Add automated Chrome Web Store publishing #9
Codecov Report❌ Patch coverage is
- Create helper script to simplify getting GitHub refresh tokens
- Update release workflow to use semantic versioning
- Improve options page styling and token setup flow
Condensed README sections to be more skimmable - the accessibility and setup sections were way too verbose. Also updated storage capacity from 100 to 2000 items throughout docs and config since we increased that limit. Added note about NPM registry communication in privacy policy since that's not obvious to users.
Pull Request Overview
This PR adds automated Chrome Web Store publishing infrastructure to the release workflow, along with storage limit increases and documentation improvements to support the extension's public launch.
Key Changes:
- Added OAuth refresh token generation utility for Chrome Web Store API authentication
- Integrated automated publishing into the GitHub Actions release workflow
- Increased activity storage limit from 100 to 2000 items across code and documentation
- Streamlined README documentation for better readability
Reviewed Changes
Copilot reviewed 11 out of 13 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/get-refresh-token.js | New utility script to generate OAuth refresh tokens for Chrome Web Store API |
| .github/workflows/release.yml | Added Chrome Web Store publishing step using mnao305/chrome-extension-upload action |
| package.json | Added open@11.0.0 package for browser automation in OAuth flow |
| package-lock.json | Updated lockfile with dependencies for the open package |
| shared/config.js | Increased MAX_ACTIVITIES_STORED from 100 to 2000 |
| shared/state-manager.js | Refactored to use centralized STORAGE_CONFIG constant instead of hardcoded limit |
| options/options.js | Added GitHub link footer to changelog display |
| options/options.css | Added styling for new changelog footer component |
| manifest.json | Added web_accessible_resources configuration for CHANGELOG.md |
| README.md | Updated Chrome Web Store links and condensed documentation sections for readability |
| PRIVACY.md | Updated storage limit documentation to reflect 2000 items; added NPM registry communication note |
| CONTRIBUTING.md | Documented automated Chrome Web Store publishing in release process |
| .gitignore | Added pattern to exclude OAuth credential files (client_secret*.json) |
scripts/get-refresh-token.js
Outdated
| import { parse } from 'url'; | ||
| import open from 'open'; | ||
|
|
||
| const CREDENTIALS_FILE = process.argv[2] || 'client_secret_346359641766-c71fo1muqo7r1n7lv7em33fbt2vnmkin.apps.googleusercontent.com.json'; |
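Review bot: `import { parse } from 'url'` on the first line of this hunk brings in Node's legacy `url.parse()`, which the Node.js documentation marks as legacy in favour of the WHATWG `URL` class. If it is used to read the OAuth redirect request, build the URL with `new URL(...)` and take the parameters from `searchParams` instead.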
Copilot
AI
Nov 20, 2025
The default credentials filename contains a hardcoded client ID that appears to be a real Google OAuth client ID (346359641766-c71fo1muqo7r1n7lv7em33fbt2vnmkin.apps.googleusercontent.com). This sensitive information should not be committed to the repository. Consider using a generic placeholder like 'client_secret.json' or documenting in comments how to obtain the credentials file without including actual client IDs.
| const CREDENTIALS_FILE = process.argv[2] || 'client_secret_346359641766-c71fo1muqo7r1n7lv7em33fbt2vnmkin.apps.googleusercontent.com.json'; | |
| // Provide the path to your OAuth 2.0 client credentials file (download from Google Cloud Console). | |
| // Usage: node scripts/get-refresh-token.js [path-to-credentials.json] | |
| const CREDENTIALS_FILE = process.argv[2] || 'client_secret.json'; |
scripts/get-refresh-token.js
Outdated
| console.log(` CHROME_CLIENT_ID = ${client_id}`); | ||
| console.log(` CHROME_CLIENT_SECRET = ${client_secret}`); | ||
| console.log(` CHROME_REFRESH_TOKEN = ${tokens.refresh_token}`); |
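Review bot: these three `console.log` lines write the client secret and the refresh token to stdout in clear text, where they can end up in terminal scrollback or captured logs. Print only the secret names here and hand the values over without echoing them, for example by writing them to a file created with mode 0600 or by piping each one to `gh secret set <NAME>`, which reads the value from stdin.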
Copilot
AI
Nov 20, 2025
Sensitive credentials (client_id, client_secret, and refresh_token) are being logged to the console. This creates a security risk as terminal output may be captured in logs, screen recordings, or visible to others. Consider warning users to keep this information secure or provide instructions to redirect output to a secure file instead of printing directly to stdout.
| "web_accessible_resources": [ | ||
| { | ||
| "resources": ["CHANGELOG.md"], | ||
| "matches": ["<all_urls>"] |
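Review bot: `"matches": ["<all_urls>"]` on the last line lets any web page request CHANGELOG.md from the extension's origin, which is enough for a site to detect that the extension is installed. The file summary ties this entry to the changelog shown on the options page, and an extension's own pages can fetch packaged files through `chrome.runtime.getURL()` without a `web_accessible_resources` entry, so drop the block unless a web page really needs the file.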
Copilot
AI
Nov 20, 2025
The web_accessible_resources configuration makes CHANGELOG.md accessible to all URLs (<all_urls>). This is overly permissive and creates a security risk by allowing any website to access the extension's CHANGELOG. If external access to CHANGELOG.md is necessary, consider restricting it to specific domains. If it's only needed internally by the extension, this configuration may not be necessary at all.
| "matches": ["<all_urls>"] | |
| "matches": ["chrome-extension://__EXTENSION_ID__/options/options.html", "chrome-extension://__EXTENSION_ID__/popup/popup.html"] |
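A check for the exposure raised in the comment above, as an added example that is not part of the PR or the project's code: it lists every `web_accessible_resources` entry whose `matches` pattern covers all web origins and reports whether `use_dynamic_url` is set. `SAMPLE_MANIFEST`, the `icons/*.png` entry and the function names are constructed for illustration.

```javascript
// Added example: list web_accessible_resources entries that every web origin can load.
// SAMPLE_MANIFEST is constructed; its first entry mirrors the one quoted in the review.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["CHANGELOG.md"], matches: ["<all_urls>"] },
    { resources: ["icons/*.png"], matches: ["https://example.com/*"] }, // hypothetical
  ],
};

// True when a match pattern covers all web origins rather than named hosts.
function isBroadPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]+)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

function auditWebAccessibleResources(manifest) {
  const findings = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      // Manifest V2 lists bare paths, and each one is loadable from any page.
      findings.push({ resource: entry, pattern: "(MV2 entry)", dynamicUrl: false });
      continue;
    }
    // use_dynamic_url changes the resource URL per session, which limits probing.
    const dynamicUrl = entry.use_dynamic_url === true;
    for (const pattern of (entry.matches || []).filter(isBroadPattern)) {
      for (const resource of entry.resources || []) {
        findings.push({ resource, pattern, dynamicUrl });
      }
    }
  }
  return findings;
}

for (const f of auditWebAccessibleResources(SAMPLE_MANIFEST)) {
  console.log(`${f.resource} is exposed via ${f.pattern} (use_dynamic_url: ${f.dynamicUrl})`);
}
```

Run against a parsed `manifest.json` in CI, a non-empty result can fail the build before a release is published.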
0fbb7e2 to e8116c4
Closing to create fresh PR without force-push history
Summary
Changes
Chrome Web Store Publishing
Added automation to publish releases directly to the Chrome Web Store:
- .github/workflows/release.yml to automatically publish on release
Documentation Improvements
Tightened up README to be more skimmable:
Storage Updates
Testing
The Chrome Web Store publishing requires these GitHub secrets to be set:
- CHROME_EXTENSION_ID
- CHROME_CLIENT_ID
- CHROME_CLIENT_SECRET
- CHROME_REFRESH_TOKEN