Update i18n workflow files

Now, this requires some explanation. Initially, we had the extract workflow, which did work. The problem is that it can't commit to general-devel due to branch protection. If we added a bypass that let it, though, it would enable anyone with write access to this repository to write to general-devel (you can privilege escalate easily). Since we don't want that, this machine is setup: 1. TShock now triggers a workflow execution on a separate repo, hakusaro/tshock_i18n. 2. On hakusaro/tshock_i18n, a modified extraction script exists. 3. The modified extraction script, targeting tshock, downloads and runs itself. 4. @cardinal-system, a github user I control, creates and signs a commit and pushes it back to tshock, bypassing branch protection (because is allowed to). Now, nobody except me can modify the code that controls the system that enables @cardinal-system to commit to tshock, preserving that security element. But how is the workflow in hakusaro/tshock_i18n triggered? Through another workflow of course. The issue is that triggering requires using...a PAT. Who's PAT? My PAT. Github just launched fine-grained PATs, so I created a fine-grained PAT scoped to only the hakusaro/tshock_i18n repo, and only workflow dispatches. There are other methods that could be used to technically perform this triggering using a classic PAT, but they require the `repo` scope, which would give anyone with write-access the ability to write to hakusaro/tshock_i18n, which is clearly not-desired. I was originally kinda stuck, thinking I'd have to make a fine-grained PAT on @cardinal-system but that isn't supported yet (you can't scope a fine-grained PAT to another user's repo yet -- only all of your repos or the org's repos, not a collaborator's repo). But the new fine-grained PAT system enables creating a PAT that just has a small, isolated set of things tied to one user. This is the safest option, I think. The only catch is that the trigger PAT will expire on October 20, 2023, so it has to be rotated yearly, like the nuget token (https://github.com/Pryaxis/TShock/issues/2669). Fun stuff.
2022-10-20 23:38:26 -07:00 · 2022-10-20 23:38:26 -07:00 · 58fa827e39
commit 58fa827e39
parent 8a57190056
4 changed files with 0 additions and 156 deletions
--- a/.github/scripts/check-diff.py
+++ b/.github/scripts/check-diff.py
@ -1,71 +0,0 @@
 #!/usr/bin/env python3
 # SPDX-FileCopyrightText: 2019 Corentin Noël <tintou@noel.tf>
 #
 # SPDX-License-Identifier: GPL-3.0-only
 # Taken from https://github.com/elementary/actions/blob/master/gettext-template/check-diff.py
 import git
 import io
 def commit_to_repo(repo):
    print('There are translation changes, committing changes to repository!')
    files = repo.git.diff(None, name_only=True)
    for f in files.split('\n'):
        if f.endswith ('.po') or f.endswith ('.pot'):
            repo.git.add(f)
    repo.git.commit('-m', 'Update translation template')
    infos = repo.remotes.origin.push()
    has_error=False
    error_msg=''
    for info in infos:
        if info.flags & git.remote.PushInfo.ERROR == git.remote.PushInfo.ERROR:
            has_error=True
            error_msg += info.summary
    if has_error:
        raise NameError('Unable to push to repository: ' + error_msg)
 print('Checking the repository for new translations...')
 repo = git.Repo('.')
 t = repo.head.commit.tree
 files = repo.git.diff(None, name_only=True)
 needs_commit=False
 for f in files.split('\n'):
    if f.endswith ('.pot'):
        raw_diff = repo.git.diff(t, f)
        output = io.StringIO()
        for line in raw_diff.splitlines():
            if line.startswith ('+++'):
                continue
            if line.startswith ('---'):
                continue
            if line.startswith ('diff'):
                continue
            if line.startswith ('index'):
                continue
            if line.startswith ('@@'):
                continue
            if line.startswith (' '):
                continue
            if line.startswith ('+#:'):
                continue
            if line.startswith ('-#:'):
                continue
            if line.startswith ('-"'):
                continue
            if line.startswith ('+"'):
                continue
            if not line.strip():
                continue
            print(line, file=output)
        if output.getvalue().strip():
            print(f + " has changed!")
            needs_commit = True
        output.close()
 if needs_commit:
    commit_to_repo(repo)
 else:
    print('The translations are up-to-date!')
--- a/.github/scripts/i18n.sh
+++ b/.github/scripts/i18n.sh
@ -1,61 +0,0 @@
 #!/usr/bin/env bash
 # SPDX-FileCopyrightText: 2019 Corentin Noël <tintou@noel.tf>
 # SPDX-FileCopyrightText: 2022 Janet Blackquill <uhhadd@gmail.com>
 #
 # SPDX-License-Identifier: GPL-3.0-only
 # adapted from https://github.com/elementary/actions/blob/master/gettext-template/entrypoint.sh
 set -e
 export DEBIAN_FRONTEND="noninteractive"
 # if a custom token is provided, use it instead of the default github token.
 if [ -n "$GIT_USER_TOKEN" ]; then
  GITHUB_TOKEN="$GIT_USER_TOKEN"
 fi
 if [ -z "${GITHUB_TOKEN}" ]; then
  echo "\033[0;31mERROR: The GITHUB_TOKEN environment variable is not defined.\033[0m"  && exit 1
 fi
 # Git repository is owned by another user, mark it as safe
 git config --global --add safe.directory /github/workspace
 # get default branch, see: https://davidwalsh.name/get-default-branch-name
 DEFAULT_BRANCH="$(git remote show origin | grep 'HEAD branch' | cut -d' ' -f5)"
 if [ -z "${INPUT_TRANSLATION_BRANCH}" ]; then
  TRANSLATION_BRANCH="${DEFAULT_BRANCH}"
 else
  TRANSLATION_BRANCH="${INPUT_TRANSLATION_BRANCH}"
 fi
 # default email and username to github actions user
 if [ -z "$GIT_USER_EMAIL" ]; then
  GIT_USER_EMAIL="action@github.com"
 fi
 if [ -z "$GIT_USER_NAME" ]; then
  GIT_USER_NAME="GitHub Action"
 fi
 # make sure branches are up-to-date
 echo "Setting up git credentials..."
 git remote set-url origin https://x-access-token:"$GITHUB_TOKEN"@github.com/"$GITHUB_REPOSITORY".git
 git config --global user.email "$GIT_USER_EMAIL"
 git config --global user.name "$GIT_USER_NAME"
 echo "Git credentials configured."
 # get the project's name:
 PROJECT="$(basename "$GITHUB_REPOSITORY")"
 echo "Project: $PROJECT"
 sudo apt-get -qq update
 sudo apt-get -qq install python3-git
 dotnet tool install --global GetText.NET.Extractor --version 1.6.6
 GetText.Extractor --order -s TShock.sln -t i18n/template.pot
 python3 .github/scripts/check-diff.py
--- a/.github/workflows/i18n-extract.yml
+++ b/.github/workflows/i18n-extract.yml
@ -1,23 +0,0 @@
 name: i18n extraction
 on:
  push:
    branches: [ general-devel ]
 jobs:
  extract:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: 'recursive'
      - uses: actions/setup-dotnet@v3
        with:
          dotnet-version: | 
            3.1.x
            6.0.100
      - name: Run i18n checking/extraction script
        run: ./.github/scripts/i18n.sh
        shell: bash
--- a/.github/workflows/i18n-trigger.yaml
+++ b/.github/workflows/i18n-trigger.yaml
@ -2,7 +2,6 @@ name: i18n check trigger
 on:
  push:
    branches: [ general-devel ]
  workflow_dispatch:
 jobs:
  extract:
    runs-on: ubuntu-latest