mirror of
https://github.com/formbricks/formbricks.git
synced 2025-12-30 10:19:51 -06:00
aecedfd082
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: Dhruwang Jariwala <67850763+Dhruwang@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: Dhruwang <dhruwangjariwala18@gmail.com> Co-authored-by: Matthias Nannt <mail@matthiasnannt.com>
88 lines
2.7 KiB
YAML
88 lines
2.7 KiB
YAML
name: Tolgee Tagging on PR Merge
|
|
permissions:
|
|
contents: read
|
|
|
|
on:
|
|
pull_request_target:
|
|
types: [closed]
|
|
branches:
|
|
- main
|
|
|
|
jobs:
|
|
tag-production-keys:
|
|
name: Tag Production Keys
|
|
runs-on: ubuntu-latest
|
|
if: github.event.pull_request.merged == true
|
|
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout repository
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
fetch-depth: 0 # This ensures we get the full git history
|
|
|
|
- name: Get source branch name
|
|
id: branch-name
|
|
run: |
|
|
RAW_BRANCH="${{ github.head_ref }}"
|
|
SOURCE_BRANCH=$(echo "$RAW_BRANCH" | sed 's/[^a-zA-Z0-9._\/-]//g')
|
|
|
|
|
|
# Safely add to environment variables using GitHub's recommended method
|
|
# This prevents environment variable injection attacks
|
|
echo "SOURCE_BRANCH<<EOF" >> $GITHUB_ENV
|
|
echo "$SOURCE_BRANCH" >> $GITHUB_ENV
|
|
echo "EOF" >> $GITHUB_ENV
|
|
|
|
echo "Detected source branch: $SOURCE_BRANCH"
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
|
|
with:
|
|
node-version: 18 # Ensure compatibility with your project
|
|
|
|
- name: Install Tolgee CLI
|
|
run: npm install -g @tolgee/cli
|
|
|
|
- name: Tag Production Keys
|
|
run: |
|
|
npx tolgee tag \
|
|
--api-key ${{ secrets.TOLGEE_API_KEY }} \
|
|
--filter-extracted \
|
|
--filter-tag "draft:${SOURCE_BRANCH}" \
|
|
--tag production \
|
|
--untag "draft:${SOURCE_BRANCH}"
|
|
|
|
- name: Tag unused production keys as Deprecated
|
|
run: |
|
|
npx tolgee tag \
|
|
--api-key ${{ secrets.TOLGEE_API_KEY }} \
|
|
--filter-not-extracted --filter-tag production \
|
|
--tag deprecated --untag production
|
|
|
|
- name: Tag unused draft:current-branch keys as Deprecated
|
|
run: |
|
|
npx tolgee tag \
|
|
--api-key ${{ secrets.TOLGEE_API_KEY }} \
|
|
--filter-not-extracted --filter-tag "draft:${SOURCE_BRANCH}" \
|
|
--tag deprecated --untag "draft:${SOURCE_BRANCH}"
|
|
|
|
- name: Sync with backup
|
|
run: |
|
|
npx tolgee sync \
|
|
--api-key ${{ secrets.TOLGEE_API_KEY }} \
|
|
--backup ./tolgee-backup \
|
|
--continue-on-warning \
|
|
--yes
|
|
|
|
- name: Upload backup as artifact
|
|
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
|
|
with:
|
|
name: tolgee-backup-${{ github.sha }}
|
|
path: ./tolgee-backup
|
|
retention-days: 90
|