Adding github action for automated submission and dependabot upkeep

[louisgv]

Hi @palant!

Love pfp. I was looking for ways to contribute, and thought adding a bit more ci might help. This PR introduces 2 github action workflows:

• automerge: automate the dependabot merging to reduce PR noise, using https://github.com/fastify/github-action-merge-dependabot. It build and test the project before it merge!
• submit: automate the zip submission process to the Chrome/Firefox stores automatically, using bpp . It is set to run manually from the github action tab, but we can tweak it to run as frequent as you wish! The only thing you would need to create is a SUBMIT_KEYS github repository secret.

The SUBMIT_KEYS secret is a json, with the schema defined here.

Here's a sample key for you:

{
  "$schema": "https://raw.githubusercontent.com/plasmo-corp/bpp/main/keys.schema.json",
  "chrome": {
    "zip": "build-chrome/pfp-{version}.zip",
    "clientId": "123",
    "refreshToken": "789",
    "extId": "abcd"
  },
  "firefox": {
    "zip": "build-firefox/pfp-{version}.xpi",
    "apiKey": "abcd",
    "apiSecret": "abcd"
  }
}

You can find instructions on how to get the keys in the schema, or in this doc. If you use vscode, the schema should provide hint/intelisense when hovering over the json properties. If you need any help in setting up the keys, feel free to @ me! Otherwise if this doesn't seem necessary, feel free to close the PR :)

---

Side notes: bpp is an open source action, together with its dependencies. You can audit the source as well as providing any issue/feedback here:

• Browser Plugin Publisher
• Browser Market Submit
• Mozilla Webstore Upload
• Chrome Webstore Upload

[palant]

Hi, thank you for this contribution! Unfortunately, I’m not quite certain how I feel about these changes. Maybe I’m overly cautious but I’d prefer to merge Dependabot changes manually for now. Two reasons for that. First of all, in a bunch of cases I rejected a Dependabot PR. Not because it would break something, but simply because it made more sense to properly upgrade a dependency instead. And second: running tests does relatively little to ensure that no broken build is being produced as this isn’t being tested.

Also, I’m not exactly releasing frequently as you probably noticed. Automating releases is certainly possible and I could do it without relying on third parties (something I generally tend to avoid for something as sensitive), but it just isn’t worth the effort at this stage. Given that I only learned about Github Actions recently, properly evaluating the risks of using bpp will still take me significant time…