fix: auto connect for aat tokens (#162)

janb87 · web-flow · commit 2681afe5d172 · 2025-07-03T11:20:14.000+02:00
## Summary by Sourcery

Fix auto-connect logic to disable automatic workspace connection when
using application access tokens by default, add a helper to derive
auto-connect behavior, update related docs, action metadata, and tests.

Bug Fixes:
- Default auto-connect to false for application access tokens to prevent
unintended connections

Enhancements:
- Introduce getAutoConnect helper to derive auto-connect behavior based
on token type or explicit input
- Convert auto-connect flag to a boolean and remove its default true
from action inputs

Documentation:
- Update README and action.yml to reflect new auto-connect defaults and
improve formatting

Tests:
- Add test for application access token scenario to verify no login or
connect is performed when auto-connect is not enabled
diff --git a/README.md b/README.md
@@ -72,27 +72,27 @@ steps:
 
 ### Optional
 
-| Input              | Description                        | Default                                                             |
-| ------------------ | ---------------------------------- | ------------------------------------------------------------------- |
-| command            | CLI command to execute             | -                                                                   |
-| version            | CLI version to install             | 'latest'                                                            |
-| auto-connect       | Automatically connect to workspace | 'true' (only executed when access-token is a personal access token) |
-| instance           | SettleMint instance URL            | 'https://console.settlemint.com'                                    |
-| workspace          | Workspace unique name              | -                                                                   |
-| application        | Application unique name            | -                                                                   |
-| blockchain-network | Blockchain network unique name     | -                                                                   |
-| blockchain-node    | Blockchain node unique name        | -                                                                   |
-| load-balancer      | Load balancer unique name          | -                                                                   |
-| hasura             | Hasura unique name                 | -                                                                   |
-| thegraph           | TheGraph unique name               | -                                                                   |
-| portal             | Portal unique name                 | -                                                                   |
-| hd-private-key     | HD private key                     | -                                                                   |
-| minio              | MinIO unique name                  | -                                                                   |
-| ipfs               | IPFS unique name                   | -                                                                   |
-| custom-deployment  | Custom deployment unique name      | -                                                                   |
-| blockscout         | Blockscout unique name             | -                                                                   |
-| dotEnvFile         | .env file content (store in secrets) | -                                                                 |
-| dotEnvLocalFile    | .env.local file content (store in secrets) | -                                                           |
+| Input              | Description                                | Default                                                           |
+| ------------------ | ------------------------------------------ | ----------------------------------------------------------------- |
+| command            | CLI command to execute                     | -                                                                 |
+| version            | CLI version to install                     | 'latest'                                                          |
+| auto-connect       | Automatically connect to workspace         | 'true' (personal access token) 'false' (application access token) |
+| instance           | SettleMint instance URL                    | 'https://console.settlemint.com'                                  |
+| workspace          | Workspace unique name                      | -                                                                 |
+| application        | Application unique name                    | -                                                                 |
+| blockchain-network | Blockchain network unique name             | -                                                                 |
+| blockchain-node    | Blockchain node unique name                | -                                                                 |
+| load-balancer      | Load balancer unique name                  | -                                                                 |
+| hasura             | Hasura unique name                         | -                                                                 |
+| thegraph           | TheGraph unique name                       | -                                                                 |
+| portal             | Portal unique name                         | -                                                                 |
+| hd-private-key     | HD private key                             | -                                                                 |
+| minio              | MinIO unique name                          | -                                                                 |
+| ipfs               | IPFS unique name                           | -                                                                 |
+| custom-deployment  | Custom deployment unique name              | -                                                                 |
+| blockscout         | Blockscout unique name                     | -                                                                 |
+| dotEnvFile         | .env file content (store in secrets)       | -                                                                 |
+| dotEnvLocalFile    | .env.local file content (store in secrets) | -                                                                 |
 
 ## Common Use Cases
 
@@ -212,35 +212,43 @@ steps:
 ### Common Issues
 
 #### Invalid Access Token
+
 **Error**: `Failed to authenticate with SettleMint: Error: Process completed with exit code 1. Please check your access token.`
 
-**Solution**: 
+**Solution**:
+
 - Ensure your access token is correctly stored in GitHub Secrets
 - Verify the token hasn't expired
 - Check that you're using the correct token format:
   - Personal Access Tokens: `sm_pat_xxxxx`
   - Application Tokens: `sm_app_xxxxx`
 
 #### Command Injection Prevention
+
 **Error**: `Command contains potentially dangerous characters. Please use simple commands only.`
 
 **Solution**:
+
 - Avoid using shell operators like `&&`, `||`, `;`, `|`, or backticks
 - Use simple, direct commands
 - If you need to run multiple commands, use multiple action steps
 
 #### Version Installation Failures
+
 **Error**: `Invalid version format: x.x.x. Must be a valid semver version or 'latest'`
 
 **Solution**:
+
 - Use valid semantic version numbers (e.g., `1.0.0`, `2.1.3`)
 - Use `latest` for the most recent version
 - Don't use version ranges or npm tags other than `latest`
 
 #### Environment Variable Issues
+
 **Problem**: Environment variables from `.env` files aren't being loaded
 
 **Solution**:
+
 - Ensure the env file content is stored in GitHub Secrets
 - Check that the file content follows the correct format:
   ```
@@ -251,16 +259,19 @@ steps:
 - Verify no shell metacharacters are in your values
 
 #### CLI Not Found
+
 **Error**: `settlemint: command not found`
 
 **Solution**:
+
 - The action should automatically install the CLI
 - If using a self-hosted runner, ensure npm is available
 - Check the action logs for installation errors
 
 ### Debugging Tips
 
 1. **Enable Debug Logging**:
+
    ```yaml
    - name: Run SettleMint CLI
      uses: settlemint/settlemint-action@main
@@ -276,6 +287,7 @@ steps:
 
 3. **Verify Workspace Connection**:
    If auto-connect fails, try connecting manually first:
+
    ```yaml
    - name: Connect to Workspace
      uses: settlemint/settlemint-action@main
diff --git a/__tests__/main.test.ts b/__tests__/main.test.ts
@@ -96,8 +96,6 @@ describe('action', () => {
           return 'status';
         case 'version':
           return 'latest';
-        case 'auto-connect':
-          return 'true';
         case 'access-token':
           return 'sm_pat_1234567890';
         default:
@@ -149,6 +147,34 @@ describe('action', () => {
     expect(execMock).toHaveBeenCalledWith('npx -y @settlemint/sdk-cli@latest', ['status']);
   }, 30_000);
 
+  it('does not login and does not connect when using an application access token without auto-connect', async () => {
+    getInputMock.mockImplementation((name) => {
+      switch (name) {
+        case 'command':
+          return 'status';
+        case 'version':
+          return 'latest';
+        case 'access-token':
+          return 'sm_app_1234567890';
+        default:
+          return '';
+      }
+    });
+
+    await main.run();
+
+    // Application token should be set as environment variable
+    expect(process.env.SETTLEMINT_ACCESS_TOKEN).toBe('sm_app_1234567890');
+
+    // Access token should be masked
+    expect(_setSecretMock).toHaveBeenCalledWith('sm_app_1234567890');
+
+    // Should NOT login with app token, but should still connect because auto-connect is true
+    expect(execMock).not.toHaveBeenCalledWith('npx -y @settlemint/sdk-cli@latest', ['login', '-a']);
+    expect(execMock).not.toHaveBeenCalledWith('npx -y @settlemint/sdk-cli@latest', ['connect', '-a']);
+    expect(execMock).toHaveBeenCalledWith('npx -y @settlemint/sdk-cli@latest', ['status']);
+  }, 30_000);
+
   it('sets environment variables when provided', async () => {
     getInputMock.mockImplementation((name) => {
       switch (name) {
diff --git a/action.yml b/action.yml
@@ -1,75 +1,73 @@
-name: 'SettleMint CLI Action'
-description: 'Execute SettleMint CLI commands in your GitHub Actions workflow'
-author: 'SettleMint'
+name: "SettleMint CLI Action"
+description: "Execute SettleMint CLI commands in your GitHub Actions workflow"
+author: "SettleMint"
 
 branding:
-  icon: 'terminal'
-  color: 'blue'
+  icon: "terminal"
+  color: "blue"
 
 inputs:
   command:
-    description: 'The SettleMint CLI command to execute'
+    description: "The SettleMint CLI command to execute"
     required: false
   access-token:
-    description: 'SettleMint Access Token (can be a personal or an application access token)'
+    description: "SettleMint Access Token (can be a personal or an application access token)"
     required: false
   auto-connect:
-    description: 'Automatically connect to SettleMint'
+    description: "Automatically connect to SettleMint"
     required: false
-    default: 'true'
   version:
-    description: 'SettleMint CLI version to install (defaults to latest)'
+    description: "SettleMint CLI version to install (defaults to latest)"
     required: false
-    default: 'latest'
+    default: "latest"
   instance:
-    description:
-      'SettleMint instance URL (defaults to https://console.settlemint.com)'
+    description: "SettleMint instance URL (defaults to https://console.settlemint.com)"
     required: false
-    default: 'https://console.settlemint.com'
+    default: "https://console.settlemint.com"
   workspace:
-    description: 'SettleMint workspace unique name'
+    description: "SettleMint workspace unique name"
     required: false
   application:
-    description: 'SettleMint application unique name'
+    description: "SettleMint application unique name"
     required: false
   blockchain-network:
-    description: 'SettleMint blockchain network unique name'
+    description: "SettleMint blockchain network unique name"
     required: false
   blockchain-node:
-    description: 'SettleMint blockchain node unique name'
+    description: "SettleMint blockchain node unique name"
     required: false
   load-balancer:
-    description: 'SettleMint load balancer unique name'
+    description: "SettleMint load balancer unique name"
     required: false
   hasura:
-    description: 'SettleMint Hasura unique name'
+    description: "SettleMint Hasura unique name"
     required: false
   thegraph:
-    description: 'SettleMint TheGraph unique name'
+    description: "SettleMint TheGraph unique name"
     required: false
   portal:
-    description: 'SettleMint Portal unique name'
+    description: "SettleMint Portal unique name"
     required: false
   hd-private-key:
-    description: 'SettleMint HD private key unique name'
+    description: "SettleMint HD private key unique name"
     required: false
   minio:
-    description: 'SettleMint MinIO unique name'
+    description: "SettleMint MinIO unique name"
     required: false
   ipfs:
-    description: 'SettleMint IPFS unique name'
+    description: "SettleMint IPFS unique name"
     required: false
   custom-deployment:
-    description: 'SettleMint custom deployment unique name'
+    description: "SettleMint custom deployment unique name"
     required: false
   blockscout:
-    description: 'SettleMint Blockscout unique name'
+    description: "SettleMint Blockscout unique name"
     required: false
   dotEnvFile:
-    description: 'A Github Actions secret containing the .env file, loaded in one go for easy updates'
+    description: "A Github Actions secret containing the .env file, loaded in one go for easy updates"
     required: false
   dotEnvLocalFile:
-    description: 'A Github Actions secret containing the .env.local file, loaded in one go for easy updates'
+    description: "A Github Actions secret containing the .env.local file, loaded in one go for easy updates"
     required: false
 
 runs:
diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/src/main.ts b/src/main.ts
@@ -259,6 +259,14 @@ function setEnvironmentVariables(inputs: Map<string, string>): void {
   }
 }
 
+function getAutoConnect(accessToken: string): boolean {
+  const autoConnectValue = core.getInput('auto-connect');
+  if (!autoConnectValue) {
+    return isPersonalAccessToken(accessToken);
+  }
+  return autoConnectValue === 'true';
+}
+
 /**
  * The main function for the action.
  * @returns {Promise<void>} Resolves when the action is complete.
@@ -268,7 +276,7 @@ export async function run(): Promise<void> {
     const command = core.getInput('command');
     const version = core.getInput('version');
     const accessToken = core.getInput('access-token');
-    const autoConnect = core.getInput('auto-connect');
+    const autoConnect = getAutoConnect(accessToken);
     const instance = core.getInput('instance');
 
     // Validate version
@@ -311,7 +319,7 @@ export async function run(): Promise<void> {
     }
 
     // Only connect if not in standalone mode and auto-connect is enabled
-    if (!isStandalone && autoConnect === 'true') {
+    if (!isStandalone && autoConnect) {
       await exec.exec(settlemintCmd, ['connect', '-a']);
     }
 
