internal/ci: switch away from a porcuepine logins.json secret

Use the new PORCUEPINE_CUE_TOKEN secret in the cuelang.org and cuelang.org-trybot repositories with `cue login --token`. While here, rename the other LOGINS env var for consistency, even if it's just used as a sanity check in a testscript. Preprocessor-No-Write-Cache: true Signed-off-by: Daniel Martí <[email protected]> Change-Id: Idcd531a292ae5764fba69c696f4133320774ca17 Dispatch-Trailer: {"type":"trybot","CL":1204361,"patchset":3,"ref":"refs/changes/61/1204361/3","targetBranch":"master"}
cue-lang · Nov 20, 2024 · a84d2c8 · a84d2c8
1 parent 8b863ae
commit a84d2c8
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 23 deletions.
diff --git a/.github/workflows/trybot.yaml b/.github/workflows/trybot.yaml
@@ -201,12 +201,8 @@ jobs:
       - name: Check Playground module is tidy
         run: go mod tidy
         working-directory: playground
-      - name: write $HOME/.config/cue/logins.json
-        run: |-
-          mkdir -p $HOME/.config/cue
-          cat <<EOD > $HOME/.config/cue/logins.json
-          ${{ secrets.PORCUEPINE_LOGINS_JSON }}
-          EOD
+      - name: log into the central registry as porcuepine
+        run: go run cuelang.org/go/cmd/cue login --token ${{ secrets.PORCUEPINE_CUE_TOKEN }}
       - name: Dist
         run: ./_scripts/build.bash --baseURL https://cl-${{ fromJSON(steps.DispatchTrailer.outputs.value).CL }}-${{ fromJSON(steps.DispatchTrailer.outputs.value).patchset }}--cue-cls.netlify.app
       - name: Check that git is clean at the end of the job

diff --git a/internal/ci/github/trybot.cue b/internal/ci/github/trybot.cue
@@ -218,13 +218,8 @@ workflows: trybot: _repo.bashWorkflow & {
 			// Registry) here in order to more carefully control in a CI
 			// environment who has access to this endpoint.
 			githubactions.#Step & {
-				name: "write $HOME/.config/cue/logins.json"
-				run: """
-					mkdir -p $HOME/.config/cue
-					cat <<EOD > $HOME/.config/cue/logins.json
-					${{ secrets.PORCUEPINE_LOGINS_JSON }}
-					EOD
-					"""
+				name: "log into the central registry as porcuepine"
+				run: "go run cuelang.org/go/cmd/cue login --token ${{ secrets.PORCUEPINE_CUE_TOKEN }}"
 			},
 
 			_dist & {

diff --git a/internal/cmd/preprocessor/cmd/rootfile.go b/internal/cmd/preprocessor/cmd/rootfile.go
@@ -705,10 +705,10 @@ func (m *multiStepScript) run() {
 		// otherwise stderr is not line buffered
 		"-t",
 
-		// TODO: as a temporary measure, pass CUE_TEST_LOGINS through from the
+		// TODO: as a temporary measure, pass CUE_TEST_TOKEN through from the
 		// host (documentation author) environment to the running multi-step
-		// script. CUE_TEST_LOGINS should be set to a string that can be written
-		// to $CUE_CONFIG_DIR/logins.json. This allows us to perform a headless
+		// script. CUE_TEST_TOKEN should be set to a string that can be used
+		// via `cue login --token`. This allows us to perform a headless
 		// 'cue login' step in a guide, whilst asking the user (via #norun
 		// script) to perform an actual 'cue login'.
 		//
@@ -724,11 +724,11 @@ func (m *multiStepScript) run() {
 		// well-known test users it requires. The preprocessor can then lookup
 		// the credentials in the host-provided blob, and make the credentials
 		// available via well-known environment variables e.g.
-		// USER1_CUE_TEST_LOGINS or similar. This approach will also allow us to
+		// USER1_CUE_TEST_TOKEN or similar. This approach will also allow us to
 		// know precisely what data that is passed in is credentials. We can also
 		// therefore perform a final "blanking" phase for safety's sake where we
 		// string replace credentials with '*****' or similar.
-		"-e", "CUE_TEST_LOGINS",
+		"-e", "CUE_TEST_TOKEN",
 
 		// mount the bash script
 		"--mount", fmt.Sprintf("type=bind,source=%s,target=/scripts,readonly", scriptsDir),

diff --git a/internal/cmd/preprocessor/cmd/testdata/execute_multistagescript.txtar b/internal/cmd/preprocessor/cmd/testdata/execute_multistagescript.txtar
@@ -2,7 +2,7 @@
 # This includes formatting an upload node, running a script node, and
 # skipping formatting a file in another upload node.
 
-env CUE_TEST_LOGINS=blah
+env CUE_TEST_TOKEN=blah
 
 unquote content/dir/en.md golden/content/dir/en.md.writeBack
 
@@ -148,7 +148,7 @@ Hello!
 >{{{end}}}
 >
 >{{{with script "en" "passed in env var"}}}
->echo $CUE_TEST_LOGINS
+>echo $CUE_TEST_TOKEN
 >{{{end}}}
 -- golden/content/dir/en.md.writeBack --
 >---
@@ -217,7 +217,7 @@ Hello!
 >{{{end}}}
 >
 >{{{with script "en" "passed in env var"}}}
->echo $CUE_TEST_LOGINS
+>echo $CUE_TEST_TOKEN
 >{{{end}}}
 -- golden/hugo/content/en/dir/index.md --
 ---
@@ -287,7 +287,7 @@ v0.9.0-alpha.3
 ```
 
 ```text { title="TERMINAL" type="terminal" codeToCopy="ZWNobyAkQ1VFX1RFU1RfTE9HSU5T" }
-$ echo $CUE_TEST_LOGINS
+$ echo $CUE_TEST_TOKEN
 blah
 ```
 -- golden/content/dir/gen_cache.cue --
@@ -388,7 +388,7 @@ package site
 									"""
 						}, {
 							doc:      ""
-							cmd:      "echo $CUE_TEST_LOGINS"
+							cmd:      "echo $CUE_TEST_TOKEN"
 							exitCode: 0
 							output: """
 									blah