summaryrefslogtreecommitdiff
path: root/.github/workflows
diff options
context:
space:
mode:
Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/auto-approve-run.yml30
-rw-r--r--.github/workflows/auto-approve.yml17
-rw-r--r--.github/workflows/broken-links.yml2
-rw-r--r--.github/workflows/ci.yml13
-rw-r--r--.github/workflows/codeql.yml82
-rw-r--r--.github/workflows/create-prerelease-on-tag.yml4
-rw-r--r--.github/workflows/playwright.yml17
-rw-r--r--.github/workflows/playwright_comment.yml4
-rw-r--r--.github/workflows/publish-firefox-development.yml14
-rw-r--r--.github/workflows/scorecard.yml11
10 files changed, 161 insertions, 33 deletions
diff --git a/.github/workflows/auto-approve-run.yml b/.github/workflows/auto-approve-run.yml
new file mode 100644
index 00000000..7ea82489
--- /dev/null
+++ b/.github/workflows/auto-approve-run.yml
@@ -0,0 +1,30 @@
+name: Auto-Approve Safe PRs (workflow-run)
+on:
+ workflow_run:
+ workflows: [Auto-Approve Safe PRs]
+ types:
+ - completed
+permissions: {}
+jobs:
+ auto-approve-run:
+ runs-on: ubuntu-latest
+ environment: themoeway-bot
+ permissions:
+ pull-requests: write
+ if: github.actor == 'djahandarie'
+ steps:
+ - name: Download workflow artifact
+ uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ workflow: auto-approve.yml
+ run_id: ${{ github.event.workflow_run.id }}
+ - name: Read the pr_num file
+ id: pr_num_reader
+ uses: juliangruber/read-file-action@02bbba9876a8f870efd4ad64e3b9088d3fb94d4b # v1.1.6
+ with:
+ path: ./pr_num/pr_num.txt
+ - uses: hmarr/auto-approve-action@44888193675f29a83e04faf4002fa8c0b537b1e4 # v3.2.1
+ with:
+ pull-request-number: ${{ steps.pr_num_reader.outputs.content }}
+ github-token: ${{ secrets.THEMOEWAY_BOT_PAT }}
diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
new file mode 100644
index 00000000..7e67a92b
--- /dev/null
+++ b/.github/workflows/auto-approve.yml
@@ -0,0 +1,17 @@
+name: Auto-Approve Safe PRs
+on: pull_request
+permissions: {}
+jobs:
+ auto-approve:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Save the PR number in an artifact
+ shell: bash
+ env:
+ PR_NUM: ${{ github.event.number }}
+ run: echo $PR_NUM > pr_num.txt
+ - name: Upload the PR number
+ uses: actions/upload-artifact@v3
+ with:
+ name: pr_num
+ path: ./pr_num.txt \ No newline at end of file
diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml
index bb2028c6..45043e79 100644
--- a/.github/workflows/broken-links.yml
+++ b/.github/workflows/broken-links.yml
@@ -16,7 +16,7 @@ jobs:
link-checker:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- uses: lycheeverse/lychee-action@ec3ed119d4f44ad2673a7232460dc7dff59d2421
with:
fail: true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index aee22e44..18189b6d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,7 +11,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
- name: Setup node
uses: actions/setup-node@v3
@@ -41,17 +41,12 @@ jobs:
env:
CI: true
- - name: Manifest
- run: npm run test-manifest
- env:
- CI: true
+ - name: Build
+ run: npm run build
- name: Validate manifest.json of the extension
uses: cardinalby/schema-validator-action@8407573c2627c5159428cf9fa3770d13b2360a27 # v3
with:
file: ext/manifest.json
schema: "https://json.schemastore.org/chrome-manifest.json"
- mode: lax
-
- - name: Build
- run: npm run test-build
+ mode: lax \ No newline at end of file
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..bac2d4b8
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,82 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "master" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "master" ]
+ schedule:
+ - cron: '31 13 * * 3'
+
+jobs:
+ analyze:
+ name: Analyze
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners
+ # Consider using larger runners for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'javascript' ]
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+ # Use only 'java' to analyze code written in Java, Kotlin or both
+ # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/create-prerelease-on-tag.yml b/.github/workflows/create-prerelease-on-tag.yml
index 06cb8c7e..0061ed2a 100644
--- a/.github/workflows/create-prerelease-on-tag.yml
+++ b/.github/workflows/create-prerelease-on-tag.yml
@@ -13,7 +13,7 @@ jobs:
actions: write
contents: write
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- name: Setup node
uses: actions/setup-node@v3
@@ -21,7 +21,7 @@ jobs:
node-version-file: ".node-version"
- name: Lint
- run: npm run-script build
+ run: npm run-script build -- --all --yomitan-version ${{ github.ref_name }}
shell: bash
- name: Release
diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml
index 9397e4fa..8d4adca8 100644
--- a/.github/workflows/playwright.yml
+++ b/.github/workflows/playwright.yml
@@ -13,14 +13,14 @@ jobs:
- name: Remove all fonts
run: rm -rf /usr/share/fonts
- - uses: actions/checkout@v3
-
+ - uses: actions/checkout@v4
+
- name: Install CJK fonts
uses: awalsh128/cache-apt-pkgs-action@1850ee53f6e706525805321a3f2f863dcf73c962 # v1.3.0
with:
packages: fonts-ipafont-mincho
execute_install_scripts: true
-
+
- uses: actions/setup-node@v3
with:
cache: "npm"
@@ -29,6 +29,9 @@ jobs:
- name: Install dependencies
run: npm ci
+ - name: Build
+ run: npm run build
+
- name: Cache playwright browsers
id: cache-playwright
uses: actions/cache@v3
@@ -39,17 +42,17 @@ jobs:
- if: ${{ steps.cache-playwright.outputs.cache-hit != 'true' }}
name: Install Playwright Browsers
- run: npx playwright install --with-deps chromium
-
+ run: npx playwright install chromium
+
- name: Grab latest dictionaries from dictionaries branch
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
repository: themoeway/yomitan # so that this works on forks
ref: dictionaries
path: dictionaries
- name: Grab latest screenshots from master branch
- uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # pin@v2
+ uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # pin@v2
continue-on-error: true
id: master-screenshots
with:
diff --git a/.github/workflows/playwright_comment.yml b/.github/workflows/playwright_comment.yml
index d5a6727b..60b3c693 100644
--- a/.github/workflows/playwright_comment.yml
+++ b/.github/workflows/playwright_comment.yml
@@ -16,7 +16,7 @@ jobs:
github.event.workflow_run.conclusion == 'success'
steps:
- name: Grab playwright-output from PR run
- uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # pin@v2
+ uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # pin@v2
continue-on-error: true
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -24,7 +24,7 @@ jobs:
name: playwright-output
- name: Grab master-screenshots-outcome from PR run
- uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # pin@v2
+ uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # pin@v2
continue-on-error: true
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish-firefox-development.yml b/.github/workflows/publish-firefox-development.yml
index 6a4e6ce8..f704e365 100644
--- a/.github/workflows/publish-firefox-development.yml
+++ b/.github/workflows/publish-firefox-development.yml
@@ -49,19 +49,19 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ inputs.upload_url }}
- asset_path: yomitan-firefox.xpi
- asset_name: yomitan-firefox.xpi
+ asset_path: yomitan-firefox-dev.xpi
+ asset_name: yomitan-firefox-dev.xpi
asset_content_type: application/x-xpinstall
- # update update.json so that all people who have the dev version installed get the new update
+ # update updates.json so that all people who have the dev version installed get the new update
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
with:
ref: metadata
- - name: Recreate update.json
+ - name: Recreate updates.json
run: |
- cat > update.json << EOF
+ cat > updates.json << EOF
{
"addons": {
"{2d13e145-294e-4ead-9bce-b4644b203a00}": {
@@ -83,6 +83,6 @@ jobs:
git commit -a -m "${{ github.event.release.name }} - ${{ github.event.release.html_url }}"
- name: Push changes
- uses: ad-m/github-push-action@0fafdd62b84042d49ec0cb92d9cac7f7ce4ec79e # pin@master
+ uses: ad-m/github-push-action@29f05e01bb17e6f28228b47437e03a7b69e1f9ef # pin@master
with:
branch: metadata
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index ac07d2d7..4db56a60 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -16,6 +16,7 @@ permissions: read-all
jobs:
analysis:
name: Scorecard analysis
+ environment: scorecard
runs-on: ubuntu-latest
permissions:
# Needed to upload the results to code-scanning dashboard.
@@ -28,12 +29,12 @@ jobs:
steps:
- name: "Checkout code"
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+ uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
with:
results_file: results.sarif
results_format: sarif
@@ -41,7 +42,7 @@ jobs:
# - you want to enable the Branch-Protection check on a *public* repository, or
# - you are installing Scorecard on a *private* repository
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
- # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+ repo_token: ${{ secrets.SCORECARD_TOKEN }}
# Public repositories:
# - Publish results to OpenSSF REST API for easy access by consumers
@@ -55,7 +56,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
- uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ uses: actions/upload-artifact@v3
with:
name: SARIF file
path: results.sarif
@@ -63,6 +64,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@04df1262e6247151b5ac09cd2c303ac36ad3f62b # v2.2.9
+ uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
with:
sarif_file: results.sarif