Dev

.github/workflows/actions/build-test-pack/action.yml

@@ -0,0 +1,42 @@
+# Assumes that:
+# 1. the following env variables are set:
+# - ZIP_FILE_PATH
+# - EXTENSION_DIR
+# 2. repository checked out
+# Effects:
+# - builds and tests an extension, fails on error
+# - packed extension.zip saved to env.ZIP_FILE_PATH if inputs.doNotPackZip == 'false'
+
+name: "Build, test and pack WebExtension"
+description: "Builds, tests, and packs extension dir into zip file"
+
+inputs:
+  doNotPackZip:
+    description: 'Set `true` to omit pack step'
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    # Add additional build and test steps here
+
+    - name: Copy extension to folder
+      shell: bash
+      run: |
+        mkdir -p ${{ env.EXTENSION_DIR }}
+        cp manifest.json ${{ env.EXTENSION_DIR }}
+        cp blocked.html ${{ env.EXTENSION_DIR }}
+        cp -r config/ ${{ env.EXTENSION_DIR }}
+        cp -r images/ ${{ env.EXTENSION_DIR }}
+        cp -r options/ ${{ env.EXTENSION_DIR }}
+        cp -r popup/ ${{ env.EXTENSION_DIR }}
+        cp -r rules/ ${{ env.EXTENSION_DIR }}
+        cp -r scripts/ ${{ env.EXTENSION_DIR }}
+        cp -r styles/ ${{ env.EXTENSION_DIR }}
+
+    - name: Pack directory to zip
+      if: inputs.doNotPackZip != 'true'
+      uses: cardinalby/webext-buildtools-pack-extension-dir-action@28fdcac9860fb08555580587cab0d33afe4a341d
+      with:
+        extensionDir: ${{ env.EXTENSION_DIR }}
+        zipFilePath: ${{ env.ZIP_FILE_PATH }}

.github/workflows/actions/get-zip-asset/action.yml

@@ -0,0 +1,67 @@
+# Assumes that:
+# 1. the following env variables are set:
+# - ZIP_ASSET_NAME
+# - ZIP_FILE_PATH
+# - ZIP_FILE_NAME
+# - EXTENSION_DIR
+# 2. repository checked out
+# Effects:
+# - extension.zip saved to env.ZIP_FILE_PATH
+# - outputs.releaseUploadUrl is set if ref_type == 'tag' and release exists
+# - extension.zip uploaded as build artifact to the job if it wasn't found in release
+
+name: "Obtain extension.zip asset"
+description: "Downloads zip asset from a release (if exists) or builds it from the scratch"
+inputs:
+  githubToken:
+    description: GitHub token
+    required: true
+outputs:
+  releaseUploadUrl:
+    description: Release upload url, if exists
+    value: ${{ steps.getRelease.outputs.upload_url }}
+runs:
+  using: "composite"
+  steps:
+    - name: Get release
+      id: getRelease
+      if: github.ref_type == 'tag'
+      uses: cardinalby/git-get-release-action@cedef2faf69cb7c55b285bad07688d04430b7ada
+      env:
+        GITHUB_TOKEN: ${{ inputs.githubToken }}
+      with:
+        tag: ${{ github.ref_name }}
+        doNotFailIfNotFound: true
+
+    - name: Find out zip asset id from assets JSON
+      if: steps.getRelease.outputs.assets
+      id: readAssetIdFromRelease
+      uses: cardinalby/js-eval-action@b34865f1d9cfdf35356013627474857cfe0d5091
+      env:
+        ASSETS_JSON: ${{ steps.getRelease.outputs.assets }}
+        ASSET_NAME: ${{ env.ZIP_ASSET_NAME }}
+      with:
+        expression: |
+          JSON.parse(env.ASSETS_JSON)
+            .find(asset => asset.name == env.ZIP_ASSET_NAME)?.id || ''
+
+    - name: Download found zip release asset
+      id: downloadZipAsset
+      if: steps.readAssetIdFromRelease.outputs.result
+      uses: cardinalby/download-release-asset-action@8fe4ec3a876fe25b72086c8de1faddfaeb6512ff
+      with:
+        token: ${{ inputs.githubToken }}
+        assetId: ${{ steps.readAssetIdFromRelease.outputs.result }}
+        targetPath: ${{ env.ZIP_FILE_PATH }}
+
+    - name: Build and pack zip
+      id: buildZip
+      if: steps.downloadZipAsset.outcome != 'success'
+      uses: ./.github/workflows/actions/build-test-pack
+
+    - name: Upload zip file artifact
+      if: steps.buildZip.outcome == 'success'
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
+      with:
+        name: ${{ env.ZIP_FILE_NAME }}
+        path: ${{ env.ZIP_FILE_PATH }}

.github/workflows/build-and-test.yml

@@ -0,0 +1,32 @@
+name: Build and test
+on:
+  pull_request:
+  push:
+    branches:
+      - 'main'
+      - 'dev'
+  workflow_dispatch:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: cardinalby/export-env-action@66657b34899a2d695434ed060d9f2215db9b4035
+        with:
+          envFile: './.github/workflows/constants.env'
+          expand: true
+
+      - name: Build, test and pack to zip
+        id: build
+        uses: ./.github/workflows/actions/build-test-pack
+        with:
+          # pack zip only for pull requests or workflow_dispatch events
+          doNotPackZip: ${{ github.event_name == 'push' && 'true' || 'false'}}
+
+      - name: Upload zip file artifact
+        if: github.event_name != 'push'
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
+        with:
+          name: ${{ env.ZIP_FILE_NAME }}
+          path: ${{ env.ZIP_FILE_PATH }}

.github/workflows/build-assets-on-release.yml

@@ -0,0 +1,96 @@
+# On release published:
+# - if no built extension.zip asset attached to release, does that
+# - builds and attaches signed crx asset to release
+# - builds and attaches signed xpi asset to release
+name: Build release assets
+
+on:
+  release:
+    # Creating draft releases will not trigger it
+    types: [published]
+jobs:
+  # Find out asset id of existing extension.zip asset in a release or
+  # build and attach it to the release and use its asset id
+  ensure-zip:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    outputs:
+      zipAssetId: |
+        ${{ steps.getZipAssetId.outputs.result ||
+            steps.uploadZipAsset.outputs.id }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: cardinalby/export-env-action@66657b34899a2d695434ed060d9f2215db9b4035
+        with:
+          envFile: './.github/workflows/constants.env'
+          expand: true
+
+      - name: Find out "extension.zip" asset id from the release
+        id: getZipAssetId
+        uses: cardinalby/js-eval-action@b34865f1d9cfdf35356013627474857cfe0d5091
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ASSETS_URL: ${{ github.event.release.assets_url }}
+          ASSET_NAME: ${{ env.ZIP_FILE_NAME }}
+        with:
+          expression: |
+            (await octokit.request("GET " + env.ASSETS_URL)).data
+              .find(asset => asset.name == env.ASSET_NAME)?.id || ''
+
+      - name: Build, test and pack
+        if: '!steps.getZipAssetId.outputs.result'
+        id: buildPack
+        uses: ./.github/workflows/actions/build-test-pack
+
+      - name: Upload "extension.zip" asset to the release
+        id: uploadZipAsset
+        if: '!steps.getZipAssetId.outputs.result'
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: ${{ env.ZIP_FILE_PATH }}
+          asset_name: ${{ env.ZIP_FILE_NAME }}
+          asset_content_type: application/zip
+
+  build-signed-crx-asset:
+    needs: ensure-zip
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: cardinalby/export-env-action@66657b34899a2d695434ed060d9f2215db9b4035
+        with:
+          envFile: './.github/workflows/constants.env'
+          expand: true
+
+      - name: Download zip release asset
+        uses: cardinalby/download-release-asset-action@8fe4ec3a876fe25b72086c8de1faddfaeb6512ff
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          assetId: ${{ needs.ensure-zip.outputs.zipAssetId }}
+          targetPath: ${{ env.ZIP_FILE_PATH }}
+
+      - name: Build offline crx
+        id: buildOfflineCrx
+        uses: cardinalby/webext-buildtools-chrome-crx-action@200e7173cbdb5acb91d381cf9f7a30080b025047
+        with:
+          zipFilePath: ${{ env.ZIP_FILE_PATH }}
+          crxFilePath: ${{ env.OFFLINE_CRX_FILE_PATH }}
+          privateKey: ${{ secrets.CHROME_CRX_PRIVATE_KEY }}
+
+      - name: Upload offline crx release asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: ${{ env.OFFLINE_CRX_FILE_PATH }}
+          asset_name: ${{ env.OFFLINE_CRX_FILE_NAME }}
+          asset_content_type: application/x-chrome-extension
+

.github/workflows/constants.env

@@ -0,0 +1,11 @@
+EXTENSION_DIR=extension/
+BUILD_DIR=build/
+
+ZIP_FILE_NAME=extension.zip
+ZIP_FILE_PATH=${BUILD_DIR}${ZIP_FILE_NAME}
+
+WEBSTORE_CRX_FILE_NAME=extension.webstore.crx
+WEBSTORE_CRX_FILE_PATH=${BUILD_DIR}${WEBSTORE_CRX_FILE_NAME}
+
+OFFLINE_CRX_FILE_NAME=extension.offline.crx
+OFFLINE_CRX_FILE_PATH=${BUILD_DIR}${OFFLINE_CRX_FILE_NAME}

.github/workflows/google-refresh-token.yml

@@ -0,0 +1,14 @@
+name: Google Refresh Token
+on:
+  schedule:
+    - cron:  '0 3 2 * *' # At 03:00 on day-of-month 2
+  workflow_dispatch:
+jobs:
+  fetchToken:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: cardinalby/google-api-fetch-token-action@24c99245e2a2494cc4c4b1037203d319a184b15b
+        with:
+          clientId: ${{ secrets.G_CLIENT_ID }}
+          clientSecret: ${{ secrets.G_CLIENT_SECRET }}
+          refreshToken: ${{ secrets.G_REFRESH_TOKEN }}

.github/workflows/pr_check.yml

@@ -0,0 +1,59 @@
+name: PR Branch Check
+
+on:
+  # Using pull_request_target instead of pull_request for secure handling of fork PRs
+  pull_request_target:
+    # Only run on these PR events
+    types: [opened, synchronize, reopened]
+    # Only check PRs targeting these branches
+    branches:
+      - main
+      - master
+
+permissions:
+  pull-requests: write
+  issues: write
+
+jobs:
+  check-branch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check and Comment on PR
+        # Only process fork PRs with specific branch conditions
+        # Must be a fork AND (source is main/master OR target is main/master)
+        if: |
+          github.event.pull_request.head.repo.fork == true &&
+          ((github.event.pull_request.head.ref == 'main' || github.event.pull_request.head.ref == 'master') ||
+          (github.event.pull_request.base.ref == 'main' || github.event.pull_request.base.ref == 'master'))
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            let message = '';
+
+            // Check if PR is targeting main/master
+            if (context.payload.pull_request.base.ref === 'main' || context.payload.pull_request.base.ref === 'master') {
+              message += '⚠️ PRs cannot target the main branch directly. If you are attempting to contribute code please PR to the dev branch.\n\n';
+            }
+
+            // Check if PR is from a fork's main/master branch
+            if (context.payload.pull_request.head.repo.fork &&
+                (context.payload.pull_request.head.ref === 'main' || context.payload.pull_request.head.ref === 'master')) {
+              message += '⚠️ This PR cannot be merged because it originates from your fork\'s main/master branch. If you are attempting to contribute code please PR from your dev branch or another non-main/master branch.\n\n';
+            }
+
+            message += '🔒 This PR will now be automatically closed due to the above rules.';
+
+            // Post the comment
+            await github.rest.issues.createComment({
+              ...context.repo,
+              issue_number: context.issue.number,
+              body: message
+            });
+
+            // Close the PR
+            await github.rest.pulls.update({
+              ...context.repo,
+              pull_number: context.issue.number,
+              state: 'closed'
+            });