Trigger deploy of whatwg.org on changes

[foolip]

Fixes #110.

[foolip]

This seems to work, https://github.com/whatwg/sg/runs/780908592 triggered https://github.com/whatwg/whatwg.org/runs/780910278 (as @whatbot)

[annevk]

So the risks here are that if peter-evans/repository-dispatch@v1 goes rogue the DISPATCH_TOKEN is compromised but that cannot really be used for much anyway?

[annevk]

I guess Dependabot monitors these too?

[foolip]

One can configure Dependabot to bump GitHub Actions, yes. I haven't tried it, though.

[foolip]

So the risks here are that if peter-evans/repository-dispatch@v1 goes rogue the DISPATCH_TOKEN is compromised but that cannot really be used for much anyway?

An attacker would get write access to the whatwg/whatwg.org repo. From there they should be able to extract the deploy keys to marquee and SSH into it, at which point we'd be pretty thoroughly compromised.

That's a fair bit of trust to place in a nice-to-have wrapper. We could pin it to an exact commit, but reviewing changes to https://github.com/peter-evans/repository-dispatch/blob/v1/dist/index.js isn't going to be easy.

I'll try to craft the curl command line for this instead.

[foolip]

OK, after some flailing about I got it to work, https://github.com/whatwg/sg/runs/781040423 triggered https://github.com/whatwg/whatwg.org/actions/runs/138597128. @annevk r?

[annevk]

Nice! Still pretty heavy for a fetch, but I guess that's what computing is these days. 😊

[foolip]

FWIW, Azure Pipelines has something lighter-weight where no agent at all is required:
https://docs.microsoft.com/en-us/azure/devops/pipelines/process/phases?view=azure-devops&tabs=yaml#server-jobs

But GitHub Actions does not, AFAICT.

[foolip]

Alright, this all seems to work: https://github.com/whatwg/whatwg.org/runs/781299300

[foolip]

I did accidentally rebase all the junk commits onto master, though. Disabled branch protection and force pushed to fix.