internal/ci: switch to use new token-based auth for Central Registry

Align with the cue-lang/{cue,cuelang.org} repos in using the new developer access tokens in combination with 'cue login --token' to authenticate with the Central Registry. In the process move away from the pattern we inherited from the cue-lang/cue which seemed to imply that the auth persisted only as long as the _registryReadOnlyAccessStep. This was not, and still is not, the case, as a file was and is mutated. Simplify instead to template this as a simple step. Upgrade to CUE v0.11.0 in order to use the --token flag. Signed-off-by: Paul Jolly <[email protected]> Change-Id: Iee6c7b80b80a1f10dac0a44705a7f1cbc9f7255d Reviewed-on: https://review.gerrithub.io/c/cue-lang/vscode-cue/+/1204436 TryBot-Result: CUEcueckoo <[email protected]> Reviewed-by: Daniel Martí <[email protected]>
cue-lang · Nov 21, 2024 · a3a683b · a3a683b
1 parent e8503fa
commit a3a683b
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 47 deletions.
diff --git a/.github/workflows/trybot.yaml b/.github/workflows/trybot.yaml
@@ -67,7 +67,7 @@ jobs:
       - name: Install CUE
         uses: cue-lang/[email protected]
         with:
-          version: v0.11.0-rc.1
+          version: v0.11.0
       - id: go-mod-cache-dir
         name: Get go mod cache directory
         run: echo "dir=$(go env GOMODCACHE)" >> ${GITHUB_OUTPUT}
@@ -98,15 +98,13 @@ jobs:
           github.repository == 'cue-lang/vscode-cue' && (((github.ref == 'refs/heads/master') && (! (contains(github.event.head_commit.message, '
           Dispatch-Trailer: {"type":"')))) || github.ref == 'refs/heads/ci/test')
         run: go clean -testcache
+      - run: cue login --token=${CUE_TOKEN}
+        env:
+          CUE_TOKEN: ${{ secrets.NOTCUECKOO_CUE_TOKEN }}
       - name: Verify
         run: go mod verify
       - name: Generate
-        run: |-
-          export CUE_CONFIG_DIR=$(mktemp -d)
-          echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json
-          go generate ./...
-        env:
-          CUE_LOGINS: ${{ secrets.NOTCUECKOO_CUE_LOGINS }}
+        run: go generate ./...
       - name: Test
         run: go test ./...
       - name: Race test

diff --git a/internal/ci/github/logins.cue b/internal/ci/github/logins.cue
diff --git a/internal/ci/github/trybot.cue b/internal/ci/github/trybot.cue
@@ -59,13 +59,15 @@ workflows: trybot: _repo.bashWorkflow & {
 
 			for v in _setupGoActionsCaches {v},
 
+			_centralRegistryLogin,
+
 			githubactions.#Step & {
 				name: "Verify"
 				run:  "go mod verify"
 			},
-			_registryReadOnlyAccessStep & {
+			githubactions.#Step & {
 				name: "Generate"
-				_run: "go generate ./..."
+				run:  "go generate ./..."
 			},
 			githubactions.#Step & {
 				name: "Test"
@@ -91,5 +93,18 @@ workflows: trybot: _repo.bashWorkflow & {
 _installCUE: githubactions.#Step & {
 	name: "Install CUE"
 	uses: "cue-lang/[email protected]"
-	with: version: "v0.11.0-rc.1"
+	with: version: "v0.11.0"
+}
+
+_centralRegistryLogin: githubactions.#Step & {
+	env: {
+		// Note: this token has read-only access to the registry
+		// and is used only because we need some credentials
+		// to pull dependencies from the Central Registry.
+		// The token is owned by notcueckoo and described as "ci readonly".
+		CUE_TOKEN: "${{ secrets.NOTCUECKOO_CUE_TOKEN }}"
+	}
+	run: """
+		cue login --token=${CUE_TOKEN}
+		"""
 }