docs: adds guidance in action files around the "github_token" input

Signed-off-by: Jennifer Power <[email protected]>
RedHatProductSecurity · May 3, 2024 · 79aad6e · 79aad6e
1 parent e143ffc
commit 79aad6e
Show file tree

Hide file tree

Showing 8 changed files with 28 additions and 12 deletions.
diff --git a/actions/autosync/README.md b/actions/autosync/README.md
@@ -26,7 +26,9 @@ name: Example Workflow
 | markdown_path | Path relative to the repository path where the Trestle markdown files are located. See action README.md for more information. | None | True |
 | oscal_model | OSCAL Model type to assemble. Values can be catalog, profile, compdef, or ssp. | None | True |
 | dry_run | Runs tasks without pushing changes to the repository. | false | False |
-| github_token | GitHub token used to make authenticated API requests | None | False |
+| github_token | "GitHub token used to make authenticated API requests.
+Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do nothardcode the token."
+ | None | False |
 | version | Version of the OSCAL model to set during assembly into JSON. | None | False |
 | skip_assemble | Skip assembly task. Defaults to false | false | False |
 | skip_regenerate | Skip regenerate task. Defaults to false. | false | False |

diff --git a/actions/autosync/action.yml b/actions/autosync/action.yml
@@ -14,7 +14,9 @@ inputs:
     required: false
     default: "false"
   github_token:
-    description: "GitHub token used to make authenticated API requests"
+    description: |
+      "GitHub token used to make authenticated API requests.
+      Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do nothardcode the token."
     required: false
   version:
     description: "Version of the OSCAL model to set during assembly into JSON."
@@ -91,7 +93,7 @@ runs:
   image: "../../Dockerfile"
   entrypoint: "/auto-sync-entrypoint.sh"
   env:
-    GITHUB_TOKEN: ${{ inputs.github_token }}
+    TRESTLEBOT_REPO_ACCESS_TOKEN: ${{ inputs.github_token }}
 
 branding:
   icon: "check"

diff --git a/actions/create-cd/README.md b/actions/create-cd/README.md
@@ -33,7 +33,9 @@ name: Example Workflow
 | component_description | Description of the component to create | None | True |
 | filter_by_profile | Name of the profile in the workspace to filter controls by | None | False |
 | dry_run | Runs tasks without pushing changes to the repository. | false | False |
-| github_token | GitHub token used to make authenticated API requests | None | False |
+| github_token | "GitHub token used to make authenticated API requests.
+Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do nothardcode the token."
+ | None | False |
 | commit_message | Commit message | Sync automatic updates | False |
 | pull_request_title | Custom pull request title | Automatic updates from trestlebot | False |
 | branch | Name of the Git branch to which modifications should be pushed. Required if Action is used on the `pull_request` event. | ${{ github.ref_name }} | False |

diff --git a/actions/create-cd/action.yml b/actions/create-cd/action.yml
@@ -30,7 +30,9 @@ inputs:
     required: false
     default: "false"
   github_token:
-    description: "GitHub token used to make authenticated API requests"
+    description: |
+      "GitHub token used to make authenticated API requests.
+      Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do nothardcode the token."
     required: false
   commit_message:
     description: Commit message
@@ -89,7 +91,7 @@ runs:
   image: "../../Dockerfile"
   entrypoint: "/create-cd-entrypoint.sh"
   env:
-    GITHUB_TOKEN: ${{ inputs.github_token }}
+    TRESTLEBOT_REPO_ACCESS_TOKEN: ${{ inputs.github_token }}
 
 branding:
   icon: "check"

diff --git a/actions/rules-transform/README.md b/actions/rules-transform/README.md
@@ -34,7 +34,9 @@ With custom rules directory:
 | --- | --- | --- | --- |
 | rules_view_path | Path relative to the repository path where the Trestle rules view files are located. Defaults to `rules/`. | rules/ | False |
 | dry_run | Runs tasks without pushing changes to the repository. | false | False |
-| github_token | GitHub token used to make authenticated API requests | None | False |
+| github_token | "GitHub token used to make authenticated API requests.
+Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token."
+ | None | False |
 | skip_items | Comma-separated glob patterns list of content by Trestle name to skip during task execution. For example `compdef_x,compdef_y*,`. | None | False |
 | commit_message | Commit message | Sync automatic updates | False |
 | pull_request_title | Custom pull request title | Automatic updates from trestlebot | False |

diff --git a/actions/rules-transform/action.yml b/actions/rules-transform/action.yml
@@ -12,7 +12,9 @@ inputs:
     required: false
     default: "false"
   github_token:
-    description: "GitHub token used to make authenticated API requests"
+    description: |
+      "GitHub token used to make authenticated API requests.
+      Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token."
     required: false
   skip_items:
     description: "Comma-separated glob patterns list of content by Trestle name to skip during task execution. For example `compdef_x,compdef_y*,`."
@@ -74,7 +76,7 @@ runs:
   image: "../../Dockerfile"
   entrypoint: "/rules-transform-entrypoint.sh"
   env:
-    GITHUB_TOKEN: ${{ inputs.github_token }}
+    TRESTLEBOT_REPO_ACCESS_TOKEN: ${{ inputs.github_token }}
 
 branding:
   icon: "check"

diff --git a/actions/sync-upstreams/README.md b/actions/sync-upstreams/README.md
@@ -24,7 +24,9 @@ name: Example Workflow
 | --- | --- | --- | --- |
 | sources | A newline separated list of upstream sources to sync with a repo@branch format. For example, `https://github.com/myorg/myprofiles@main` | None | True |
 | dry_run | Runs tasks without pushing changes to the repository. | false | False |
-| github_token | GitHub token used to make authenticated API requests | None | False |
+| github_token | "GitHub token used to make authenticated API requests.
+Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do nothardcode the token."
+ | None | False |
 | include_model_names | Comma-separated glob pattern list of model names (i.e. trestle directory name) to include in the sync. For example, `*framework-v2`. Defaults to include all model names. | None | False |
 | exclude_model_names | Comma-separated glob pattern of model names (i.e. trestle directory name) to exclude from the sync. For example, `*framework-v1`. Defaults to skip no model names. | None | False |
 | skip_validation | Skip validation of the upstream OSCAL content. Defaults to false | false | False |

diff --git a/actions/sync-upstreams/action.yml b/actions/sync-upstreams/action.yml
@@ -11,7 +11,9 @@ inputs:
     required: false
     default: "false"
   github_token:
-    description: "GitHub token used to make authenticated API requests"
+    description: |
+      "GitHub token used to make authenticated API requests.
+      Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do nothardcode the token."
     required: false
   include_model_names:
     description: "Comma-separated glob pattern list of model names (i.e. trestle directory name) to include in the sync. For example, `*framework-v2`. Defaults to include all model names."
@@ -80,7 +82,7 @@ runs:
   image: "../../Dockerfile"
   entrypoint: "/sync-upstreams-entrypoint.sh"
   env:
-    GITHUB_TOKEN: ${{ inputs.github_token }}
+    TRESTLEBOT_REPO_ACCESS_TOKEN: ${{ inputs.github_token }}
 
 branding:
   icon: "check"