internal/ci: update base from bbb2452e in the main CUE repo

DO NOT SUBMIT Need to update commit ref above. The changes in the generated .github/workflows/*.yaml files are accounted for by the "upstream" changes to a custom default shell. Signed-off-by: Paul Jolly <[email protected]> Change-Id: Ie8f2b9488d938b83ce3557277ddeb350b62d2e0e Dispatch-Trailer: {"type":"trybot","CL":1206958,"patchset":1,"ref":"refs/changes/58/1206958/1","targetBranch":"master"}
cue-lang · Jan 9, 2025 · a0edeb7 · a0edeb7
1 parent d8ec058
commit a0edeb7
Show file tree

Hide file tree

Showing 8 changed files with 23 additions and 26 deletions.
diff --git a/.github/workflows/evict_caches.yaml b/.github/workflows/evict_caches.yaml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-22.04
     defaults:
       run:
-        shell: bash
+        shell: bash --noprofile --norc -euo pipefail {0}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

diff --git a/.github/workflows/push_tip_to_trybot.yaml b/.github/workflows/push_tip_to_trybot.yaml
@@ -46,5 +46,5 @@ jobs:
           fi
     defaults:
       run:
-        shell: bash
+        shell: bash --noprofile --norc -euo pipefail {0}
     if: ${{github.repository == 'cue-lang/vscode-cue'}}
diff --git a/.github/workflows/trybot.yaml b/.github/workflows/trybot.yaml
@@ -19,7 +19,7 @@ jobs:
       Dispatch-Trailer: {"type":"'))
     defaults:
       run:
-        shell: bash
+        shell: bash --noprofile --norc -euo pipefail {0}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -108,9 +108,7 @@ jobs:
           node-version: 22.11.0
       - name: Early git and code sanity checks
         run: go run cuelang.org/go/internal/ci/[email protected]
-      - run: cue login --token=${CUE_TOKEN}
-        env:
-          CUE_TOKEN: ${{ secrets.NOTCUECKOO_CUE_TOKEN }}
+      - run: cue login --token=${{ secrets.NOTCUECKOO_CUE_TOKEN }}
       - name: Add node_modules/.bin to PATH and npm install
         run: |-
           echo "PATH=$PWD/node_modules/.bin:$PATH" >> $GITHUB_ENV

diff --git a/.github/workflows/trybot_dispatch.yaml b/.github/workflows/trybot_dispatch.yaml
@@ -12,7 +12,7 @@ jobs:
     if: ${{ ((github.ref == 'refs/heads/ci/test') && false) || github.event.client_payload.type == 'trybot' }}
     defaults:
       run:
-        shell: bash
+        shell: bash --noprofile --norc -euo pipefail {0}
     steps:
       - name: Write netrc file for cueckoo Gerrithub
         run: |-

diff --git a/internal/ci/base/base.cue b/internal/ci/base/base.cue
@@ -55,6 +55,11 @@ botGerritHubUser:                   *botGitHubUser | string
 botGerritHubUserPasswordSecretsKey: *(strings.ToUpper(botGitHubUser) + "_GERRITHUB_PASSWORD") | string
 botGerritHubUserEmail:              *botGitHubUserEmail | string
 
+unprivilegedBotGitHubUser:                               "not" + botGitHubUser
+unprivilegedBotGitHubUserCentralRegistryTokenSecretsKey: *(strings.ToUpper(unprivilegedBotGitHubUser) + "_CUE_TOKEN") | string
+
+cueCommand: *"cue" | string
+
 workflowFileExtension: ".yaml"
 
 linuxMachine: string

diff --git a/internal/ci/base/gerrithub.cue b/internal/ci/base/gerrithub.cue
@@ -40,7 +40,6 @@ trybotDispatchWorkflow: bashWorkflow & {
 			branches: [testDefaultBranch]
 		}
 	}
-	jobs: [string]: defaults: run: shell: "bash"
 	jobs: {
 		(trybot.key): {
 			"runs-on": linuxMachine
@@ -157,8 +156,6 @@ trybotDispatchWorkflow: bashWorkflow & {
 }
 
 pushTipToTrybotWorkflow: bashWorkflow & {
-	jobs: [string]: defaults: run: shell: "bash"
-
 	on: {
 		push: branches: protectedBranchPatterns
 	}

diff --git a/internal/ci/base/github.cue b/internal/ci/base/github.cue
@@ -12,7 +12,11 @@ import (
 )
 
 bashWorkflow: githubactions.#Workflow & {
-	jobs: [string]: defaults: run: shell: "bash"
+	// Use a custom default shell that extends the GitHub default to also fail
+	// on access to unset variables.
+	//
+	// https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#defaultsrunshell
+	jobs: [string]: defaults: run: shell: "bash --noprofile --norc -euo pipefail {0}"
 }
 
 installGo: {
@@ -67,7 +71,7 @@ checkoutCode: {
 		name: "Checkout code"
 		uses: "actions/checkout@v4"
 
-		// "pull_request" builds will by default use a merge commit,
+		// "pull_request_target" builds will by default use a merge commit,
 		// testing the PR's HEAD merged on top of the master branch.
 		// For consistency with Gerrit, avoid that merge commit entirely.
 		// This doesn't affect builds by other events like "push",
@@ -366,3 +370,9 @@ containsUnityTrailer: containsDispatchTrailer & {
 }
 
 _dispatchTrailerVariable: "github.event.head_commit.message"
+
+loginCentralRegistry: githubactions.#Step & {
+	#cueCommand:      *cueCommand | string
+	#tokenExpression: *"${{ secrets.\(unprivilegedBotGitHubUserCentralRegistryTokenSecretsKey) }}" | string
+	run:              "\(#cueCommand) login --token=\(#tokenExpression)"
+}
diff --git a/internal/ci/github/trybot.cue b/internal/ci/github/trybot.cue
@@ -104,7 +104,7 @@ workflows: trybot: _repo.bashWorkflow & {
 
 			_repo.earlyChecks,
 
-			_centralRegistryLogin,
+			_repo.loginCentralRegistry,
 
 			npmSetup,
 			extensionStep & npmSetup,
@@ -182,16 +182,3 @@ _installCUE: githubactions.#Step & {
 	uses: "cue-lang/[email protected]"
 	with: version: _repo.cueVersion
 }
-
-_centralRegistryLogin: githubactions.#Step & {
-	env: {
-		// Note: this token has read-only access to the registry
-		// and is used only because we need some credentials
-		// to pull dependencies from the Central Registry.
-		// The token is owned by notcueckoo and described as "ci readonly".
-		CUE_TOKEN: "${{ secrets.NOTCUECKOO_CUE_TOKEN }}"
-	}
-	run: """
-		cue login --token=${CUE_TOKEN}
-		"""
-}