Merge branch 'TurboWarp:master' into blockify-vr

.github/workflows/deploy.yml

@@ -5,41 +5,46 @@ on:
   push:
     branches: [master]
 
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
 concurrency:
   group: "deploy"
   cancel-in-progress: true
 
 jobs:
   build:
     runs-on: ubuntu-latest
+
+    # If you are forking and want to set up your own website, adjust the repository and branch
+    # below to match your repository or remove the condition entirely.
+    if: ${{ github.repository == 'TurboWarp/extensions' && github.ref == 'refs/heads/master' }}
+
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
       - name: Install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
         with:
           node-version: 20.x
       - name: Install dependencies
         run: npm ci
       - name: Build for production
         run: npm run build
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa
         with:
           path: ./build/
 
   deploy:
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
+    permissions:
+      pages: write
+      id-token: write
     runs-on: ubuntu-latest
     needs: build
     steps:
-    - name: Deploy to GitHub Pages
-      id: deployment
-      uses: actions/deploy-pages@v4
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e

.github/workflows/download-translations.yml

@@ -0,0 +1,93 @@
+name: Download translations
+
+on:
+  workflow_dispatch:
+
+concurrency:
+  group: "download-translations"
+  cancel-in-progress: true
+
+jobs:
+  download-translations:
+    runs-on: ubuntu-latest
+
+    # This workflow is not useful to forks without setting up Transifex and modifying the
+    # workflow to use your organization, project, resources, API token, ...
+    if: ${{ github.repository == 'TurboWarp/extensions' && github.ref == 'refs/heads/master' }}
+
+    steps:
+      - name: Checkout fork
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          # Commits will be written to this fork, then pull requested to the main repository.
+          repository: "DangoCat/extensions"
+          token: "${{ secrets.UPDATE_TRANSLATIONS_FORK_GH_TOKEN }}"
+          # We will push later so the token has to be stored.
+          persist-credentials: true
+      - name: Checkout upstream
+        run: |
+          git remote add upstream "https://github.com/$UPSTREAM_REPO.git"
+          git fetch upstream
+          git checkout upstream/master
+        env:
+          UPSTREAM_REPO: "TurboWarp/extensions"
+      - name: Install Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
+        with:
+          node-version: 20.x
+      - name: Install dependencies
+        run: npm ci
+      - name: Download translations
+        run: npm run download-translations
+        env:
+          TRANSIFEX_TOKEN: "${{ secrets.TRANSIFEX_TOKEN }}"
+          TRANSIFEX_ORGANIZATION: "turbowarp"
+          TRANSIFEX_PROJECT: "turbowarp"
+          TRANSIFEX_RUNTIME_RESOURCE: "extensions"
+          TRANSIFEX_METADATA_RESOURCE: "extension-metadata"
+      - name: Delete old branches, commit, push, pull request
+        run: |
+          if [[ ! $(git status --porcelain) ]]; then
+            echo "No changes"
+            exit 0
+          fi
+
+          # Remove old branches, which also closes the pull requests
+          all_branches=$(GH_TOKEN="$FORK_GH_TOKEN" gh api "repos/$FORK_REPO/branches" --paginate | jq -r '.[].name')
+          for branch in $all_branches; do
+            if [[ $branch == update-translations-* ]]; then
+              echo "Deleting branch: $branch"
+              git push -d origin "$branch"
+            else
+              echo "Keeping branch: $branch"
+            fi
+          done
+
+          # Create new branch
+          new_branch="update-translations-$(date -u +%Y%m%d%H%M%S)"
+          git checkout -b "$new_branch"
+
+          # Commit
+          date="$(date -u "+%Y-%m-%d")"
+          title="[Automated] Update translations $date"
+          git add .
+          git config --global user.name "DangoCat[bot]"
+          git config --global user.email "[email protected]"
+          git commit -m "$title"
+
+          # Push
+          git push origin "$new_branch"
+
+          # Create pull request
+          GH_TOKEN="$UPSTREAM_GH_TOKEN" gh pr create \
+            --head "dangocat:$new_branch" \
+            --repo "$UPSTREAM_REPO" \
+            --title "$title" \
+            --body "This pull request was made by a robot."
+        env:
+          FORK_REPO: "DangoCat/extensions"
+          # This token has contents write permissions on fork repository
+          FORK_GH_TOKEN: "${{ secrets.UPDATE_TRANSLATIONS_FORK_GH_TOKEN }}"
+          UPSTREAM_REPO: "${{ github.repository }}"
+          # This token has pull request write permissions on upstream repository
+          UPSTREAM_GH_TOKEN: "${{ secrets.UPDATE_TRANSLATIONS_UPSTREAM_GH_TOKEN }}"

.github/workflows/format-pr.yml

@@ -0,0 +1,127 @@
+name: Format pull request
+
+on:
+  workflow_dispatch:
+  issue_comment:
+    types: [created]
+
+permissions: {}
+
+jobs:
+  # Handling workflow_dispatch is simple. Just checkout whatever branch it was run on.
+  # The workflow will run in that repository's context and thus can safely get write permissions.
+  manual-dispatch:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch'
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          # Commits made by workflow_dispatch trigger can trigger new workflows to run,
+          # so just use the default workflow token.
+          # Credentials needed for pushing changes at the end.
+          # This is already the default, but it's good to be explicit about this.
+          persist-credentials: true
+      - name: Install Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
+        with:
+          node-version: 20.x
+      - name: Install dependencies
+        run: npm ci
+      - name: Format
+        run: npm run format
+      - name: Commit
+        run: |
+          git config --global user.name "$GITHUB_ACTOR"
+          git config --global user.email "[email protected]"
+          git stage .
+          git commit --author "DangoCat[bot] <[email protected]>" -m "[Automated] Format code" || echo "No changes to commit"
+      - name: Push
+        run: git push
+
+  # Comments are more complicated because the action runs in the context of TurboWarp/extensions but
+  # we are processing content from the possibly malicious pull request. We break this into two
+  # separate jobs.
+  # The first job downloads the pull request, formats it, and uploads the new files to an artifact.
+  # Important to have no permissions for this because the code can't be trusted.
+  comment-format-untrusted:
+    runs-on: ubuntu-latest
+    if: |
+      github.event_name == 'issue_comment' &&
+      github.event.issue.pull_request &&
+      contains(github.event.comment.body, '!format') &&
+      (
+        github.event.comment.author_association == 'MEMBER' ||
+        github.event.comment.user.id == github.event.issue.user.id
+      )
+    steps:
+      - name: Checkout upstream
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          repository: TurboWarp/extensions
+          persist-credentials: false
+      - name: Checkout pull request
+        run: gh pr checkout "$PR_NUM"
+        env:
+          PR_NUM: "${{ github.event.issue.number }}"
+          GH_TOKEN: "${{ github.token }}"
+      - name: Install Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
+        with:
+          node-version: 20.x
+      - name: Install dependencies
+        run: npm ci
+      - name: Format
+        run: npm run format
+      - name: Upload formatted code
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b
+        with:
+          name: comment-format-untrusted-artifact
+          path: extensions/
+          if-no-files-found: error
+          retention-days: 7
+
+  # Second job downloads the artifact, extracts it, and pushes it.
+  comment-push:
+    runs-on: ubuntu-latest
+    needs: comment-format-untrusted
+    steps:
+      - name: Checkout upstream
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          repository: TurboWarp/extensions
+          # Can't use the default workflow token because commits made by it won't cause more
+          # workflows to un, so any commits it pushes get stuck in limbo waiting for workflows
+          # to run that will never run.
+          # Can't use a deploy key because it won't be able to access the fork that the pull
+          # request is coming from.
+          # Thus we use a manually created fine-grained personal access token under the
+          # @DangoCat account.
+          token: "${{ secrets.FORMAT_PR_GH_TOKEN }}"
+          # Credentials needed for pushing changes at the end.
+          # This is already the default, but it's good to be explicit about this.
+          persist-credentials: true
+      - name: Checkout pull request
+        run: gh pr checkout "$PR_NUM"
+        env:
+          PR_NUM: "${{ github.event.issue.number }}"
+          GH_TOKEN: "${{ github.token }}"
+      - name: Download formatted code
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+        with:
+          name: comment-format-untrusted-artifact
+          path: extensions
+      - name: Commit
+        run: |
+          git config --global user.name "$GITHUB_ACTOR"
+          git config --global user.email "[email protected]"
+          git stage .
+          git commit --author "DangoCat[bot] <[email protected]>" -m "[Automated] Format code" || echo "No changes to commit"
+      - name: Push
+        # Explicitly set push.default to upstream, otherwise by default git might complain about us being on a
+        # branch called "DangoCat/master" but the corresponding branch on remote "DangoCat" is just "master".
+        run: |
+          git config --global push.default upstream
+          git push

.github/workflows/upload-translations.yml

@@ -0,0 +1,36 @@
+name: Upload translations
+
+on:
+  workflow_dispatch:
+
+concurrency:
+  group: "upload-translations"
+  cancel-in-progress: true
+
+jobs:
+  upload-translations:
+    runs-on: ubuntu-latest
+
+    # This workflow is not useful to forks without setting up Transifex and modifying the
+    # workflow to use your organization, project, resources, API token, ...
+    if: ${{ github.repository == 'TurboWarp/extensions' && github.ref == 'refs/heads/master' }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
+      - name: Install Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
+        with:
+          node-version: 20.x
+      - name: Install dependencies
+        run: npm ci
+      - name: Upload translations
+        run: npm run upload-translations
+        env:
+          TRANSIFEX_TOKEN: "${{ secrets.TRANSIFEX_TOKEN }}"
+          TRANSIFEX_ORGANIZATION: "turbowarp"
+          TRANSIFEX_PROJECT: "turbowarp"
+          TRANSIFEX_RUNTIME_RESOURCE: "extensions"
+          TRANSIFEX_METADATA_RESOURCE: "extension-metadata"

.github/workflows/validate.yml

@@ -8,9 +8,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
       - name: Install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
         with:
           node-version: 20.x
           cache: npm
@@ -23,9 +25,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
       - name: Install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
         with:
           node-version: 20.x
           cache: npm
@@ -38,9 +42,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
       - name: Install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
         with:
           node-version: 20.x
           cache: npm

.gitignore

@@ -7,6 +7,7 @@ build-l10n
 
 # Various operating system caches
 thumbs.db
+desktop.ini
 .DS_Store
 
 # Popular editors