refactor: internalize auth and cache token wiring in prepare flow
- Remove token and cache-token from public action inputs - Always use github.token internally for downloads/push - Read fixed cache token from VOCIFERATE_CACHE_TOKEN env - Add explicit 'Resolve cache token' step before prepare/tag in prepare-release workflow and pass it via env
This commit is contained in:
Micheal Wilkinson
@@ -38,13 +38,17 @@ jobs:
|
||||
- name: Run tests
|
||||
run: go test ./...
|
||||
|
||||
- name: Resolve cache token
|
||||
id: cache-token
|
||||
run: echo "value=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Prepare and tag release
|
||||
id: prepare
|
||||
uses: ./prepare
|
||||
env:
|
||||
VOCIFERATE_CACHE_TOKEN: ${{ steps.cache-token.outputs.value }}
|
||||
with:
|
||||
version: ${{ inputs.version }}
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
cache-token: ${{ github.sha }}
|
||||
|
||||
- name: Summarize prepared release
|
||||
run: |
|
||||
|
||||
18
action.yml
18
action.yml
@@ -2,10 +2,6 @@ name: vociferate
|
||||
description: Prepare release files or recommend a next semantic version tag.
|
||||
|
||||
inputs:
|
||||
token:
|
||||
description: Optional token used to download the cached vociferate release binary. When omitted, the workflow token is used.
|
||||
required: false
|
||||
default: ''
|
||||
version:
|
||||
description: Optional semantic version override. When omitted, the recommended version is used.
|
||||
required: false
|
||||
@@ -25,12 +21,6 @@ inputs:
|
||||
description: If true, print recommended next release tag.
|
||||
required: false
|
||||
default: 'false'
|
||||
cache-token:
|
||||
description: >
|
||||
Optional fixed cache token used for the downloaded binary cache key.
|
||||
Defaults to action repository plus release tag.
|
||||
required: false
|
||||
default: ''
|
||||
|
||||
outputs:
|
||||
version:
|
||||
@@ -48,10 +38,10 @@ runs:
|
||||
env:
|
||||
ACTION_REF: ${{ github.action_ref }}
|
||||
ACTION_REPOSITORY: ${{ github.action_repository }}
|
||||
CACHE_TOKEN_INPUT: ${{ inputs.cache-token }}
|
||||
CACHE_TOKEN: ${{ env.VOCIFERATE_CACHE_TOKEN }}
|
||||
SERVER_URL: ${{ github.server_url }}
|
||||
API_URL: ${{ github.api_url }}
|
||||
TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
|
||||
TOKEN: ${{ github.token }}
|
||||
RUNNER_ARCH: ${{ runner.arch }}
|
||||
RUNNER_TEMP: ${{ runner.temp }}
|
||||
run: |
|
||||
@@ -78,7 +68,7 @@ runs:
|
||||
binary_path="${cache_dir}/vociferate"
|
||||
asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}"
|
||||
|
||||
provided_cache_token="$(printf '%s' "${CACHE_TOKEN_INPUT:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
|
||||
provided_cache_token="$(printf '%s' "${CACHE_TOKEN:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
|
||||
if [[ -n "$provided_cache_token" ]]; then
|
||||
cache_token="$provided_cache_token"
|
||||
else
|
||||
@@ -118,7 +108,7 @@ runs:
|
||||
if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true'
|
||||
shell: bash
|
||||
env:
|
||||
TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
|
||||
TOKEN: ${{ github.token }}
|
||||
ASSET_URL: ${{ steps.resolve-binary.outputs.asset_url }}
|
||||
BINARY_PATH: ${{ steps.resolve-binary.outputs.binary_path }}
|
||||
run: |
|
||||
|
||||
@@ -4,12 +4,6 @@ description: >
|
||||
The repository must be checked out before this action runs.
|
||||
|
||||
inputs:
|
||||
token:
|
||||
description: >
|
||||
Token used to download the vociferate binary and to push the release
|
||||
commit and tag. Defaults to the workflow token.
|
||||
required: false
|
||||
default: ''
|
||||
version:
|
||||
description: >
|
||||
Optional semantic version override (with or without leading v). When
|
||||
@@ -48,12 +42,6 @@ inputs:
|
||||
custom version-file.
|
||||
required: false
|
||||
default: 'changelog.md release-version'
|
||||
cache-token:
|
||||
description: >
|
||||
Optional fixed cache token used for the downloaded binary cache key.
|
||||
Defaults to action repository plus release tag.
|
||||
required: false
|
||||
default: ''
|
||||
|
||||
outputs:
|
||||
version:
|
||||
@@ -70,10 +58,10 @@ runs:
|
||||
env:
|
||||
ACTION_REF: ${{ github.action_ref }}
|
||||
ACTION_REPOSITORY: ${{ github.action_repository }}
|
||||
CACHE_TOKEN_INPUT: ${{ inputs.cache-token }}
|
||||
CACHE_TOKEN: ${{ env.VOCIFERATE_CACHE_TOKEN }}
|
||||
SERVER_URL: ${{ github.server_url }}
|
||||
API_URL: ${{ github.api_url }}
|
||||
TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
|
||||
TOKEN: ${{ github.token }}
|
||||
RUNNER_ARCH: ${{ runner.arch }}
|
||||
RUNNER_TEMP: ${{ runner.temp }}
|
||||
run: |
|
||||
@@ -96,7 +84,7 @@ runs:
|
||||
binary_path="${cache_dir}/vociferate"
|
||||
asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}"
|
||||
|
||||
provided_cache_token="$(printf '%s' "${CACHE_TOKEN_INPUT:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
|
||||
provided_cache_token="$(printf '%s' "${CACHE_TOKEN:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
|
||||
if [[ -n "$provided_cache_token" ]]; then
|
||||
cache_token="$provided_cache_token"
|
||||
else
|
||||
@@ -136,7 +124,7 @@ runs:
|
||||
if: steps.resolve-binary.outputs.use_binary == 'true' && steps.cache-vociferate.outputs.cache-hit != 'true'
|
||||
shell: bash
|
||||
env:
|
||||
TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
|
||||
TOKEN: ${{ github.token }}
|
||||
ASSET_URL: ${{ steps.resolve-binary.outputs.asset_url }}
|
||||
BINARY_PATH: ${{ steps.resolve-binary.outputs.binary_path }}
|
||||
run: |
|
||||
@@ -194,7 +182,7 @@ runs:
|
||||
- name: Commit and push release
|
||||
shell: bash
|
||||
env:
|
||||
TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
|
||||
TOKEN: ${{ github.token }}
|
||||
GIT_USER_NAME: ${{ inputs.git-user-name }}
|
||||
GIT_USER_EMAIL: ${{ inputs.git-user-email }}
|
||||
GIT_ADD_FILES: ${{ inputs.git-add-files }}
|
||||
|
||||
Reference in New Issue
Block a user