Release v1.1.0 (#17)

* feat: secrets input accepts a map; log per-call API timing

Three changes from the latest deploy run feedback.

1. Map-shaped `secrets` input
   Mirror the `tags` refactor: accept a YAML block mapping (the canonical
   workflow form) or a JSON object string, instead of multi-line
   `KEY=VALUE` lines. Same key validation as before — must start with a
   letter or underscore, alphanumeric + underscores only — and secret
   values can still contain any characters. Each value is added to the
   runner's secret-mask list before any API call.

2. Per-call API response time
   Every Spice Cloud Management API call now logs
   `<METHOD> <path> → <status> <statusText> (<durationMs>ms)` so the
   user can see each request's latency inline. Network failures log
   `<METHOD> <path> → network error in <durationMs>ms: <message>`.
   Removed the redundant pre-call path logs in deploy.ts that the
   timing line now covers.

3. Branch missing from step summary
   The list-deployments endpoint sometimes returns Deployment objects
   without `branch` even when the create request set it. The summary
   now falls back to the `branch` and `commit-sha` inputs we sent so
   the right values surface even when the API echoes them inconsistently.

Tests: 107 passing (up from 101). New cases cover the YAML and JSON
secret forms (incl. quote-stripping, special characters in values, and
JSON validation) and the post-rebuild `dist/` round-trip.

* chore: bump version to 1.1.0 for release

- package.json: 1.0.0 → 1.1.0.
- CHANGELOG.md: collapse the [Unreleased] block into a [1.1.0] section
  dated 2026-05-03, with explicit Breaking changes / Added / Changed /
  Fixed buckets. Added an empty [Unreleased] header for future entries.

The release rolls up everything since v1.0.0:

- Breaking: secrets input switched from KEY=VALUE to YAML/JSON map
  (matches `tags`); tag-value validation tightened to alphanumeric +
  `_@-` only.
- Added: `org`, `flight-url`, `dataset-ready-timeout-seconds` inputs;
  `datasets` output; auto-captured `repository` tag; per-call
  `<METHOD> <path> → <status> (<ms>ms)` API timing in logs.
- Changed: action runtime bumped from Node 20 to Node 24.
- Fixed: app-url URL pattern, SQL probe gRPC connection, api-key field
  names, step-summary branch fallback, punycode deprecation warning,
  action.yml `${{ … }}` example evaluation bug.

* Revert "chore: bump version to 1.1.0 for release"

This reverts commit 57ecfd2.

* chore: bump version to 1.1.0 for release

- package.json: 1.0.0 → 1.1.0.
- CHANGELOG.md: collapse the [Unreleased] block into a [1.1.0] section
  dated 2026-05-03, with explicit Breaking changes / Added / Changed /
  Fixed buckets. Added an empty [Unreleased] header for future entries.

The release rolls up everything since v1.0.0:

- Breaking: secrets input switched from KEY=VALUE to YAML/JSON map
  (matches `tags`); tag-value validation tightened to alphanumeric +
  `_@-` only.
- Added: `org`, `flight-url`, `dataset-ready-timeout-seconds` inputs;
  `datasets` output; auto-captured `repository` tag; per-call
  `<METHOD> <path> → <status> (<ms>ms)` API timing in logs.
- Changed: action runtime bumped from Node 20 to Node 24.
- Fixed: app-url URL pattern, SQL probe gRPC connection, api-key field
  names, step-summary branch fallback, punycode deprecation warning,
  action.yml `${{ … }}` example evaluation bug.

* fix: address PR review comments

- src/main.ts: Use a length-aware fallback (deployment.branch?.length
  ? deployment.branch : inputs.branch ?? "") so the step summary still
  falls back when the API returns an empty string, while documenting
  why we treat empty-string as equivalent to missing here.
- src/secrets.ts: Stop calling `.trim()` on secret values. Strip only
  the leading whitespace separator after `:` and a matching pair of
  outer quotes; trailing whitespace and inner whitespace are preserved
  verbatim. Also pass the un-trimmed raw input to parseBlockMap so a
  trailing space on the last line isn't lost. Whitespace-significant
  values still need quoting to make the boundaries explicit.
- src/api.ts: Move the timing log to AFTER the response body is read
  so the duration reflects true end-to-end request latency, not just
  time-to-first-byte. Body-read errors retry on the next attempt and
  fail with a clear `Failed to read response body for …` message on
  exhaustion.

New tests cover trailing whitespace preserved in unquoted secret
values, leading whitespace preserved inside quoted secret values, and
multiple-spaces-after-colon handling.

Author: lukekim

CHANGELOG.md

@@ -6,32 +6,39 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
-### Changed
-- `secrets` input now accepts the same YAML block mapping or JSON object form as `tags`, instead of multi-line `KEY=VALUE` lines. Existing key validation is unchanged (must start with a letter or underscore, alphanumeric + underscores only); values can contain any characters and are added to the runner's secret-mask list. Update your workflows to swap `=` for `:` between key and value.
-- Every Spice Cloud Management API call now logs `<METHOD> <path> → <status> <statusText> (<durationMs>ms)` so you can see latency for each request inline in the action logs. Network failures log `<METHOD> <path> → network error in <durationMs>ms: <message>`. Removed the redundant pre-call path logs in `deploy.ts` since the timing line covers them.
-
-### Fixed
-- The step-summary "Branch" cell was empty when the management API's list-deployments response omitted the `branch` field even though the create request set it. The summary now falls back to the `branch` and `commit-sha` inputs we sent so the right values surface even when the API echoes them inconsistently.
-
-### Added
-- New `org` input. The action now constructs the `app-url` output as `https://spice.ai/<org>/<app-name>` (the canonical Spice Cloud portal URL pattern). When `org` is unset, it falls back to the owner part of `GITHUB_REPOSITORY`, which matches the Spice org slug for personal orgs and orgs created from a connected GitHub organization.
-- New `flight-url` input. The action now passes a regional Apache Arrow Flight gRPC endpoint to the `@spiceai/spice` SDK so the SQL probe uses gRPC instead of falling through to localhost. When `flight-url` is unset, it's derived from the resolved app's region as `<region>-prod-aws-flight.spiceai.io:443` (mirrors the data hostname with `-data` swapped for `-flight`). A `grpc+tls://` / `grpc://` scheme prefix on the input is stripped automatically.
-
-### Fixed
-- The `app-url` output was previously `https://<app-name>.spice.ai`, which doesn't resolve. It is now `https://spice.ai/<org>/<app-name>` (e.g. `https://spice.ai/lukekim/home`).
-- SQL smoke test failed with `14 UNAVAILABLE: No connection established` because the SDK initialized a gRPC client with no `flightUrl` configured for Spice Cloud. The action now derives a regional flight URL by default; the SDK uses gRPC for SQL queries with HTTP fallback as it was designed to.
+## [1.1.0] — 2026-05-03
+
+### Breaking changes
+- **`secrets` input is now a YAML/JSON map, not `KEY=VALUE` lines.** Mirrors the `tags` input shape. Update existing workflows to swap `=` for `:` between key and value:
+  ```yaml
+  # Before (1.0.0)
+  secrets: |
+    OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
+  # After (1.1.0)
+  secrets: |
+    OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+  ```
+  Secret-name validation is unchanged (must start with a letter or underscore, alphanumeric + underscores only). Secret values can contain any characters and are added to the runner's secret-mask list before any API call.
+- **Tag values are now strictly validated against the Spice Cloud API's allowed character set** (alphanumeric plus `_@-`). Previously the action only enforced length, so values like `repo: foo/bar` would round-trip to the API and fail there with a generic `400`. Workflows that passed `/`, `:`, spaces, or other special characters in tag values must update to use only `_@-` (the action also auto-sanitizes the auto-captured `repository` tag).
 
 ### Added
-- Auto-capture a `repository` tag from `GITHUB_REPOSITORY` when set, sanitized to fit the API's tag-value rule (`/` → `_`). Users can override by setting `repository:` explicitly in the `tags` input.
-- New post-deploy dataset readiness check: poll `GET /v1/datasets?status=true` until every dataset reaches a terminal-ok state (`ready`, `disabled`, or `refreshing`); fail the job immediately on `error` or on timeout-while-pending — regardless of `fail-on-test-error`, which still only governs runtime-probe results. Statuses like `shuttingdown` and any unrecognized values are treated as still-pending so the loop never returns a false-positive "loaded". Configured via `dataset-ready-timeout-seconds` (default `300`, set `0` to skip). Dataset states are surfaced as a `datasets` action output and as a table in the GitHub job step summary.
+- **`org` input** controlling the `app-url` output, which is now constructed as `https://spice.ai/<org>/<app-name>` (the canonical Spice Cloud portal URL). When `org` is unset, it falls back to the owner part of `GITHUB_REPOSITORY`, which matches the Spice org slug for personal orgs and orgs created from a connected GitHub organization.
+- **`flight-url` input** for the regional Apache Arrow Flight gRPC endpoint. When unset, derived from the resolved app's region as `<region>-prod-aws-flight.spiceai.io:443` (mirrors the data hostname with `-data` swapped for `-flight`). A `grpc+tls://` / `grpc://` scheme prefix on the input is stripped automatically.
+- **`dataset-ready-timeout-seconds` input** for a post-deploy dataset readiness check. The action polls `GET /v1/datasets?status=true` until every dataset reaches a terminal-ok state (`ready`, `disabled`, or `refreshing`) and fails immediately on `error` or on timeout-while-pending — independent of `fail-on-test-error`, which only governs runtime-probe results. Statuses like `shuttingdown` and any unrecognized values are treated as still-pending so the loop never returns a false-positive "loaded". Default `300` seconds, set `0` to skip.
+- **`datasets` action output** — JSON array of `{ name, status, from?, error?, error_message? }` from the `/v1/datasets?status=true` response. Also rendered as a "Datasets" table in the GitHub job step summary.
+- **Auto-captured `repository` tag** from `GITHUB_REPOSITORY` when set, sanitized to fit the API's tag-value rule (`/` → `_`). Users can override by setting `repository:` explicitly in the `tags` input.
+- **Per-call response time logging.** Every Spice Cloud Management API call now logs `<METHOD> <path> → <status> <statusText> (<durationMs>ms)` so request latency is visible inline in the action logs. Network failures log `<METHOD> <path> → network error in <durationMs>ms: <message>`.
 
 ### Changed
-- `parseTags` now validates tag values against the Spice Cloud API rule (alphanumeric plus `_@-`). Previously the action only enforced length, so values like `repo: foo/bar` would round-trip to the API and fail there with a generic 400.
-- Bump the action runtime from Node 20 to Node 24 (`runs.using: node24`). Node 20 actions are deprecated by GitHub and will be force-defaulted to Node 24 on June 2, 2026, with Node 20 removed from the runner on September 16, 2026. The build target, CI matrix, `engines.node`, and `.nvmrc` are aligned to Node 24.
+- Bump the action runtime from Node 20 to Node 24 (`runs.using: node24`). Node 20 actions are deprecated by GitHub and will be force-defaulted to Node 24 on June 2, 2026, with Node 20 removed from the runner on September 16, 2026. Build target, CI matrix, `engines.node`, and `.nvmrc` are aligned to Node 24.
 
 ### Fixed
+- `app-url` output was previously `https://<app-name>.spice.ai`, which doesn't resolve. It is now `https://spice.ai/<org>/<app-name>`.
+- SQL smoke test failed with `14 UNAVAILABLE: No connection established` because the SDK initialized a gRPC client with no `flightUrl` configured for Spice Cloud. The action now derives a regional flight URL by default; the SDK uses gRPC for SQL queries with HTTP fallback as designed.
 - The Spice Cloud `GET /v1/apps/{appId}/api-keys` response is `{ api_key, api_key_2 }`, but the action was reading `{ primary, secondary }` and bailing with `Cannot run runtime probes: no API key returned for app …` whenever runtime probes were enabled. Smoke tests now correctly retrieve the primary (or secondary) key.
-- Suppress the `(node:NNNN) [DEP0040] DeprecationWarning: The 'punycode' module is deprecated` runtime warning by aliasing the bare `punycode` specifier to the userland `punycode@2` package at bundle time. The transitive chain `@spiceai/spice → node-fetch@2 → whatwg-url@5 → tr46@0.0.3` previously resolved to Node's deprecated built-in.
+- Step-summary "Branch" cell was empty when the management API's list-deployments response omitted the `branch` field even though the create request set it. The summary now falls back to the `branch` and `commit-sha` inputs we sent.
+- Suppress the `(node:NNNN) [DEP0040] DeprecationWarning: The 'punycode' module is deprecated` runtime warning by aliasing the bare `punycode` specifier to the userland `punycode@2` package at bundle time.
+- `action.yml` no longer embeds literal `${{ … }}` example tokens in `description:` blocks, which the runner was evaluating at action-load time and erroring out with `Unrecognized named-value: 'github'` / `'secrets'`.
 
 ## [1.0.0] — 2026-05-02
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "spice-cloud-deploy-action",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "private": true,
   "description": "GitHub Action to deploy apps to the Spice.ai Cloud Platform via the Management API.",
   "license": "Apache-2.0",