Convert update-plugin-index to a composite action #85

Draft
scotwells wants to merge 2 commits into main from feat/update-plugin-index-composite
@scotwells

Why

The update-plugin-index reusable workflow (shipped in v1.17.0) can't actually do its job. Callers mint a GitHub App token to open the cross-repo catalog PR, but a reusable workflow runs as its own job, so the token has to cross a job boundary — and masked values are scrubbed to empty when passed through job outputs. In practice the catalog checkout failed with Input required and not supplied: token.

What this changes

Converts it from a reusable workflow to a composite action (update-plugin-index/action.yml) — the repo's first. A composite action runs inside the caller's job, so the token is minted and used in the same job and passed directly as the token input (no cross-job hop). The step logic and the generic archive→checksum mapping are unchanged; the only interface change is the cross-repo credential moving from a PLUGIN_INDEX_TOKEN secret to a token input.

  • Adds update-plugin-index/action.yml.
  • Removes .github/workflows/update-plugin-index.yaml.
  • Updates docs/update-plugin-index/ and CLAUDE.md.

Callers now mint + call in one job:

steps:
  - uses: actions/create-github-app-token@v2
    id: app-token
    with: { app-id: ..., private-key: ..., owner: milo-os, repositories: cli-plugins }
  - uses: datum-cloud/actions/update-plugin-index@v1
    with:
      index-repo: milo-os/cli-plugins
      plugin-name: ipam
      version: ${{ github.event.release.tag_name }}
      token: ${{ steps.app-token.outputs.token }}

Verification

Validated end-to-end against the existing milo-os/ipam v0.2.0 release assets, opening a real PR on a scratch milo-os/cli-plugins branch (see comments).

Related work

scotwells added 2 commits July 1, 2026 00:55
A GitHub App installation token minted in one job and passed to a reusable
workflow (a separate job) is scrubbed to empty — masked values don't survive
job-to-job outputs, so the reusable-workflow form couldn't actually check out
the catalog repo. A composite action runs inside the caller's job, so the
token is minted and used in one job and passed directly as the `token` input.

Same logic and generic archive->checksum mapping as before; the cross-repo
credential moves from a `PLUGIN_INDEX_TOKEN` secret to a `token` input.

Point the generated PR at the release page so reviewers can see what changed
in the release the plugin is being bumped to.
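
The failure mode this pull request describes, next to the single-job form that replaces it, as an added example that is not code from the PR or from the datum-cloud/actions repository. Assumptions: `APP_ID` and `APP_PRIVATE_KEY` are placeholder secret names, the job names are made up, the `release` trigger is inferred from the use of `github.event.release.tag_name`, and the reusable workflow is assumed to take the same `index-repo`, `plugin-name` and `version` inputs as the composite action.

```yaml
# Added illustration (not from the PR). Secret names and job names are placeholders.
# Both forms sit in one file only so they can be compared side by side.
on:
  release:
    types: [published]
jobs:
  # Broken: the token is minted in one job and consumed in another.
  mint:
    runs-on: ubuntu-latest
    outputs:
      # The App token is a masked value. The runner refuses to publish a job
      # output that contains one, so downstream jobs read an empty string.
      token: ${{ steps.app-token.outputs.token }}
    steps:
      - uses: actions/create-github-app-token@v2
        id: app-token
        with:
          app-id: ${{ secrets.APP_ID }}                # placeholder
          private-key: ${{ secrets.APP_PRIVATE_KEY }}  # placeholder
          owner: milo-os
          repositories: cli-plugins
  update-broken:
    needs: mint
    # A reusable workflow always runs as its own job (inputs assumed).
    uses: datum-cloud/actions/.github/workflows/update-plugin-index.yaml@v1.17.0
    with:
      index-repo: milo-os/cli-plugins
      plugin-name: ipam
      version: ${{ github.event.release.tag_name }}
    secrets:
      PLUGIN_INDEX_TOKEN: ${{ needs.mint.outputs.token }}  # empty at runtime
  # Working: mint and use the token inside the same job.
  update-working:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v2
        id: app-token
        with:
          app-id: ${{ secrets.APP_ID }}                # placeholder
          private-key: ${{ secrets.APP_PRIVATE_KEY }}  # placeholder
          owner: milo-os
          repositories: cli-plugins
      - uses: datum-cloud/actions/update-plugin-index@v1
        with:
          index-repo: milo-os/cli-plugins
          plugin-name: ipam
          version: ${{ github.event.release.tag_name }}
          token: ${{ steps.app-token.outputs.token }}  # step output, same job
```

Scoping the App token to the single `cli-plugins` repository, as the PR's own snippet does, keeps the credential's reach limited to the catalog repo in either form.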