From 20d65736885d057e05da4e918534cfde15e1bbbb Mon Sep 17 00:00:00 2001 From: Roger Peppe Date: Tue, 1 Oct 2024 15:56:20 +0100 Subject: [PATCH] internal/ci: pass access token to releaser step MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A previous CL (https://cuelang.org/cl/1201986) started using the Central Registry for github actions schemas, but the `cue cmd release` command run in `internal/ci` also depends on some of the same CUE code, so provide the token to that step too, making it easily reusable if we find more steps that need it. Signed-off-by: Roger Peppe Change-Id: Ibb4a8b0cbb1bb2af2e8797f1b934fcbae410aa58 Reviewed-on: https://review.gerrithub.io/c/cue-lang/cue/+/1202051 Reviewed-by: Daniel Martí TryBot-Result: CUEcueckoo Unity-Result: CUE porcuepine --- .github/workflows/release.yaml | 6 +++++- internal/ci/github/logins.cue | 37 ++++++++++++++++++++++++++++++++++ internal/ci/github/release.cue | 4 ++-- internal/ci/github/trybot.cue | 14 ++----------- 4 files changed, 46 insertions(+), 15 deletions(-) create mode 100644 internal/ci/github/logins.cue
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ff36b802a1e..708386d2a74 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -83,8 +83,12 @@ jobs:
 version: v2.2.0
 - name: Run GoReleaser with CUE
 env:
+ CUE_LOGINS: ${{ secrets.NOTCUECKOO_CUE_LOGINS }}
 GITHUB_TOKEN: ${{ secrets.CUECKOO_GITHUB_PAT }}
- run: cue cmd release
+ run: |-
+ export CUE_CONFIG_DIR=$(mktemp -d)
+ echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json
+ cue cmd release
 working-directory: ./internal/ci/goreleaser
 - name: Re-test cuelang.org
 if: startsWith(github.ref, 'refs/tags/v')
diff --git a/internal/ci/github/logins.cue b/internal/ci/github/logins.cue
new file mode 100644
index 00000000000..7756817393e
--- /dev/null
+++ b/internal/ci/github/logins.cue
@@ -0,0 +1,37 @@
+// Copyright 2024 The CUE Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package github
+
+import (
+ "github.com/cue-tmp/jsonschema-pub/exp1/githubactions"
+)
+
+// _registryReadOnlyAccessStep defines a step that configures
+// a read-only Central Registry access credential. The actual
+// command should be placed in the _run field.
+_registryReadOnlyAccessStep: githubactions.#Step & {
+ _run!: string
+ env: {
+ // Note: this token has read-only access to the registry
+ // and is used only because we need some credentials
+ // to pull dependencies from the Central Registry.
+ CUE_LOGINS: "${{ secrets.NOTCUECKOO_CUE_LOGINS }}"
+ }
+ run: """
+ export CUE_CONFIG_DIR=$(mktemp -d)
+ echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json
+ \(_run)
+ """
+}
diff --git a/internal/ci/github/release.cue b/internal/ci/github/release.cue
index 9323ab7b4e0..d2311c23f59 100644
--- a/internal/ci/github/release.cue
+++ b/internal/ci/github/release.cue
@@ -79,12 +79,12 @@ workflows: release: _repo.bashWorkflow & {
 version: _repo.goreleaserVersion
 }
 },
- githubactions.#Step & {
+ _registryReadOnlyAccessStep & {
 // Note that the logic for what gets run at release time
 // is defined with the release command in CUE.
 name: "Run GoReleaser with CUE"
 env: GITHUB_TOKEN: "${{ secrets.CUECKOO_GITHUB_PAT }}"
- run: "cue cmd release"
+ _run: "cue cmd release"
 "working-directory": "./internal/ci/goreleaser"
 },
 _repo.repositoryDispatch & {
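Review bot: In the `run` template of `_registryReadOnlyAccessStep`, the credential is still exported as `CUE_LOGINS` when `\(_run)` executes, so every process the wrapped command starts inherits it in addition to the copy written to `logins.json`; in the release.cue consumer that same environment also holds `GITHUB_TOKEN`. If nothing in `_run` reads the variable directly (worth confirming), add `unset CUE_LOGINS` after the `echo` line so only the file carries the credential. The redirect target should also be quoted, `echo "$CUE_LOGINS" > "$CUE_CONFIG_DIR/logins.json"`, and `export CUE_CONFIG_DIR=$(mktemp -d)` hides a failing `mktemp` behind the exit status of `export`; assigning first and exporting on a second line lets the step stop at that point. The same script lines appear in the release.yaml hunk, and the trybot.cue `_goGenerate` step now takes them from this definition.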
diff --git a/internal/ci/github/trybot.cue b/internal/ci/github/trybot.cue index cb6adea1681..d987f206331 100644 --- a/internal/ci/github/trybot.cue +++ b/internal/ci/github/trybot.cue @@ -108,19 +108,9 @@ workflows: trybot: _repo.bashWorkflow & { // work. _isLatestLinux: "(\(goVersion) == '\(_repo.latestGo)' && \(matrixRunner) == '\(_repo.linuxMachine)')" - _goGenerate: githubactions.#Step & { + _goGenerate: _registryReadOnlyAccessStep & { name: "Generate" - env: { - // Note: this token has read-only access to the registry - // and is used only because we need some credentials - // to pull dependencies from the Central Registry. - CUE_LOGINS: "${{ secrets.NOTCUECKOO_CUE_LOGINS }}" - } - run: """ - export CUE_CONFIG_DIR=$(mktemp -d) - echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json - go generate ./... - """ + _run: "go generate ./..." // The Go version corresponds to the precise version specified in // the matrix. Skip windows for now until we work out why re-gen is flaky if: _isLatestLinux