Look, let's just be real here: GitHub needs to redo the entire
permission model for GitHub. There is no way to create a secure
combination of the following elements: post comment, edit comment, and
post status check.
If you want to be able to post comments, you have to authorize a token
or app to have full authority to do literally anything that the user can
do on a public repo. Full stop.
If you want to post a status check, you have to give the user write
access to the entire repo, which makes the first issue a problem.
You can't just explicitly make a token that says "only allow this user
to post and edit its own comments" and "allow this user to post status
checks" because write access on the repo implies authority over all
other issues/PRs opened by other people.
Now Cardinal's token is restricted to just status checks, and we're
using a different action.
Thanks a ton for the huge mess Github.
This change uses Cardinal's PAT for GitHub Actions CI. The way this
works is very convoluted, but it makes sense in theory.
1. Cardinal is a member of the Pryaxis org, in a group called "untrusted
robots." She has write access to Pryaxis/TShock, so she can create
status messages. This is because GitHub only allows status messages to
be created if a user has write access.
2. Cardinal has a PAT, and that PAT only has access to creating
repository status messages.
3. Danger requires permission to post comments and update CI status.
4. Cardinal's PAT is only authorized to create repo status messages, and
cannot privilege escalate.
5. GitHub implicitly gives everyone the ability to post comments on
public repositories.
Thus, this really interesting and weird flow should mean that Cardinal
can post comments and update status messages, by having write access but
functionally being unable to use it.
At least, that's the theory.
UsingBiomeTorches: Whether or not the player has the torchgod biometorches ability enabled
HappyFunTorchTime: Whether or not the player has fought the torchgod before (for logic that checks for torchgod spawning)
unlockedBiomeTorches: Whether or not the player has the torchgod biome torches ability unlocked
This fixes a ridiculous typo in GetDataHandlers where we were setting
the UsingBiomeTorches flag based on having unlocked biome torches,
rather than actually being used. Thanks to @Arthri for the tip!
If a player has the tshock.ignore.ssc permission, odds are that they may
want to know that their data isn't being saved or not. This change
allows users to be notified if they have SSC data stored in the DB but
they aren't having it loaded due to the aforementioned permission.
This permission causes great confusion, but we can't really change it
because we would break existing setups. This is an easy change that
gives people a reason why they suddenly "have no items."
This new option can be turned off in the config file for SSC if it's not
desired.
This change also modifies some of the log messages so that it's clear
why the SSC save didn't occur for a given player.
This commit adds Danger via GitHub Actions. Dangerfiles are ruby files
that have a DSL for interacting with GitHub. They can do arbitrary
things. See: https://danger.systems/reference.html
The point of this commit is to automate the process of asking people to
update the changelog. This is a really really annoying thing that we
have to do too often. Editing a pull request will automatically re-run
the check.
Truly trivial commits can be marked as trivial easily by using the
hashtag trivial in the PR body. This is really just useful for actually
trivial things. Most commits actually do need to have associated
changelog entries.
For the purposes of making it easier to understand, the Terraria Server
API is now being called "TShock Scaffold API." This is actually just an
elaborate measure so that TSAPI can be called TSAPI but to alleviate
some confusion.
Reverted default (when no duration is specified) buff duration to 60s, added formula instead of hard coding max duration as per Quake's recommendation, made error message more self-explanatory
