From 0126e5e5a3bf48a36156e18026dfa183c8250989 Mon Sep 17 00:00:00 2001 From: Wolfsblvt Date: Sat, 15 Mar 2025 23:08:45 +0100 Subject: [PATCH 1/4] Add explicit workflow permissions --- .github/workflows/issues-auto-manager.yml | 4 ++++ .github/workflows/issues-updates-on-merge.yml | 4 ++++ .github/workflows/job-close-stale.yml | 5 +++++ .github/workflows/on-close-handler.yml | 5 +++++ .github/workflows/on-open-handler.yml | 5 +++++ .github/workflows/pr-auto-manager.yml | 12 +++++++++++- .github/workflows/pr-check-merge-conflicts.yaml | 4 ++++ 7 files changed, 38 insertions(+), 1 deletion(-) diff --git a/.github/workflows/issues-auto-manager.yml b/.github/workflows/issues-auto-manager.yml index b7af4c750..acd9e0d43 100644 --- a/.github/workflows/issues-auto-manager.yml +++ b/.github/workflows/issues-auto-manager.yml @@ -7,6 +7,10 @@ on: issue_comment: types: [created] +permissions: + contents: read + issues: write + jobs: label-on-content: name: 🏷️ Label Issues by Content diff --git a/.github/workflows/issues-updates-on-merge.yml b/.github/workflows/issues-updates-on-merge.yml index c0d8f12f3..f6fd59ad1 100644 --- a/.github/workflows/issues-updates-on-merge.yml +++ b/.github/workflows/issues-updates-on-merge.yml @@ -6,6 +6,10 @@ on: - staging - release +permissions: + contents: read + issues: write + jobs: # This runs commits to staging/release, reading the commit messages. Check `pr-auto-manager.yml`:`update-linked-issues` for PR-linked updates. update-linked-issues: diff --git a/.github/workflows/job-close-stale.yml b/.github/workflows/job-close-stale.yml index ceb381f39..a58c8ae3a 100644 --- a/.github/workflows/job-close-stale.yml +++ b/.github/workflows/job-close-stale.yml @@ -6,6 +6,11 @@ on: schedule: - cron: '0 0 * * *' # Runs every day at midnight UTC +permissions: + contents: read + issues: write + pull-requests: write + jobs: mark-inactivity: name: ⏳ Mark Issues/PRs without Activity 
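Review bot: The `permissions:` block added in the issues-auto-manager.yml hunk restricts only the automatically issued `GITHUB_TOKEN`, while the steps shown in the later patches of this series pass `secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN` to the actions. When `BOT_GITHUB_TOKEN` is set, those actions run with whatever scopes that token was issued with, so the least-privilege intent of this commit depends on that token being scoped just as narrowly (presumably it is a PAT or app token; confirm). The same applies to the `permissions:` blocks added in the other six workflow files. I would record this next to each block, e.g. `# Limits GITHUB_TOKEN only; BOT_GITHUB_TOKEN keeps the scopes it was issued with`.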
diff --git a/.github/workflows/on-close-handler.yml b/.github/workflows/on-close-handler.yml index 2491cc622..e60dc6288 100644 --- a/.github/workflows/on-close-handler.yml +++ b/.github/workflows/on-close-handler.yml @@ -6,6 +6,11 @@ on: pull_request_target: types: [closed] +permissions: + contents: read + issues: write + pull-requests: write + jobs: remove-labels: name: 🗑️ Remove Pending Labels on Close diff --git a/.github/workflows/on-open-handler.yml b/.github/workflows/on-open-handler.yml index 1861f4167..91f40486b 100644 --- a/.github/workflows/on-open-handler.yml +++ b/.github/workflows/on-open-handler.yml @@ -6,6 +6,11 @@ on: pull_request_target: types: [opened] +permissions: + contents: read + issues: write + pull-requests: write + jobs: label-maintainer: name: 🏷️ Label if Author is a Repo Maintainer diff --git a/.github/workflows/pr-auto-manager.yml b/.github/workflows/pr-auto-manager.yml index e672f1412..da25cc5fb 100644 --- a/.github/workflows/pr-auto-manager.yml +++ b/.github/workflows/pr-auto-manager.yml @@ -6,6 +6,10 @@ on: pull_request_review_comment: types: [created] +permissions: + contents: read + pull-requests: write + jobs: label-by-size: name: 🏷️ Label PR by Size @@ -75,7 +79,7 @@ jobs: name: 🗑️ Remove Stale Label on Comment runs-on: ubuntu-latest # Only runs when this is not done by the github actions bot - if: github.actor != 'github-actions[bot]' + if: github.event_name == 'pull_request_review_comment' && github.actor != 'github-actions[bot]' steps: - name: Remove Stale Label @@ -95,6 +99,12 @@ jobs: # Run, even if the previous jobs were skipped/failed if: always() + # Override permissions, as this needs to write a check + permissions: + checks: write + contents: read + pull-requests: read + steps: - name: Check Merge Blocking # GitHub Script diff --git a/.github/workflows/pr-check-merge-conflicts.yaml b/.github/workflows/pr-check-merge-conflicts.yaml index 73b3e5896..4d35b6443 100644 --- a/.github/workflows/pr-check-merge-conflicts.yaml 
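Review bot: The `permissions:` block in the on-close-handler.yml hunk sits under a `pull_request_target` trigger, which runs the workflow from the base branch with the repository's secrets even when the pull request comes from a fork, and nothing in the file documents that constraint. The steps are outside this hunk, so I cannot tell whether any of them checks out or executes pull-request code; the block should carry a comment such as `# pull_request_target: runs with base-repo secrets; never check out or run PR head code here`. on-open-handler.yml and pr-check-merge-conflicts.yaml use the same trigger and would take the same comment.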
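Review bot: In the pr-auto-manager.yml hunk at `@@ -75,7 +79,7`, the comment above the changed `if:` still describes only the bot check and not the new event-name condition; it could read `# Only runs for review comments that were not posted by the GitHub Actions bot`. The actor test compares against `github-actions[bot]` only, and the workflows in this series post with `secrets.BOT_GITHUB_TOKEN` when it is set, so automated comments would presumably arrive under that account's login and pass the filter; worth confirming whether that matters here. The job's steps continue outside the hunk.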
+++ b/.github/workflows/pr-check-merge-conflicts.yaml @@ -7,6 +7,10 @@ on: pull_request_target: types: [synchronize] +permissions: + contents: read + pull-requests: write + jobs: check-merge-conflicts: name: ⚔️ Check Merge Conflicts From 892fe7bd34226eec5e83fb50843b4dea5f46b952 Mon Sep 17 00:00:00 2001 From: Wolfsblvt Date: Sat, 15 Mar 2025 23:30:48 +0100 Subject: [PATCH 2/4] Workflows ensure explicit versions of actions --- .github/workflows/issues-auto-manager.yml | 18 ++++++++--------- .github/workflows/issues-updates-on-merge.yml | 2 +- .github/workflows/job-close-stale.yml | 6 +++--- .github/workflows/on-close-handler.yml | 2 +- .github/workflows/on-open-handler.yml | 2 +- .github/workflows/pr-auto-manager.yml | 20 +++++++++---------- .../workflows/pr-check-merge-conflicts.yaml | 2 +- 7 files changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/workflows/issues-auto-manager.yml b/.github/workflows/issues-auto-manager.yml index acd9e0d43..d15ae1add 100644 --- a/.github/workflows/issues-auto-manager.yml +++ b/.github/workflows/issues-auto-manager.yml @@ -20,7 +20,7 @@ jobs: - name: Checkout Repository # Checkout # https://github.com/marketplace/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v4.2.2 - name: Auto-Label Issues (Based on Issue Content) # only auto label based on issue content once, on open (to prevent re-labeling removed labels) @@ -28,7 +28,7 @@ jobs: # Issue Labeler # https://github.com/marketplace/actions/regex-issue-labeler - uses: github/issue-labeler@v3 + uses: github/issue-labeler@v3.4 with: configuration-path: .github/issues-auto-labels.yml enable-versioned-regex: 0 
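Review bot: The `uses:` lines changed in the issues-auto-manager.yml hunks now name full release tags (`actions/checkout@v4.2.2`, `github/issue-labeler@v3.4`), but a tag can still be moved by whoever controls the action's repository, so the reference is not immutable. Several of the third-party actions bumped in this patch (`actions-cool/issues-helper`, `peaceiris/actions-label-commenter`, `codelytv/pr-size-labeler`, `eps1lon/actions-label-merge-conflict`) are handed `secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN`, some of them in `pull_request_target` workflows. Pinning to the full commit SHA with the version kept as a trailing comment closes that gap, e.g. `uses: actions-cool/issues-helper@<full-commit-sha>  # v3.6.0` (placeholder; take the SHA from the release tag). The same applies to every other `uses:` line touched in this patch.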
@@ -43,7 +43,7 @@ jobs: if: contains(fromJSON('["👩‍💻 Good First Issue", "🙏 Help Wanted", "🪲 Confirmed", "⚠️ High Priority", "❕ Medium Priority", "💤 Low Priority"]'), github.event.label.name) # 🤖 Issues Helper # https://github.com/marketplace/actions/issues-helper - uses: actions-cool/issues-helper@v3 + uses: actions-cool/issues-helper@v3.6.0 with: actions: 'add-labels' token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -53,7 +53,7 @@ jobs: if: contains(fromJSON('["✅ Done", "✅ Done (staging)", "⚰️ Stale", "❌ wontfix"]'), github.event.label.name) # 🤖 Issues Helper # https://github.com/marketplace/actions/issues-helper - uses: actions-cool/issues-helper@v3 + uses: actions-cool/issues-helper@v3.6.0 with: actions: 'remove-labels' token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -63,7 +63,7 @@ jobs: if: contains(fromJSON('["❌ wontfix","👍 Approved","👩‍💻 Good First Issue"]'), github.event.label.name) # 🤖 Issues Helper # https://github.com/marketplace/actions/issues-helper - uses: actions-cool/issues-helper@v3 + uses: actions-cool/issues-helper@v3.6.0 with: actions: 'remove-labels' token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -73,7 +73,7 @@ jobs: if: github.event.label.name == '🪲 Confirmed' # 🤖 Issues Helper # https://github.com/marketplace/actions/issues-helper - uses: actions-cool/issues-helper@v3 + uses: actions-cool/issues-helper@v3.6.0 with: actions: 'remove-labels' token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -89,7 +89,7 @@ jobs: - name: Remove Stale Label # 🤖 Issues Helper # https://github.com/marketplace/actions/issues-helper - uses: actions-cool/issues-helper@v3 + uses: actions-cool/issues-helper@v3.6.0 with: actions: 'remove-labels' token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -105,12 +105,12 @@ jobs: - name: Checkout Repository # Checkout # https://github.com/marketplace/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v4.2.2 - name: Post Issue Comments Based on Labels # Label Commenter # https://github.com/marketplace/actions/label-commenter - uses: peaceiris/actions-label-commenter@v1 + uses: peaceiris/actions-label-commenter@v1.10.0 with: config_file: .github/issues-auto-comments.yml github_token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/issues-updates-on-merge.yml b/.github/workflows/issues-updates-on-merge.yml index f6fd59ad1..9c01ce74e 100644 --- a/.github/workflows/issues-updates-on-merge.yml +++ b/.github/workflows/issues-updates-on-merge.yml @@ -20,7 +20,7 @@ jobs: - name: Checkout Repository # Checkout # https://github.com/marketplace/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v4.2.2 - name: Extract Linked Issues from Commit Message id: extract_issues diff --git a/.github/workflows/job-close-stale.yml b/.github/workflows/job-close-stale.yml index a58c8ae3a..9b83a6fa0 100644 --- a/.github/workflows/job-close-stale.yml +++ b/.github/workflows/job-close-stale.yml @@ -20,7 +20,7 @@ jobs: - name: Mark Issues/PRs without Activity # Close Stale Issues and PRs # https://github.com/marketplace/actions/close-stale-issues - uses: actions/stale@v9 + uses: actions/stale@v9.1.0 with: repo-token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} days-before-stale: 183 @@ -54,7 +54,7 @@ jobs: - name: Mark Issues/PRs Awaiting User Response # Close Stale Issues and PRs # https://github.com/marketplace/actions/close-stale-issues - uses: actions/stale@v9 + uses: actions/stale@v9.1.0 with: repo-token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} days-before-stale: 7 
@@ -81,7 +81,7 @@ jobs: - name: Mark Issues with Alternative Exists # Close Stale Issues and PRs # https://github.com/marketplace/actions/close-stale-issues - uses: actions/stale@v9 + uses: actions/stale@v9.1.0 with: repo-token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} days-before-stale: 7 diff --git a/.github/workflows/on-close-handler.yml b/.github/workflows/on-close-handler.yml index e60dc6288..c132e558a 100644 --- a/.github/workflows/on-close-handler.yml +++ b/.github/workflows/on-close-handler.yml @@ -20,7 +20,7 @@ jobs: - name: Remove Pending Labels on Close # 🤖 Issues Helper # https://github.com/marketplace/actions/issues-helper - uses: actions-cool/issues-helper@v3 + uses: actions-cool/issues-helper@v3.6.0 with: actions: remove-labels token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/on-open-handler.yml b/.github/workflows/on-open-handler.yml index 91f40486b..df109f914 100644 --- a/.github/workflows/on-open-handler.yml +++ b/.github/workflows/on-open-handler.yml @@ -21,7 +21,7 @@ jobs: - name: Label if Author is a Repo Maintainer # 🤖 Issues Helper # https://github.com/marketplace/actions/issues-helper - uses: actions-cool/issues-helper@v3 + uses: actions-cool/issues-helper@v3.6.0 with: actions: 'add-labels' token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pr-auto-manager.yml b/.github/workflows/pr-auto-manager.yml index da25cc5fb..01656c1cd 100644 --- a/.github/workflows/pr-auto-manager.yml +++ b/.github/workflows/pr-auto-manager.yml @@ -19,7 +19,7 @@ jobs: - name: Label PR Size # Pull Request Size Labeler # https://github.com/marketplace/actions/pull-request-size-labeler - uses: codelytv/pr-size-labeler@v1 + uses: codelytv/pr-size-labeler@v1.10.2 with: GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} xs_label: '🟩 ⬤○○○○' 
@@ -47,12 +47,12 @@ jobs: - name: Checkout Repository # Checkout # https://github.com/marketplace/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v4.2.2 - name: Apply Labels Based on Branch Name and Target Branch # Pull Request Labeler # https://github.com/marketplace/actions/labeler - uses: actions/labeler@v5 + uses: actions/labeler@v5.0.0 with: configuration-path: .github/pr-auto-labels-by-branch.yml repo-token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -65,12 +65,12 @@ jobs: - name: Checkout Repository # Checkout # https://github.com/marketplace/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v4.2.2 - name: Apply Labels Based on Changed Files # Pull Request Labeler # https://github.com/marketplace/actions/labeler - uses: actions/labeler@v5 + uses: actions/labeler@v5.0.0 with: configuration-path: .github/pr-auto-labels-by-files.yml repo-token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -85,7 +85,7 @@ jobs: - name: Remove Stale Label # 🤖 Issues Helper # https://github.com/marketplace/actions/issues-helper - uses: actions-cool/issues-helper@v3 + uses: actions-cool/issues-helper@v3.6.0 with: actions: 'remove-labels' token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -108,9 +108,9 @@ jobs: steps: - name: Check Merge Blocking # GitHub Script - # https://github.com/marketplace/actions/github-scriptLabels + # https://github.com/marketplace/actions/github-script id: label-check - uses: actions/github-script@v7 + uses: actions/github-script@v7.0.1 with: script: | const prLabels = context.payload.pull_request.labels.map(label => label.name); 
@@ -153,12 +153,12 @@ jobs: - name: Checkout Repository # Checkout # https://github.com/marketplace/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v4.2.2 - name: Post PR Comments Based on Labels # Label Commenter for PRs # https://github.com/marketplace/actions/label-commenter - uses: peaceiris/actions-label-commenter@v1 + uses: peaceiris/actions-label-commenter@v1.10.0 with: config_file: .github/pr-auto-comments.yml github_token: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pr-check-merge-conflicts.yaml b/.github/workflows/pr-check-merge-conflicts.yaml index 4d35b6443..6c5acebc3 100644 --- a/.github/workflows/pr-check-merge-conflicts.yaml +++ b/.github/workflows/pr-check-merge-conflicts.yaml @@ -20,7 +20,7 @@ jobs: - name: Check Merge Conflicts # Label Conflicting Pull Requests # https://github.com/marketplace/actions/label-conflicting-pull-requests - uses: eps1lon/actions-label-merge-conflict@v3 + uses: eps1lon/actions-label-merge-conflict@v3.0.3 with: dirtyLabel: '🚫 Merge Conflicts' repoToken: ${{ secrets.BOT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} From f18cb91ef9e2d931c0197e954009b9299dd3a649 Mon Sep 17 00:00:00 2001 From: Wolfsblvt Date: Sat, 15 Mar 2025 23:33:35 +0100 Subject: [PATCH 3/4] on push, check all pushed commits - duh --- .github/workflows/issues-updates-on-merge.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/issues-updates-on-merge.yml b/.github/workflows/issues-updates-on-merge.yml index 9c01ce74e..3a5b9a152 100644 --- a/.github/workflows/issues-updates-on-merge.yml +++ b/.github/workflows/issues-updates-on-merge.yml 
@@ -25,7 +25,7 @@ jobs: - name: Extract Linked Issues from Commit Message id: extract_issues run: | - ISSUES=$(git log -1 --pretty=%B | grep -oiE '(close|closes|closed|fix|fixes|fixed|resolve|resolves|resolved) #([0-9]+)' | awk '{print $2}' | tr -d '#' | jq -R -s -c 'split("\n")[:-1]') + ISSUES=$(git log ${{ github.event.before }}..${{ github.event.after }} --pretty=%B | grep -oiE '(close|closes|closed|fix|fixes|fixed|resolve|resolves|resolved) #([0-9]+)' | awk '{print $2}' | tr -d '#' | jq -R -s -c 'split("\n")[:-1]') echo "issues=$ISSUES" >> $GITHUB_ENV - name: Label Linked Issues From 248132dd8938b0a485be80138c11afd1d098f932 Mon Sep 17 00:00:00 2001 From: Cohee <18619528+Cohee1207@users.noreply.github.com> Date: Sun, 16 Mar 2025 02:25:07 +0200 Subject: [PATCH 4/4] Set debug level to unshallow warnings --- public/script.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/public/script.js b/public/script.js index c85303d0e..8d3784c71 100644 --- a/public/script.js +++ b/public/script.js @@ -6861,14 +6861,14 @@ export function buildAvatarList(block, entities, { templateId = 'inline_avatar_t */ export async function unshallowCharacter(characterId) { if (characterId === undefined) { - console.warn('Undefined character cannot be unshallowed'); + console.debug('Undefined character cannot be unshallowed'); return; } /** @type {import('./scripts/char-data.js').v1CharData} */ const character = characters[characterId]; if (!character) { - console.warn('Character not found:', characterId); + console.debug('Character not found:', characterId); return; } @@ -6879,7 +6879,7 @@ export async function unshallowCharacter(characterId) { const avatar = character.avatar; if (!avatar) { - console.warn('Character has no avatar field:', characterId); + console.debug('Character has no avatar field:', characterId); return; }
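Review bot: The new `git log ${{ github.event.before }}..${{ github.event.after }}` in the issues-updates-on-merge.yml hunk needs the `before` commit in the local clone, but the checkout step shown in patch 2 has no `with:` block, so it presumably uses the default shallow fetch and the range cannot be resolved. Because the command feeds a pipeline and the step does not visibly set `pipefail`, that failure would most likely end as an empty `issues=[]` and not as a failed step. Adding `with:` and `fetch-depth: 0` to the checkout step (outside this hunk) addresses it; a first push of a branch, where `before` is all zeros, would still need a guard. It is also safer to pass both SHAs through `env:` and use `"$BEFORE".."$AFTER"` in the script than to expand `${{ }}` inside `run:`.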