mirror of
https://github.com/formbricks/formbricks.git
synced 2026-01-05 08:59:55 -06:00
96 lines
3.2 KiB
YAML
96 lines
3.2 KiB
YAML
name: Tolgee Tagging on PR Merge
|
|
permissions:
|
|
contents: read
|
|
|
|
on:
|
|
pull_request_target:
|
|
types: [closed]
|
|
branches:
|
|
- main
|
|
|
|
jobs:
|
|
tag-production-keys:
|
|
name: Tag Production Keys
|
|
runs-on: ubuntu-latest
|
|
if: github.event.pull_request.merged == true
|
|
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout repository
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
fetch-depth: 0 # This ensures we get the full git history
|
|
|
|
- name: Get source branch name
|
|
id: branch-name
|
|
env:
|
|
RAW_BRANCH: ${{ github.head_ref }}
|
|
run: |
|
|
# Validate and sanitize branch name - only allow alphanumeric, dots, underscores, hyphens, and forward slashes
|
|
SOURCE_BRANCH=$(echo "$RAW_BRANCH" | sed 's/[^a-zA-Z0-9._\/-]//g')
|
|
|
|
# Additional validation - ensure branch name is not empty after sanitization
|
|
if [[ -z "$SOURCE_BRANCH" ]]; then
|
|
echo "❌ Error: Branch name is empty after sanitization"
|
|
echo "Original branch: $RAW_BRANCH"
|
|
exit 1
|
|
fi
|
|
|
|
# Safely add to environment variables using GitHub's recommended method
|
|
# This prevents environment variable injection attacks
|
|
echo "SOURCE_BRANCH<<EOF" >> $GITHUB_ENV
|
|
echo "$SOURCE_BRANCH" >> $GITHUB_ENV
|
|
echo "EOF" >> $GITHUB_ENV
|
|
|
|
echo "Detected source branch: $SOURCE_BRANCH"
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
|
|
with:
|
|
node-version: 18 # Ensure compatibility with your project
|
|
|
|
- name: Install Tolgee CLI
|
|
run: npm install -g @tolgee/cli
|
|
|
|
- name: Tag Production Keys
|
|
run: |
|
|
npx tolgee tag \
|
|
--api-key ${{ secrets.TOLGEE_API_KEY }} \
|
|
--filter-extracted \
|
|
--filter-tag "draft:${SOURCE_BRANCH}" \
|
|
--tag production \
|
|
--untag "draft:${SOURCE_BRANCH}"
|
|
|
|
- name: Tag unused production keys as Deprecated
|
|
run: |
|
|
npx tolgee tag \
|
|
--api-key ${{ secrets.TOLGEE_API_KEY }} \
|
|
--filter-not-extracted --filter-tag production \
|
|
--tag deprecated --untag production
|
|
|
|
- name: Tag unused draft:current-branch keys as Deprecated
|
|
run: |
|
|
npx tolgee tag \
|
|
--api-key ${{ secrets.TOLGEE_API_KEY }} \
|
|
--filter-not-extracted --filter-tag "draft:${SOURCE_BRANCH}" \
|
|
--tag deprecated --untag "draft:${SOURCE_BRANCH}"
|
|
|
|
- name: Sync with backup
|
|
run: |
|
|
npx tolgee sync \
|
|
--api-key ${{ secrets.TOLGEE_API_KEY }} \
|
|
--backup ./tolgee-backup \
|
|
--continue-on-warning \
|
|
--yes
|
|
|
|
- name: Upload backup as artifact
|
|
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
|
|
with:
|
|
name: tolgee-backup-${{ github.sha }}
|
|
path: ./tolgee-backup
|
|
retention-days: 90
|