From 011cca2334f9aaa1d1dfde428e0957459119a797 Mon Sep 17 00:00:00 2001 From: Micheal Wilkinson Date: Fri, 20 Mar 2026 20:40:56 +0000 Subject: [PATCH] feat: add repository-scoped cache token for action binaries Add a new optional cache-token input to both published actions. - Default cache key token is now action_repository + release_tag. - Cache key uses this token plus runner architecture. - prepare-release workflow passes github.sha as a fixed token. This prevents cross-repository cache collisions when consumers pull vociferate binaries produced by this repository. --- .gitea/workflows/prepare-release.yml | 1 + action.yml | 18 +++++++++++++++++- prepare/action.yml | 18 +++++++++++++++++- 3 files changed, 35 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/prepare-release.yml b/.gitea/workflows/prepare-release.yml index cbead5a..343fe0a 100644 --- a/.gitea/workflows/prepare-release.yml +++ b/.gitea/workflows/prepare-release.yml @@ -44,6 +44,7 @@ jobs: with: version: ${{ inputs.version }} token: ${{ secrets.GITHUB_TOKEN }} + cache-token: ${{ github.sha }} - name: Summarize prepared release run: | diff --git a/action.yml b/action.yml index 4abd163..da75bb0 100644 --- a/action.yml +++ b/action.yml @@ -25,6 +25,12 @@ inputs: description: If true, print recommended next release tag. required: false default: 'false' + cache-token: + description: > + Optional fixed cache token used for the downloaded binary cache key. + Defaults to action repository plus release tag. + required: false + default: '' outputs: version: @@ -41,6 +47,8 @@ runs: shell: bash env: ACTION_REF: ${{ github.action_ref }} + ACTION_REPOSITORY: ${{ github.action_repository }} + CACHE_TOKEN_INPUT: ${{ inputs.cache-token }} SERVER_URL: ${{ github.server_url }} API_URL: ${{ github.api_url }} TOKEN: ${{ inputs.token != '' && inputs.token || github.token }} 
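Review bot: The `cache-token` description added under `inputs:` in action.yml does not say that a supplied value replaces the default `action_repository`-plus-release-tag part of the cache key, nor that the value is a cache namespace rather than a credential. It sits next to the `token` input, which does carry a credential, so a caller could plausibly pass a secret here; the value is then written to `$GITHUB_OUTPUT` and embedded in the `actions/cache` key. I would extend the description to something like `Non-secret namespace string for the binary cache key; replaces the default (action repository plus release tag). Do not pass credentials.` The same wording applies to the identical input added in prepare/action.yml (`@@ -48,6 +48,12 @@`).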
@@ -70,10 +78,18 @@ runs: binary_path="${cache_dir}/vociferate" asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}" + provided_cache_token="$(printf '%s' "${CACHE_TOKEN_INPUT:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')" + if [[ -n "$provided_cache_token" ]]; then + cache_token="$provided_cache_token" + else + cache_token="${ACTION_REPOSITORY:-aether/vociferate}-${release_tag}" + fi + mkdir -p "$cache_dir" echo "use_binary=true" >> "$GITHUB_OUTPUT" echo "release_tag=$release_tag" >> "$GITHUB_OUTPUT" + echo "cache_token=$cache_token" >> "$GITHUB_OUTPUT" echo "asset_name=$asset_name" >> "$GITHUB_OUTPUT" echo "asset_url=$asset_url" >> "$GITHUB_OUTPUT" echo "cache_dir=$cache_dir" >> "$GITHUB_OUTPUT" @@ -96,7 +112,7 @@ runs: uses: actions/cache@v4 with: path: ${{ steps.resolve-binary.outputs.cache_dir }} - key: vociferate-${{ steps.resolve-binary.outputs.release_tag }}-linux-${{ runner.arch }} + key: vociferate-${{ steps.resolve-binary.outputs.cache_token }}-linux-${{ runner.arch }} - name: Download vociferate binary if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true' diff --git a/prepare/action.yml b/prepare/action.yml index ac00dcb..adbee0a 100644 --- a/prepare/action.yml +++ b/prepare/action.yml @@ -48,6 +48,12 @@ inputs: custom version-file. required: false default: 'changelog.md release-version' + cache-token: + description: > + Optional fixed cache token used for the downloaded binary cache key. + Defaults to action repository plus release tag. + required: false + default: '' outputs: version: @@ -63,6 +69,8 @@ runs: shell: bash env: ACTION_REF: ${{ github.action_ref }} + ACTION_REPOSITORY: ${{ github.action_repository }} + CACHE_TOKEN_INPUT: ${{ inputs.cache-token }} SERVER_URL: ${{ github.server_url }} API_URL: ${{ github.api_url }} TOKEN: ${{ inputs.token != '' && inputs.token || github.token }} 
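Review bot: The caller-supplied value reaches `echo "cache_token=$cache_token" >> "$GITHUB_OUTPUT"` with only leading and trailing whitespace removed, and `sed` trims per line, so a value containing a line break survives and its extra lines are written as additional `name=value` entries in the step outputs. Later steps read the download URL and cache path from those same outputs; whether any of them can be shadowed depends on write order, part of which is outside this hunk. I would reject anything outside a small allowlist before the first `echo`, for example `[[ "$cache_token" =~ ^[A-Za-z0-9._/-]+$ ]] || { echo "cache-token contains unsupported characters" >&2; exit 1; }`, widening the set if release tags here use other characters. The script body starts and ends outside the hunk, and the identical block in prepare/action.yml (`@@ -88,10 +96,18 @@`) needs the same guard.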
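Review bot: When a caller supplies `cache-token`, the new `key:` on the `actions/cache@v4` step no longer contains the release tag, so a caller who keeps one fixed token across an action upgrade gets a cache hit and the Download step, gated on `cache-hit != 'true'`, is skipped. The binary cached for the older tag would then be run under the new tag, and no integrity check on the restored file is visible in these hunks. Keeping the tag in the key regardless of the input avoids this; the smallest change is in the resolve step, `cache_token="${provided_cache_token}-${release_tag}"`, which leaves this `key:` line as written. The same applies to prepare/action.yml (`@@ -114,7 +130,7 @@`).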
@@ -88,10 +96,18 @@ runs: binary_path="${cache_dir}/vociferate" asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}" + provided_cache_token="$(printf '%s' "${CACHE_TOKEN_INPUT:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')" + if [[ -n "$provided_cache_token" ]]; then + cache_token="$provided_cache_token" + else + cache_token="${ACTION_REPOSITORY:-aether/vociferate}-${release_tag}" + fi + mkdir -p "$cache_dir" echo "use_binary=true" >> "$GITHUB_OUTPUT" echo "release_tag=$release_tag" >> "$GITHUB_OUTPUT" + echo "cache_token=$cache_token" >> "$GITHUB_OUTPUT" echo "asset_name=$asset_name" >> "$GITHUB_OUTPUT" echo "asset_url=$asset_url" >> "$GITHUB_OUTPUT" echo "cache_dir=$cache_dir" >> "$GITHUB_OUTPUT" @@ -114,7 +130,7 @@ runs: uses: actions/cache@v4 with: path: ${{ steps.resolve-binary.outputs.cache_dir }} - key: vociferate-${{ steps.resolve-binary.outputs.release_tag }}-linux-${{ runner.arch }} + key: vociferate-${{ steps.resolve-binary.outputs.cache_token }}-linux-${{ runner.arch }} - name: Download vociferate binary if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true'