Skip to content

Allow using GITHUB_TOKEN downstream#89

Merged
shahmishal merged 1 commit intoswiftlang:mainfrom
award999:token
Feb 14, 2025
Merged

Allow using GITHUB_TOKEN downstream#89
shahmishal merged 1 commit intoswiftlang:mainfrom
award999:token

Conversation

@award999
Copy link
Contributor

@award999 award999 commented Feb 5, 2025

Looking at https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context the github.token is only available withins the steps. Of the common workflow, but the jobs extending it do not have access. The vscode-swift extension publishes a build of the extension in a separate job, and we want to be able to download it within the common workflow so we can test what is actually might be released.

@award999 award999 requested a review from a team as a code owner February 5, 2025 13:20
@award999
Copy link
Contributor Author

award999 commented Feb 5, 2025

@shahmishal I've tested this on my fork of vscode-swift https://github.com/award999/vscode-swift/actions/runs/13144430476. It does allow us to download the artifact for the sake of testing the extension we may ship.

https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token outlines the default permissions.

@award999
Allow using GITHUB_TOKEN downstream
3512e3b 
Looking at https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context
the `github.token` is only available withins the `steps`. Of the common
workflow, but the jobs extending it do not have access. The vscode-swift
extension publishes a build of the extension in a separate job, and we
want to be able to download it within the common workflow so we can test
what is actually might be released.
MahdiBM
MahdiBM reviewed Feb 5, 2025
View reviewed changes
.github/workflows/swift_package_test.yml
Comment on lines +87 to +90
- name: Provide token
if: ${{ inputs.needs_token }}
run: |
echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
Copy link

@MahdiBM MahdiBM Feb 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if something like this at call sites would do what you want:

    uses: path/to/my/ci-file
+   secrets: inherit

Copy link
Contributor Author

@award999 award999 Feb 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That didn't work unfortunately. secrets.GITHUB_TOKEN was empty

Copy link
Contributor Author

@award999 award999 Feb 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually it wasn't the fact it was empty, secrets.GITHUB_TOKEN causes an error
Screenshot 2025-02-05 at 9 45 40 AM

and then github.secrets.GITHUB_TOKEN doesn't cause an error but is empty. And yes secrets is set to inherit

@shahmishal shahmishal merged commit de01c02 into swiftlang:main Feb 14, 2025
24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shahmishal shahmishal shahmishal approved these changes

+1 more reviewer

@MahdiBM MahdiBM MahdiBM left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@award999 @shahmishal @MahdiBM