Update i18n workflow files

Now, this requires some explanation.

Initially, we had the extract workflow, which did work. The problem is
that it can't commit to general-devel due to branch protection. If we
added a bypass that let it, though, it would enable anyone with write
access to this repository to write to general-devel (you can privilege
escalate easily).

Since we don't want that, this machine is set up:

1. TShock now triggers a workflow execution on a separate repo,
   hakusaro/tshock_i18n.
2. On hakusaro/tshock_i18n, a modified extraction script exists.
3. The modified extraction script, targeting tshock, downloads and runs
   itself.
4. @cardinal-system, a github user I control, creates and signs a commit
   and pushes it back to tshock, bypassing branch protection (because it
   is allowed to).

Now, nobody except me can modify the code that controls the system that
enables @cardinal-system to commit to tshock, preserving that security
element.

But how is the workflow in hakusaro/tshock_i18n triggered? Through
another workflow of course.

The issue is that triggering requires using... a PAT. Whose PAT? My PAT.
GitHub just launched fine-grained PATs, so I created a fine-grained PAT
scoped to only the hakusaro/tshock_i18n repo, and only workflow
dispatches.

There are other methods that could be used to technically perform this
triggering using a classic PAT, but they require the `repo` scope, which
would give anyone with write-access the ability to write to
hakusaro/tshock_i18n, which is clearly not desired.

I was originally kinda stuck, thinking I'd have to make a fine-grained
PAT on @cardinal-system but that isn't supported yet (you can't scope a
fine-grained PAT to another user's repo yet -- only all of your repos or
the org's repos, not a collaborator's repo). But the new fine-grained
PAT system enables creating a PAT that just has a small, isolated set of
things tied to one user.

This is the safest option, I think.

The only catch is that the trigger PAT will expire on October 20, 2023,
so it has to be rotated yearly, like the nuget token
(https://github.com/Pryaxis/TShock/issues/2669).

Fun stuff.

This commit is contained in:
Lucas Nicodemus 2022-10-20 23:38:26 -07:00
parent 8a57190056
commit 58fa827e39
No known key found for this signature in database
4 changed files with 0 additions and 156 deletions


@ -2,7 +2,6 @@ name: i18n check trigger
on:
push:
branches: [ general-devel ]
workflow_dispatch:
jobs:
extract:
runs-on: ubuntu-latest
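Review bot: the rendered hunk has lost its `+`/`-` markers, and with a header of `-2,7 +2,6` exactly one of the seven lines shown (`on:` through `runs-on: ubuntu-latest`) was deleted, so a reader cannot tell from this view whether it is the `workflow_dispatch:` trigger or something else that went away; please state in the commit message which trigger was removed from `i18n check trigger`. Since the message says the dispatch now relies on a fine-grained PAT that expires on October 20, 2023 and must be rotated yearly like the nuget token (#2669), the workflow file itself should carry a comment naming the secret and pointing at the rotation issue, otherwise the expiry will only be discovered when the i18n push silently stops.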