Diffstat (limited to '.github/workflows')
-rw-r--r-- | .github/workflows/broken-links.yml | 23 | ||||
-rw-r--r-- | .github/workflows/ci.yml | 77 | ||||
-rw-r--r-- | .github/workflows/create-prerelease-on-tag.yml | 46 | ||||
-rw-r--r-- | .github/workflows/delay.yml | 44 | ||||
-rw-r--r-- | .github/workflows/playwright.yml | 109 | ||||
-rw-r--r-- | .github/workflows/publish-chrome-development.yml | 97 | ||||
-rw-r--r-- | .github/workflows/publish-chrome.yml | 99 | ||||
-rw-r--r-- | .github/workflows/publish-firefox-development.yml | 84 | ||||
-rw-r--r-- | .github/workflows/publish-firefox.yml | 32 | ||||
-rw-r--r-- | .github/workflows/scorecard.yml | 68 | ||||
-rw-r--r-- | .github/workflows/touch-google-refresh-token.yml | 16 |
11 files changed, 665 insertions, 30 deletions
diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml new file mode 100644 index 00000000..3d318005 --- /dev/null +++ b/.github/workflows/broken-links.yml @@ -0,0 +1,23 @@ +name: Broken Link Checker + +permissions: + contents: read + +# runs on prs containing markdown or html changes, as well as every monday at 9 am +on: + pull_request: + paths: + - "**.md" + - "**.html" + schedule: + - cron: "0 9 * * 1" + +jobs: + link-checker: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: lycheeverse/lychee-action@9ace499fe66cee282a29eaa628fdac2c72fa087f + with: + fail: true + jobSummary: false diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c1c491f4..c62c9893 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,8 @@ name: CI +permissions: + contents: read + on: [push, pull_request] jobs: 
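Review bot: In the new link-checker job, `actions/checkout@v3` is referenced by a mutable tag while the adjacent `lycheeverse/lychee-action` step is pinned to a full commit SHA, so the two steps in the same job carry different supply-chain guarantees. The same tag pinning of `actions/checkout@v3` and `actions/setup-node@v3` appears in ci.yml, create-prerelease-on-tag.yml, playwright.yml and publish-firefox-development.yml, whereas scorecard.yml pins checkout to a SHA. The lychee pin also lacks the `# pin@vX` version comment the other workflows attach to their SHA pins, which makes it hard to see which release the SHA corresponds to. Consider `uses: actions/checkout@<commit-sha> # pin@v3` and `uses: lycheeverse/lychee-action@9ace499fe66cee282a29eaa628fdac2c72fa087f # pin@<release>` with the release filled in from the action's tag list.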
@@ -7,33 +10,47 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Setup node - uses: actions/setup-node@v1 - with: - node-version: '16.x' - - name: Install dependencies - run: npm ci - - name: Lint - run: npm run test-lint - env: - CI: true - - name: Lint CSS - run: npm run test-lint-css - env: - CI: true - - name: Lint HTML - run: npm run test-lint-html - env: - CI: true - - name: Tests - run: npm run test-code - env: - CI: true - - name: Manifest - run: npm run test-manifest - env: - CI: true - - name: Build - run: npm run test-build + - name: Checkout + uses: actions/checkout@v3 + + - name: Setup node + uses: actions/setup-node@v3 + with: + node-version-file: ".node-version" + + - name: Install dependencies + run: npm ci + + - name: Lint + run: npm run test-lint + env: + CI: true + + - name: Lint CSS + run: npm run test-lint-css + env: + CI: true + + - name: Lint HTML + run: npm run test-lint-html + env: + CI: true + + - name: Tests + run: npm run test-code + env: + CI: true + + - name: Manifest + run: npm run test-manifest + env: + CI: true + + - name: Validate manifest.json of the extension + uses: cardinalby/schema-validator-action@c2da05377e89dd0c9b7be9420da0b3534b1efcce # pin@v1 + with: + file: ext/manifest.json + schema: "https://json.schemastore.org/chrome-manifest.json" + + - name: Build + run: npm run test-build diff --git a/.github/workflows/create-prerelease-on-tag.yml b/.github/workflows/create-prerelease-on-tag.yml new file mode 100644 index 00000000..3d749c58 --- /dev/null +++ b/.github/workflows/create-prerelease-on-tag.yml 
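Review bot: The new `Validate manifest.json of the extension` step fetches its schema from `https://json.schemastore.org/chrome-manifest.json` at run time, so the result of this CI job depends on an unpinned remote resource that can change or go unavailable independently of the repository. Vendoring a copy of the schema under a project-chosen path and pointing `schema:` at it would make the check reproducible; if the live schema is preferred on purpose, a comment such as `# schema fetched live from schemastore; an upstream change can alter this check's result` records the trade-off. Within the same job the checkout and setup-node steps are tag-pinned (`@v3`) while schema-validator is SHA-pinned, so the pinning style is mixed; the job's `name:` line sits above this hunk.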
@@ -0,0 +1,46 @@ +name: Create prerelease on tag +on: + push: + tags: + - "*.*.*.*" + workflow_dispatch: +permissions: + contents: read +jobs: + build-release-publish: + runs-on: ubuntu-latest + permissions: + actions: write + contents: write + steps: + - uses: actions/checkout@v3 + + - name: Setup node + uses: actions/setup-node@v3 + with: + node-version-file: ".node-version" + + - name: Lint + run: npm run-script build + shell: bash + + - name: Release + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # pin@v0.1.15 + with: + generate_release_notes: true + prerelease: true + files: builds/* + + - name: Dispatch publish-chrome-development + uses: aurelien-baudet/workflow-dispatch@93e95b157d791ae7f42aef8f8a0d3d723eba1c31 # pin@v2 + with: + workflow: publish-chrome-development + token: ${{ secrets.GITHUB_TOKEN }} + wait-for-completion: false + + - name: Dispatch publish-firefox-development + uses: aurelien-baudet/workflow-dispatch@93e95b157d791ae7f42aef8f8a0d3d723eba1c31 # pin@v2 + with: + workflow: publish-firefox-development + token: ${{ secrets.GITHUB_TOKEN }} + wait-for-completion: false diff --git a/.github/workflows/delay.yml b/.github/workflows/delay.yml new file mode 100644 index 00000000..11d29bd9 --- /dev/null +++ b/.github/workflows/delay.yml 
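Review bot: The step labelled `- name: Lint` in build-release-publish runs `npm run-script build`, so the name misdescribes the command and will mislead anyone reading a run log; `- name: Build` matches what it does. Unlike ci.yml, this job has no `npm ci` step before the build, so unless the build script needs no installed dependencies it runs against an empty `node_modules` — worth confirming. The workflow also fires on `workflow_dispatch`, where the selected ref may be a branch rather than a `*.*.*.*` tag; whether `softprops/action-gh-release` then fails or creates a prerelease for a non-tag ref depends on the action, so gating the Release step with `if: startsWith(github.ref, 'refs/tags/')` would make the intent explicit.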
@@ -0,0 +1,44 @@ +# This workflow is used to delay the execution of workflows that need to use an environment. +# The delay occurs thanks to the usage of the 12hoursDelay environment. +# +# It is used to delay the execution of the publish-chrome(-development) workflow to avoid the +# Google Web Store rejecting the upload of a new version because it is still in review. +# +# The reason we can't directly do a workflow-dispatch is because the 12hoursDelay +# environment does not include our secrets, so instead we chain two workflow-dispatch calls. + +name: delay +on: + workflow_dispatch: + inputs: + workflow: + description: "Workflow name" + required: true + attemptNumber: + description: "Attempt number" + required: false + default: "1" + maxAttempts: + description: "Max attempts" + required: false + default: "10" +permissions: {} +jobs: + delay: + runs-on: ubuntu-latest + environment: 12hoursDelay + permissions: + actions: write + steps: + - name: Start the next attempt + uses: aurelien-baudet/workflow-dispatch@93e95b157d791ae7f42aef8f8a0d3d723eba1c31 # pin@v2 + with: + workflow: ${{ github.event.inputs.workflow }} + token: ${{ secrets.GITHUB_TOKEN }} + wait-for-completion: false + inputs: | + { + "attemptNumber": "${{ github.event.inputs.attemptNumber }}", + "maxAttempts": "${{ github.event.inputs.maxAttempts }}", + "environment": "${{ github.event.inputs.environment }}" + } diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml new file mode 100644 index 00000000..5ee786ef --- /dev/null +++ b/.github/workflows/playwright.yml 
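Review bot: The dispatched `inputs` JSON in the `Start the next attempt` step passes `"environment": "${{ github.event.inputs.environment }}"`, but `environment` is not declared under `workflow_dispatch.inputs` of this workflow, so the expression always expands to an empty string. The target workflows in this commit (publish-chrome-development and publish-chrome) declare only `attemptNumber` and `maxAttempts`, and the workflow_dispatch API may reject a payload carrying an input the target does not declare, so this key looks like it should simply be removed. If it is meant to be forwarded, declare it here (`environment:` / `description: "Environment"` / `required: false`) and on the receiving side as well.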
@@ -0,0 +1,109 @@ +name: Playwright Tests +on: + push: + branches: [master] + pull_request: +permissions: + contents: read +jobs: + playwright: + timeout-minutes: 60 + runs-on: ubuntu-latest + permissions: + pull-requests: write + contents: write + steps: + - uses: actions/checkout@v3 + + - uses: actions/setup-node@v3 + with: + cache: "npm" + node-version-file: ".node-version" + + - name: Install dependencies + run: npm ci + + - name: Cache playwright browsers + id: cache-playwright + uses: actions/cache@v3 + with: + path: | + ~/.cache/ms-playwright + key: cache-playwright-${{ hashFiles('package-lock.json') }} # playwright version is included in package-lock, so this serves as a reasonable cache key + + - if: ${{ steps.cache-playwright.outputs.cache-hit != 'true' }} + name: Install Playwright Browsers + run: npx playwright install --with-deps chromium + + - name: Grab latest dictionaries from dictionaries branch + uses: actions/checkout@v3 + with: + ref: dictionaries + path: dictionaries + + - name: Grab latest screenshots from master branch + uses: dawidd6/action-download-artifact@5e780fc7bbd0cac69fc73271ed86edf5dcb72d67 # pin@v2 + continue-on-error: true + id: download-screenshots + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + name: playwright-screenshots + branch: master + workflow: playwright.yml + workflow_conclusion: success + path: test/playwright/__screenshots__/ + + - name: "[PR] Generate new screenshots & compare against master" + id: playwright + run: | + EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) + echo "PLAYWRIGHT_OUTPUT<<$EOF" >> $GITHUB_OUTPUT + npx playwright test 2>&1 | tee $GITHUB_OUTPUT || true + echo "$EOF" >> $GITHUB_OUTPUT + echo "NUM_FAILED=$(grep -c 'Screenshot comparison failed' $GITHUB_OUTPUT)" >> $GITHUB_OUTPUT + continue-on-error: true + if: github.event_name == 'pull_request' && steps.download-screenshots.outcome != 'failure' + + - name: "[Push] Generate new authoritative screenshots for master" + id: 
playwright-master + run: npx playwright test -u + if: github.event_name == 'push' + + - uses: actions/upload-artifact@v3 + with: + name: playwright-screenshots + path: test/playwright/__screenshots__/ + + - uses: actions/upload-artifact@v3 + with: + name: playwright-report + path: playwright-report/ + + - name: "[Couldn't download screenshots] Comment results on PR" + uses: mshick/add-pr-comment@a65df5f64fc741e91c59b8359a4bc56e57aaf5b1 # pin@v2 + if: github.event_name == 'pull_request' && steps.download-screenshots.outcome == 'failure' + with: + message: | + :heavy_exclamation_mark: Could not fetch screenshots from master branch, so had nothing to make a visual comparison against; please check the "download-screenshots" step in the workflow run and rerun it before merging. + + - name: "[Success] Comment results on PR" + uses: mshick/add-pr-comment@a65df5f64fc741e91c59b8359a4bc56e57aaf5b1 # pin@v2 + if: github.event_name == 'pull_request' && steps.download-screenshots.outcome != 'failure' && steps.playwright.outputs.NUM_FAILED == 0 + with: + message: | + :heavy_check_mark: No visual differences introduced by this PR. + [View Playwright Report](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}#artifacts) (note: open the "playwright-report" artifact) + + - name: "[Failure] Comment results on PR" + uses: mshick/add-pr-comment@a65df5f64fc741e91c59b8359a4bc56e57aaf5b1 # pin@v2 + if: github.event_name == 'pull_request' && steps.download-screenshots.outcome != 'failure' && steps.playwright.outputs.NUM_FAILED != 0 + with: + message: | + :warning: {{ steps.playwright.outputs.NUM_FAILED }} visual differences introduced by this PR; please validate if they are desirable. 
+ <details> + <summary>Playwright Test Results</summary> + <pre> + ${{ steps.playwright.outputs.PLAYWRIGHT_OUTPUT }} + </pre> + </details> + [View Playwright Report](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}#artifacts) (note: open the "playwright-report" artifact) diff --git a/.github/workflows/publish-chrome-development.yml b/.github/workflows/publish-chrome-development.yml new file mode 100644 index 00000000..bf866f67 --- /dev/null +++ b/.github/workflows/publish-chrome-development.yml 
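Review bot: In the `[PR] Generate new screenshots & compare against master` step, `npx playwright test 2>&1 | tee $GITHUB_OUTPUT` overwrites `$GITHUB_OUTPUT` instead of appending, discarding the `PLAYWRIGHT_OUTPUT<<$EOF` heredoc header written on the previous line, so the multi-line output is never set as intended; `npx playwright test 2>&1 | tee -a "$GITHUB_OUTPUT" || true` appends and keeps the heredoc intact. In the `[Failure] Comment results on PR` message, `{{ steps.playwright.outputs.NUM_FAILED }}` is missing the leading `$`, so the placeholder is posted literally rather than the count. The job requests `pull-requests: write` and `contents: write` while triggered on `pull_request`; the comment steps only need `pull-requests: write`, and for same-repository PRs the broader grant hands `npm ci` and the test run a write-capable `GITHUB_TOKEN`, so `contents: write` looks unnecessary unless something outside this hunk relies on it.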
@@ -0,0 +1,97 @@ +name: publish-chrome-development +on: + workflow_dispatch: + inputs: + attemptNumber: + description: "Attempt number" + required: false + default: "1" + maxAttempts: + description: "Max attempts" + required: false + default: "10" +permissions: + contents: read +jobs: + upload-on-webstore: + runs-on: ubuntu-latest + environment: cd + outputs: + result: ${{ steps.webStorePublish.outcome }} + releaseUploadUrl: ${{ steps.getZipAsset.outputs.releaseUploadUrl }} + permissions: + actions: write + steps: + - name: Get the next attempt number + id: getNextAttemptNumber + uses: cardinalby/js-eval-action@b34865f1d9cfdf35356013627474857cfe0d5091 # pin@v1.0.7 + env: + attemptNumber: ${{ github.event.inputs.attemptNumber }} + maxAttempts: ${{ github.event.inputs.maxAttempts }} + with: + expression: | + { + const + attempt = parseInt(env.attemptNumber), + max = parseInt(env.maxAttempts); + assert(attempt && max && max >= attempt); + return attempt < max ? attempt + 1 : ''; + } + + - uses: robinraju/release-downloader@768b85c8d69164800db5fc00337ab917daf3ce68 # pin@v1.7 + with: + tag: ${{ github.ref_name }} + fileName: "*" + + - name: Fetch Google API access token + id: fetchAccessToken + uses: cardinalby/google-api-fetch-token-action@24c99245e2a2494cc4c4b1037203d319a184b15b # pin@v1.0.3 + with: + clientId: ${{ secrets.G_CLIENT_ID }} + clientSecret: ${{ secrets.G_CLIENT_SECRET }} + refreshToken: ${{ secrets.G_REFRESH_TOKEN }} + + - name: Upload to Google Web Store + id: webStoreUpload + continue-on-error: true + uses: cardinalby/webext-buildtools-chrome-webstore-upload-action@8db7a005529498d95d3e2e0166f6f4050d2b96a5 # pin@v1.0.10 + with: + zipFilePath: yomitan-chrome-dev.zip + extensionId: ${{ secrets.G_DEVELOPMENT_EXTENSION_ID }} + apiAccessToken: ${{ steps.fetchAccessToken.outputs.accessToken }} + waitForUploadCheckCount: 10 + waitForUploadCheckIntervalMs: 180000 # 3 minutes + + # Schedule a next attempt if store refused to accept new version because it + # 
still has a previous one in review + - name: Start the next attempt with the delay + uses: aurelien-baudet/workflow-dispatch@93e95b157d791ae7f42aef8f8a0d3d723eba1c31 # pin@v2 + if: | + steps.getNextAttemptNumber.outputs.result && + steps.webStoreUpload.outputs.inReviewError == 'true' + with: + workflow: delay + token: ${{ secrets.GITHUB_TOKEN }} + wait-for-completion: false + inputs: | + { + "attemptNumber": "${{ steps.getNextAttemptNumber.outputs.result }}", + "maxAttempts": "${{ github.event.inputs.maxAttempts }}", + "workflow": "${{ github.workflow }}" + } + + - name: Abort on unrecoverable upload error + if: | + !steps.webStoreUpload.outputs.newVersion && + steps.webStoreUpload.outputs.sameVersionAlreadyUploadedError != 'true' + run: exit 1 + + - name: Publish on Google Web Store + id: webStorePublish + if: | + steps.webStoreUpload.outputs.newVersion || + steps.webStoreUpload.outputs.sameVersionAlreadyUploadedError == 'true' + uses: cardinalby/webext-buildtools-chrome-webstore-publish-action@d39ebd4ab4ea4b44498bf5fc34d4b3db7706f1ed # pin@v1.0.7 + with: + extensionId: ${{ secrets.G_DEVELOPMENT_EXTENSION_ID }} + apiAccessToken: ${{ steps.fetchAccessToken.outputs.accessToken }} diff --git a/.github/workflows/publish-chrome.yml b/.github/workflows/publish-chrome.yml new file mode 100644 index 00000000..e1502165 --- /dev/null +++ b/.github/workflows/publish-chrome.yml 
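Review bot: The job-level output `releaseUploadUrl: ${{ steps.getZipAsset.outputs.releaseUploadUrl }}` references a step id `getZipAsset` that does not exist in upload-on-webstore (the ids present are getNextAttemptNumber, fetchAccessToken, webStoreUpload and webStorePublish), so the output is always empty; publish-chrome.yml carries the identical dangling reference. Either remove the output or give the release-downloader step `id: getZipAsset` and point the output at a value that action actually exposes — removing it seems right unless a caller consumes it. The Google credentials (`G_CLIENT_ID`, `G_CLIENT_SECRET`, `G_REFRESH_TOKEN`) are handed to SHA-pinned third-party actions and the resulting access token then flows through `steps.fetchAccessToken.outputs.accessToken`; whether that output is registered as a masked value depends on the action, so it is worth confirming it does not surface in run logs.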
@@ -0,0 +1,99 @@ +name: publish-chrome +on: + release: + types: [released] + workflow_dispatch: + inputs: + attemptNumber: + description: "Attempt number" + required: false + default: "1" + maxAttempts: + description: "Max attempts" + required: false + default: "10" +permissions: + contents: read +jobs: + upload-on-webstore: + runs-on: ubuntu-latest + environment: cd + outputs: + result: ${{ steps.webStorePublish.outcome }} + releaseUploadUrl: ${{ steps.getZipAsset.outputs.releaseUploadUrl }} + permissions: + actions: write + steps: + - name: Get the next attempt number + id: getNextAttemptNumber + uses: cardinalby/js-eval-action@b34865f1d9cfdf35356013627474857cfe0d5091 # pin@v1.0.7 + env: + attemptNumber: ${{ github.event.inputs.attemptNumber }} + maxAttempts: ${{ github.event.inputs.maxAttempts }} + with: + expression: | + { + const + attempt = parseInt(env.attemptNumber), + max = parseInt(env.maxAttempts); + assert(attempt && max && max >= attempt); + return attempt < max ? attempt + 1 : ''; + } + + - uses: robinraju/release-downloader@768b85c8d69164800db5fc00337ab917daf3ce68 # pin@v1.7 + with: + tag: ${{ github.ref_name }} + fileName: "*" + + - name: Fetch Google API access token + id: fetchAccessToken + uses: cardinalby/google-api-fetch-token-action@24c99245e2a2494cc4c4b1037203d319a184b15b # pin@v1.0.3 + with: + clientId: ${{ secrets.G_CLIENT_ID }} + clientSecret: ${{ secrets.G_CLIENT_SECRET }} + refreshToken: ${{ secrets.G_REFRESH_TOKEN }} + + - name: Upload to Google Web Store + id: webStoreUpload + continue-on-error: true + uses: cardinalby/webext-buildtools-chrome-webstore-upload-action@8db7a005529498d95d3e2e0166f6f4050d2b96a5 # pin@v1.0.10 + with: + zipFilePath: yomitan-chrome.zip + extensionId: ${{ secrets.G_STABLE_EXTENSION_ID }} + apiAccessToken: ${{ steps.fetchAccessToken.outputs.accessToken }} + waitForUploadCheckCount: 10 + waitForUploadCheckIntervalMs: 180000 # 3 minutes + + # Schedule a next attempt if store refused to accept new version because 
it + # still has a previous one in review + - name: Start the next attempt with the delay + uses: aurelien-baudet/workflow-dispatch@93e95b157d791ae7f42aef8f8a0d3d723eba1c31 # pin@v2 + if: | + steps.getNextAttemptNumber.outputs.result && + steps.webStoreUpload.outputs.inReviewError == 'true' + with: + workflow: delay + token: ${{ secrets.GITHUB_TOKEN }} + wait-for-completion: false + inputs: | + { + "attemptNumber": "${{ steps.getNextAttemptNumber.outputs.result }}", + "maxAttempts": "${{ github.event.inputs.maxAttempts }}", + "workflow": "${{ github.workflow }}" + } + + - name: Abort on unrecoverable upload error + if: | + !steps.webStoreUpload.outputs.newVersion && + steps.webStoreUpload.outputs.sameVersionAlreadyUploadedError != 'true' + run: exit 1 + + - name: Publish on Google Web Store + id: webStorePublish + if: | + steps.webStoreUpload.outputs.newVersion || + steps.webStoreUpload.outputs.sameVersionAlreadyUploadedError == 'true' + uses: cardinalby/webext-buildtools-chrome-webstore-publish-action@d39ebd4ab4ea4b44498bf5fc34d4b3db7706f1ed # pin@v1.0.7 + with: + extensionId: ${{ secrets.G_STABLE_EXTENSION_ID }} + apiAccessToken: ${{ steps.fetchAccessToken.outputs.accessToken }} diff --git a/.github/workflows/publish-firefox-development.yml b/.github/workflows/publish-firefox-development.yml new file mode 100644 index 00000000..6ce61dc5 --- /dev/null +++ b/.github/workflows/publish-firefox-development.yml 
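Review bot: publish-chrome.yml and publish-chrome-development.yml are the same job apart from `zipFilePath`, the extension-id secret and the `release` trigger, so every fix (the dangling `steps.getZipAsset` output included) has to be applied in two places. A single reusable workflow (`on: workflow_call:` taking the zip path as an input and the extension id as a secret) called by two thin wrappers would remove the duplication. The `tag: ${{ github.ref_name }}` passed to release-downloader is a tag name on the `release` trigger, but on a manual `workflow_dispatch` from a branch it is the branch name and the download would fail; if dispatch is only meant to be reached through the delay retry chain, a comment stating that would help, or the tag could be passed as an explicit input.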
@@ -0,0 +1,84 @@ +# For the Firefox development addon, people install it manually, +# and updates are distributed via the JSON file created in this +# action which is stored in the metadata branch of this repo. + +name: publish-firefox-development +on: + workflow_dispatch: +permissions: + contents: read +jobs: + build-signed-xpi-asset: + runs-on: ubuntu-latest + environment: cd + permissions: + contents: write + steps: + - uses: robinraju/release-downloader@768b85c8d69164800db5fc00337ab917daf3ce68 # pin@v1.7 + with: + tag: ${{ github.ref_name }} + fileName: "*" + + - name: Sign Firefox xpi for offline distribution + id: ffSignXpi + continue-on-error: true + uses: cardinalby/webext-buildtools-firefox-sign-xpi-action@94a2e58141e33c4306a72a93f191e8540189df92 # pin@v1.0.6 + with: + timeoutMs: 1200000 + extensionId: ${{ secrets.FF_OFFLINE_EXT_ID }} + zipFilePath: yomitan-firefox-dev.zip + xpiFilePath: yomitan-firefox-dev.xpi + jwtIssuer: ${{ secrets.FF_JWT_ISSUER }} + jwtSecret: ${{ secrets.FF_JWT_SECRET }} + + - name: Abort on sign error + if: | + steps.ffSignXpi.outcome == 'failure' && + steps.ffSignXpi.outputs.sameVersionAlreadyUploadedError != 'true' + run: exit 1 + + - name: Upload offline xpi release asset + id: uploadReleaseAsset + if: steps.ffSignXpi.outcome == 'success' + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ github.event.release.upload_url }} + asset_path: yomitan-firefox.xpi + asset_name: yomitan-firefox.xpi + asset_content_type: application/x-xpinstall + + # update update.json so that all people who have the dev version installed get the new update + + - uses: actions/checkout@v3 + with: + ref: metadata + + - name: Recreate update.json + run: | + cat > update.json << EOF + { + "addons": { + "{2d13e145-294e-4ead-9bce-b4644b203a00}": { + "updates": [ + { + "version": "${{ github.event.release.name }}", + "update_link": "${{ steps.uploadReleaseAsset.browser_download_url }}" + } + ] + } 
+ } + } + EOF + + - name: Commit files + run: | + git config --local user.email "github-actions[bot]@users.noreply.github.com" + git config --local user.name "github-actions[bot]" + git commit -a -m "${{ github.event.release.name }} - ${{ github.event.release.html_url }}" + + - name: Push changes + uses: ad-m/github-push-action@0fafdd62b84042d49ec0cb92d9cac7f7ce4ec79e # pin@master + with: + branch: metadata diff --git a/.github/workflows/publish-firefox.yml b/.github/workflows/publish-firefox.yml new file mode 100644 index 00000000..1dd6d260 --- /dev/null +++ b/.github/workflows/publish-firefox.yml @@ -0,0 +1,32 @@ +name: publish-firefox +on: + release: + types: [released] +permissions: + contents: read +jobs: + publish: + runs-on: ubuntu-latest + environment: cd + steps: + - uses: robinraju/release-downloader@768b85c8d69164800db5fc00337ab917daf3ce68 # pin@v1.7 + with: + tag: ${{ github.ref_name }} + fileName: "*" + + - name: Deploy to Firefox Addons + id: addonsDeploy + uses: cardinalby/webext-buildtools-firefox-addons-action@924ad87df7e4af50a654c164ad9e498dce260ffa # pin@v1.0.9 + continue-on-error: true + with: + zipFilePath: yomitan-firefox.zip + extensionId: ${{ secrets.FF_EXTENSION_ID }} + jwtIssuer: ${{ secrets.FF_JWT_ISSUER }} + jwtSecret: ${{ secrets.FF_JWT_SECRET }} + + - name: Abort on upload error + if: | + steps.addonsDeploy.outcome == 'failure' && + steps.addonsDeploy.outputs.sameVersionAlreadyUploadedError != 'true' && + steps.addonsDeploy.outputs.timeoutError != 'true' + run: exit 1 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000..c39c52bb --- /dev/null +++ b/.github/workflows/scorecard.yml 
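Review bot: The build-signed-xpi-asset job is triggered only by `workflow_dispatch`, yet it reads `github.event.release.upload_url`, `github.event.release.name` and `github.event.release.html_url`; a dispatch event carries no `release` payload, so these expand to empty strings and the upload URL, the version written into update.json and the commit message are all blank. The `Upload offline xpi release asset` step also uploads `asset_path: yomitan-firefox.xpi` although the sign step writes `xpiFilePath: yomitan-firefox-dev.xpi`, and the update_link uses `steps.uploadReleaseAsset.browser_download_url` where step outputs live under `steps.uploadReleaseAsset.outputs.browser_download_url`. Passing the release tag and URLs explicitly as `workflow_dispatch` inputs (create-prerelease-on-tag.yml, which dispatches this workflow, has them at hand) and using `asset_path: yomitan-firefox-dev.xpi` with `${{ steps.uploadReleaseAsset.outputs.browser_download_url }}` would address all three. `actions/upload-release-asset@v1` is archived upstream and tag-pinned, unlike the SHA-pinned actions around it.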
@@ -0,0 +1,68 @@ +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: "34 17 * * 1" + push: + branches: ["master"] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. 
+ publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + with: + sarif_file: results.sarif diff --git a/.github/workflows/touch-google-refresh-token.yml b/.github/workflows/touch-google-refresh-token.yml new file mode 100644 index 00000000..9c4e2ec9 --- /dev/null +++ b/.github/workflows/touch-google-refresh-token.yml @@ -0,0 +1,16 @@ +name: Touch google token +on: + schedule: + - cron: "0 3 2 * *" # At 03:00 on day-of-month 2 + workflow_dispatch: +permissions: {} +jobs: + fetchToken: + runs-on: ubuntu-latest + environment: cd + steps: + - uses: cardinalby/google-api-fetch-token-action@24c99245e2a2494cc4c4b1037203d319a184b15b # pin@v1.0.3 + with: + clientId: ${{ secrets.G_CLIENT_ID }} + clientSecret: ${{ secrets.G_CLIENT_SECRET }} + refreshToken: ${{ secrets.G_REFRESH_TOKEN }} |
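Review bot: touch-google-refresh-token.yml has no header comment explaining why a scheduled job fetches a Google API access token and discards it, while delay.yml and publish-firefox-development.yml both open with one. Presumably the monthly run keeps the refresh token stored in the `cd` environment from expiring through inactivity — confirm before writing it down — in which case a header such as `# Runs monthly so the Google refresh token in the cd environment stays valid; the fetched access token is not used.` would record that for the next maintainer. The step has no `id:` and nothing consumes its output, which is consistent with that reading.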