diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ff36b802a1e..708386d2a74 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -83,8 +83,12 @@ jobs:
 version: v2.2.0
 - name: Run GoReleaser with CUE
 env:
+ CUE_LOGINS: ${{ secrets.NOTCUECKOO_CUE_LOGINS }}
 GITHUB_TOKEN: ${{ secrets.CUECKOO_GITHUB_PAT }}
- run: cue cmd release
+ run: |-
+ export CUE_CONFIG_DIR=$(mktemp -d)
+ echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json
+ cue cmd release
 working-directory: ./internal/ci/goreleaser
 - name: Re-test cuelang.org
 if: startsWith(github.ref, 'refs/tags/v')
diff --git a/internal/ci/github/logins.cue b/internal/ci/github/logins.cue
new file mode 100644
index 00000000000..7756817393e
--- /dev/null
+++ b/internal/ci/github/logins.cue
@@ -0,0 +1,37 @@
+// Copyright 2024 The CUE Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package github
+
+import (
+ "github.com/cue-tmp/jsonschema-pub/exp1/githubactions"
+)
+
+// _registryReadOnlyAccessStep defines a step that configures
+// a read-only Central Registry access credential. The actual
+// command should be placed in the _run field.
+_registryReadOnlyAccessStep: githubactions.#Step & {
+ _run!: string
+ env: {
+ // Note: this token has read-only access to the registry
+ // and is used only because we need some credentials
+ // to pull dependencies from the Central Registry.
+ CUE_LOGINS: "${{ secrets.NOTCUECKOO_CUE_LOGINS }}"
+ }
+ run: """
+ export CUE_CONFIG_DIR=$(mktemp -d)
+ echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json
+ \(_run)
+ """
+}
diff --git a/internal/ci/github/release.cue b/internal/ci/github/release.cue
index 9323ab7b4e0..d2311c23f59 100644
--- a/internal/ci/github/release.cue
+++ b/internal/ci/github/release.cue
@@ -79,12 +79,12 @@ workflows: release: _repo.bashWorkflow & {
 version: _repo.goreleaserVersion
 }
 },
- githubactions.#Step & {
+ _registryReadOnlyAccessStep & {
 // Note that the logic for what gets run at release time
 // is defined with the release command in CUE.
 name: "Run GoReleaser with CUE"
 env: GITHUB_TOKEN: "${{ secrets.CUECKOO_GITHUB_PAT }}"
- run: "cue cmd release"
+ _run: "cue cmd release"
 "working-directory": "./internal/ci/goreleaser"
 },
 _repo.repositoryDispatch & {
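Review bot: In logins.cue's `run` template, `export CUE_CONFIG_DIR=$(mktemp -d)` reports the exit status of `export`, so even under `bash -e` a failed `mktemp` goes unnoticed and the next line would try to write the login to `/logins.json`; the redirect target is also unquoted. Now that every step built on `_registryReadOnlyAccessStep` shares this script, I would assign and export separately and quote the path: `CUE_CONFIG_DIR=$(mktemp -d)`, `export CUE_CONFIG_DIR`, `printf '%s\n' "$CUE_LOGINS" > "$CUE_CONFIG_DIR/logins.json"`. The same three lines appear in the release.yaml hunk, which looks like the generated output of release.cue and would pick the change up on regeneration. The temporary directory is never removed, which only matters if one of these jobs runs on a runner that persists between jobs; that is not visible in this diff.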
diff --git a/internal/ci/github/trybot.cue b/internal/ci/github/trybot.cue
index cb6adea1681..d987f206331 100644
--- a/internal/ci/github/trybot.cue
+++ b/internal/ci/github/trybot.cue
@@ -108,19 +108,9 @@ workflows: trybot: _repo.bashWorkflow & {
 // work.
 _isLatestLinux: "(\(goVersion) == '\(_repo.latestGo)' && \(matrixRunner) == '\(_repo.linuxMachine)')"
- _goGenerate: githubactions.#Step & {
+ _goGenerate: _registryReadOnlyAccessStep & {
 name: "Generate"
- env: {
- // Note: this token has read-only access to the registry
- // and is used only because we need some credentials
- // to pull dependencies from the Central Registry.
- CUE_LOGINS: "${{ secrets.NOTCUECKOO_CUE_LOGINS }}"
- }
- run: """
- export CUE_CONFIG_DIR=$(mktemp -d)
- echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json
- go generate ./...
- """
+ _run: "go generate ./..."
 // The Go version corresponds to the precise version specified in
 // the matrix. Skip windows for now until we work out why re-gen is flaky
 if: _isLatestLinux
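Review bot: With the inline `env` block removed, nothing at `_goGenerate` says that `go generate ./...` runs with a registry login in its environment and on disk, and generators execute code from the tree being tested. I would keep a one-line pointer at the call site, for example `// Runs with the read-only registry login set up by _registryReadOnlyAccessStep.`, so that a later change to what this step executes is reviewed with that exposure in mind. The step's body continues past the end of the hunk.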