Okay, now we're at problem 74 with github actions. Basically, github
actions doesn't send secrets to forks because duh, that makes sense. So
even if you make a super restricted token you still can't send it to
forks because github still doesn't understand how to make a security
platform when they just copy paste azure pipelines into github and then
say "well looks good to me" and ship fucking arbitrary code execution to
the entire fucking world and then try to retroactively fix all of their
mistakes and fail miserably in the process
Look, let's just be real here: GitHub needs to redo the entire
permission model for GitHub. There is no way to create a secure
combination of the following elements: post comment, edit comment, and
post status check.
If you want to be able to post comments, you have to authorize a token
or app to have full authority to do literally anything that the user can
do on a public repo. Full stop.
If you want to post a status check, you have to give the user write
access to the entire repo, which makes the first issue a problem.
You can't just explicitly make a token that says "only allow this user
to post and edit its own comments" and "allow this user to post status
checks" because write access on the repo implies authority over all
other issues/PRs opened by other people.
Now Cardinal's token is restricted to just status checks, and we're
using a different action.
Thanks a ton for the huge mess Github.
This change uses Cardinal's PAT for GitHub Actions CI. The way this
works is very convoluted, but it makes sense in theory.
1. Cardinal is a member of the Pryaxis org, in a group called "untrusted
robots." She has write access to Pryaxis/TShock, so she can create
status messages. This is because GitHub only allows status messages to
be created if a user has write access.
2. Cardinal has a PAT, and that PAT only has access to creating
repository status messages.
3. Danger requires permission to post comments and update CI status.
4. Cardinal's PAT is only authorized to create repo status messages, and
cannot privilege escalate.
5. GitHub implicitly gives everyone the ability to post comments on
public repositories.
Thus, this really interesting and weird flow should mean that Cardinal
can post comments and update status messages, by having write access but
functionally being unable to use it.
At least, that's the theory.
This commit adds Danger via GitHub Actions. Dangerfiles are ruby files
that have a DSL for interacting with GitHub. They can do arbitrary
things. See: https://danger.systems/reference.html
The point of this commit is to automate the process of asking people to
update the changelog. This is a really really annoying thing that we
have to do too often. Editing a pull request will automatically re-run
the check.
Truly trivial commits can be marked as trivial easily by using the
hashtag trivial in the PR body. This is really just useful for actually
trivial things. Most commits actually do need to have associated
changelog entries.
This changeset fixes several problems with the github actions build. It
removes the dependency on a repo script to install msbuild + VS. It
switches the shell back to cmd.exe, so that the scripts in build.yml
continue to run. It installs nuget via chocolatey, since that's not on
the path by default. Finally, it also uses built in MSBUILD to satisfy
the first statement.
This tests out the github actions system, which is quite weird and undocumented. It says this only works with .NET core by default but also supports "4.5.1" as a version. It also says we aren't in the right github actions beta, so this shouldn't work at all.
Since we don't have any developers with GitHub sponsorships turned on, and we don't currently accept donations, this enables the sponsor button so people can donate money to very poor people.
