Merge branch 'TurboWarp:master' into master
Thebloxers998 authored Dec 27, 2024
2 parents b9b522e + 274642d commit 68b7323
Showing 2 changed files with 103 additions and 8 deletions.
11 changes: 8 additions & 3 deletions .github/workflows/deploy.yml
Expand Up @@ -12,6 +12,11 @@ concurrency:
jobs:
build:
runs-on: ubuntu-latest

# If you are forking and want to set up your own website, adjust the repository and branch
# below to match your repository or remove the condition entirely.
if: ${{ github.repository == 'TurboWarp/extensions' && github.ref == 'refs/heads/master' }}

steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
Expand Down Expand Up @@ -40,6 +45,6 @@ jobs:
runs-on: ubuntu-latest
needs: build
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e
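Review bot: The new `if:` guard at L23 sits only on the `build` job; the `deploy` job at L29–L37 carries no condition of its own and is kept from running on forks solely because a job whose `needs:` target was skipped is itself skipped. That is correct as written, but it is a non-obvious dependency that a future `if: always()` on `deploy` would silently break, so a comment on the `deploy` job such as `# No guard needed here: skipped automatically when build is skipped (needs: build).` would make the intent durable. The second hunk (L32–L37) appears to be a whitespace-only re-indent of the deploy step; nothing to raise there.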
100 changes: 95 additions & 5 deletions .github/workflows/format-pr.yml
Expand Up @@ -2,20 +2,28 @@ name: Format pull request

on:
workflow_dispatch:
issue_comment:
types: [created]

permissions: {}

jobs:
format:
# Handling workflow_dispatch is simple. Just checkout whatever branch it was run on.
# The workflow will run in that repository's context and thus can safely get write permissions.
manual-dispatch:
runs-on: ubuntu-latest

if: github.event_name == 'workflow_dispatch'
permissions:
contents: write

steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
# Credentials needed for pushing changes at the end
# Credentials needed for pushing changes at the end.
# This is already the default, but for safety we are being explicit about this.
persist-credentials: true
# Commits made by workflow_dispatch trigger will trigger new workflows to run,
# so don't need to use SSH deploy key.
- name: Install Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
with:
Expand All @@ -29,6 +37,88 @@ jobs:
git config --global user.name "$GITHUB_ACTOR"
git config --global user.email "[email protected]"
git stage .
git commit --author "format-pr-bot <[email protected]>" -m "[Automated] Format code" || echo "No changes to commit"
git commit --author "DangoCat[bot] <[email protected]>" -m "[Automated] Format code" || echo "No changes to commit"
- name: Push
run: git push

# Comments are more complicated because the action runs in the context of TurboWarp/extensions but
# we are processing content from the possibly malicious pull request. We break this into two
# separate jobs.
# The first job downloads the pull request, formats it, and uploads the new files to an artifact.
# Important to have no permissions for this because the code can't be trusted.
comment-format-untrusted:
runs-on: ubuntu-latest
if: |
github.event_name == 'issue_comment' &&
github.event.issue.pull_request &&
contains(github.event.comment.body, '!format') &&
(
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.user.id == github.event.issue.user.id
)
steps:
- name: Checkout upstream
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
repository: TurboWarp/extensions
persist-credentials: false
- name: Checkout pull request
run: gh pr checkout "$PR_NUM"
env:
PR_NUM: "${{ github.event.issue.number }}"
GH_TOKEN: "${{ github.token }}"
- name: Install Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
with:
node-version: 20.x
- name: Install dependencies
run: npm ci
- name: Format
run: npm run format
- name: Upload formatted code
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b
with:
name: comment-format-untrusted-artifact
path: extensions/
if-no-files-found: error
retention-days: 7

# Second job downloads the artifact, extracts it, and pushes it.
comment-push:
runs-on: ubuntu-latest
needs: comment-format-untrusted
steps:
- name: Checkout upstream
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
repository: TurboWarp/extensions
# Commits made using the default token in an issue_comment trigger won't cause more
# workflows to run, so any commits it pushes will be stuck in limbo forever waiting
# for workflows to run that will never run. To workaround this, we use an SSH key
# instead. It's a GitHub deploy key so it's scoped only to this repository.
ssh-key: "${{ secrets.FORMAT_PR_DEPLOY_KEY }}"
# Credentials needed for pushing changes at the end.
# This is already the default, but for safety we are being explicit about this.
persist-credentials: true
- name: Checkout pull request
run: gh pr checkout "$PR_NUM"
env:
PR_NUM: "${{ github.event.issue.number }}"
GH_TOKEN: "${{ github.token }}"
- name: Download formatted code
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
with:
name: comment-format-untrusted-artifact
path: extensions
- name: Commit
run: |
git config --global user.name "$GITHUB_ACTOR"
git config --global user.email "[email protected]"
git stage .
git commit --author "DangoCat[bot] <[email protected]>" -m "[Automated] Format code" || echo "No changes to commit"
- name: Push
# Explicitly set push.default to upstream, otherwise by default git might complain about us being on a
# branch called "DangoCat/master" but the corresponding branch on remote "DangoCat" is just "master".
run: |
git config --global push.default upstream
git push
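Review bot: The `comment-push` job re-runs `gh pr checkout` at L141–L145 against whatever the pull request head is when it starts, then overlays an artifact that `comment-format-untrusted` produced from an earlier head; if the author pushes between the two jobs, `git stage .` at L155 followed by the commit and push would silently revert their newer changes to files under `extensions/`. Recording the formatted head as a job output and failing the push job when `git rev-parse HEAD` no longer matches closes that window without changing the trust boundary (the SHA is captured before any PR code runs, and it is passed through `env:` rather than interpolated into the script). Whether the repository-scoped deploy key at L137 can push to a fork's branch is not visible here; the comment at L158–L159 suggests fork remotes are expected, so that path is worth confirming against a fork PR.

```yaml
  comment-format-untrusted:
    # … unchanged: runs-on, if …
    outputs:
      head_sha: ${{ steps.head.outputs.sha }}
    steps:
      # … unchanged: checkout upstream, checkout pull request …
      - name: Record formatted head
        id: head
        run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
      # … unchanged: install Node.js, npm ci, npm run format, upload artifact …

  comment-push:
    # … unchanged: runs-on, needs, checkout upstream, checkout pull request …
      - name: Verify pull request head is unchanged
        env:
          EXPECTED_SHA: "${{ needs.comment-format-untrusted.outputs.head_sha }}"
        run: test "$(git rev-parse HEAD)" = "$EXPECTED_SHA"
      # … unchanged: download formatted code, commit, push …
```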
