Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 11 additions & 6 deletions .github/workflows/_ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@ name: Envoy CI

on:
workflow_call:
secrets:
app_id:
app_key:
inputs:
target:
required: true
Expand Down Expand Up @@ -76,10 +79,6 @@ on:
env:
type: string

secrets:
app_id:
app_key:

concurrency:
group: |
${{ github.actor != 'trigger-release-envoy[bot]'
Expand All @@ -100,7 +99,13 @@ jobs:
with:
image_tag: ${{ inputs.cache_build_image }}

- if: ${{ inputs.trusted && secrets.app_id && secrets.app_key }}
- name: Check workflow context
id: context
run: |
if [[ "${{ inputs.trusted }}" != "false" && -n "${{ secrets.app_id }}" && -n "${{ secrets.app_key }}" ]]; then
echo "use_appauth=true" >> $GITHUB_OUTPUT
fi
Comment on lines +105 to +107

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am still a little worry about this... But let's land it first and check it again.

- if: ${{ steps.context.outputs.use_appauth == 'true' }}
name: Fetch token for app auth
id: appauth
uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.0.18
Expand All @@ -116,7 +121,7 @@ jobs:
# If this is set, then anything before or after in the job should be regarded as
# compromised.
ref: ${{ ! inputs.trusted && inputs.repo_ref || '' }}
token: ${{ (inputs.trusted && secrets.app_id && secrets.app_key) && steps.appauth.outputs.token || secrets.GITHUB_TOKEN }}
token: ${{ steps.context.outputs.use_appauth == 'true' && steps.appauth.outputs.token || secrets.GITHUB_TOKEN }}

# If we are in a trusted CI run then the provided commit _must_ be either the latest for
# this branch, or an antecdent.
Expand Down