From a3a683b5048342a7fd42d6e83155d2f09c9829be Mon Sep 17 00:00:00 2001 From: Paul Jolly Date: Thu, 21 Nov 2024 15:16:47 +0000 Subject: [PATCH] internal/ci: switch to use new token-based auth for Central Registry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Align with the cue-lang/{cue,cuelang.org} repos in using the new developer access tokens in combination with 'cue login --token' to authenticate with the Central Registry. In the process move away from the pattern we inherited from the cue-lang/cue which seemed to imply that the auth persisted only as long as the _registryReadOnlyAccessStep. This was not, and still is not, the case, as a file was and is mutated. Simplify instead to template this as a simple step. Upgrade to CUE v0.11.0 in order to use the --token flag. Signed-off-by: Paul Jolly Change-Id: Iee6c7b80b80a1f10dac0a44705a7f1cbc9f7255d Reviewed-on: https://review.gerrithub.io/c/cue-lang/vscode-cue/+/1204436 TryBot-Result: CUEcueckoo Reviewed-by: Daniel Martí --- .github/workflows/trybot.yaml | 12 +++++------- internal/ci/github/logins.cue | 37 ----------------------------------- internal/ci/github/trybot.cue | 21 +++++++++++++++++--- 3 files changed, 23 insertions(+), 47 deletions(-) delete mode 100644 internal/ci/github/logins.cue diff --git a/.github/workflows/trybot.yaml b/.github/workflows/trybot.yaml index c14a143..3144419 100644 --- a/.github/workflows/trybot.yaml +++ b/.github/workflows/trybot.yaml @@ -67,7 +67,7 @@ jobs: - name: Install CUE uses: cue-lang/setup-cue@v1.0.1 with: - version: v0.11.0-rc.1 + version: v0.11.0 - id: go-mod-cache-dir name: Get go mod cache directory run: echo "dir=$(go env GOMODCACHE)" >> ${GITHUB_OUTPUT} 
@@ -98,15 +98,13 @@ jobs: github.repository == 'cue-lang/vscode-cue' && (((github.ref == 'refs/heads/master') && (! (contains(github.event.head_commit.message, ' Dispatch-Trailer: {"type":"')))) || github.ref == 'refs/heads/ci/test') run: go clean -testcache + - run: cue login --token=${CUE_TOKEN} + env: + CUE_TOKEN: ${{ secrets.NOTCUECKOO_CUE_TOKEN }} - name: Verify run: go mod verify - name: Generate - run: |- - export CUE_CONFIG_DIR=$(mktemp -d) - echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json - go generate ./... - env: - CUE_LOGINS: ${{ secrets.NOTCUECKOO_CUE_LOGINS }} + run: go generate ./... - name: Test run: go test ./... - name: Race test diff --git a/internal/ci/github/logins.cue b/internal/ci/github/logins.cue deleted file mode 100644 index 7756817..0000000 --- a/internal/ci/github/logins.cue +++ /dev/null 
@@ -1,37 +0,0 @@ -// Copyright 2024 The CUE Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package github - -import ( - "github.com/cue-tmp/jsonschema-pub/exp1/githubactions" -) - -// _registryReadOnlyAccessStep defines a step that configures -// a read-only Central Registry access credential. The actual -// command should be placed in the _run field. -_registryReadOnlyAccessStep: githubactions.#Step & { - _run!: string - env: { - // Note: this token has read-only access to the registry - // and is used only because we need some credentials - // to pull dependencies from the Central Registry. - CUE_LOGINS: "${{ secrets.NOTCUECKOO_CUE_LOGINS }}" - } - run: """ - export CUE_CONFIG_DIR=$(mktemp -d) - echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json - \(_run) - """ -} diff --git a/internal/ci/github/trybot.cue b/internal/ci/github/trybot.cue index 5126a9f..f4f76d0 100644 --- a/internal/ci/github/trybot.cue +++ b/internal/ci/github/trybot.cue @@ -59,13 +59,15 @@ workflows: trybot: _repo.bashWorkflow & { for v in _setupGoActionsCaches {v}, + _centralRegistryLogin, + githubactions.#Step & { name: "Verify" run: "go mod verify" }, - _registryReadOnlyAccessStep & { + githubactions.#Step & { name: "Generate" - _run: "go generate ./..." + run: "go generate ./..." }, githubactions.#Step & { name: "Test" 
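Review bot: Inserting `_centralRegistryLogin` ahead of "Verify" leaves the registry credential in place for every later step, whereas only "Generate" set up credentials before this change. The commit message itself notes that the login mutates a file, so `go generate ./...`, `go test ./...` and any other step that runs code from the change under test can presumably read the stored token. The token's read-only scope is the control that limits the impact, and that is worth stating where the step is wired in, e.g. `// Login persists for the rest of the job; every later step can read the stored read-only credential.` The steps list begins and ends outside this hunk, so later steps that may depend on the login are not visible here.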
@@ -91,5 +93,18 @@ workflows: trybot: _repo.bashWorkflow & { _installCUE: githubactions.#Step & { name: "Install CUE" uses: "cue-lang/setup-cue@v1.0.1" - with: version: "v0.11.0-rc.1" + with: version: "v0.11.0" +} + +_centralRegistryLogin: githubactions.#Step & { + env: { + // Note: this token has read-only access to the registry + // and is used only because we need some credentials + // to pull dependencies from the Central Registry. + // The token is owned by notcueckoo and described as "ci readonly". + CUE_TOKEN: "${{ secrets.NOTCUECKOO_CUE_TOKEN }}" + } + run: """ + cue login --token=${CUE_TOKEN} + """ }
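Review bot: In `_centralRegistryLogin`, `${CUE_TOKEN}` is expanded unquoted and the secret is passed as a command-line argument, where other processes on the runner can see it while `cue login` runs. Quoting at least rules out word splitting or globbing if a token ever contains shell metacharacters: `cue login --token="${CUE_TOKEN}"`. The step also has no `name:`, unlike its neighbours, so the job log will title it with the command text; something like `name: "Login to the Central Registry"` would read better. The second hunk of `.github/workflows/trybot.yaml`, which looks to be generated from this file, carries the same `run` line and would change with it.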