i18n workflow files

Now, this requires some explanation.

Initially, we had the extract workflow, which did work. The problem is
that it can't commit to general-devel due to branch protection. If we
added a bypass that let it, though, it would enable anyone with write
access to this repository to write to general-devel (you can privilege
escalate easily).

Since we don't want that, this machine is set up:

1. TShock now triggers a workflow execution on a separate repo,
   hakusaro/tshock_i18n.
2. On hakusaro/tshock_i18n, a modified extraction script exists.
3. The modified extraction script, targeting tshock, downloads and runs
   itself.
4. @cardinal-system, a GitHub user I control, creates and signs a commit
   and pushes it back to tshock, bypassing branch protection (because it
   is allowed to).

Now, nobody except me can modify the code that controls the system that
enables @cardinal-system to commit to tshock, preserving that security
element.

But how is the workflow in hakusaro/tshock_i18n triggered? Through
another workflow of course.

The issue is that triggering requires using...a PAT. Whose PAT? My PAT.
GitHub just launched fine-grained PATs, so I created a fine-grained PAT
scoped to only the hakusaro/tshock_i18n repo, and only workflow
dispatches.

There are other methods that could be used to technically perform this
triggering using a classic PAT, but they require the `repo` scope, which
would give anyone with write-access the ability to write to
hakusaro/tshock_i18n, which is clearly not desired.

I was originally kinda stuck, thinking I'd have to make a fine-grained
PAT on @cardinal-system but that isn't supported yet (you can't scope a
fine-grained PAT to another user's repo yet -- only all of your repos or
the org's repos, not a collaborator's repo). But the new fine-grained
PAT system enables creating a PAT that just has a small, isolated set of
things tied to one user.

This is the safest option, I think.

The only catch is that the trigger PAT will expire on October 20, 2023,
so it has to be rotated yearly, like the NuGet token
(https://github.com/Pryaxis/TShock/issues/2669).

Fun stuff.
Lucas Nicodemus 2022-10-20 23:38:26 -07:00
parent 8a57190056
commit 58fa827e39
No known key found for this signature in database
4 changed files with 0 additions and 156 deletions


@ -1,23 +0,0 @@
name: i18n extraction
on:
push:
branches: [ general-devel ]
jobs:
extract:
runs-on: ubuntu-latest
env:
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
steps:
- uses: actions/checkout@v3
with:
submodules: 'recursive'
- uses: actions/setup-dotnet@v3
with:
dotnet-version: |
3.1.x
6.0.100
- name: Run i18n checking/extraction script
run: ./.github/scripts/i18n.sh
shell: bash
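Review bot: deleting this file removes the only place in this repository that pinned the extraction's build preconditions (`submodules: 'recursive'`, .NET `3.1.x` and `6.0.100`); since the commit message moves the extraction script to hakusaro/tshock_i18n, confirm the workflow there uses the same checkout and SDK settings, otherwise a differing SDK can change the extracted output with no visible error. Separately, the removed job declared `GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'` at job level, so every step saw the token rather than only the script step that needed it; if the replacement trigger workflow keeps any token in `env`, scope it to the single step that uses it.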


@ -2,7 +2,6 @@ name: i18n check trigger
on:
push:
branches: [ general-devel ]
workflow_dispatch:
jobs:
extract:
runs-on: ubuntu-latest
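Review bot: the hunk header `-2,7 +2,6` says one line is removed from the `on:` block, but the rendering has dropped the `-` marker, so it cannot be read from this page whether `workflow_dispatch:` or the `push:` trigger is the line that goes; the commit message should say which triggers remain. This matters because a surviving `workflow_dispatch:` on this workflow lets any collaborator with write access fire the PAT-backed dispatch the message describes at will, bounded only by that PAT's workflow-dispatch scope on hakusaro/tshock_i18n.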