feat: add repository-scoped cache token for action binaries

Add a new optional cache-token input to both published actions.

- Default cache key token is now action_repository + release_tag.
- Cache key uses this token plus runner architecture.
- prepare-release workflow passes github.sha as a fixed token.

This prevents cross-repository cache collisions when consumers pull
vociferate binaries produced by this repository.
Micheal Wilkinson
2026-03-20 20:40:56 +00:00
parent dda898868f
commit 011cca2334
3 changed files with 35 additions and 2 deletions


@@ -48,6 +48,12 @@ inputs:
custom version-file.
required: false
default: 'changelog.md release-version'
cache-token:
description: >
Optional fixed cache token used for the downloaded binary cache key.
Defaults to action repository plus release tag.
required: false
default: ''
outputs:
version:
@@ -63,6 +69,8 @@ runs:
shell: bash
env:
ACTION_REF: ${{ github.action_ref }}
ACTION_REPOSITORY: ${{ github.action_repository }}
CACHE_TOKEN_INPUT: ${{ inputs.cache-token }}
SERVER_URL: ${{ github.server_url }}
API_URL: ${{ github.api_url }}
TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
@@ -88,10 +96,18 @@ runs:
binary_path="${cache_dir}/vociferate"
asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}"
provided_cache_token="$(printf '%s' "${CACHE_TOKEN_INPUT:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
if [[ -n "$provided_cache_token" ]]; then
cache_token="$provided_cache_token"
else
cache_token="${ACTION_REPOSITORY:-aether/vociferate}-${release_tag}"
fi
mkdir -p "$cache_dir"
echo "use_binary=true" >> "$GITHUB_OUTPUT"
echo "release_tag=$release_tag" >> "$GITHUB_OUTPUT"
echo "cache_token=$cache_token" >> "$GITHUB_OUTPUT"
echo "asset_name=$asset_name" >> "$GITHUB_OUTPUT"
echo "asset_url=$asset_url" >> "$GITHUB_OUTPUT"
echo "cache_dir=$cache_dir" >> "$GITHUB_OUTPUT"
@@ -114,7 +130,7 @@ runs:
uses: actions/cache@v4
with:
path: ${{ steps.resolve-binary.outputs.cache_dir }}
key: vociferate-${{ steps.resolve-binary.outputs.release_tag }}-linux-${{ runner.arch }}
key: vociferate-${{ steps.resolve-binary.outputs.cache_token }}-linux-${{ runner.arch }}
- name: Download vociferate binary
if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true'
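Review bot: In the resolve step, `cache_token` is written to `$GITHUB_OUTPUT` after only leading and trailing whitespace is trimmed, and `sed` trims per line, so a `cache-token` value with an embedded newline would add extra output entries, and every other character reaches the cache key unchanged. Because a consumer may fill this input from workflow context, I would reject anything outside a small character set before the `if`, for example `[[ "$provided_cache_token" =~ ^[A-Za-z0-9._/-]*$ ]] || { echo "invalid cache-token" >&2; exit 1; }`. Separately, once a token is supplied the release tag drops out of the `actions/cache` key, so a consumer with a fixed token keeps restoring the binary cached for an earlier tag; keeping both avoids that, as in `key: vociferate-${{ steps.resolve-binary.outputs.cache_token }}-${{ steps.resolve-binary.outputs.release_tag }}-linux-${{ runner.arch }}`. The step's script starts and ends outside the visible hunks, so whether the restored binary is checksum-verified before it runs cannot be confirmed from here.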