internal/ci: pass access token to releaser step

A previous CL (https://cuelang.org/cl/1201986) started using the Central
Registry for github actions schemas, but the `cue cmd release` command
run in `internal/ci` also depends on some of the same CUE code, so
provide the token to that step too, making it easily reusable if we find
more steps that need it.

Signed-off-by: Roger Peppe <[email protected]>
Change-Id: Ibb4a8b0cbb1bb2af2e8797f1b934fcbae410aa58
Reviewed-on: https://review.gerrithub.io/c/cue-lang/cue/+/1202051
Reviewed-by: Daniel Martí <[email protected]>
TryBot-Result: CUEcueckoo <[email protected]>
Unity-Result: CUE porcuepine <[email protected]>

Author: rogpeppe

.github/workflows/release.yaml

@@ -83,8 +83,12 @@ jobs:
           version: v2.2.0
       - name: Run GoReleaser with CUE
         env:
+          CUE_LOGINS: ${{ secrets.NOTCUECKOO_CUE_LOGINS }}
           GITHUB_TOKEN: ${{ secrets.CUECKOO_GITHUB_PAT }}
-        run: cue cmd release
+        run: |-
+          export CUE_CONFIG_DIR=$(mktemp -d)
+          echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json
+          cue cmd release
         working-directory: ./internal/ci/goreleaser
       - name: Re-test cuelang.org
         if: startsWith(github.ref, 'refs/tags/v')

internal/ci/github/logins.cue

@@ -0,0 +1,37 @@
+// Copyright 2024 The CUE Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package github
+
+import (
+	"github.com/cue-tmp/jsonschema-pub/exp1/githubactions"
+)
+
+// _registryReadOnlyAccessStep defines a step that configures
+// a read-only Central Registry access credential. The actual
+// command should be placed in the _run field.
+_registryReadOnlyAccessStep: githubactions.#Step & {
+	_run!: string
+	env: {
+		// Note: this token has read-only access to the registry
+		// and is used only because we need some credentials
+		// to pull dependencies from the Central Registry.
+		CUE_LOGINS: "${{ secrets.NOTCUECKOO_CUE_LOGINS }}"
+	}
+	run: """
+		export CUE_CONFIG_DIR=$(mktemp -d)
+		echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json
+		\(_run)
+		"""
+}

internal/ci/github/release.cue

@@ -79,12 +79,12 @@ workflows: release: _repo.bashWorkflow & {
 					version:        _repo.goreleaserVersion
 				}
 			},
-			githubactions.#Step & {
+			_registryReadOnlyAccessStep & {
 				// Note that the logic for what gets run at release time
 				// is defined with the release command in CUE.
 				name: "Run GoReleaser with CUE"
 				env: GITHUB_TOKEN: "${{ secrets.CUECKOO_GITHUB_PAT }}"
-				run:                 "cue cmd release"
+				_run:                 "cue cmd release"
 				"working-directory": "./internal/ci/goreleaser"
 			},
 			_repo.repositoryDispatch & {

internal/ci/github/trybot.cue

@@ -108,19 +108,9 @@ workflows: trybot: _repo.bashWorkflow & {
 	// work.
 	_isLatestLinux: "(\(goVersion) == '\(_repo.latestGo)' && \(matrixRunner) == '\(_repo.linuxMachine)')"
 
-	_goGenerate: githubactions.#Step & {
+	_goGenerate: _registryReadOnlyAccessStep & {
 		name: "Generate"
-		env: {
-			// Note: this token has read-only access to the registry
-			// and is used only because we need some credentials
-			// to pull dependencies from the Central Registry.
-			CUE_LOGINS: "${{ secrets.NOTCUECKOO_CUE_LOGINS }}"
-		}
-		run:  """
-			export CUE_CONFIG_DIR=$(mktemp -d)
-			echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json
-			go generate ./...
-			"""
+		_run:  "go generate ./..."
 		// The Go version corresponds to the precise version specified in
 		// the matrix. Skip windows for now until we work out why re-gen is flaky
 		if: _isLatestLinux