search

asciidoctor / asciidoctor-browser-extension

:white_circle: An extension for web browsers that converts AsciiDoc files to HTML using Asciidoctor.js.
https://chrome.google.com/webstore/detail/asciidoctorjs-live-previe/iaalpfgpbocpdfblpnhhgllgbdbchmia
MIT License
218 stars 50 forks source link

Add Github Action to Deploy to Webstores #631

Open ColdSauce opened 2 years ago

ColdSauce commented 2 years ago

Hiya, we made a Github action to make it easier to deploy to each of the web stores. This PR integrates the ascii doctor browser ext to our Github action so you can deploy directly from the Github UI.

Currently supporting Chrome, Firefox, Edge, and Opera (Safari support coming soon too)

The only thing you would need to create is a SUBMIT_KEYS GitHub repository secret.

This secret is a JSON, with the schema defined here.

Here's a sample key:

{
  "$schema": "https://raw.githubusercontent.com/plasmo-corp/bpp/v1/keys.schema.json",
  "chrome": {
    "clientId": "123",
    "clientSecret": "456",
    "refreshToken": "789",
    "extId": "abcd"
  },
  "firefox": {
    "apiKey": "123",
    "apiSecret": "abcd",
    "extId": "foobar"
  }
}

You can find instructions on how to get those keys in the schema, or if you use vscode, the schema should provide hint/intelisense when hovering over the json properties. If you need any help in setting up the keys, feel free to @ me.

Otherwise, if this doesn't seem necessary, feel free to close the PR!

ggrossetie commented 2 years ago

Sounds interesting! I didn't know that it was possible to publish to the Chrome WebStore using an API. It seems that you are using Puppeteer to automate the process for Opera and Edge? No API available?

To be honest, I'm a bit reluctant to use this GitHub actions for security reasons: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/ It seems legit but I don't have time to do a thorough review of bpp, cwu, bms...

ColdSauce commented 2 years ago

It seems that you are using Puppeteer to automate the process for Opera and Edge? No API available?

At least for Opera, there is a private API that I'm currently reverse engineering to take advantage of. I reached out to the program manager of the Edge store to see how we can have a better workflow for Edge. Tracking Opera task here and Edge task here

To be honest, I'm a bit reluctant to use this GitHub actions for security reasons

As a former security engineer, it makes me happy to see people are skeptical of random Github Actions that are close to their deployment :)

If you'd like I can pin the version to the SHA-1 of our latest commit, but I understand your point about not having enough time to check through all the code. If there's anything else I can do to minimize your risk and ease your concerns, please let me know. We feel like this is a useful piece of software and we'd love for people to use it, but we want people feeling safe when they do so!