refactor: internalize auth and cache token wiring in prepare flow

- Remove token and cache-token from public action inputs - Always use github.token internally for downloads/push - Read fixed cache token from VOCIFERATE_CACHE_TOKEN env - Add explicit 'Resolve cache token' step before prepare/tag in prepare-release workflow and pass it via env
2026-03-20 20:47:19 +00:00
parent 1b7281c168
commit bab7b74da8
3 changed files with 15 additions and 33 deletions
--- a/prepare/action.yml
+++ b/prepare/action.yml
@@ -4,12 +4,6 @@ description: >
  The repository must be checked out before this action runs.

 inputs:
-  token:
-    description: >
-      Token used to download the vociferate binary and to push the release
-      commit and tag. Defaults to the workflow token.
-    required: false
-    default: ''
  version:
    description: >
      Optional semantic version override (with or without leading v). When
@@ -48,12 +42,6 @@ inputs:
      custom version-file.
    required: false
    default: 'changelog.md release-version'
-  cache-token:
-    description: >
-      Optional fixed cache token used for the downloaded binary cache key.
-      Defaults to action repository plus release tag.
-    required: false
-    default: ''

 outputs:
  version:
@@ -70,10 +58,10 @@ runs:
      env:
        ACTION_REF: ${{ github.action_ref }}
        ACTION_REPOSITORY: ${{ github.action_repository }}
-        CACHE_TOKEN_INPUT: ${{ inputs.cache-token }}
+        CACHE_TOKEN: ${{ env.VOCIFERATE_CACHE_TOKEN }}
        SERVER_URL: ${{ github.server_url }}
        API_URL: ${{ github.api_url }}
-        TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
+        TOKEN: ${{ github.token }}
        RUNNER_ARCH: ${{ runner.arch }}
        RUNNER_TEMP: ${{ runner.temp }}
      run: |
@@ -96,7 +84,7 @@ runs:
          binary_path="${cache_dir}/vociferate"
          asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}"

-          provided_cache_token="$(printf '%s' "${CACHE_TOKEN_INPUT:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
+          provided_cache_token="$(printf '%s' "${CACHE_TOKEN:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
          if [[ -n "$provided_cache_token" ]]; then
            cache_token="$provided_cache_token"
          else
@@ -136,7 +124,7 @@ runs:
      if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true'
      shell: bash
      env:
-        TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
+        TOKEN: ${{ github.token }}
        ASSET_URL: ${{ steps.resolve-binary.outputs.asset_url }}
        BINARY_PATH: ${{ steps.resolve-binary.outputs.binary_path }}
      run: |
@@ -194,7 +182,7 @@ runs:
    - name: Commit and push release
      shell: bash
      env:
-        TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
+        TOKEN: ${{ github.token }}
        GIT_USER_NAME: ${{ inputs.git-user-name }}
        GIT_USER_EMAIL: ${{ inputs.git-user-email }}
        GIT_ADD_FILES: ${{ inputs.git-add-files }}