Merge branch 'master' into dependabot/github_actions/cardinalby/schema-validator-action-3.0.0

10 files changed, 161 insertions, 33 deletions

diff --git a/.github/workflows/auto-approve-run.yml b/.github/workflows/auto-approve-run.yml
new file mode 100644
index 00000000..7ea82489
--- /dev/null
+++ b/.github/workflows/auto-approve-run.yml
@@ -0,0 +1,30 @@
+name: Auto-Approve Safe PRs (workflow-run)
+on:
+  workflow_run:
+    workflows: [Auto-Approve Safe PRs]
+    types:
+      - completed
+permissions: {}
+jobs:
+  auto-approve-run:
+    runs-on: ubuntu-latest
+    environment: themoeway-bot
+    permissions:
+      pull-requests: write
+    if: github.actor == 'djahandarie'
+    steps:
+      - name: Download workflow artifact
+        uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0
+        with:
+            github_token: ${{ secrets.GITHUB_TOKEN }}
+            workflow: auto-approve.yml
+            run_id: ${{ github.event.workflow_run.id }}
+      - name: Read the pr_num file
+        id: pr_num_reader
+        uses: juliangruber/read-file-action@02bbba9876a8f870efd4ad64e3b9088d3fb94d4b # v1.1.6
+        with:
+            path: ./pr_num/pr_num.txt
+      - uses: hmarr/auto-approve-action@44888193675f29a83e04faf4002fa8c0b537b1e4 # v3.2.1
+        with:
+          pull-request-number: ${{ steps.pr_num_reader.outputs.content }}
+          github-token: ${{ secrets.THEMOEWAY_BOT_PAT }}
diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
new file mode 100644
index 00000000..7e67a92b
--- /dev/null
+++ b/.github/workflows/auto-approve.yml
@@ -0,0 +1,17 @@
+name: Auto-Approve Safe PRs
+on: pull_request
+permissions: {}
+jobs:
+  auto-approve:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Save the PR number in an artifact
+        shell: bash
+        env:
+          PR_NUM: ${{ github.event.number }}
+        run: echo $PR_NUM > pr_num.txt
+      - name: Upload the PR number
+        uses: actions/upload-artifact@v3
+        with:
+          name: pr_num
+          path: ./pr_num.txt
\ No newline at end of file
diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml
index bb2028c6..45043e79 100644
--- a/.github/workflows/broken-links.yml
+++ b/.github/workflows/broken-links.yml
@@ -16,7 +16,7 @@ jobs:
   link-checker:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: lycheeverse/lychee-action@ec3ed119d4f44ad2673a7232460dc7dff59d2421
         with:
           fail: true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index aee22e44..18189b6d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,7 +11,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup node
         uses: actions/setup-node@v3
@@ -41,17 +41,12 @@ jobs:
         env:
           CI: true
 
-      - name: Manifest
-        run: npm run test-manifest
-        env:
-          CI: true
+      - name: Build
+        run: npm run build
 
       - name: Validate manifest.json of the extension
         uses: cardinalby/schema-validator-action@8407573c2627c5159428cf9fa3770d13b2360a27 # v3
         with:
           file: ext/manifest.json
           schema: "https://json.schemastore.org/chrome-manifest.json"
-          mode: lax
-
-      - name: Build
-        run: npm run test-build
+          mode: lax
\ No newline at end of file
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..bac2d4b8
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,82 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '31 13 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners
+    # Consider using larger runners for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+
+    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    # - run: |
+    #     echo "Run, Build Application using script"
+    #     ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/create-prerelease-on-tag.yml b/.github/workflows/create-prerelease-on-tag.yml
index 06cb8c7e..0061ed2a 100644
--- a/.github/workflows/create-prerelease-on-tag.yml
+++ b/.github/workflows/create-prerelease-on-tag.yml
@@ -13,7 +13,7 @@ jobs:
       actions: write
       contents: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup node
         uses: actions/setup-node@v3
@@ -21,7 +21,7 @@ jobs:
           node-version-file: ".node-version"
 
       - name: Lint
-        run: npm run-script build
+        run: npm run-script build -- --all --yomitan-version ${{ github.ref_name }}
         shell: bash
 
       - name: Release
diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml
index 9397e4fa..8d4adca8 100644
--- a/.github/workflows/playwright.yml
+++ b/.github/workflows/playwright.yml
@@ -13,14 +13,14 @@ jobs:
       - name: Remove all fonts
         run: rm -rf /usr/share/fonts
 
-      - uses: actions/checkout@v3
-      
+      - uses: actions/checkout@v4
+
       - name: Install CJK fonts
         uses: awalsh128/cache-apt-pkgs-action@1850ee53f6e706525805321a3f2f863dcf73c962 # v1.3.0
         with:
           packages: fonts-ipafont-mincho
           execute_install_scripts: true
-        
+
       - uses: actions/setup-node@v3
         with:
           cache: "npm"
@@ -29,6 +29,9 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Build
+        run: npm run build
+
       - name: Cache playwright browsers
         id: cache-playwright
         uses: actions/cache@v3
@@ -39,17 +42,17 @@ jobs:
 
       - if: ${{ steps.cache-playwright.outputs.cache-hit != 'true' }}
         name: Install Playwright Browsers
-        run: npx playwright install --with-deps chromium
-        
+        run: npx playwright install chromium
+
       - name: Grab latest dictionaries from dictionaries branch
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: themoeway/yomitan # so that this works on forks
           ref: dictionaries
           path: dictionaries
 
       - name: Grab latest screenshots from master branch
-        uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # pin@v2
+        uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # pin@v2
         continue-on-error: true
         id: master-screenshots
         with:
diff --git a/.github/workflows/playwright_comment.yml b/.github/workflows/playwright_comment.yml
index d5a6727b..60b3c693 100644
--- a/.github/workflows/playwright_comment.yml
+++ b/.github/workflows/playwright_comment.yml
@@ -16,7 +16,7 @@ jobs:
       github.event.workflow_run.conclusion == 'success'
     steps:
       - name: Grab playwright-output from PR run
-        uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # pin@v2
+        uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # pin@v2
         continue-on-error: true
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -24,7 +24,7 @@ jobs:
           name: playwright-output
 
       - name: Grab master-screenshots-outcome from PR run
-        uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # pin@v2
+        uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # pin@v2
         continue-on-error: true
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish-firefox-development.yml b/.github/workflows/publish-firefox-development.yml
index 6a4e6ce8..f704e365 100644
--- a/.github/workflows/publish-firefox-development.yml
+++ b/.github/workflows/publish-firefox-development.yml
@@ -49,19 +49,19 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ inputs.upload_url }}
-          asset_path: yomitan-firefox.xpi
-          asset_name: yomitan-firefox.xpi
+          asset_path: yomitan-firefox-dev.xpi
+          asset_name: yomitan-firefox-dev.xpi
           asset_content_type: application/x-xpinstall
 
-      # update update.json so that all people who have the dev version installed get the new update
+      # update updates.json so that all people who have the dev version installed get the new update
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: metadata
 
-      - name: Recreate update.json
+      - name: Recreate updates.json
         run: |
-          cat > update.json << EOF
+          cat > updates.json << EOF
           {
               "addons": {
                   "{2d13e145-294e-4ead-9bce-b4644b203a00}": {
@@ -83,6 +83,6 @@ jobs:
           git commit -a -m "${{ github.event.release.name }} - ${{ github.event.release.html_url }}"
 
       - name: Push changes
-        uses: ad-m/github-push-action@0fafdd62b84042d49ec0cb92d9cac7f7ce4ec79e # pin@master
+        uses: ad-m/github-push-action@29f05e01bb17e6f28228b47437e03a7b69e1f9ef # pin@master
         with:
           branch: metadata
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index ac07d2d7..4db56a60 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -16,6 +16,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecard analysis
+    environment: scorecard
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload the results to code-scanning dashboard.
@@ -28,12 +29,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -41,7 +42,7 @@ jobs:
           # - you want to enable the Branch-Protection check on a *public* repository, or
           # - you are installing Scorecard on a *private* repository
           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
 
           # Public repositories:
           #   - Publish results to OpenSSF REST API for easy access by consumers
@@ -55,7 +56,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@v3
         with:
           name: SARIF file
           path: results.sarif
@@ -63,6 +64,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@04df1262e6247151b5ac09cd2c303ac36ad3f62b # v2.2.9
+        uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
         with:
           sarif_file: results.sarif