fix(sec-02): validate webview URL scheme, remove allowpopups, add nav… #23
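name: contributor automation

on:
  schedule:
    - cron: '0 0 * * *'
  pull_request_target:
    types: [closed]
    branches:
      - main
  workflow_dispatch:

# The only write is the README commit; every API call below is a read.
permissions:
  contents: write

# A scheduled run and a merge-triggered run can overlap; both would try to
# push to main and the second push would be rejected. Queue them instead.
concurrency:
  group: contributor-automation
  cancel-in-progress: false

jobs:
  update-readme:
    runs-on: ubuntu-latest
    # Only run for merged PRs (skip PRs that were closed without merging);
    # schedule and manual dispatch always run.
    if: ${{ github.event_name != 'pull_request_target' || github.event.pull_request.merged == true }}
    steps:
      - name: Checkout
        # TODO: pin to a full commit SHA instead of a moving tag (supply-chain hardening).
        uses: actions/checkout@v4
        with:
          # No `ref:` is set, so on pull_request_target this checks out the
          # base branch (GITHUB_SHA), never the PR head: no PR-controlled code
          # runs in a job that holds the admin PAT below.
          # Push with an admin PAT so the commit bypasses the `protect-main`
          # ruleset via the "Repository admin" bypass role (the github-actions
          # bot is not a bypass actor and cannot push to main directly).
          token: ${{ secrets.CONTRIB_PAT }}
          # The "Commit and Push" step pushes with whatever credential the
          # checkout left in .git/config; this is the default, stated explicitly.
          persist-credentials: true

      - name: Fetch Merged PR Authors (Pagination)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          # GITHUB_REPOSITORY is "owner/repo" for the repository running the
          # workflow, so forks and renames keep working without editing this file.
          page=1
          printf '[]\n' > final_list.json
          while true; do
            response=$(gh api "/repos/${GITHUB_REPOSITORY}/pulls?state=closed&per_page=100&page=${page}")
            count=$(jq 'length' <<<"$response")
            if [ "$count" -eq 0 ]; then break; fi
            # Append this page to the accumulated array.
            jq -s 'add' final_list.json <(printf '%s' "$response") > tmp.json && mv tmp.json final_list.json
            page=$((page + 1))
          done
          # Keep logins of merged, non-bot PRs; `unique` returns a sorted array.
          jq '[.[]
              | select(.merged_at != null and .user != null and .user.type != "Bot")
              | .user.login]
              | unique' final_list.json > contributors.json

      - name: Build Gallery HTML
        run: |
          set -euo pipefail
          gallery_html=""
          # Logins come from the API response and are interpolated into HTML
          # attributes and URL paths. GitHub logins are limited to letters,
          # digits and hyphens, so anything else is unexpected data and is
          # skipped rather than written into README.md.
          while IFS= read -r username; do
            if [[ ! "$username" =~ ^[A-Za-z0-9-]+$ ]]; then
              printf 'warn: skipping unexpected login %q\n' "$username" >&2
              continue
            fi
            gallery_html="${gallery_html}<a href=\"https://github.com/${username}\"><img src=\"https://github.com/${username}.png\" width=\"50px\" loading=\"lazy\" title=\"${username}\" style=\"border-radius:50%;margin:5px;\" alt=\"${username}\" /></a>"
          done < <(jq -r '.[]' contributors.json)
          printf '%s\n' "$gallery_html" > gallery_fragment.txt

      - name: Update README.md
        run: |
          set -euo pipefail
          readonly readme=README.md
          readonly start_marker='<!-- CONTRIBUTORS_START -->'
          readonly end_marker='<!-- CONTRIBUTORS_END -->'
          # grep -c prints 0 but exits 1 when nothing matches; `|| true` keeps
          # the count so the explicit check below can report the problem.
          start_count=$(grep -c -F -- "$start_marker" "$readme" || true)
          end_count=$(grep -c -F -- "$end_marker" "$readme" || true)
          if [ "$start_count" -ne 1 ] || [ "$end_count" -ne 1 ]; then
            echo "Error: README.md must contain exactly one pair of markers." >&2
            exit 1
          fi
          start_line=$(grep -n -F -- "$start_marker" "$readme" | cut -d: -f1)
          end_line=$(grep -n -F -- "$end_marker" "$readme" | cut -d: -f1)
          if [ "$start_line" -ge "$end_line" ]; then
            echo "Error: CONTRIBUTORS_START must appear before CONTRIBUTORS_END." >&2
            exit 1
          fi
          # Delete everything strictly between the markers (the markers
          # themselves stay), then splice the new fragment in right after
          # the start marker.
          sed -i '/<!-- CONTRIBUTORS_START -->/,/<!-- CONTRIBUTORS_END -->/ {
            /<!-- CONTRIBUTORS_START -->/! { /<!-- CONTRIBUTORS_END -->/! d; }
          }' "$readme"
          sed -i '/<!-- CONTRIBUTORS_START -->/r gallery_fragment.txt' "$readme"

      - name: Commit and Push
        run: |
          set -euo pipefail
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
          git add README.md
          if git diff --staged --quiet; then
            echo "No changes to README."
          else
            # Pushes with the CONTRIB_PAT persisted by the checkout step.
            # `[skip ci]` keeps this bot commit from triggering push workflows.
            git commit -m "update contributor list [skip ci]"
            git push origin main
          fi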