action: generate action.yml from CUE

Embed the JS from a separate JavaScript file making editing that in
future easier.

There are no changes to the code itself, but for the formatting changes
applied by prettier. We will setup npm etc in a later CL, making minimal
changes here for now.

Also test the action as part of this repo's CI. A simple attempt to use
the action is sufficient, because this triggers the fetching of a token
from the Central Registry.

Signed-off-by: Paul Jolly <paul@myitcv.io>
Change-Id: I4066b03b798c2401d8fe096f85b3c64d0caefc6e
Reviewed-on: https://review.gerrithub.io/c/cue-labs/registry-login-action/+/1230255
Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
TryBot-Result: CUE porcuepine <cue.porcuepine@gmail.com>

Author: myitcv

.github/workflows/trybot.yaml

@@ -18,6 +18,8 @@ jobs:
       run:
         shell: bash --noprofile --norc -euo pipefail {0}
     runs-on: namespace-profile-linux-amd64
+    permissions:
+      id-token: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
@@ -53,3 +55,5 @@ jobs:
         run: |-
           echo "github.event.head_commit.message contains Dispatch-Trailer but we are on a protected branch"
           false
+      - name: Login to CUE Central Registry
+        uses: ./

action.cue

@@ -0,0 +1,37 @@
+@extern(embed)
+
+package action
+
+name:        "Login to CUE Registry via GitHub OIDC"
+description: "Authenticate to a CUE registry using GitHub OIDC tokens"
+branding: {
+	icon:  "log-in"
+	color: "blue"
+}
+inputs: {
+	registry: {
+		description: "CUE registry"
+		required:    false
+		default:     "registry.cue.works"
+	}
+	update_logins: {
+		description: "Whether to update the local CUE logins.json file"
+		required:    false
+		default:     "true"
+	}
+}
+outputs: access_token: {
+	description: "The access token obtained from the registry"
+	value:       "${{ steps.oidc.outputs.access_token }}"
+}
+runs: {
+	using: "composite"
+	steps: [{
+		name: "Get OIDC token and login"
+		id:   "oidc"
+		uses: "actions/github-script@v7"
+		with: {
+			script: _ @embed(file=action.js,type=text)
+		}
+	}]
+}

action.js

@@ -0,0 +1,66 @@
+const registry = "${{ inputs.registry }}";
+const registryUrl = `https://${registry}`;
+
+// Get OIDC token with registry as audience
+let token = null;
+try {
+  token = await core.getIDToken(registryUrl);
+} catch (e) {
+  throw new Error(
+    `Failed to obtain OIDC token. Did you specify the id-token: write permission? ${e.message}`,
+  );
+}
+
+// Exchange OIDC token for registry access token
+const res = await fetch(`${registryUrl}/login/oidc/github`, {
+  method: "POST",
+  headers: {
+    "Content-Type": "application/json",
+  },
+  body: JSON.stringify({ id_token: token }),
+});
+if (!res.ok) {
+  let msg = `HTTP ${res.status} ${res.statusText}`;
+  try {
+    const data = await res.json();
+    msg = data.error_description || JSON.stringify(data);
+  } catch (e) {}
+  throw new Error(`${registry}: ${msg}`);
+}
+const data = await res.json();
+core.setOutput("access_token", data.access_token);
+
+// Write credentials to cue logins file if update_logins is true
+if ("${{ inputs.update_logins }}" === "true") {
+  const fs = require("fs");
+  const path = require("path");
+  const homeDir = process.env.HOME || process.env.USERPROFILE;
+  const configDir = path.join(homeDir, ".config", "cue");
+  const loginsPath = path.join(configDir, "logins.json");
+
+  fs.mkdirSync(configDir, { recursive: true });
+
+  let logins = {};
+  if (fs.existsSync(loginsPath)) {
+    try {
+      const content = fs.readFileSync(loginsPath, "utf8");
+      if (content.trim()) {
+        logins = JSON.parse(content);
+      }
+    } catch (err) {
+      console.warn(
+        "Failed to parse existing logins.json, will overwrite:",
+        err.message,
+      );
+    }
+  }
+
+  logins.registries = logins.registries || {};
+
+  logins.registries[registry] = {
+    access_token: data.access_token,
+    token_type: "Bearer",
+  };
+
+  fs.writeFileSync(loginsPath, JSON.stringify(logins, null, 2) + "\\n");
+}

action.yml

@@ -1,91 +1,92 @@
-name: 'Login to CUE Registry via GitHub OIDC'
-description: 'Authenticate to a CUE registry using GitHub OIDC tokens'
+name: Login to CUE Registry via GitHub OIDC
+description: Authenticate to a CUE registry using GitHub OIDC tokens
 branding:
-  icon: 'log-in'
-  color: 'blue'
-
+  icon: log-in
+  color: blue
 inputs:
   registry:
-    description: 'CUE registry'
+    description: CUE registry
     required: false
-    default: 'registry.cue.works'
+    default: registry.cue.works
   update_logins:
-    description: 'Whether to update the local CUE logins.json file'
+    description: Whether to update the local CUE logins.json file
     required: false
-    default: 'true'
-
+    default: "true"
 outputs:
   access_token:
-    description: 'The access token obtained from the registry'
+    description: The access token obtained from the registry
     value: ${{ steps.oidc.outputs.access_token }}
-
 runs:
-  using: 'composite'
+  using: composite
   steps:
     - name: Get OIDC token and login
       id: oidc
       uses: actions/github-script@v7
       with:
         script: |
-          const registry = '${{ inputs.registry }}'
-          const registryUrl = `https://${registry}`
-          
+          const registry = "${{ inputs.registry }}";
+          const registryUrl = `https://${registry}`;
+
           // Get OIDC token with registry as audience
-          let token = null
+          let token = null;
           try {
-            token = await core.getIDToken(registryUrl)
+            token = await core.getIDToken(registryUrl);
           } catch (e) {
-            throw new Error(`Failed to obtain OIDC token. Did you specify the id-token: write permission? ${e.message}`)
+            throw new Error(
+              `Failed to obtain OIDC token. Did you specify the id-token: write permission? ${e.message}`,
+            );
           }
 
           // Exchange OIDC token for registry access token
           const res = await fetch(`${registryUrl}/login/oidc/github`, {
-            method: 'POST',
+            method: "POST",
             headers: {
-              'Content-Type': 'application/json'
+              "Content-Type": "application/json",
             },
-            body: JSON.stringify({ id_token: token })
-          })
+            body: JSON.stringify({ id_token: token }),
+          });
           if (!res.ok) {
             let msg = `HTTP ${res.status} ${res.statusText}`;
             try {
-              const data = await res.json()
-              msg = data.error_description || JSON.stringify(data)
-            } catch (e) {
-            }
-            throw new Error(`${registry}: ${msg}`)
+              const data = await res.json();
+              msg = data.error_description || JSON.stringify(data);
+            } catch (e) {}
+            throw new Error(`${registry}: ${msg}`);
           }
-          const data = await res.json()
-          core.setOutput('access_token', data.access_token)
+          const data = await res.json();
+          core.setOutput("access_token", data.access_token);
 
           // Write credentials to cue logins file if update_logins is true
-          if ('${{ inputs.update_logins }}' === 'true') {
-            const fs = require('fs')
-            const path = require('path')
-            const homeDir = process.env.HOME || process.env.USERPROFILE
-            const configDir = path.join(homeDir, '.config', 'cue')
-            const loginsPath = path.join(configDir, 'logins.json')
-            
-            fs.mkdirSync(configDir, { recursive: true })
-            
-            let logins = {}
+          if ("${{ inputs.update_logins }}" === "true") {
+            const fs = require("fs");
+            const path = require("path");
+            const homeDir = process.env.HOME || process.env.USERPROFILE;
+            const configDir = path.join(homeDir, ".config", "cue");
+            const loginsPath = path.join(configDir, "logins.json");
+
+            fs.mkdirSync(configDir, { recursive: true });
+
+            let logins = {};
             if (fs.existsSync(loginsPath)) {
               try {
-                const content = fs.readFileSync(loginsPath, 'utf8')
+                const content = fs.readFileSync(loginsPath, "utf8");
                 if (content.trim()) {
-                  logins = JSON.parse(content)
+                  logins = JSON.parse(content);
                 }
               } catch (err) {
-                console.warn('Failed to parse existing logins.json, will overwrite:', err.message)
+                console.warn(
+                  "Failed to parse existing logins.json, will overwrite:",
+                  err.message,
+                );
               }
             }
-            
-            logins.registries = logins.registries || {}
-            
+
+            logins.registries = logins.registries || {};
+
             logins.registries[registry] = {
               access_token: data.access_token,
-              token_type: "Bearer"
-            }
-            
-            fs.writeFileSync(loginsPath, JSON.stringify(logins, null, 2) + '\n')
+              token_type: "Bearer",
+            };
+
+            fs.writeFileSync(loginsPath, JSON.stringify(logins, null, 2) + "\\n");
           }

gen.go

@@ -0,0 +1,3 @@
+package action
+
+//go:generate go tool cue export -f -o action.yml

internal/ci/github/trybot.cue

@@ -29,9 +29,15 @@ workflows: trybot: _repo.bashWorkflow & {
 
 	jobs: test: {
 		"runs-on": _repo.linuxMachine
+		permissions: "id-token": "write"
 
 		steps: [
 			for v in _repo.checkoutCode {v},
+
+			{
+				name: "Login to CUE Central Registry"
+				uses: "./"
+			},
 		]
 	}
 }