Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/broken-links.yml23
-rw-r--r--.github/workflows/ci.yml77
-rw-r--r--.github/workflows/create-prerelease-on-tag.yml46
-rw-r--r--.github/workflows/delay.yml44
-rw-r--r--.github/workflows/playwright.yml109
-rw-r--r--.github/workflows/publish-chrome-development.yml97
-rw-r--r--.github/workflows/publish-chrome.yml99
-rw-r--r--.github/workflows/publish-firefox-development.yml84
-rw-r--r--.github/workflows/publish-firefox.yml32
-rw-r--r--.github/workflows/scorecard.yml68
-rw-r--r--.github/workflows/touch-google-refresh-token.yml16
11 files changed, 665 insertions, 30 deletions
diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml
new file mode 100644
index 00000000..3d318005
--- /dev/null
+++ b/.github/workflows/broken-links.yml
@@ -0,0 +1,23 @@
+name: Broken Link Checker
+
+permissions:
+ contents: read
+
+# runs on prs containing markdown or html changes, as well as every monday at 9 am
+on:
+ pull_request:
+ paths:
+ - "**.md"
+ - "**.html"
+ schedule:
+ - cron: "0 9 * * 1"
+
+jobs:
+ link-checker:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: lycheeverse/lychee-action@9ace499fe66cee282a29eaa628fdac2c72fa087f
+ with:
+ fail: true
+ jobSummary: false
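Review bot: `actions/checkout@v3` on the checkout step is pinned to a mutable tag while the lychee step directly below it is pinned to a commit SHA, so two steps in the same four-line job get different supply-chain guarantees. The scorecard workflow added in this same commit already uses `actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0`, which could be reused here, and the lychee SHA should carry a version comment (`# vX.Y.Z`) so it can be audited and bumped. Since the job only reads the tree, `persist-credentials: false` on the checkout would also keep the GITHUB_TOKEN out of `.git/config` while the link checker runs against PR-supplied markdown.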
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c1c491f4..c62c9893 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
name: CI
+permissions:
+ contents: read
+
on: [push, pull_request]
jobs:
@@ -7,33 +10,47 @@ jobs:
runs-on: ubuntu-latest
steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Setup node
- uses: actions/setup-node@v1
- with:
- node-version: '16.x'
- - name: Install dependencies
- run: npm ci
- - name: Lint
- run: npm run test-lint
- env:
- CI: true
- - name: Lint CSS
- run: npm run test-lint-css
- env:
- CI: true
- - name: Lint HTML
- run: npm run test-lint-html
- env:
- CI: true
- - name: Tests
- run: npm run test-code
- env:
- CI: true
- - name: Manifest
- run: npm run test-manifest
- env:
- CI: true
- - name: Build
- run: npm run test-build
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Setup node
+ uses: actions/setup-node@v3
+ with:
+ node-version-file: ".node-version"
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Lint
+ run: npm run test-lint
+ env:
+ CI: true
+
+ - name: Lint CSS
+ run: npm run test-lint-css
+ env:
+ CI: true
+
+ - name: Lint HTML
+ run: npm run test-lint-html
+ env:
+ CI: true
+
+ - name: Tests
+ run: npm run test-code
+ env:
+ CI: true
+
+ - name: Manifest
+ run: npm run test-manifest
+ env:
+ CI: true
+
+ - name: Validate manifest.json of the extension
+ uses: cardinalby/schema-validator-action@c2da05377e89dd0c9b7be9420da0b3534b1efcce # pin@v1
+ with:
+ file: ext/manifest.json
+ schema: "https://json.schemastore.org/chrome-manifest.json"
+
+ - name: Build
+ run: npm run test-build
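Review bot: The checkout and setup-node steps remain pinned by mutable tags (`@v3`) while the newly added schema-validator step is SHA-pinned with a `# pin@v1` comment, so the hardening is applied inconsistently within one job. Pinning `actions/checkout` and `actions/setup-node` to full commit SHAs with a version comment, as scorecard.yml does elsewhere in this commit, would make the job's supply chain uniform. The manifest schema is fetched from `https://json.schemastore.org/chrome-manifest.json` at run time, so the validation result depends on an unpinned remote resource; acceptable for a lint step, but worth a comment such as `# schema is fetched live from schemastore.org; results may change without a commit here`.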
diff --git a/.github/workflows/create-prerelease-on-tag.yml b/.github/workflows/create-prerelease-on-tag.yml
new file mode 100644
index 00000000..3d749c58
--- /dev/null
+++ b/.github/workflows/create-prerelease-on-tag.yml
@@ -0,0 +1,46 @@
+name: Create prerelease on tag
+on:
+ push:
+ tags:
+ - "*.*.*.*"
+ workflow_dispatch:
+permissions:
+ contents: read
+jobs:
+ build-release-publish:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: write
+ contents: write
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Setup node
+ uses: actions/setup-node@v3
+ with:
+ node-version-file: ".node-version"
+
+ - name: Lint
+ run: npm run-script build
+ shell: bash
+
+ - name: Release
+ uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # pin@v0.1.15
+ with:
+ generate_release_notes: true
+ prerelease: true
+ files: builds/*
+
+ - name: Dispatch publish-chrome-development
+ uses: aurelien-baudet/workflow-dispatch@93e95b157d791ae7f42aef8f8a0d3d723eba1c31 # pin@v2
+ with:
+ workflow: publish-chrome-development
+ token: ${{ secrets.GITHUB_TOKEN }}
+ wait-for-completion: false
+
+ - name: Dispatch publish-firefox-development
+ uses: aurelien-baudet/workflow-dispatch@93e95b157d791ae7f42aef8f8a0d3d723eba1c31 # pin@v2
+ with:
+ workflow: publish-firefox-development
+ token: ${{ secrets.GITHUB_TOKEN }}
+ wait-for-completion: false
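Review bot: The step named `Lint` runs `npm run-script build` with no preceding `npm ci`, so unless the build script has no dependencies it will fail on a fresh runner, and the name misdescribes what the step does; the other workflows in this commit install dependencies first. I would rename it and add the install: `- name: Install dependencies` / `  run: npm ci` before `- name: Build` / `  run: npm run-script build`. Separately, any push of a tag matching `*.*.*.*` creates a prerelease with `contents: write` and dispatches both store-publish workflows, so tag-push permission is effectively release permission here; a tag protection rule limiting who may create such tags, and a comment on the trigger saying so, would make that explicit.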
diff --git a/.github/workflows/delay.yml b/.github/workflows/delay.yml
new file mode 100644
index 00000000..11d29bd9
--- /dev/null
+++ b/.github/workflows/delay.yml
@@ -0,0 +1,44 @@
+# This workflow is used to delay the execution of workflows that need to use an environment.
+# The delay occurs thanks to the usage of the 12hoursDelay environment.
+#
+# It is used to delay the execution of the publish-chrome(-development) workflow to avoid the
+# Google Web Store rejecting the upload of a new version because it is still in review.
+#
+# The reason we can't directly do a workflow-dispatch is because the 12hoursDelay
+# environment does not include our secrets, so instead we chain two workflow-dispatch calls.
+
+name: delay
+on:
+ workflow_dispatch:
+ inputs:
+ workflow:
+ description: "Workflow name"
+ required: true
+ attemptNumber:
+ description: "Attempt number"
+ required: false
+ default: "1"
+ maxAttempts:
+ description: "Max attempts"
+ required: false
+ default: "10"
+permissions: {}
+jobs:
+ delay:
+ runs-on: ubuntu-latest
+ environment: 12hoursDelay
+ permissions:
+ actions: write
+ steps:
+ - name: Start the next attempt
+ uses: aurelien-baudet/workflow-dispatch@93e95b157d791ae7f42aef8f8a0d3d723eba1c31 # pin@v2
+ with:
+ workflow: ${{ github.event.inputs.workflow }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+ wait-for-completion: false
+ inputs: |
+ {
+ "attemptNumber": "${{ github.event.inputs.attemptNumber }}",
+ "maxAttempts": "${{ github.event.inputs.maxAttempts }}",
+ "environment": "${{ github.event.inputs.environment }}"
+ }
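Review bot: The dispatch payload passes `"environment": "${{ github.event.inputs.environment }}"`, but `environment` is neither declared as an input of this workflow (only `workflow`, `attemptNumber` and `maxAttempts` are) nor by the publish-chrome workflows it targets, so the value is always empty and, as far as I know, GitHub's workflow_dispatch API rejects inputs the target workflow does not declare, meaning the retry dispatch will likely fail with an unexpected-inputs error instead of scheduling the next attempt. Dropping that line from the JSON block is the fix. The remaining inputs are interpolated directly into a JSON literal; only users with write access can dispatch, so this is not an injection exposure, but a stray `"` in `workflow` would still break the payload, which deserves a one-line comment.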
diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml
new file mode 100644
index 00000000..5ee786ef
--- /dev/null
+++ b/.github/workflows/playwright.yml
@@ -0,0 +1,109 @@
+name: Playwright Tests
+on:
+ push:
+ branches: [master]
+ pull_request:
+permissions:
+ contents: read
+jobs:
+ playwright:
+ timeout-minutes: 60
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ contents: write
+ steps:
+ - uses: actions/checkout@v3
+
+ - uses: actions/setup-node@v3
+ with:
+ cache: "npm"
+ node-version-file: ".node-version"
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Cache playwright browsers
+ id: cache-playwright
+ uses: actions/cache@v3
+ with:
+ path: |
+ ~/.cache/ms-playwright
+ key: cache-playwright-${{ hashFiles('package-lock.json') }} # playwright version is included in package-lock, so this serves as a reasonable cache key
+
+ - if: ${{ steps.cache-playwright.outputs.cache-hit != 'true' }}
+ name: Install Playwright Browsers
+ run: npx playwright install --with-deps chromium
+
+ - name: Grab latest dictionaries from dictionaries branch
+ uses: actions/checkout@v3
+ with:
+ ref: dictionaries
+ path: dictionaries
+
+ - name: Grab latest screenshots from master branch
+ uses: dawidd6/action-download-artifact@5e780fc7bbd0cac69fc73271ed86edf5dcb72d67 # pin@v2
+ continue-on-error: true
+ id: download-screenshots
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ name: playwright-screenshots
+ branch: master
+ workflow: playwright.yml
+ workflow_conclusion: success
+ path: test/playwright/__screenshots__/
+
+ - name: "[PR] Generate new screenshots & compare against master"
+ id: playwright
+ run: |
+ EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+ echo "PLAYWRIGHT_OUTPUT<<$EOF" >> $GITHUB_OUTPUT
+ npx playwright test 2>&1 | tee $GITHUB_OUTPUT || true
+ echo "$EOF" >> $GITHUB_OUTPUT
+ echo "NUM_FAILED=$(grep -c 'Screenshot comparison failed' $GITHUB_OUTPUT)" >> $GITHUB_OUTPUT
+ continue-on-error: true
+ if: github.event_name == 'pull_request' && steps.download-screenshots.outcome != 'failure'
+
+ - name: "[Push] Generate new authoritative screenshots for master"
+ id: playwright-master
+ run: npx playwright test -u
+ if: github.event_name == 'push'
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: playwright-screenshots
+ path: test/playwright/__screenshots__/
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: playwright-report
+ path: playwright-report/
+
+ - name: "[Couldn't download screenshots] Comment results on PR"
+ uses: mshick/add-pr-comment@a65df5f64fc741e91c59b8359a4bc56e57aaf5b1 # pin@v2
+ if: github.event_name == 'pull_request' && steps.download-screenshots.outcome == 'failure'
+ with:
+ message: |
+ :heavy_exclamation_mark: Could not fetch screenshots from master branch, so had nothing to make a visual comparison against; please check the "download-screenshots" step in the workflow run and rerun it before merging.
+
+ - name: "[Success] Comment results on PR"
+ uses: mshick/add-pr-comment@a65df5f64fc741e91c59b8359a4bc56e57aaf5b1 # pin@v2
+ if: github.event_name == 'pull_request' && steps.download-screenshots.outcome != 'failure' && steps.playwright.outputs.NUM_FAILED == 0
+ with:
+ message: |
+ :heavy_check_mark: No visual differences introduced by this PR.
+ [View Playwright Report](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}#artifacts) (note: open the "playwright-report" artifact)
+
+ - name: "[Failure] Comment results on PR"
+ uses: mshick/add-pr-comment@a65df5f64fc741e91c59b8359a4bc56e57aaf5b1 # pin@v2
+ if: github.event_name == 'pull_request' && steps.download-screenshots.outcome != 'failure' && steps.playwright.outputs.NUM_FAILED != 0
+ with:
+ message: |
+ :warning: {{ steps.playwright.outputs.NUM_FAILED }} visual differences introduced by this PR; please validate if they are desirable.
+ <details>
+ <summary>Playwright Test Results</summary>
+ <pre>
+ ${{ steps.playwright.outputs.PLAYWRIGHT_OUTPUT }}
+ </pre>
+ </details>
+ [View Playwright Report](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}#artifacts) (note: open the "playwright-report" artifact)
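Review bot: `npx playwright test 2>&1 | tee $GITHUB_OUTPUT` on the PR comparison step overwrites `$GITHUB_OUTPUT` (tee without `-a` truncates), discarding the `PLAYWRIGHT_OUTPUT<<$EOF` heredoc header written on the line before, so the runner sees raw test output where it expects `key=value` lines and `PLAYWRIGHT_OUTPUT` is never set as intended; writing the log to a scratch file and appending to `$GITHUB_OUTPUT` once fixes it. The `[Failure]` comment body also uses `{{ steps.playwright.outputs.NUM_FAILED }}` without the leading `$`, so the literal template text is posted instead of the count. The job-level grant requests `contents: write` on a `pull_request`-triggered job although no visible step writes to the repository, while the artifact download from another run likely needs `actions: read`, which that grant omits (job-level `permissions` zeroes every scope not listed); I would change it to `contents: read`, `actions: read`, `pull-requests: write`.
```yaml
      run: |
        EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
        npx playwright test 2>&1 | tee playwright-output.log || true
        {
          echo "PLAYWRIGHT_OUTPUT<<$EOF"
          cat playwright-output.log
          echo "$EOF"
          echo "NUM_FAILED=$(grep -c 'Screenshot comparison failed' playwright-output.log)"
        } >> "$GITHUB_OUTPUT"
```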
diff --git a/.github/workflows/publish-chrome-development.yml b/.github/workflows/publish-chrome-development.yml
new file mode 100644
index 00000000..bf866f67
--- /dev/null
+++ b/.github/workflows/publish-chrome-development.yml
@@ -0,0 +1,97 @@
+name: publish-chrome-development
+on:
+ workflow_dispatch:
+ inputs:
+ attemptNumber:
+ description: "Attempt number"
+ required: false
+ default: "1"
+ maxAttempts:
+ description: "Max attempts"
+ required: false
+ default: "10"
+permissions:
+ contents: read
+jobs:
+ upload-on-webstore:
+ runs-on: ubuntu-latest
+ environment: cd
+ outputs:
+ result: ${{ steps.webStorePublish.outcome }}
+ releaseUploadUrl: ${{ steps.getZipAsset.outputs.releaseUploadUrl }}
+ permissions:
+ actions: write
+ steps:
+ - name: Get the next attempt number
+ id: getNextAttemptNumber
+ uses: cardinalby/js-eval-action@b34865f1d9cfdf35356013627474857cfe0d5091 # pin@v1.0.7
+ env:
+ attemptNumber: ${{ github.event.inputs.attemptNumber }}
+ maxAttempts: ${{ github.event.inputs.maxAttempts }}
+ with:
+ expression: |
+ {
+ const
+ attempt = parseInt(env.attemptNumber),
+ max = parseInt(env.maxAttempts);
+ assert(attempt && max && max >= attempt);
+ return attempt < max ? attempt + 1 : '';
+ }
+
+ - uses: robinraju/release-downloader@768b85c8d69164800db5fc00337ab917daf3ce68 # pin@v1.7
+ with:
+ tag: ${{ github.ref_name }}
+ fileName: "*"
+
+ - name: Fetch Google API access token
+ id: fetchAccessToken
+ uses: cardinalby/google-api-fetch-token-action@24c99245e2a2494cc4c4b1037203d319a184b15b # pin@v1.0.3
+ with:
+ clientId: ${{ secrets.G_CLIENT_ID }}
+ clientSecret: ${{ secrets.G_CLIENT_SECRET }}
+ refreshToken: ${{ secrets.G_REFRESH_TOKEN }}
+
+ - name: Upload to Google Web Store
+ id: webStoreUpload
+ continue-on-error: true
+ uses: cardinalby/webext-buildtools-chrome-webstore-upload-action@8db7a005529498d95d3e2e0166f6f4050d2b96a5 # pin@v1.0.10
+ with:
+ zipFilePath: yomitan-chrome-dev.zip
+ extensionId: ${{ secrets.G_DEVELOPMENT_EXTENSION_ID }}
+ apiAccessToken: ${{ steps.fetchAccessToken.outputs.accessToken }}
+ waitForUploadCheckCount: 10
+ waitForUploadCheckIntervalMs: 180000 # 3 minutes
+
+ # Schedule a next attempt if store refused to accept new version because it
+ # still has a previous one in review
+ - name: Start the next attempt with the delay
+ uses: aurelien-baudet/workflow-dispatch@93e95b157d791ae7f42aef8f8a0d3d723eba1c31 # pin@v2
+ if: |
+ steps.getNextAttemptNumber.outputs.result &&
+ steps.webStoreUpload.outputs.inReviewError == 'true'
+ with:
+ workflow: delay
+ token: ${{ secrets.GITHUB_TOKEN }}
+ wait-for-completion: false
+ inputs: |
+ {
+ "attemptNumber": "${{ steps.getNextAttemptNumber.outputs.result }}",
+ "maxAttempts": "${{ github.event.inputs.maxAttempts }}",
+ "workflow": "${{ github.workflow }}"
+ }
+
+ - name: Abort on unrecoverable upload error
+ if: |
+ !steps.webStoreUpload.outputs.newVersion &&
+ steps.webStoreUpload.outputs.sameVersionAlreadyUploadedError != 'true'
+ run: exit 1
+
+ - name: Publish on Google Web Store
+ id: webStorePublish
+ if: |
+ steps.webStoreUpload.outputs.newVersion ||
+ steps.webStoreUpload.outputs.sameVersionAlreadyUploadedError == 'true'
+ uses: cardinalby/webext-buildtools-chrome-webstore-publish-action@d39ebd4ab4ea4b44498bf5fc34d4b3db7706f1ed # pin@v1.0.7
+ with:
+ extensionId: ${{ secrets.G_DEVELOPMENT_EXTENSION_ID }}
+ apiAccessToken: ${{ steps.fetchAccessToken.outputs.accessToken }}
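Review bot: The job output `releaseUploadUrl: ${{ steps.getZipAsset.outputs.releaseUploadUrl }}` references a step id `getZipAsset` that does not exist in this job, so the output is always empty; either the step was lost during copy-editing or the output line should be removed. `tag: ${{ github.ref_name }}` on the release-downloader step only resolves to a release tag when the dispatch ran against the tag ref; a manual `workflow_dispatch` from a branch will look for a tag named after the branch and fail, which deserves a comment on the trigger (`# dispatch this from the release tag, not a branch`) or an explicit `tag` input falling back to `github.ref_name`. The access token is handed between steps as a step output, which is fine only if the fetch-token action registers it as a secret for log masking — worth confirming before relying on it.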
diff --git a/.github/workflows/publish-chrome.yml b/.github/workflows/publish-chrome.yml
new file mode 100644
index 00000000..e1502165
--- /dev/null
+++ b/.github/workflows/publish-chrome.yml
@@ -0,0 +1,99 @@
+name: publish-chrome
+on:
+ release:
+ types: [released]
+ workflow_dispatch:
+ inputs:
+ attemptNumber:
+ description: "Attempt number"
+ required: false
+ default: "1"
+ maxAttempts:
+ description: "Max attempts"
+ required: false
+ default: "10"
+permissions:
+ contents: read
+jobs:
+ upload-on-webstore:
+ runs-on: ubuntu-latest
+ environment: cd
+ outputs:
+ result: ${{ steps.webStorePublish.outcome }}
+ releaseUploadUrl: ${{ steps.getZipAsset.outputs.releaseUploadUrl }}
+ permissions:
+ actions: write
+ steps:
+ - name: Get the next attempt number
+ id: getNextAttemptNumber
+ uses: cardinalby/js-eval-action@b34865f1d9cfdf35356013627474857cfe0d5091 # pin@v1.0.7
+ env:
+ attemptNumber: ${{ github.event.inputs.attemptNumber }}
+ maxAttempts: ${{ github.event.inputs.maxAttempts }}
+ with:
+ expression: |
+ {
+ const
+ attempt = parseInt(env.attemptNumber),
+ max = parseInt(env.maxAttempts);
+ assert(attempt && max && max >= attempt);
+ return attempt < max ? attempt + 1 : '';
+ }
+
+ - uses: robinraju/release-downloader@768b85c8d69164800db5fc00337ab917daf3ce68 # pin@v1.7
+ with:
+ tag: ${{ github.ref_name }}
+ fileName: "*"
+
+ - name: Fetch Google API access token
+ id: fetchAccessToken
+ uses: cardinalby/google-api-fetch-token-action@24c99245e2a2494cc4c4b1037203d319a184b15b # pin@v1.0.3
+ with:
+ clientId: ${{ secrets.G_CLIENT_ID }}
+ clientSecret: ${{ secrets.G_CLIENT_SECRET }}
+ refreshToken: ${{ secrets.G_REFRESH_TOKEN }}
+
+ - name: Upload to Google Web Store
+ id: webStoreUpload
+ continue-on-error: true
+ uses: cardinalby/webext-buildtools-chrome-webstore-upload-action@8db7a005529498d95d3e2e0166f6f4050d2b96a5 # pin@v1.0.10
+ with:
+ zipFilePath: yomitan-chrome.zip
+ extensionId: ${{ secrets.G_STABLE_EXTENSION_ID }}
+ apiAccessToken: ${{ steps.fetchAccessToken.outputs.accessToken }}
+ waitForUploadCheckCount: 10
+ waitForUploadCheckIntervalMs: 180000 # 3 minutes
+
+ # Schedule a next attempt if store refused to accept new version because it
+ # still has a previous one in review
+ - name: Start the next attempt with the delay
+ uses: aurelien-baudet/workflow-dispatch@93e95b157d791ae7f42aef8f8a0d3d723eba1c31 # pin@v2
+ if: |
+ steps.getNextAttemptNumber.outputs.result &&
+ steps.webStoreUpload.outputs.inReviewError == 'true'
+ with:
+ workflow: delay
+ token: ${{ secrets.GITHUB_TOKEN }}
+ wait-for-completion: false
+ inputs: |
+ {
+ "attemptNumber": "${{ steps.getNextAttemptNumber.outputs.result }}",
+ "maxAttempts": "${{ github.event.inputs.maxAttempts }}",
+ "workflow": "${{ github.workflow }}"
+ }
+
+ - name: Abort on unrecoverable upload error
+ if: |
+ !steps.webStoreUpload.outputs.newVersion &&
+ steps.webStoreUpload.outputs.sameVersionAlreadyUploadedError != 'true'
+ run: exit 1
+
+ - name: Publish on Google Web Store
+ id: webStorePublish
+ if: |
+ steps.webStoreUpload.outputs.newVersion ||
+ steps.webStoreUpload.outputs.sameVersionAlreadyUploadedError == 'true'
+ uses: cardinalby/webext-buildtools-chrome-webstore-publish-action@d39ebd4ab4ea4b44498bf5fc34d4b3db7706f1ed # pin@v1.0.7
+ with:
+ extensionId: ${{ secrets.G_STABLE_EXTENSION_ID }}
+ apiAccessToken: ${{ steps.fetchAccessToken.outputs.accessToken }}
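Review bot: On the `release: [released]` trigger `github.event.inputs` is absent, so `attemptNumber` and `maxAttempts` in the first step's `env` evaluate to empty strings, `parseInt('')` is `NaN`, and `assert(attempt && max && max >= attempt)` throws — workflow_dispatch defaults are not applied to release events, so unless the js-eval action does something I cannot see here, the workflow fails on every real release before reaching the store. Supplying the defaults in the expressions, `attemptNumber: ${{ github.event.inputs.attemptNumber || '1' }}` and `maxAttempts: ${{ github.event.inputs.maxAttempts || '10' }}`, covers both triggers; the `"maxAttempts"` value in the re-dispatch payload needs the same fallback or the delayed attempt inherits the empty string. As in the development variant, `steps.getZipAsset.outputs.releaseUploadUrl` references a step id that does not exist in this job.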
diff --git a/.github/workflows/publish-firefox-development.yml b/.github/workflows/publish-firefox-development.yml
new file mode 100644
index 00000000..6ce61dc5
--- /dev/null
+++ b/.github/workflows/publish-firefox-development.yml
@@ -0,0 +1,84 @@
+# For the Firefox development addon, people install it manually,
+# and updates are distributed via the JSON file created in this
+# action which is stored in the metadata branch of this repo.
+
+name: publish-firefox-development
+on:
+ workflow_dispatch:
+permissions:
+ contents: read
+jobs:
+ build-signed-xpi-asset:
+ runs-on: ubuntu-latest
+ environment: cd
+ permissions:
+ contents: write
+ steps:
+ - uses: robinraju/release-downloader@768b85c8d69164800db5fc00337ab917daf3ce68 # pin@v1.7
+ with:
+ tag: ${{ github.ref_name }}
+ fileName: "*"
+
+ - name: Sign Firefox xpi for offline distribution
+ id: ffSignXpi
+ continue-on-error: true
+ uses: cardinalby/webext-buildtools-firefox-sign-xpi-action@94a2e58141e33c4306a72a93f191e8540189df92 # pin@v1.0.6
+ with:
+ timeoutMs: 1200000
+ extensionId: ${{ secrets.FF_OFFLINE_EXT_ID }}
+ zipFilePath: yomitan-firefox-dev.zip
+ xpiFilePath: yomitan-firefox-dev.xpi
+ jwtIssuer: ${{ secrets.FF_JWT_ISSUER }}
+ jwtSecret: ${{ secrets.FF_JWT_SECRET }}
+
+ - name: Abort on sign error
+ if: |
+ steps.ffSignXpi.outcome == 'failure' &&
+ steps.ffSignXpi.outputs.sameVersionAlreadyUploadedError != 'true'
+ run: exit 1
+
+ - name: Upload offline xpi release asset
+ id: uploadReleaseAsset
+ if: steps.ffSignXpi.outcome == 'success'
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ github.event.release.upload_url }}
+ asset_path: yomitan-firefox.xpi
+ asset_name: yomitan-firefox.xpi
+ asset_content_type: application/x-xpinstall
+
+ # update update.json so that all people who have the dev version installed get the new update
+
+ - uses: actions/checkout@v3
+ with:
+ ref: metadata
+
+ - name: Recreate update.json
+ run: |
+ cat > update.json << EOF
+ {
+ "addons": {
+ "{2d13e145-294e-4ead-9bce-b4644b203a00}": {
+ "updates": [
+ {
+ "version": "${{ github.event.release.name }}",
+ "update_link": "${{ steps.uploadReleaseAsset.browser_download_url }}"
+ }
+ ]
+ }
+ }
+ }
+ EOF
+
+ - name: Commit files
+ run: |
+ git config --local user.email "github-actions[bot]@users.noreply.github.com"
+ git config --local user.name "github-actions[bot]"
+ git commit -a -m "${{ github.event.release.name }} - ${{ github.event.release.html_url }}"
+
+ - name: Push changes
+ uses: ad-m/github-push-action@0fafdd62b84042d49ec0cb92d9cac7f7ce4ec79e # pin@master
+ with:
+ branch: metadata
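Review bot: This workflow is triggered only by `workflow_dispatch`, yet the upload step, the generated `update.json` and the commit message all read `github.event.release.*` (`upload_url`, `name`, `html_url`), which is empty for a dispatch event, so the asset upload will fail and `update.json` would be committed with a blank `version` and `update_link`. Two further mismatches compound this: the signing step writes `yomitan-firefox-dev.xpi` but the upload step reads `asset_path: yomitan-firefox.xpi`, and `steps.uploadReleaseAsset.browser_download_url` is missing `.outputs` (`${{ steps.uploadReleaseAsset.outputs.browser_download_url }}`). Because the file is regenerated and pushed regardless of whether the upload ran, the "Recreate update.json" step should at least be gated on `steps.uploadReleaseAsset.outcome == 'success'`. The release name and URL are also interpolated straight into `run:` shell text (the heredoc and `git commit -m`); those fields are maintainer-controlled here, but passing them via `env:` and referencing `"$RELEASE_NAME"` keeps the pattern injection-safe if the trigger is later widened.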
diff --git a/.github/workflows/publish-firefox.yml b/.github/workflows/publish-firefox.yml
new file mode 100644
index 00000000..1dd6d260
--- /dev/null
+++ b/.github/workflows/publish-firefox.yml
@@ -0,0 +1,32 @@
+name: publish-firefox
+on:
+ release:
+ types: [released]
+permissions:
+ contents: read
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ environment: cd
+ steps:
+ - uses: robinraju/release-downloader@768b85c8d69164800db5fc00337ab917daf3ce68 # pin@v1.7
+ with:
+ tag: ${{ github.ref_name }}
+ fileName: "*"
+
+ - name: Deploy to Firefox Addons
+ id: addonsDeploy
+ uses: cardinalby/webext-buildtools-firefox-addons-action@924ad87df7e4af50a654c164ad9e498dce260ffa # pin@v1.0.9
+ continue-on-error: true
+ with:
+ zipFilePath: yomitan-firefox.zip
+ extensionId: ${{ secrets.FF_EXTENSION_ID }}
+ jwtIssuer: ${{ secrets.FF_JWT_ISSUER }}
+ jwtSecret: ${{ secrets.FF_JWT_SECRET }}
+
+ - name: Abort on upload error
+ if: |
+ steps.addonsDeploy.outcome == 'failure' &&
+ steps.addonsDeploy.outputs.sameVersionAlreadyUploadedError != 'true' &&
+ steps.addonsDeploy.outputs.timeoutError != 'true'
+ run: exit 1
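Review bot: The abort step treats `timeoutError == 'true'` as non-fatal, so when the AMO submission times out the run ends green with nothing published and no signal to the maintainer. If the timeout is tolerated on purpose (a slow review queue), surface it as an annotation so the run is not silently successful: `- if: steps.addonsDeploy.outputs.timeoutError == 'true'` / `  run: echo "::warning::AMO submission timed out; verify the listing manually"`. A comment on the abort step explaining why `sameVersionAlreadyUploadedError` is tolerated (presumably re-runs after a partial failure) would also help the next reader.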
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 00000000..c39c52bb
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,68 @@
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: "34 17 * * 1"
+ push:
+ branches: ["master"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/touch-google-refresh-token.yml b/.github/workflows/touch-google-refresh-token.yml
new file mode 100644
index 00000000..9c4e2ec9
--- /dev/null
+++ b/.github/workflows/touch-google-refresh-token.yml
@@ -0,0 +1,16 @@
+name: Touch google token
+on:
+ schedule:
+ - cron: "0 3 2 * *" # At 03:00 on day-of-month 2
+ workflow_dispatch:
+permissions: {}
+jobs:
+ fetchToken:
+ runs-on: ubuntu-latest
+ environment: cd
+ steps:
+ - uses: cardinalby/google-api-fetch-token-action@24c99245e2a2494cc4c4b1037203d319a184b15b # pin@v1.0.3
+ with:
+ clientId: ${{ secrets.G_CLIENT_ID }}
+ clientSecret: ${{ secrets.G_CLIENT_SECRET }}
+ refreshToken: ${{ secrets.G_REFRESH_TOKEN }}
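Review bot: The workflow has no comment explaining why a token is fetched and then discarded, which a reader will otherwise mistake for dead code; I would add above `name:` something like `# Exchanges the stored Google refresh token monthly so it is not revoked for inactivity; the returned access token is deliberately unused.` — confirm the exact revocation policy against Google's OAuth documentation before stating a number. If the `cd` environment is configured with required reviewers, this scheduled run will presumably sit waiting for approval rather than refreshing the token on time, so the environment protection rules and this cron should be checked for that interaction.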