From e3196aad965e9c9b34923854ae406c05de563aba Mon Sep 17 00:00:00 2001 From: Robbert Bos Date: Sun, 1 Feb 2026 00:02:56 +0100 Subject: [PATCH] feat: default github-token to github.token The github-token input now defaults to the automatic workflow token, so users no longer need to explicitly pass github-token: ${{ secrets.GITHUB_TOKEN }}. This follows the same pattern as GitHub's official actions/checkout action. A custom token is only needed for cross-repository operations or when using a PAT. Note: Users still need to set permissions at workflow level (e.g., pull-requests: write). --- CHANGELOG.md | 5 +++++ cleanup/README.md | 5 +---- cleanup/action.yml | 8 ++++---- deploy/README.md | 5 ++--- deploy/action.yml | 8 ++++---- 5 files changed, 16 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 96d3c9d..45720f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - SECURITY.md with security policy - Pre-commit hooks configuration +### Changed +- **deploy** and **cleanup** actions: `github-token` now defaults to `github.token` + - No longer necessary to explicitly pass `github-token: ${{ secrets.GITHUB_TOKEN }}` + - Only needed when using a custom PAT for cross-repository operations + ### Fixed - ShellCheck warnings: properly quoted GITHUB_OUTPUT - Actionlint configuration to only lint workflow files diff --git a/cleanup/README.md b/cleanup/README.md index 2831b40..f8eafcf 100644 --- a/cleanup/README.md +++ b/cleanup/README.md 
@@ -15,7 +15,7 @@ Removes a ZAD deployment and optionally cleans up associated GitHub resources (e | `container-org` | No | `''` | Organization owning the container (for image deletion) | | `container-name` | No | `''` | Container package name (for image deletion) | | `container-tag` | No | `''` | Container tag to delete (for image deletion) | -| `github-token` | No | `''` | GitHub token for deployment and container deletion (`deployments: write`, `packages: delete`) | +| `github-token` | No | `github.token` | GitHub token for deployments/containers/PR (defaults to automatic token) | | `github-admin-token` | No | `''` | GitHub token for environment deletion (needs repo admin permission) | | `api-base-url` | No | `https://operations-manager.rig.prd1.gn2.quattro.rijksapps.nl/api` | ZAD Operations Manager API base URL | | `update-pr-comment` | No | `false` | Update the deploy PR comment to show cleanup status | @@ -59,7 +59,6 @@ Removes a ZAD deployment and optionally cleans up associated GitHub resources (e container-org: minbzk container-name: regelrecht-mvp container-tag: pr-${{ github.event.number }} - github-token: ${{ secrets.GITHUB_TOKEN }} github-admin-token: ${{ secrets.GITHUB_ADMIN_TOKEN }} ``` @@ -86,7 +85,6 @@ cleanup-preview: container-org: ${{ github.repository_owner }} container-name: ${{ github.event.repository.name }} container-tag: pr-${{ github.event.number }} - github-token: ${{ secrets.GITHUB_TOKEN }} github-admin-token: ${{ secrets.GITHUB_ADMIN_TOKEN }} update-pr-comment: true ``` @@ -195,7 +193,6 @@ Check cleanup results and take action: container-org: ${{ github.repository_owner }} container-name: my-app container-tag: pr-${{ github.event.number }} - github-token: ${{ secrets.GITHUB_TOKEN }} github-admin-token: ${{ secrets.GITHUB_ADMIN_TOKEN }} - name: Report cleanup results diff --git a/cleanup/action.yml b/cleanup/action.yml index 5a637c5..ed05bd1 100644 --- a/cleanup/action.yml +++ b/cleanup/action.yml 
@@ -42,9 +42,9 @@ inputs: required: false default: '' github-token: - description: 'GitHub token for deployment deletion (needs deployments:write permission)' + description: 'GitHub token for deployment/PR operations (defaults to automatic token)' required: false - default: '' + default: ${{ github.token }} github-admin-token: description: 'GitHub token for environment deletion (needs repo admin permission, typically GITHUB_ADMIN_TOKEN secret)' required: false @@ -138,7 +138,7 @@ runs: - name: Delete GitHub Deployments id: delete-github-deployments - if: inputs.delete-github-deployments == 'true' && inputs.github-token != '' + if: inputs.delete-github-deployments == 'true' shell: bash env: GH_TOKEN: ${{ inputs.github-token }} @@ -275,7 +275,7 @@ runs: - name: Update PR Comment id: update-pr-comment - if: inputs.update-pr-comment == 'true' && inputs.github-token != '' && github.event_name == 'pull_request' + if: inputs.update-pr-comment == 'true' && github.event_name == 'pull_request' shell: bash env: GH_TOKEN: ${{ inputs.github-token }} diff --git a/deploy/README.md b/deploy/README.md index 8f3b101..0748673 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -15,7 +15,7 @@ Deploys a container image to ZAD Operations Manager. | `force-clone` | No | `false` | Force clone even if deployment already exists | | `api-base-url` | No | `https://operations-manager.rig.prd1.gn2.quattro.rijksapps.nl/api` | ZAD Operations Manager API base URL | | `comment-on-pr` | No | `false` | Post/update a comment on the PR with the deployment URL | -| `github-token` | No | `''` | GitHub token for PR commenting (needs `pull-requests: write`) | +| `github-token` | No | `github.token` | GitHub token for PR commenting (defaults to automatic token) | | `comment-header` | No | `## 🚀 Preview Deployment` | Custom header for the PR comment | ## Outputs 
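Review bot: The rewritten `github-token` description in the `inputs:` hunk of cleanup/action.yml no longer says which permissions the token needs, even though the token is now supplied by default and its rights come entirely from the calling job's `permissions:` block. The removed text named `deployments:write`, and the commit message itself says callers must still grant permissions at workflow level, so the description should keep that, for example `description: 'GitHub token for deployment/PR operations (defaults to github.token; the job must grant deployments: write, plus pull-requests: write for PR comments)'`. The same applies to the `github-token` description in the deploy/action.yml `inputs:` hunk, which dropped `pull-requests: write`. The cleanup README row in this patch also drops `packages: delete`; whether container deletion uses this token is not visible here, so confirm and list it if it does.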
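Review bot: Dropping `inputs.github-token != ''` from the `if:` of "Delete GitHub Deployments" removes the only skip path for a caller that passes an empty token explicitly. As far as I know, an input default is applied only when the input is omitted, so `github-token: ${{ secrets.SOME_PAT }}` (placeholder name) with an unset or unavailable secret now reaches the step with an empty `GH_TOKEN` instead of skipping it. Keeping the guard costs nothing alongside the new default: `if: inputs.delete-github-deployments == 'true' && inputs.github-token != ''`. The same guard was removed from "Update PR Comment" in this file (`@@ -275,7`) and from "Comment on PR" in deploy/action.yml (`@@ -182,7`). Separately, callers that enabled these flags without passing a token previously had the steps skipped and will now run them with the workflow token, including deployment deletion, which deserves an explicit line in the changelog entry; the step bodies lie outside the hunks, so their behaviour with an empty token is not visible here.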
@@ -79,7 +79,6 @@ deploy-preview: image: ghcr.io/org/app:pr-${{ github.event.number }} clone-from: production comment-on-pr: true - github-token: ${{ secrets.GITHUB_TOKEN }} ``` The action will create a comment like this on the PR: @@ -121,7 +120,7 @@ deploy: | Basic deployment | None (only ZAD API key) | | PR commenting | `pull-requests: write` | -For PR commenting, pass `github-token: ${{ secrets.GITHUB_TOKEN }}` and ensure your job has the required permission: +For PR commenting, ensure your job has the required permission (the token defaults to `github.token`): ```yaml permissions: diff --git a/deploy/action.yml b/deploy/action.yml index 8822722..ddda836 100644 --- a/deploy/action.yml +++ b/deploy/action.yml @@ -36,13 +36,13 @@ inputs: required: false default: 'https://operations-manager.rig.prd1.gn2.quattro.rijksapps.nl/api' comment-on-pr: - description: 'Post/update a comment on the PR with the deployment URL (requires github-token)' + description: 'Post/update a comment on the PR with the deployment URL' required: false default: 'false' github-token: - description: 'GitHub token for PR commenting (needs pull-requests: write permission)' + description: 'GitHub token for PR commenting (defaults to automatic token)' required: false - default: '' + default: ${{ github.token }} comment-header: description: 'Custom header for the PR comment (default: "## 🚀 Preview Deployment")' required: false @@ -182,7 +182,7 @@ runs: fi - name: Comment on PR - if: inputs.comment-on-pr == 'true' && inputs.github-token != '' && github.event_name == 'pull_request' + if: inputs.comment-on-pr == 'true' && github.event_name == 'pull_request' shell: bash env: GH_TOKEN: ${{ inputs.github-token }}