From d8d8de3f8493f20fbd3548c354532836818c76cd Mon Sep 17 00:00:00 2001 From: Ryan Northey Date: Fri, 13 Oct 2023 09:27:38 +0100 Subject: [PATCH 1/2] github/publishing: Fix appauth condition Signed-off-by: Ryan Northey --- .github/workflows/_ci.yml | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/workflows/_ci.yml b/.github/workflows/_ci.yml index 829143c8857e6..9feddc9eeb843 100644 --- a/.github/workflows/_ci.yml +++ b/.github/workflows/_ci.yml @@ -2,6 +2,9 @@ name: Envoy CI on: workflow_call: + secrets: + app_id: + app_key: inputs: target: required: true @@ -76,10 +79,6 @@ on: env: type: string - secrets: - app_id: - app_key: - concurrency: group: | ${{ github.actor != 'trigger-release-envoy[bot]' @@ -100,7 +99,13 @@ jobs: with: image_tag: ${{ inputs.cache_build_image }} - - if: ${{ inputs.trusted && secrets.app_id && secrets.app_key }} + - name: Check workflow context + id: context + run: | + if [[ "${{ inputs.trusted }}" != "false" && -n "${{ secrets.app_id }}" && -n "${{ secrets.app_key }}" ]]; then + echo "use_appauth=true" >> $GITHUB_OUTPUT + fi + - if: ${{ steps.context.outputs.use_appauth == 'true' }} name: Fetch token for app auth id: appauth uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.0.18 From b1c05362be7d8d13fc6f2929b973143b83f2d789 Mon Sep 17 00:00:00 2001 From: Ryan Northey Date: Fri, 13 Oct 2023 09:37:52 +0100 Subject: [PATCH 2/2] pr-feedback Signed-off-by: Ryan Northey --- .github/workflows/_ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/_ci.yml b/.github/workflows/_ci.yml index 9feddc9eeb843..ada5352d19b08 100644 --- a/.github/workflows/_ci.yml +++ b/.github/workflows/_ci.yml @@ -121,7 +121,7 @@ jobs: # If this is set, then anything before or after in the job should be regarded as # compromised. ref: ${{ ! inputs.trusted && inputs.repo_ref || '' }} - token: ${{ (inputs.trusted && secrets.app_id && secrets.app_key) && steps.appauth.outputs.token || secrets.GITHUB_TOKEN }} + token: ${{ steps.context.outputs.use_appauth == 'true' && steps.appauth.outputs.token || secrets.GITHUB_TOKEN }} # If we are in a trusted CI run then the provided commit _must_ be either the latest for # this branch, or an antecdent.