aether/vociferate
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 7 Wiki Activity

refactor: internalize auth and cache token wiring in prepare flow

Browse Source 
- Remove token and cache-token from public action inputs
- Always use github.token internally for downloads/push
- Read fixed cache token from VOCIFERATE_CACHE_TOKEN env
- Add explicit 'Resolve cache token' step before prepare/tag in
  prepare-release workflow and pass it via env
This commit is contained in:
Micheal Wilkinson
2026-03-20 20:47:19 +00:00
parent 1b7281c168
commit bab7b74da8
3 changed files with 15 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.gitea/workflows/prepare-release.yml
View File

@@ -38,13 +38,17 @@ jobs:
- name: Run tests - name: Run tests
run: go test ./... run: go test ./...
- name: Resolve cache token
id: cache-token
run: echo "value=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
- name: Prepare and tag release - name: Prepare and tag release
id: prepare id: prepare
uses: ./prepare uses: ./prepare
env:
VOCIFERATE_CACHE_TOKEN: ${{ steps.cache-token.outputs.value }}
with: with:
version: ${{ inputs.version }} version: ${{ inputs.version }}
token: ${{ secrets.GITHUB_TOKEN }}
cache-token: ${{ github.sha }}
- name: Summarize prepared release - name: Summarize prepared release
run: | run: |

18
action.yml
View File

@@ -2,10 +2,6 @@ name: vociferate
description: Prepare release files or recommend a next semantic version tag. description: Prepare release files or recommend a next semantic version tag.
inputs: inputs:
token:
description: Optional token used to download the cached vociferate release binary. When omitted, the workflow token is used.
required: false
default: ''
version: version:
description: Optional semantic version override. When omitted, the recommended version is used. description: Optional semantic version override. When omitted, the recommended version is used.
required: false required: false
@@ -25,12 +21,6 @@ inputs:
description: If true, print recommended next release tag. description: If true, print recommended next release tag.
required: false required: false
default: 'false' default: 'false'
cache-token:
description: >
Optional fixed cache token used for the downloaded binary cache key.
Defaults to action repository plus release tag.
required: false
default: ''
outputs: outputs:
version: version:
@@ -48,10 +38,10 @@ runs:
env: env:
ACTION_REF: ${{ github.action_ref }} ACTION_REF: ${{ github.action_ref }}
ACTION_REPOSITORY: ${{ github.action_repository }} ACTION_REPOSITORY: ${{ github.action_repository }}
CACHE_TOKEN_INPUT: ${{ inputs.cache-token }} CACHE_TOKEN: ${{ env.VOCIFERATE_CACHE_TOKEN }}
SERVER_URL: ${{ github.server_url }} SERVER_URL: ${{ github.server_url }}
API_URL: ${{ github.api_url }} API_URL: ${{ github.api_url }}
TOKEN: ${{ inputs.token != '' && inputs.token || github.token }} TOKEN: ${{ github.token }}
RUNNER_ARCH: ${{ runner.arch }} RUNNER_ARCH: ${{ runner.arch }}
RUNNER_TEMP: ${{ runner.temp }} RUNNER_TEMP: ${{ runner.temp }}
run: | run: |
@@ -78,7 +68,7 @@ runs:
binary_path="${cache_dir}/vociferate" binary_path="${cache_dir}/vociferate"
asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}" asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}"
provided_cache_token="$(printf '%s' "${CACHE_TOKEN_INPUT:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')" provided_cache_token="$(printf '%s' "${CACHE_TOKEN:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
if [[ -n "$provided_cache_token" ]]; then if [[ -n "$provided_cache_token" ]]; then
cache_token="$provided_cache_token" cache_token="$provided_cache_token"
else else
@@ -118,7 +108,7 @@ runs:
if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true' if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true'
shell: bash shell: bash
env: env:
TOKEN: ${{ inputs.token != '' && inputs.token || github.token }} TOKEN: ${{ github.token }}
ASSET_URL: ${{ steps.resolve-binary.outputs.asset_url }} ASSET_URL: ${{ steps.resolve-binary.outputs.asset_url }}
BINARY_PATH: ${{ steps.resolve-binary.outputs.binary_path }} BINARY_PATH: ${{ steps.resolve-binary.outputs.binary_path }}
run: | run: |

22
prepare/action.yml
View File

@@ -4,12 +4,6 @@ description: >
The repository must be checked out before this action runs. The repository must be checked out before this action runs.
inputs: inputs:
token:
description: >
Token used to download the vociferate binary and to push the release
commit and tag. Defaults to the workflow token.
required: false
default: ''
version: version:
description: > description: >
Optional semantic version override (with or without leading v). When Optional semantic version override (with or without leading v). When
@@ -48,12 +42,6 @@ inputs:
custom version-file. custom version-file.
required: false required: false
default: 'changelog.md release-version' default: 'changelog.md release-version'
cache-token:
description: >
Optional fixed cache token used for the downloaded binary cache key.
Defaults to action repository plus release tag.
required: false
default: ''
outputs: outputs:
version: version:
@@ -70,10 +58,10 @@ runs:
env: env:
ACTION_REF: ${{ github.action_ref }} ACTION_REF: ${{ github.action_ref }}
ACTION_REPOSITORY: ${{ github.action_repository }} ACTION_REPOSITORY: ${{ github.action_repository }}
CACHE_TOKEN_INPUT: ${{ inputs.cache-token }} CACHE_TOKEN: ${{ env.VOCIFERATE_CACHE_TOKEN }}
SERVER_URL: ${{ github.server_url }} SERVER_URL: ${{ github.server_url }}
API_URL: ${{ github.api_url }} API_URL: ${{ github.api_url }}
TOKEN: ${{ inputs.token != '' && inputs.token || github.token }} TOKEN: ${{ github.token }}
RUNNER_ARCH: ${{ runner.arch }} RUNNER_ARCH: ${{ runner.arch }}
RUNNER_TEMP: ${{ runner.temp }} RUNNER_TEMP: ${{ runner.temp }}
run: | run: |
@@ -96,7 +84,7 @@ runs:
binary_path="${cache_dir}/vociferate" binary_path="${cache_dir}/vociferate"
asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}" asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}"
provided_cache_token="$(printf '%s' "${CACHE_TOKEN_INPUT:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')" provided_cache_token="$(printf '%s' "${CACHE_TOKEN:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
if [[ -n "$provided_cache_token" ]]; then if [[ -n "$provided_cache_token" ]]; then
cache_token="$provided_cache_token" cache_token="$provided_cache_token"
else else
@@ -136,7 +124,7 @@ runs:
if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true' if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true'
shell: bash shell: bash
env: env:
TOKEN: ${{ inputs.token != '' && inputs.token || github.token }} TOKEN: ${{ github.token }}
ASSET_URL: ${{ steps.resolve-binary.outputs.asset_url }} ASSET_URL: ${{ steps.resolve-binary.outputs.asset_url }}
BINARY_PATH: ${{ steps.resolve-binary.outputs.binary_path }} BINARY_PATH: ${{ steps.resolve-binary.outputs.binary_path }}
run: | run: |
@@ -194,7 +182,7 @@ runs:
- name: Commit and push release - name: Commit and push release
shell: bash shell: bash
env: env:
TOKEN: ${{ inputs.token != '' && inputs.token || github.token }} TOKEN: ${{ github.token }}
GIT_USER_NAME: ${{ inputs.git-user-name }} GIT_USER_NAME: ${{ inputs.git-user-name }}
GIT_USER_EMAIL: ${{ inputs.git-user-email }} GIT_USER_EMAIL: ${{ inputs.git-user-email }}
GIT_ADD_FILES: ${{ inputs.git-add-files }} GIT_ADD_FILES: ${{ inputs.git-add-files }}