Add support for restricted API Tokens. closes #1

Author: jakejarvis

Dockerfile

@@ -5,7 +5,7 @@ LABEL "com.github.actions.description"="Purge a zone's cache via the Cloudflare
 LABEL "com.github.actions.icon"="trash-2"
 LABEL "com.github.actions.color"="orange"
 
-LABEL version="0.2.0"
+LABEL version="0.3.0"
 LABEL repository="https://github.com/jakejarvis/cloudflare-purge-action"
 LABEL homepage="https://jarv.is/"
 LABEL maintainer="Jake Jarvis <[email protected]>"

README.md

@@ -7,16 +7,44 @@ This simple action calls the [Cloudflare API](https://api.cloudflare.com/#zone-p
 
 ## Usage
 
-### Configuration
-
 All sensitive variables should be [set as encrypted secrets](https://help.github.com/en/articles/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables) in the action's configuration.
 
+
+### Configuration Variables
+
 | Key | Value | Suggested Type | Required |
 | ------------- | ------------- | ------------- | ------------- |
-| `CLOUDFLARE_ZONE` | The Zone ID of your domain, which can be found in the right sidebar of your domain's overview page on the Cloudflare dashboard. For example, `xyz321xyz321xyz321xyz321xyz321xy`. | `secret` | **Yes** |
-| `CLOUDFLARE_EMAIL` | The email address you registered your Cloudflare account with. For example, `[email protected]`. | `secret` | **Yes** |
-| `CLOUDFLARE_KEY` | Your Cloudflare API key, which can be generated using [these instructions](https://support.cloudflare.com/hc/en-us/articles/200167836-Where-do-I-find-my-Cloudflare-API-key-). For example, `abc123abc123abc123abc123abc123abc123abc123abc`. | `secret` | **Yes** |
-| `PURGE_URLS` | **Optional.** An array of **fully qualified URLs** to purge. For example: `["https://jarv.is/style.css", "https://jarv.is/favicon.ico"]`. If unset, the action will purge everything (which is [suggested](#purging-specific-files)). | `env` | No |
+| `CLOUDFLARE_ZONE` | **Required for both methods below.** The Zone ID of your domain, which can be found in the right sidebar of your domain's overview page on the Cloudflare dashboard. For example, `xyz321xyz321xyz321xyz321xyz321xy`. | `secret` | **Yes** |
+| `PURGE_URLS` | **Optional.** An array of **fully qualified URLs** to purge. For example: `["https://jarv.is/style.css", "https://jarv.is/favicon.ico"]`. If unset, the action will purge everything (which is suggested — [more info below](#purging-specific-files)). | `env` | No |
+
+
+### Authentication Variables
+
+Both authentication methods below require you to grab information from the [API Tokens page in the dashboard](https://dash.cloudflare.com/profile/api-tokens). Details on the inner workings of each method can be found [in Cloudflare's API docs](https://api.cloudflare.com/#getting-started-requests).
+
+
+#### Option 1: Restricted API Token
+
+API Tokens are [a new feature](https://blog.cloudflare.com/api-tokens-general-availability/) as of August 2019. They allow you to restrict the scope of this action to only purging the cache of zones you specify. In other words, this is much safer than allowing this action complete control of your entire Cloudflare account. (I'm not evil though, I promise. 😊)
+
+| Key | Value | Type |
+| ------------- | ------------- | ------------- |
+| `CLOUDFLARE_TOKEN` | The restricted API Token with permissions to purge the cache of one or more zones. | `secret` |
+
+Creating a token can be tricky, so here's what you should enter [on this page](https://dash.cloudflare.com/profile/api-tokens) to create a token for purging the cache of a single domain on your account:
+
+![Creating an API Token for purging](tokens.png)
+
+
+#### Option 2: Global API Key
+
+This is the "traditional" method of authenticating — simply grab your "Global API Key" from [the dashboard](https://dash.cloudflare.com/profile/api-tokens). Using this method also **requires a second environment variable** with the email address linked to your account.
+
+| Key | Value | Type |
+| ------------- | ------------- | ------------- |
+| `CLOUDFLARE_EMAIL` | The email address you registered your Cloudflare account with. For example, `[email protected]`. | `secret` |
+| `CLOUDFLARE_KEY` | Your Cloudflare API key, which can be generated using [these instructions](https://support.cloudflare.com/hc/en-us/articles/200167836-Where-do-I-find-my-Cloudflare-API-key-). | `secret` |
+
 
 ### `workflow.yml` Example
 
@@ -36,7 +64,11 @@ jobs:
     - name: Purge cache
       uses: jakejarvis/cloudflare-purge-action@master
       env:
+        # Zone is required by both authentication methods
         CLOUDFLARE_ZONE: ${{ secrets.CLOUDFLARE_ZONE }}
+
+        CLOUDFLARE_TOKEN: ${{ secrets.CLOUDFLARE_TOKEN }}
+        # ...or:
         CLOUDFLARE_EMAIL: ${{ secrets.CLOUDFLARE_EMAIL }}
         CLOUDFLARE_KEY: ${{ secrets.CLOUDFLARE_KEY }}
 ```

entrypoint.sh

@@ -2,18 +2,33 @@
 
 set -e
 
-if [ -z "$CLOUDFLARE_ZONE" ]; then
-  echo "CLOUDFLARE_ZONE is not set. Quitting."
-  exit 1
-fi
+######## Check for required/optional inputs. ########
 
-if [ -z "$CLOUDFLARE_EMAIL" ]; then
-  echo "CLOUDFLARE_EMAIL is not set. Quitting."
+# Determine whether using a Global API Key or a restricted API Token.
+if [ -n "$CLOUDFLARE_KEY" ]; then
+  # If they've passed a key, the account email address is also required.
+  if [ -n "$CLOUDFLARE_EMAIL" ]; then
+    API_METHOD=1
+  else
+    echo "CLOUDFLARE_EMAIL is required when using a Global API Key. Quitting."
+    exit 1
+  fi
+
+# No key was entered, check if they're using a token.
+elif [ -n "$CLOUDFLARE_TOKEN" ]; then
+  API_METHOD=2
+
+# The user hasn't entered either a key or a token, can't do anything else.
+else
+  echo "Looks like you haven't set the required authentication variables."
+  echo "Check out the README for options: https://git.io/JeBbD"
   exit 1
 fi
 
-if [ -z "$CLOUDFLARE_KEY" ]; then
-  echo "CLOUDFLARE_KEY is not set. Quitting."
+
+# Check if Zone ID is set.
+if [ -z "$CLOUDFLARE_ZONE" ]; then
+  echo "CLOUDFLARE_ZONE is not set. Quitting."
   exit 1
 fi
 
@@ -24,13 +39,29 @@ else
   set -- --data '{"purge_everything":true}'
 fi
 
-# Call the API and store the response for later.
-HTTP_RESPONSE=$(curl -sS -X POST "https://api.cloudflare.com/client/v4/zones/${CLOUDFLARE_ZONE}/purge_cache" \
-                     -H "X-Auth-Email: ${CLOUDFLARE_EMAIL}" \
-                     -H "X-Auth-Key: ${CLOUDFLARE_KEY}" \
-                     -H "Content-Type: application/json" \
-                     -w "HTTP_STATUS:%{http_code}" \
-                     "$@")
+
+######## Call the API and store the response for later. ########
+
+# Using a global API key:
+if [ "$API_METHOD" -eq 1 ]; then
+  HTTP_RESPONSE=$(curl -sS "https://api.cloudflare.com/client/v4/zones/${CLOUDFLARE_ZONE}/purge_cache" \
+                      -H "Content-Type: application/json" \
+                      -H "X-Auth-Email: ${CLOUDFLARE_EMAIL}" \
+                      -H "X-Auth-Key: ${CLOUDFLARE_KEY}" \
+                      -w "HTTP_STATUS:%{http_code}" \
+                      "$@")
+
+# Using an API token:
+elif [ "$API_METHOD" -eq 2 ]; then
+  HTTP_RESPONSE=$(curl -sS "https://api.cloudflare.com/client/v4/zones/${CLOUDFLARE_ZONE}/purge_cache" \
+                      -H "Content-Type: application/json" \
+                      -H "Authorization: Bearer ${CLOUDFLARE_TOKEN}" \
+                      -w "HTTP_STATUS:%{http_code}" \
+                      "$@")
+fi
+
+
+######## Format response for a pretty command line output. ########
 
 # Store result and HTTP status code separately to appropriately throw CI errors.
 # https://gist.github.com/maxcnunes/9f77afdc32df354883df