From bab7b74da8208930c48ce58dfb38948b448c3e95 Mon Sep 17 00:00:00 2001 From: Micheal Wilkinson Date: Fri, 20 Mar 2026 20:47:19 +0000 Subject: [PATCH] refactor: internalize auth and cache token wiring in prepare flow - Remove token and cache-token from public action inputs - Always use github.token internally for downloads/push - Read fixed cache token from VOCIFERATE_CACHE_TOKEN env - Add explicit 'Resolve cache token' step before prepare/tag in prepare-release workflow and pass it via env --- .gitea/workflows/prepare-release.yml | 8 ++++++-- action.yml | 18 ++++-------------- prepare/action.yml | 22 +++++----------------- 3 files changed, 15 insertions(+), 33 deletions(-) diff --git a/.gitea/workflows/prepare-release.yml b/.gitea/workflows/prepare-release.yml index 343fe0a..d7cf9b3 100644 --- a/.gitea/workflows/prepare-release.yml +++ b/.gitea/workflows/prepare-release.yml @@ -38,13 +38,17 @@ jobs: - name: Run tests run: go test ./... + - name: Resolve cache token + id: cache-token + run: echo "value=${GITHUB_SHA}" >> "$GITHUB_OUTPUT" + - name: Prepare and tag release id: prepare uses: ./prepare + env: + VOCIFERATE_CACHE_TOKEN: ${{ steps.cache-token.outputs.value }} with: version: ${{ inputs.version }} - token: ${{ secrets.GITHUB_TOKEN }} - cache-token: ${{ github.sha }} - name: Summarize prepared release run: | diff --git a/action.yml b/action.yml index da75bb0..ee0b1d7 100644 --- a/action.yml +++ b/action.yml @@ -2,10 +2,6 @@ name: vociferate description: Prepare release files or recommend a next semantic version tag. inputs: - token: - description: Optional token used to download the cached vociferate release binary. When omitted, the workflow token is used. - required: false - default: '' version: description: Optional semantic version override. When omitted, the recommended version is used. required: false 
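Review bot: The `Resolve cache token` step only copies `GITHUB_SHA` into a step output, so it adds a step to audit without changing the value; `VOCIFERATE_CACHE_TOKEN: ${{ github.sha }}` in the `env:` of `Prepare and tag release` would be equivalent. Whichever form is kept, a comment such as `# read by ./prepare as the token for the vociferate binary cache key` would help, because nothing under `with:` now shows that the action consumes this variable. The wiring also relies on the runner exposing a `uses:` step's `env:` to the composite action's `env` context, which is worth confirming on the Gitea runner in use.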
@@ -25,12 +21,6 @@ inputs: description: If true, print recommended next release tag. required: false default: 'false' - cache-token: - description: > - Optional fixed cache token used for the downloaded binary cache key. - Defaults to action repository plus release tag. - required: false - default: '' outputs: version: @@ -48,10 +38,10 @@ runs: env: ACTION_REF: ${{ github.action_ref }} ACTION_REPOSITORY: ${{ github.action_repository }} - CACHE_TOKEN_INPUT: ${{ inputs.cache-token }} + CACHE_TOKEN: ${{ env.VOCIFERATE_CACHE_TOKEN }} SERVER_URL: ${{ github.server_url }} API_URL: ${{ github.api_url }} - TOKEN: ${{ inputs.token != '' && inputs.token || github.token }} + TOKEN: ${{ github.token }} RUNNER_ARCH: ${{ runner.arch }} RUNNER_TEMP: ${{ runner.temp }} run: | @@ -78,7 +68,7 @@ runs: binary_path="${cache_dir}/vociferate" asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}" - provided_cache_token="$(printf '%s' "${CACHE_TOKEN_INPUT:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')" + provided_cache_token="$(printf '%s' "${CACHE_TOKEN:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')" if [[ -n "$provided_cache_token" ]]; then cache_token="$provided_cache_token" else @@ -118,7 +108,7 @@ runs: if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true' shell: bash env: - TOKEN: ${{ inputs.token != '' && inputs.token || github.token }} + TOKEN: ${{ github.token }} ASSET_URL: ${{ steps.resolve-binary.outputs.asset_url }} BINARY_PATH: ${{ steps.resolve-binary.outputs.binary_path }} run: | diff --git a/prepare/action.yml b/prepare/action.yml index adbee0a..4c41e3f 100644 --- a/prepare/action.yml +++ b/prepare/action.yml 
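Review bot: `CACHE_TOKEN: ${{ env.VOCIFERATE_CACHE_TOKEN }}` in the `@@ -48,10 +38,10 @@` hunk makes the cache key token an ambient environment variable that is not declared in the action's interface. Anything that sets that variable earlier in the caller's job can therefore influence which cache entry the binary is restored from, not only the caller's workflow file. The value is only whitespace-trimmed in the `@@ -78,7 +68,7 @@` hunk, so it would be safer to constrain it after the trim, e.g. `[[ "$provided_cache_token" =~ ^[A-Za-z0-9._-]+$ ]] || provided_cache_token=''`, and to name the variable in the action `description`. The same two changes appear in the `@@ -70,10 +58,10 @@` and `@@ -96,7 +84,7 @@` hunks of `prepare/action.yml`. The `run:` body of the step continues outside these hunks.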
@@ -4,12 +4,6 @@ description: > The repository must be checked out before this action runs. inputs: - token: - description: > - Token used to download the vociferate binary and to push the release - commit and tag. Defaults to the workflow token. - required: false - default: '' version: description: > Optional semantic version override (with or without leading v). When @@ -48,12 +42,6 @@ inputs: custom version-file. required: false default: 'changelog.md release-version' - cache-token: - description: > - Optional fixed cache token used for the downloaded binary cache key. - Defaults to action repository plus release tag. - required: false - default: '' outputs: version: @@ -70,10 +58,10 @@ runs: env: ACTION_REF: ${{ github.action_ref }} ACTION_REPOSITORY: ${{ github.action_repository }} - CACHE_TOKEN_INPUT: ${{ inputs.cache-token }} + CACHE_TOKEN: ${{ env.VOCIFERATE_CACHE_TOKEN }} SERVER_URL: ${{ github.server_url }} API_URL: ${{ github.api_url }} - TOKEN: ${{ inputs.token != '' && inputs.token || github.token }} + TOKEN: ${{ github.token }} RUNNER_ARCH: ${{ runner.arch }} RUNNER_TEMP: ${{ runner.temp }} run: | @@ -96,7 +84,7 @@ runs: binary_path="${cache_dir}/vociferate" asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}" - provided_cache_token="$(printf '%s' "${CACHE_TOKEN_INPUT:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')" + provided_cache_token="$(printf '%s' "${CACHE_TOKEN:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')" if [[ -n "$provided_cache_token" ]]; then cache_token="$provided_cache_token" else @@ -136,7 +124,7 @@ runs: if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true' shell: bash env: - TOKEN: ${{ inputs.token != '' && inputs.token || github.token }} + TOKEN: ${{ github.token }} ASSET_URL: ${{ steps.resolve-binary.outputs.asset_url }} BINARY_PATH: ${{ steps.resolve-binary.outputs.binary_path }} run: | 
@@ -194,7 +182,7 @@ runs: - name: Commit and push release shell: bash env: - TOKEN: ${{ inputs.token != '' && inputs.token || github.token }} + TOKEN: ${{ github.token }} GIT_USER_NAME: ${{ inputs.git-user-name }} GIT_USER_EMAIL: ${{ inputs.git-user-email }} GIT_ADD_FILES: ${{ inputs.git-add-files }}
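Review bot: The push credential for `Commit and push release` is now fixed to `github.token`, so a caller can no longer hand this step a separately scoped credential and must instead give the job-wide workflow token push rights, which every other step in the job then shares. Callers that still pass `token:` will presumably have it ignored rather than rejected, so the change in which identity pushes the release commit and tag may go unnoticed. A sentence in the action `description` stating that the workflow token is used and needs write access to repository contents would make the requirement explicit. The same substitution is made in the resolve and download steps of `action.yml` and earlier in this file, where only read access should be needed. The step's `run:` body is outside the hunk.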