Replace the task-list-completed GitHub app with a GitHub action

[TicClick]

unfortunately this seems necessary due to stilliard/github-task-list-completed#25 -- the check coming from the task-list-completed app occasionally becomes stale, only displaying the "Waiting for status to be reported" placeholder, and whether or not you can break its torpor is pure luck (it's probably something on GitHub's end, but I personally can't care anymore)

https://github.com/Shopify/task-list-checker is the new action. keep in mind that it only considers the PR's description, while task-list-completed reads all comments and tests them for checkboxes

@peppy please:

• uninstall https://github.com/marketplace/task-list-completed from the repo
• change GITHUB_TOKEN access to Read and write permissions in the repo settings → actions

[TicClick]

uhh it seems we need to extend GITHUB_TOKEN's permissions on a repo level by choosing the Read and write permissions option @ https://github.com/ppy/osu-wiki/settings/actions, because my attempt 45f4dcf (#10067) didn't work:

You can use the permissions key to add and remove read permissions for forked repositories, but typically you can't grant write access.

https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token

[peppy]

What's the write access for in this case?

Also we may want to propagate this change to other repos, like lazer.

[cl8n]

the permission is for writing commit statuses

[TicClick]

tested on my repository that our actions still work with limited permissions:

• welcome-new-contributor
• syncing a feature branch to master
• wiki checks (was able to read a list of commits)

---

task-list-checker also works

here's what the token was required for

[TicClick]

JFYI there's an alternative solution to the permissions issue:

1. make a classic¹ personal token with a repo:status access scope and unlimited expiry date
2. put it into ppy/osu-wiki's secrets and change secrets.GITHUB_SECRET in this PR to secrets.{new secret name}

the downside is that the new action will fail in pull requests made to forks, unless the forks' owners generate their own tokens
(also that the token may be eventually revoked and then stuff breaks, but that's easily noticeable)

Footnotes

1. fine-grained tokens can't be issued for use for longer than a year ↩

[sr229]

JFYI there's an alternative solution to the permissions issue:

1. make a classic1 personal token with a repo:status access scope and unlimited expiry date
2. put it into ppy/osu-wiki's secrets and change secrets.GITHUB_SECRET in this PR to secrets.{new secret name}

the downside is that the new action will fail in pull requests made to forks, unless the forks' owners generate their own tokens (also that the token may be eventually revoked and then stuff breaks, but that's easily noticeable)

Footnotes

1. fine-grained tokens can't be issued for use longer than a year ↩

Just to add to this, [the CI] tokens are ephemeral by default which reduces the likelihood of a supply chain attack, so I believe its due diligence to audit the actions we use and precisely tag the version we want to prevent any kind of misuse.

[TicClick]

good point -- what I suggested as a replacement for task list handling isn't tagged..

[TicClick]

(hopefully permanently) closing as per https://discord.com/channels/188630481301012481/218677502141399041/1157343244322078770

[5:48 PM] peppy: hmm
[5:49 PM] peppy: i may have fixed the todo cheker app not working
[5:49 PM] peppy: please lemme know if it works better