aether/vociferate
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 7 Wiki Activity

feat: add repository-scoped cache token for action binaries

Browse Source 
Add a new optional cache-token input to both published actions.

- Default cache key token is now action_repository + release_tag.
- Cache key uses this token plus runner architecture.
- prepare-release workflow passes github.sha as a fixed token.

This prevents cross-repository cache collisions when consumers pull
vociferate binaries produced by this repository.
This commit is contained in:
Micheal Wilkinson
2026-03-20 20:40:56 +00:00
parent dda898868f
commit 011cca2334
3 changed files with 35 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitea/workflows/prepare-release.yml
View File

@@ -44,6 +44,7 @@ jobs:
with: with:
version: ${{ inputs.version }} version: ${{ inputs.version }}
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
cache-token: ${{ github.sha }}
- name: Summarize prepared release - name: Summarize prepared release
run: | run: |

18
action.yml
View File

@@ -25,6 +25,12 @@ inputs:
description: If true, print recommended next release tag. description: If true, print recommended next release tag.
required: false required: false
default: 'false' default: 'false'
cache-token:
description: >
Optional fixed cache token used for the downloaded binary cache key.
Defaults to action repository plus release tag.
required: false
default: ''
outputs: outputs:
version: version:
@@ -41,6 +47,8 @@ runs:
shell: bash shell: bash
env: env:
ACTION_REF: ${{ github.action_ref }} ACTION_REF: ${{ github.action_ref }}
ACTION_REPOSITORY: ${{ github.action_repository }}
CACHE_TOKEN_INPUT: ${{ inputs.cache-token }}
SERVER_URL: ${{ github.server_url }} SERVER_URL: ${{ github.server_url }}
API_URL: ${{ github.api_url }} API_URL: ${{ github.api_url }}
TOKEN: ${{ inputs.token != '' && inputs.token || github.token }} TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
@@ -70,10 +78,18 @@ runs:
binary_path="${cache_dir}/vociferate" binary_path="${cache_dir}/vociferate"
asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}" asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}"
provided_cache_token="$(printf '%s' "${CACHE_TOKEN_INPUT:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
if [[ -n "$provided_cache_token" ]]; then
cache_token="$provided_cache_token"
else
cache_token="${ACTION_REPOSITORY:-aether/vociferate}-${release_tag}"
fi
mkdir -p "$cache_dir" mkdir -p "$cache_dir"
echo "use_binary=true" >> "$GITHUB_OUTPUT" echo "use_binary=true" >> "$GITHUB_OUTPUT"
echo "release_tag=$release_tag" >> "$GITHUB_OUTPUT" echo "release_tag=$release_tag" >> "$GITHUB_OUTPUT"
echo "cache_token=$cache_token" >> "$GITHUB_OUTPUT"
echo "asset_name=$asset_name" >> "$GITHUB_OUTPUT" echo "asset_name=$asset_name" >> "$GITHUB_OUTPUT"
echo "asset_url=$asset_url" >> "$GITHUB_OUTPUT" echo "asset_url=$asset_url" >> "$GITHUB_OUTPUT"
echo "cache_dir=$cache_dir" >> "$GITHUB_OUTPUT" echo "cache_dir=$cache_dir" >> "$GITHUB_OUTPUT"
@@ -96,7 +112,7 @@ runs:
uses: actions/cache@v4 uses: actions/cache@v4
with: with:
path: ${{ steps.resolve-binary.outputs.cache_dir }} path: ${{ steps.resolve-binary.outputs.cache_dir }}
key: vociferate-${{ steps.resolve-binary.outputs.release_tag }}-linux-${{ runner.arch }} key: vociferate-${{ steps.resolve-binary.outputs.cache_token }}-linux-${{ runner.arch }}
- name: Download vociferate binary - name: Download vociferate binary
if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true' if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true'

18
prepare/action.yml
View File

@@ -48,6 +48,12 @@ inputs:
custom version-file. custom version-file.
required: false required: false
default: 'changelog.md release-version' default: 'changelog.md release-version'
cache-token:
description: >
Optional fixed cache token used for the downloaded binary cache key.
Defaults to action repository plus release tag.
required: false
default: ''
outputs: outputs:
version: version:
@@ -63,6 +69,8 @@ runs:
shell: bash shell: bash
env: env:
ACTION_REF: ${{ github.action_ref }} ACTION_REF: ${{ github.action_ref }}
ACTION_REPOSITORY: ${{ github.action_repository }}
CACHE_TOKEN_INPUT: ${{ inputs.cache-token }}
SERVER_URL: ${{ github.server_url }} SERVER_URL: ${{ github.server_url }}
API_URL: ${{ github.api_url }} API_URL: ${{ github.api_url }}
TOKEN: ${{ inputs.token != '' && inputs.token || github.token }} TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
@@ -88,10 +96,18 @@ runs:
binary_path="${cache_dir}/vociferate" binary_path="${cache_dir}/vociferate"
asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}" asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}"
provided_cache_token="$(printf '%s' "${CACHE_TOKEN_INPUT:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
if [[ -n "$provided_cache_token" ]]; then
cache_token="$provided_cache_token"
else
cache_token="${ACTION_REPOSITORY:-aether/vociferate}-${release_tag}"
fi
mkdir -p "$cache_dir" mkdir -p "$cache_dir"
echo "use_binary=true" >> "$GITHUB_OUTPUT" echo "use_binary=true" >> "$GITHUB_OUTPUT"
echo "release_tag=$release_tag" >> "$GITHUB_OUTPUT" echo "release_tag=$release_tag" >> "$GITHUB_OUTPUT"
echo "cache_token=$cache_token" >> "$GITHUB_OUTPUT"
echo "asset_name=$asset_name" >> "$GITHUB_OUTPUT" echo "asset_name=$asset_name" >> "$GITHUB_OUTPUT"
echo "asset_url=$asset_url" >> "$GITHUB_OUTPUT" echo "asset_url=$asset_url" >> "$GITHUB_OUTPUT"
echo "cache_dir=$cache_dir" >> "$GITHUB_OUTPUT" echo "cache_dir=$cache_dir" >> "$GITHUB_OUTPUT"
@@ -114,7 +130,7 @@ runs:
uses: actions/cache@v4 uses: actions/cache@v4
with: with:
path: ${{ steps.resolve-binary.outputs.cache_dir }} path: ${{ steps.resolve-binary.outputs.cache_dir }}
key: vociferate-${{ steps.resolve-binary.outputs.release_tag }}-linux-${{ runner.arch }} key: vociferate-${{ steps.resolve-binary.outputs.cache_token }}-linux-${{ runner.arch }}
- name: Download vociferate binary - name: Download vociferate binary
if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true' if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true'