From ca333a25006b5e6cfcbb5309cc7e501566eb33a4 Mon Sep 17 00:00:00 2001
From: Joakim Olsson
Date: Thu, 8 Jan 2026 20:57:06 +0100
Subject: [PATCH] feat: use file-based release token instead of secret

---
 .gitea/workflows/Release.yml | 28 ++++++++++++++--------------
 README.md | 8 +++-----
 2 files changed, 17 insertions(+), 19 deletions(-)

diff --git a/.gitea/workflows/Release.yml b/.gitea/workflows/Release.yml
index 2d7a7fc..03614fa 100644
--- a/.gitea/workflows/Release.yml
+++ b/.gitea/workflows/Release.yml
@@ -8,13 +8,10 @@ on:
         required: false
         default: false
         type: boolean
-  secrets:
-    UNBOUND_RELEASE_TOKEN:
-      description: 'Token with API access to create PRs and releases'
-      required: true
 
 env:
   GITEA_URL: https://git.unbound.se
+  RELEASE_TOKEN_FILE: /runner-secrets/release-token
 
 jobs:
   preconditions:
@@ -24,14 +21,17 @@ jobs:
       image: amd64/alpine:3.22.2@sha256:b687e78c6e2785808446f45b52f1540a1e58adc07bdcffea354933b18c613d90
     steps:
       - name: Validate token
-        if: ${{ secrets.UNBOUND_RELEASE_TOKEN == '' }}
         run: |
-          echo "To use Unbound Release, a UNBOUND_RELEASE_TOKEN secret needs to be defined."
-          echo "It needs API access to write repository files, create PRs and releases."
-          echo " "
-          echo "Create a token in Gitea: Settings -> Applications -> Generate New Token"
-          echo "Required scopes: repository (read/write), issue (read/write)"
-          exit 1
+          if [ ! -r "${RELEASE_TOKEN_FILE}" ]; then
+            echo "Release token file not found at ${RELEASE_TOKEN_FILE}"
+            echo "This workflow requires the runner to have RELEASE_TOKEN configured."
+            exit 1
+          fi
+          if [ ! -s "${RELEASE_TOKEN_FILE}" ]; then
+            echo "Release token file is empty"
+            exit 1
+          fi
+          echo "Release token found"
 
   changelog:
     name: Generate Changelog
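Review bot: Removing the `secrets:` block from `workflow_call` moves the authorisation boundary from the calling repository to the runner: the caller no longer has to hold and pass a token, so the credential becomes ambient to whatever runner mounts `/runner-secrets/release-token`, and any job scheduled onto such a runner — including, if the runner accepts them, workflows from pull requests or unrelated repositories — can read it with a single `cat`. The hunk does not show the `runs-on` labels of the jobs that read the file, so I cannot tell whether those runners are restricted to release-trusted repositories; if they are not, that restriction (or an `if: github.event_name != 'pull_request'` guard on the token-reading jobs) is the control that replaces the explicit secret and should be made visible in the workflow. A comment on the new env line would at least record the assumption: `# Token is mounted by the runner, not passed by the caller: only runners restricted to release-trusted repos may provide this path`.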
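Review bot: The new check only proves the token file is readable inside the `preconditions` job's Alpine container, not in the jobs that later `cat` it (those steps live in other jobs in this file and may run in a different container or on a different runner), so a missing mount there would still surface only as an authentication failure partway through a release. It also does not check who else can read the file; busybox `stat` is available in Alpine, and failing when `stat -c '%a' "${RELEASE_TOKEN_FILE}"` reports a mode wider than `600`/`400` would catch a world-readable mount before the token is used. The second error message refers to `RELEASE_TOKEN` while the operator actually has to provide a file, so `echo "The runner must mount the release token at ${RELEASE_TOKEN_FILE}"` would avoid sending them looking for a secret that no longer exists.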
@@ -99,10 +99,10 @@ jobs:
       - name: Create or update release PR
         env:
-          TOKEN: ${{ secrets.UNBOUND_RELEASE_TOKEN }}
           REPOSITORY: ${{ github.repository }}
           DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
         run: |
+          TOKEN=$(cat "${RELEASE_TOKEN_FILE}")
           VERSION=$(cat VERSION)
           OWNER=$(echo "${REPOSITORY}" | cut -d'/' -f1)
           REPO=$(echo "${REPOSITORY}" | cut -d'/' -f2)
@@ -312,10 +312,10 @@ jobs:
       - name: Create release
         env:
-          TOKEN: ${{ secrets.UNBOUND_RELEASE_TOKEN }}
           REPOSITORY: ${{ github.repository }}
           DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
         run: |
+          TOKEN=$(cat "${RELEASE_TOKEN_FILE}")
           if [ ! -r .version ]; then
             echo "Version file not found"
             exit 0
@@ -375,10 +375,10 @@ jobs:
       - name: Create tag
         env:
-          TOKEN: ${{ secrets.UNBOUND_RELEASE_TOKEN }}
           REPOSITORY: ${{ github.repository }}
           DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
         run: |
+          TOKEN=$(cat "${RELEASE_TOKEN_FILE}")
           if [ ! -r .version ]; then
             echo "Version file not found"
             exit 0
diff --git a/README.md b/README.md
index efbe18f..42bce87 100644
--- a/README.md
+++ b/README.md
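Review bot: Reading the token into a shell variable with `TOKEN=$(cat "${RELEASE_TOKEN_FILE}")` takes it out of the runner's secret masking: a `${{ secrets.* }}` value is redacted from job logs, but a string read from a file inside `run:` is not, so a stray `set -x`, a debug `echo`, or a curl failure that prints the request would now write the token to the log in clear. If act_runner honours workflow commands, registering the value right after the read, `echo "::add-mask::${TOKEN}"`, restores the redaction; the same applies to the identical lines in the Create release and Create tag steps in the next two hunks. The remainder of each step's body, where the token is actually used, continues outside the hunk.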
@@ -20,21 +20,19 @@ on:
 jobs:
   release:
     uses: unboundsoftware/shared-workflows/.gitea/workflows/Release.yml@main
-    secrets:
-      UNBOUND_RELEASE_TOKEN: ${{ secrets.GIT_API_TOKEN }}
 ```
 
 **Inputs:**
 
 - `tag_only` (boolean, default: `false`): Set to `true` to only create tags without full releases
 
-**Secrets:**
+**Requirements:**
 
-- `UNBOUND_RELEASE_TOKEN` (required): Token with API access to create PRs and releases. Required scopes: `repository` (read/write), `issue` (read/write)
+This workflow reads the release token from `/runner-secrets/release-token`, which is automatically available on Unbound's Gitea runners. No repository secrets need to be configured.
 
 **How it works:**
 
 1. On each push to the default branch, generates a changelog using git-cliff
 2. Creates or updates a `next-release` branch with the updated CHANGELOG.md and .version file
 3. Opens or updates a PR titled "chore(release): prepare for vX.Y.Z"
-4. When the .version file exists (after merging the release PR), creates a GitHub release with the changelog
+4. When the .version file exists (after merging the release PR), creates a Gitea release with the changelog