trmcnvn / firefox-addon Goto Github PK

Using webpack I build a zip file for the extension but this action uses xpi extension, is there a way I can use a zip file?

Thank you for this addon!
When using it here I got a Request failed with status code 400

Run trmcnvn/firefox-addon@v1
  with:
    uuid: {87477736-c9f4-44c4-8eee-7fdfaaf750e9}
    xpi: packages/qownnotes-web-companion.v20.8.3.firefox.xpi.zip
    manifest: dist/firefox/manifest.json
    api-key: ***
    api-secret: ***
  env:
    VERSION: 20.8.3
    TAG: v20.8.3
    RELEASE_TEXT: ## 20.8.3
  - Firefox store releasing is now done via GitHub Actions
##[error]Request failed with status code 400

Config: https://github.com/qownnotes/web-companion/blob/8512fd2c075491c775767825c5f6aaa56219fe70/.github/workflows/build-release.yml#L69-L77

Is there a way to find out what causes the error?

I got this review, because I use minified sources:

This version contains minified, concatenated or otherwise machine-generated code. Please provide the original sources, together with instructions on how to generate the final XPI. Source code must be provided as an archive and uploaded using the source code upload field, which can be done during submission or on the version page in the developer hub.
Please read through the instructions at https://extensionworkshop.com/documentation/publish/source-code-submission/ .

How can I upload the source with this action?

Btw. amazing work on this! This action makes publishing really easy.

nevermind

Hi, this action asks for a key and secret but the page linked says JWT issuer and JWT secret.

Using them as key secret respectively doesn't seem to be working.

Just looking for some clarification, I know this action is 2 years old

There are other fields that can be submitted such as Release Notes using the AMO webform. It'd be nice to also be able to submit updated data through this action.

At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.

Below you can see the KB of your GITHUB Action.

name: 'Firefox Addon Action' # trmcnvn/firefox-addon
# GITHUB_TOKEN not used

If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.

This issue is automatically created by our analysis bot, feel free to close after reading :)

References:

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.