Now, this requires some explanation. Initially, we had the extract workflow, which did work. The problem is that it can't commit to general-devel due to branch protection. If we added a bypass that let it, though, it would enable anyone with write access to this repository to write to general-devel (you can privilege escalate easily). Since we don't want that, this machine is set up as follows:

1. TShock now triggers a workflow execution on a separate repo, hakusaro/tshock_i18n.
2. On hakusaro/tshock_i18n, a modified extraction script exists.
3. The modified extraction script, targeting tshock, downloads and runs itself.
4. @cardinal-system, a GitHub user I control, creates and signs a commit and pushes it back to tshock, bypassing branch protection (because it is allowed to).

Now, nobody except me can modify the code that controls the system that enables @cardinal-system to commit to tshock, preserving that security element. But how is the workflow in hakusaro/tshock_i18n triggered? Through another workflow, of course. The issue is that triggering requires using... a PAT. Whose PAT? My PAT. GitHub just launched fine-grained PATs, so I created a fine-grained PAT scoped to only the hakusaro/tshock_i18n repo, and only workflow dispatches. There are other methods that could be used to technically perform this triggering using a classic PAT, but they require the `repo` scope, which would give anyone with write access the ability to write to hakusaro/tshock_i18n, which is clearly not desired. I was originally kinda stuck, thinking I'd have to make a fine-grained PAT on @cardinal-system, but that isn't supported yet (you can't scope a fine-grained PAT to another user's repo yet -- only all of your repos or the org's repos, not a collaborator's repo). But the new fine-grained PAT system enables creating a PAT that just has a small, isolated set of things tied to one user. This is the safest option, I think.
The only catch is that the trigger PAT will expire on October 20, 2023, so it has to be rotated yearly, like the nuget token (https://github.com/Pryaxis/TShock/issues/2669). Fun stuff.
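The dispatch call the trigger workflow makes, written out as a stand-alone script so the least-privilege decision above is enforced in code rather than by convention. This is an added example, not code from this PR or from TShock: it builds the same REST request that `github.rest.actions.createWorkflowDispatch` issues (POST to `/repos/{owner}/{repo}/actions/workflows/{workflow_id}/dispatches`), refuses to run with anything other than a fine-grained PAT (recognised by the `github_pat_` prefix; classic PATs start with `ghp_`), and reports how many days remain before the PAT expiry date given above. The owner, repo, workflow file and ref are the ones in the workflow file; the environment variable name `ACTIONS_REMOTE_TRIGGER_PAT` mirrors the secret name used there and is an assumption for the script.

```python
import json
import os
import sys
import urllib.request
from datetime import date

# Target of the dispatch, as configured in the trigger workflow in this PR.
TARGET_OWNER = "hakusaro"
TARGET_REPO = "tshock_i18n"
TARGET_WORKFLOW = "i18n-extract.yml"
TARGET_REF = "main"

# Expiry of the trigger PAT as stated in the PR description.
TRIGGER_PAT_EXPIRY = date(2023, 10, 20)


def token_kind(token: str) -> str:
    """Classify a GitHub token by its well-known prefix.

    Fine-grained PATs start with 'github_pat_', classic PATs with 'ghp_',
    and the Actions-provided GITHUB_TOKEN with 'ghs_'.
    """
    if token.startswith("github_pat_"):
        return "fine-grained"
    if token.startswith("ghp_"):
        return "classic"
    if token.startswith("ghs_"):
        return "actions"
    return "unknown"


def build_dispatch_request(token: str,
                           owner: str = TARGET_OWNER,
                           repo: str = TARGET_REPO,
                           workflow_id: str = TARGET_WORKFLOW,
                           ref: str = TARGET_REF):
    """Return (url, headers, body) for the workflow_dispatch REST call.

    A classic PAT would need the `repo` scope, which grants far more than
    'dispatch one workflow in one repo', so only a fine-grained PAT
    (repository permission: Actions, read and write) is accepted.
    """
    kind = token_kind(token)
    if kind != "fine-grained":
        raise ValueError(
            f"refusing to dispatch with a {kind} token; use a fine-grained PAT "
            f"scoped to {owner}/{repo} with Actions write permission only")
    url = (f"https://api.github.com/repos/{owner}/{repo}"
           f"/actions/workflows/{workflow_id}/dispatches")
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    }
    body = json.dumps({"ref": ref}).encode()
    return url, headers, body


def days_until_rotation(today_iso: str, expiry: date = TRIGGER_PAT_EXPIRY) -> int:
    """Days left before the trigger PAT must be rotated (negative once expired)."""
    return (expiry - date.fromisoformat(today_iso)).days


def dispatch(token: str) -> int:
    """Send the dispatch; GitHub answers 204 No Content on success."""
    url, headers, body = build_dispatch_request(token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Assumed environment variable, named after the workflow's secret.
    pat = os.environ.get("ACTIONS_REMOTE_TRIGGER_PAT")
    if not pat:
        sys.exit("ACTIONS_REMOTE_TRIGGER_PAT is not set")
    remaining = days_until_rotation(date.today().isoformat())
    print(f"trigger PAT expires in {remaining} days")
    print(f"dispatch status: {dispatch(pat)}")
```

The prefix check is a guard against the wrong kind of credential being pasted into the secret, not a substitute for checking the token's actual permissions: a fine-grained PAT can still be over-scoped, so the repository and permission set chosen when the token is created are what bound the blast radius.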
18 lines
482 B
YAML
```yaml
name: i18n check trigger

on:
  push:
    branches: [ general-devel ]

jobs:
  extract:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v6
        with:
          github-token: ${{ secrets.ACTIONS_REMOTE_TRIGGER_PAT }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: 'hakusaro',
              repo: 'tshock_i18n',
              workflow_id: 'i18n-extract.yml',
              ref: 'main'
            })
```