From c3cd374c288ef64096e06bbd2a9876798dc84206 Mon Sep 17 00:00:00 2001
From: dennisvang <29799340+dennisvang@users.noreply.github.com>
Date: Wed, 19 Feb 2025 14:04:53 +0100
Subject: [PATCH 1/7] add repo-dispatch action with test work in progress
---
 .github/actions/repo-dispatch/action.yml | 27 ++++++++++++++++++++++++
 .github/workflows/test-repo-dispatch.yml | 22 +++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 .github/actions/repo-dispatch/action.yml
 create mode 100644 .github/workflows/test-repo-dispatch.yml
diff --git a/.github/actions/repo-dispatch/action.yml b/.github/actions/repo-dispatch/action.yml
new file mode 100644
index 0000000..b26ca8a
--- /dev/null
+++ b/.github/actions/repo-dispatch/action.yml
@@ -0,0 +1,27 @@
+name: repository-dispatch
+description: creates repository_dispatch event in target repository
+inputs:
+ secret-token:
+ description: fine-grained personal access token with content write permission for the target repo
+ required: true
+ secret-token-2:
+ description: another secret
+ required: true
+runs:
+ using: composite
+ steps:
+ - # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#masking-a-value-in-a-log
+ name: mask secret token
+ run: echo "::add-mask::$SECRET_TOKEN"
+ shell: bash
+ env:
+ SECRET_TOKEN: ${{ inputs.secret-token }}
+
+ - name: mask secret token
+ run: echo "::add-mask::${{ inputs.secret-token2 }}"
+ shell: bash
+
+ - shell: bash
+ run: |
+ echo "${{ inputs.secret-token }}"
+ echo "${{ inputs.secret-token-2 }}"
diff --git a/.github/workflows/test-repo-dispatch.yml b/.github/workflows/test-repo-dispatch.yml
new file mode 100644
index 0000000..aab0537
--- /dev/null
+++ b/.github/workflows/test-repo-dispatch.yml
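Review bot: The second mask step in action.yml reads `inputs.secret-token2`, but the input declared above it is `secret-token-2`, so the expression expands to an empty string and the second value is never registered as a mask before the last step echoes it. The step also pastes the expression into the script text, where bash parses the value as part of the command, whereas the first step passes it through `env` and only references `$SECRET_TOKEN`. Writing the step as `run: echo "::add-mask::$SECRET_TOKEN_2"` with `env:` / `SECRET_TOKEN_2: ${{ inputs.secret-token-2 }}` fixes the name and keeps both steps in the same form. The inlined form comes back in the mask step of patch 3 and in the curl step of patch 4.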
@@ -0,0 +1,22 @@
+# This workflow tests the reusable repo-dispatch action
+
+name: test repo-dispatch action
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ dispatch:
+ runs-on: ubuntu-latest
+ steps:
+ - name: checkout so we can use local action
+ uses: actions/checkout@v4
+ - name: test action
+ uses: ./.github/actions/repo-dispatch
+ with:
+ secret-token: my-secret-token
+ secret-token-2: my-secret-token-2
From 3b71f3589101789440ef11924684da15b6145dd2 Mon Sep 17 00:00:00 2001
From: dennisvang <29799340+dennisvang@users.noreply.github.com>
Date: Wed, 19 Feb 2025 14:12:41 +0100
Subject: [PATCH 2/7] test echo without mask
---
 .github/actions/repo-dispatch/action.yml | 26 +++++++++++-------------
 1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/.github/actions/repo-dispatch/action.yml b/.github/actions/repo-dispatch/action.yml
index b26ca8a..aeb0007 100644
--- a/.github/actions/repo-dispatch/action.yml
+++ b/.github/actions/repo-dispatch/action.yml
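Review bot: The new test workflow declares no `permissions:` block, so the job's `GITHUB_TOKEN` gets whatever default the repository or organization has configured. The job only checks out the repository and calls the local action, which is given its own token input, so a top-level `permissions:` with `contents: read` should be enough. Stating it in the file keeps the scope visible in review and independent of the repository settings.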
@@ -4,24 +4,22 @@ inputs: secret-token: description: fine-grained personal access token with content write permission for the target repo required: true - secret-token-2: + another-secret: description: another secret required: true runs: using: composite steps: - - # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#masking-a-value-in-a-log - name: mask secret token - run: echo "::add-mask::$SECRET_TOKEN" - shell: bash - env: - SECRET_TOKEN: ${{ inputs.secret-token }} - - - name: mask secret token - run: echo "::add-mask::${{ inputs.secret-token2 }}" - shell: bash +# - # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#masking-a-value-in-a-log +# name: mask secret token +# run: echo "::add-mask::$SECRET_TOKEN" +# shell: bash +# env: +# SECRET_TOKEN: ${{ inputs.secret-token }} +# +# - name: mask secret token +# run: echo "::add-mask::${{ inputs.secret-token2 }}" +# shell: bash - shell: bash - run: | - echo "${{ inputs.secret-token }}" - echo "${{ inputs.secret-token-2 }}" + run: echo "${{ inputs.secret-token }} and ${{ inputs.another-secret }}" From 86c6ea8948daa37d060841dfffde316d1cd938d5 Mon Sep 17 00:00:00 2001 From: dennisvang <29799340+dennisvang@users.noreply.github.com> Date: Wed, 19 Feb 2025 14:16:57 +0100 Subject: [PATCH 3/7] test echo with mask --- .github/actions/repo-dispatch/action.yml | 19 ++++++++----------- .github/workflows/test-repo-dispatch.yml | 2 +- 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/.github/actions/repo-dispatch/action.yml b/.github/actions/repo-dispatch/action.yml index aeb0007..435e246 100644 --- a/.github/actions/repo-dispatch/action.yml +++ b/.github/actions/repo-dispatch/action.yml 
@@ -10,16 +10,13 @@ inputs: runs: using: composite steps: -# - # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#masking-a-value-in-a-log -# name: mask secret token -# run: echo "::add-mask::$SECRET_TOKEN" -# shell: bash -# env: -# SECRET_TOKEN: ${{ inputs.secret-token }} -# -# - name: mask secret token -# run: echo "::add-mask::${{ inputs.secret-token2 }}" -# shell: bash + - # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#masking-a-value-in-a-log + name: mask secret inputs + run: | + echo "::add-mask::${{ inputs.secret-token }}" + echo "::add-mask::${{ inputs.another-secret }}" + shell: bash - - shell: bash + - name: test secrets masking run: echo "${{ inputs.secret-token }} and ${{ inputs.another-secret }}" + shell: bash \ No newline at end of file diff --git a/.github/workflows/test-repo-dispatch.yml b/.github/workflows/test-repo-dispatch.yml index aab0537..4fae9d0 100644 --- a/.github/workflows/test-repo-dispatch.yml +++ b/.github/workflows/test-repo-dispatch.yml @@ -19,4 +19,4 @@ jobs: uses: ./.github/actions/repo-dispatch with: secret-token: my-secret-token - secret-token-2: my-secret-token-2 + another-secret: my-other-secret From c7ec3488c82a62039429a865170e3d03414afe26 Mon Sep 17 00:00:00 2001 From: dennisvang <29799340+dennisvang@users.noreply.github.com> Date: Wed, 19 Feb 2025 14:40:32 +0100 Subject: [PATCH 4/7] add actual repository dispatch API call --- .github/actions/repo-dispatch/action.yml | 38 ++++++++++++++++++++---- .github/workflows/test-repo-dispatch.yml | 7 +++-- 2 files changed, 37 insertions(+), 8 deletions(-) diff --git a/.github/actions/repo-dispatch/action.yml b/.github/actions/repo-dispatch/action.yml index 435e246..7147ae6 100644 --- a/.github/actions/repo-dispatch/action.yml +++ b/.github/actions/repo-dispatch/action.yml 
@@ -4,9 +4,26 @@ inputs:
 secret-token:
 description: fine-grained personal access token with content write permission for the target repo
 required: true
- another-secret:
- description: another secret
+ type: string
+ target-repo-owner:
+ description: target repository owner (as in /)
 required: true
+ type: string
+ target-repo-name:
+ description: target repository name (as in /)
+ required: true
+ type: string
+ event-type:
+ # https://docs.github.com/en/webhooks/webhook-events-and-payloads#repository_dispatch
+ description: action in repository_dispatch event
+ required: true
+ type: string
+ client-payload:
+ description: client_payload in repository_dispatch event (a JSON object)
+ required: true
+ type: string
+ default: '{}'
+
 runs:
 using: composite
 steps:
@@ -16,7 +33,16 @@ runs:
 echo "::add-mask::${{ inputs.secret-token }}"
 echo "::add-mask::${{ inputs.another-secret }}"
 shell: bash
-
- - name: test secrets masking
- run: echo "${{ inputs.secret-token }} and ${{ inputs.another-secret }}"
- shell: bash
\ No newline at end of file
+ - name: post to github api dispatches endpoint
+ # https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#create-a-repository-dispatch-event
+ # https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication
+ run: |
+ curl --location \
+ --fail-with-body \
+ --request POST \
+ --header "Accept: application/vnd.github+json" \
+ --header "Authorization: Bearer ${{ inputs.secret-token }}" \
+ --header "X-GitHub-Api-Version: 2022-11-28" \
+ https://api.github.com/repos/${{ inputs.target-repo-owner }}/${{ inputs.target-repo-name }}/dispatches \
+ --data '{"event_type":"${{ inputs.event-type }}","client_payload":${{ inputs.client-payload }}}'
+ shell: bash
diff --git a/.github/workflows/test-repo-dispatch.yml b/.github/workflows/test-repo-dispatch.yml
index 4fae9d0..4a7a1ad 100644
--- a/.github/workflows/test-repo-dispatch.yml
+++ b/.github/workflows/test-repo-dispatch.yml
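Review bot: The `type: string` keys added to every input in the first action.yml hunk are not part of the action metadata syntax, which documents only `description`, `required`, `default` and `deprecationMessage` under `inputs.<id>`; action inputs are always strings, so the keys can be dropped. `client-payload` is declared `required: true` and also given `default: '{}'`, which contradict each other; `required: false` matches the default. Removing `another-secret` here also leaves `echo "::add-mask::${{ inputs.another-secret }}"` in the mask step (visible as context in the next hunk), where it now expands to an empty value.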
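Review bot: The request body in the new curl step is assembled by pasting `inputs.event-type` and `inputs.client-payload` into a single-quoted JSON string, so a value containing `'` or `"` either ends the shell quoting or changes the JSON structure, and nothing checks that the payload parses as JSON. The token and the two repository inputs are pasted into the script text as well, so every caller-supplied value is parsed by bash rather than handled as data. Passing all five values through `env` and building the body with `jq` avoids both problems; the sketch below assumes `jq` is available on the runner. The listener workflow added in patch 5 inlines `github.event.client_payload` into `echo` in the same way.

```yaml
    - name: post to github api dispatches endpoint
      # … unchanged: the two documentation links …
      env:
        SECRET_TOKEN: ${{ inputs.secret-token }}
        TARGET_REPO: ${{ inputs.target-repo-owner }}/${{ inputs.target-repo-name }}
        EVENT_TYPE: ${{ inputs.event-type }}
        CLIENT_PAYLOAD: ${{ inputs.client-payload }}
      run: |
        # --argjson rejects a payload that is not valid JSON before any request is sent
        body="$(jq --null-input --compact-output \
          --arg event_type "$EVENT_TYPE" \
          --argjson client_payload "$CLIENT_PAYLOAD" \
          '{event_type: $event_type, client_payload: $client_payload}')"
        # … unchanged: curl --location, --fail-with-body, --request POST, Accept and X-GitHub-Api-Version headers …
          --header "Authorization: Bearer $SECRET_TOKEN" \
          --data "$body" \
          "https://api.github.com/repos/$TARGET_REPO/dispatches"
```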
@@ -13,10 +13,13 @@ jobs:
 dispatch:
 runs-on: ubuntu-latest
 steps:
- - name: checkout so we can use local action
+ - name: checkout in order to use local action
 uses: actions/checkout@v4
 - name: test action
 uses: ./.github/actions/repo-dispatch
 with:
 secret-token: my-secret-token
- another-secret: my-other-secret
+ target-repo-name: ${{ github.event.repository.name }}
+ target-repo-owner: ${{ github.repository_owner }}
+ event-type: my-event
+ client-payload: '{"my-key": "my-value"}'
From 3653862621c8d80e028dd2268e2bbab9fac43132 Mon Sep 17 00:00:00 2001
From: dennisvang <29799340+dennisvang@users.noreply.github.com>
Date: Wed, 19 Feb 2025 14:51:21 +0100
Subject: [PATCH 5/7] add test workflow for receiving repository_dispatch
---
 .github/actions/repo-dispatch/action.yml | 8 +++-----
 .github/workflows/test-repo-dispatch-listener.yml | 12 ++++++++++++
 .github/workflows/test-repo-dispatch.yml | 2 +-
 3 files changed, 16 insertions(+), 6 deletions(-)
 create mode 100644 .github/workflows/test-repo-dispatch-listener.yml
diff --git a/.github/actions/repo-dispatch/action.yml b/.github/actions/repo-dispatch/action.yml
index 7147ae6..8ce48bf 100644
--- a/.github/actions/repo-dispatch/action.yml
+++ b/.github/actions/repo-dispatch/action.yml
@@ -1,7 +1,7 @@
 name: repository-dispatch
 description: creates repository_dispatch event in target repository
 inputs:
- secret-token:
+ secret-token: # beware: mask is applied below
 description: fine-grained personal access token with content write permission for the target repo
 required: true
 type: string
@@ -28,10 +28,8 @@ runs:
 using: composite
 steps:
 - # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#masking-a-value-in-a-log
- name: mask secret inputs
- run: |
- echo "::add-mask::${{ inputs.secret-token }}"
- echo "::add-mask::${{ inputs.another-secret }}"
+ name: mask secret token
+ run: echo "::add-mask::${{ inputs.secret-token }}"
 shell: bash
 - name: post to github api dispatches endpoint
 # https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#create-a-repository-dispatch-event
diff --git a/.github/workflows/test-repo-dispatch-listener.yml b/.github/workflows/test-repo-dispatch-listener.yml
new file mode 100644
index 0000000..7dc478e
--- /dev/null
+++ b/.github/workflows/test-repo-dispatch-listener.yml
@@ -0,0 +1,12 @@
+name: test the receiving end of the repo-dispatch action
+
+on:
+ repository_dispatch:
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ echo "action: ${{ github.event.action }}"
+ echo "payload: ${{ github.event.client_payload }}"
diff --git a/.github/workflows/test-repo-dispatch.yml b/.github/workflows/test-repo-dispatch.yml
index 4a7a1ad..c2a3a61 100644
--- a/.github/workflows/test-repo-dispatch.yml
+++ b/.github/workflows/test-repo-dispatch.yml
@@ -18,7 +18,7 @@ jobs:
 - name: test action
 uses: ./.github/actions/repo-dispatch
 with:
- secret-token: my-secret-token
+ secret-token: ${{ secrets.personal_access_token }}
 target-repo-name: ${{ github.event.repository.name }}
 target-repo-owner: ${{ github.repository_owner }}
 event-type: my-event
From 74e17f9a639f69232bd2eccc0c70f6b02ffae774 Mon Sep 17 00:00:00 2001
From: dennisvang <29799340+dennisvang@users.noreply.github.com>
Date: Wed, 19 Feb 2025 15:02:00 +0100
Subject: [PATCH 6/7] show that we can dereference content of client_payload
---
 .github/workflows/test-repo-dispatch-listener.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
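Review bot: `on: repository_dispatch:` in the new listener workflow has no `types:` filter, so the job runs for every event type dispatched to the repository, not only the one the sender test uses. Since the sender passes `event-type: my-event`, adding `types: [my-event]` under `repository_dispatch:` limits the trigger to that event. The file also has no `permissions:` block; the job only echoes event data, so `permissions: {}` would cover it.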
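Review bot: `secrets.personal_access_token` is now passed in test-repo-dispatch.yml, which still triggers on `pull_request` (set in the first commit, outside this hunk). GitHub does not provide repository secrets to runs for pull requests from forks, so in those runs the action would send an empty bearer token and the curl step would fail. Guarding the step with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` skips it where the secret is unavailable.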
diff --git a/.github/workflows/test-repo-dispatch-listener.yml b/.github/workflows/test-repo-dispatch-listener.yml
index 7dc478e..c7e9818 100644
--- a/.github/workflows/test-repo-dispatch-listener.yml
+++ b/.github/workflows/test-repo-dispatch-listener.yml
@@ -9,4 +9,4 @@ jobs:
 steps:
 - run: |
 echo "action: ${{ github.event.action }}"
- echo "payload: ${{ github.event.client_payload }}"
+ echo "payload: ${{ github.event.client_payload.my-key }}"
From 1db94b6c48d88579b77ccd4b2ee3531f4898f743 Mon Sep 17 00:00:00 2001
From: dennisvang <29799340+dennisvang@users.noreply.github.com>
Date: Fri, 28 Feb 2025 10:13:14 +0100
Subject: [PATCH 7/7] clarify descriptions
---
 .github/actions/repo-dispatch/action.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/repo-dispatch/action.yml b/.github/actions/repo-dispatch/action.yml
index 8ce48bf..c879a06 100644
--- a/.github/actions/repo-dispatch/action.yml
+++ b/.github/actions/repo-dispatch/action.yml
@@ -15,11 +15,11 @@ inputs:
 type: string
 event-type:
 # https://docs.github.com/en/webhooks/webhook-events-and-payloads#repository_dispatch
- description: action in repository_dispatch event
+ description: action in repository_dispatch event (as in github.event.action)
 required: true
 type: string
 client-payload:
- description: client_payload in repository_dispatch event (a JSON object)
+ description: client_payload in repository_dispatch event (a JSON object, as in github.event.client_payload)
 required: true
 type: string
 default: '{}'