internal: switch CI and the e2e tests to cue login --token

The new tokens generated by registry.cue.works are valid for a full year rather than regular OAuth2 access tokens, which are only valid for a few weeks, meaning we don't have to update the secrets as much. Moreover, direct support on the client side via `cue login --token` means that we no longer have to set up logins.json manually. While here, I also removed the E2E_CUE_LOGINS secret, now that the v0.10 release branch has been archived and is no longer needed. Signed-off-by: Daniel Martí <mvdan@mvdan.cc> Change-Id: Id8620d533349a6dd81a3d069f9425a85ec3d06ad Reviewed-on: https://review.gerrithub.io/c/cue-lang/cue/+/1204254 TryBot-Result: CUEcueckoo <cueckoo@cuelang.org> Reviewed-by: Roger Peppe <rogpeppe@gmail.com> Unity-Result: CUE porcuepine <cue.porcuepine@gmail.com>
cue-lang · Nov 19, 2024 · 7edac8b · 7edac8b
1 parent c97d709
commit 7edac8b
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 24 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -83,12 +83,11 @@ jobs:
           version: v2.3.2
       - name: Run GoReleaser with CUE
         run: |-
-          export CUE_CONFIG_DIR=$(mktemp -d)
-          echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json
+          go run cuelang.org/go/cmd/cue login --token=${CUE_TOKEN}
           cue cmd release
         working-directory: ./internal/ci/goreleaser
         env:
-          CUE_LOGINS: ${{ secrets.NOTCUECKOO_CUE_LOGINS }}
+          CUE_TOKEN: ${{ secrets.NOTCUECKOO_CUE_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.CUECKOO_GITHUB_PAT }}
       - if: startsWith(github.ref, 'refs/tags/v')
         name: Re-test cuelang.org

diff --git a/.github/workflows/trybot.yaml b/.github/workflows/trybot.yaml
@@ -145,7 +145,7 @@ jobs:
           Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test')) && (matrix.go-version == '1.23.x' && matrix.runner == 'ubuntu-22.04')
         name: End-to-end test
         env:
-          CUE_TEST_LOGINS: ${{ secrets.E2E_PORCUEPINE_CUE_LOGINS }}
+          CUE_TEST_TOKEN: ${{ secrets.E2E_PORCUEPINE_CUE_TOKEN }}
         run: |-
           cd internal/_e2e
           go test -race
@@ -174,11 +174,10 @@ jobs:
       - if: (matrix.go-version == '1.23.x' && matrix.runner == 'ubuntu-22.04')
         name: Generate
         run: |-
-          export CUE_CONFIG_DIR=$(mktemp -d)
-          echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json
+          go run cuelang.org/go/cmd/cue login --token=${CUE_TOKEN}
           go generate ./...
         env:
-          CUE_LOGINS: ${{ secrets.NOTCUECKOO_CUE_LOGINS }}
+          CUE_TOKEN: ${{ secrets.NOTCUECKOO_CUE_TOKEN }}
       - if: always()
         name: Check that git is clean at the end of the job
         run: test -z "$(git status --porcelain)" || (git status; git diff; false)
diff --git a/internal/_e2e/script_test.go b/internal/_e2e/script_test.go
@@ -104,14 +104,13 @@ func TestScript(t *testing.T) {
 			configDir := filepath.Join(env.WorkDir, "tmp/configdir")
 			env.Setenv("CUE_CONFIG_DIR", configDir)
 
-			// CUE_TEST_LOGINS is a secret used by the scripts publishing to registry.cue.works.
+			// CUE_TEST_TOKEN is a secret used by the scripts publishing to registry.cue.works.
 			// When unset, those tests would fail with an auth error.
-			if logins := os.Getenv("CUE_TEST_LOGINS"); logins != "" {
-				if err := os.MkdirAll(configDir, 0o777); err != nil {
-					return err
-				}
-				if err := os.WriteFile(filepath.Join(configDir, "logins.json"), []byte(logins), 0o666); err != nil {
-					return err
+			if token := os.Getenv("CUE_TEST_TOKEN"); token != "" {
+				cmd := exec.Command("cue", "login", "--token", token)
+				cmd.Env = env.Vars // store the token in the CUE_CONFIG_DIR we just set
+				if out, err := cmd.CombinedOutput(); err != nil {
+					return fmt.Errorf("%v: %s", err, out)
 				}
 			}
 			return nil

diff --git a/internal/_e2e/testdata/script/github_app_private.txtar b/internal/_e2e/testdata/script/github_app_private.txtar
@@ -1,5 +1,5 @@
 # Publish a CUE module under a private GitHub repository namespace
-# where the $CUE_TEST_LOGINS tokens have full read-write access.
+# where `cue login` has been set up with read-write access to the namespace.
 # Publish a version for this new repository with `cue mod publish`,
 # and then fetch the module as a dependency via cmd/cue.
 

diff --git a/internal/_e2e/testdata/script/github_app_public.txtar b/internal/_e2e/testdata/script/github_app_public.txtar
@@ -1,5 +1,5 @@
 # Publish a CUE module under a public GitHub repository namespace
-# where the $CUE_TEST_LOGINS tokens have full read-write access.
+# where `cue login` has been set up with read-write access to the namespace.
 # Publish a version for this new repository with `cue mod publish`,
 # and then fetch the module as a dependency via cmd/cue.
 

diff --git a/internal/ci/github/logins.cue b/internal/ci/github/logins.cue
@@ -27,11 +27,17 @@ _registryReadOnlyAccessStep: githubactions.#Step & {
 		// Note: this token has read-only access to the registry
 		// and is used only because we need some credentials
 		// to pull dependencies from the Central Registry.
-		CUE_LOGINS: "${{ secrets.NOTCUECKOO_CUE_LOGINS }}"
+		// The token is owned by notcueckoo and described as "ci readonly".
+		// TODO(mvdan): delete the NOTCUECKOO_CUE_LOGINS org secret once all uses are gone;
+		// it will have expired by early December 2024 anyway.
+		CUE_TOKEN: "${{ secrets.NOTCUECKOO_CUE_TOKEN }}"
 	}
+	// For now we `go run` cue to not rely on a previous `go install ./cmd/cue`
+	// to have happened, which is very easy to forget or misconfigure.
+	// We use the full import path so that this works from any module subdirectory.
+	// TODO(mvdan): switch to `go tool cue` as soon as we are able to.
 	run: """
-		export CUE_CONFIG_DIR=$(mktemp -d)
-		echo "$CUE_LOGINS" > $CUE_CONFIG_DIR/logins.json
+		go run cuelang.org/go/cmd/cue login --token=${CUE_TOKEN}
 		\(_run)
 		"""
 }
diff --git a/internal/ci/github/trybot.cue b/internal/ci/github/trybot.cue
@@ -143,11 +143,9 @@ workflows: trybot: _repo.bashWorkflow & {
 		{
 			name: "End-to-end test"
 			env: {
-				// E2E_PORCUEPINE_CUE_LOGINS is the logins.json resulting from doing a `cue login`
-				// with registry.cue.works as the GitHub porcuepine user.
-				// TODO(mvdan): remove the E2E_CUE_LOGINS secret once all uses are gone,
-				// i.e. once the release branch for v0.10 is deleted.
-				CUE_TEST_LOGINS: "${{ secrets.E2E_PORCUEPINE_CUE_LOGINS }}"
+				// E2E_PORCUEPINE_CUE_TOKEN is a token generated on registry.cue.works
+				// as the GitHub porcuepine user, with description "e2e cue repo".
+				CUE_TEST_TOKEN: "${{ secrets.E2E_PORCUEPINE_CUE_TOKEN }}"
 			}
 			// Our regular tests run with both `go test ./...` and `go test -race ./...`.
 			// The end-to-end tests should only be run once, given the slowness and API rate limits.