This is an automated email from the ASF dual-hosted git repository.

sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-actions.git


The following commit(s) were added to refs/heads/main by this push:
     new 12f29cf  Use new paths and do not allow audience to be modified
12f29cf is described below

commit 12f29cfe2ceeac16e9aabfe880462d2a45425e82
Author: Sean B. Palmer <[email protected]>
AuthorDate: Mon Sep 8 16:43:41 2025 +0100

    Use new paths and do not allow audience to be modified
---
 release-on-atr/README.md  |  1 -
 release-on-atr/action.yml | 19 +++++++++----------
 upload-to-atr/README.md   |  1 -
 upload-to-atr/action.yml  | 12 ++++++------
 4 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/release-on-atr/README.md b/release-on-atr/README.md
index 8c00f21..c0e098a 100644
--- a/release-on-atr/README.md
+++ b/release-on-atr/README.md
@@ -12,7 +12,6 @@ Status: EXPERIMENTAL
 
 - **version (required)**: Release version (e.g. `1.2.3`).
 - **atr-host**: ATR host. Default: `release-test.apache.org`. Must match 
`*.apache.org`.
-- **audience**: OIDC audience for the JWT request. Default: `atr-test`.
 - **resolve**: If `"true"`, resolve the vote. Default: `"false"`.
 - **resolve-resolution**: Resolution when resolving: `passed` or `failed`. 
Required when `resolve == "true"`.
 - **announce**: If `"true"`, announce the release. Default: `"false"`.
diff --git a/release-on-atr/action.yml b/release-on-atr/action.yml
index 6dd1e75..a72a44b 100644
--- a/release-on-atr/action.yml
+++ b/release-on-atr/action.yml
@@ -23,7 +23,6 @@ branding: {icon: upload-cloud, color: blue}
 inputs:
   version: {description: "Release version", required: true}
   atr-host: {description: "ATR host", default: "release-test.apache.org"}
-  audience: {description: "OIDC audience", default: "atr-test"}
 
   resolve: {description: "Resolve vote (true or false)", default: "false"}
   resolve-resolution: {description: "Vote resolution (passed or failed)"}
@@ -43,12 +42,10 @@ runs:
       shell: bash
       run: |
         set -euo pipefail
-        url="${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${INPUTS_AUDIENCE}"
+        url="${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=atr-test-v1"
         jwt="$(curl -sS --fail-with-body -H "Authorization: bearer 
${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "$url" | jq -r .value)"
         echo "::add-mask::$jwt"
         echo "jwt=$jwt" >> "$GITHUB_OUTPUT"
-      env:
-        INPUTS_AUDIENCE: ${{ inputs.audience }}
 
     - name: Resolve vote (optional)
       if: ${{ inputs.resolve == 'true' }}
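Review bot: The literal `atr-test-v1` on the `url=` line carries no comment saying that it is pinned on purpose, so a later edit could turn it back into an input or let it drift from the copy in the token step of upload-to-atr/action.yml. A comment above the line would record the intent, for example `# Audience is pinned, not an input: it must equal the aud that ATR verifies, and callers must not choose it.` (this assumes ATR validates `aud`, which the diff does not show). The value also changes from the old default `atr-test` to `atr-test-v1`, which the commit message does not mention. The step begins outside the hunk.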
@@ -60,12 +57,13 @@ runs:
           *) echo "atr-host must match *.apache.org"; exit 1;;
         esac
         : "${INPUTS_RESOLVE_RESOLUTION:?resolve-resolution is required when 
resolve == true}"
-        jq -n --arg jwt "$JWT" \
+        jq -n --arg publisher github \
+              --arg jwt "$JWT" \
               --arg version "$INPUTS_VERSION" \
               --arg resolution "$INPUTS_RESOLVE_RESOLUTION" \
-              '{jwt:$jwt, version:$version, resolution:$resolution}' |
+              '{publisher:$publisher, jwt:$jwt, version:$version, 
resolution:$resolution}' |
           curl -sS --fail-with-body -X POST -H 'Content-Type: 
application/json' -d @- \
-            "https://${INPUTS_ATR_HOST}/api/github/vote/resolve";
+            "https://${INPUTS_ATR_HOST}/api/publisher/vote/resolve";
       env:
         INPUTS_ATR_HOST: ${{ inputs.atr-host }}
         INPUTS_VERSION: ${{ inputs.version }}
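Review bot: The JWT in this request body is posted to `https://${INPUTS_ATR_HOST}/api/publisher/vote/resolve`, and the only visible guard on `atr-host` is the fallback arm of a `case` whose pattern lies outside the hunk. If that pattern is the shell glob `*.apache.org` that the error message suggests, confirm that it also rejects values containing `/`, `@`, `:` or whitespace, because a glob `*` matches those characters and the value is interpolated into the URL authority. An extra arm ahead of it would do, for example `*[!A-Za-z0-9.-]*) echo "atr-host must be a bare hostname"; exit 1;;`. The same applies to the announce step's POST, and the `ssh/register` POST in upload-to-atr/action.yml shows no host check within its hunk.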
@@ -93,16 +91,17 @@ runs:
         : "${INPUTS_ANNOUNCE_SUBJECT:?announce-subject is required when 
announce == true}"
         : "${INPUTS_ANNOUNCE_BODY:?announce-body is required when announce == 
true}"
         : "${INPUTS_ANNOUNCE_PATH_SUFFIX:?announce-path-suffix is required 
when announce == true}"
-        jq -n --arg jwt "$JWT" \
+        jq -n --arg publisher github \
+              --arg jwt "$JWT" \
               --arg version "$INPUTS_VERSION" \
               --arg revision "$INPUTS_ANNOUNCE_REVISION" \
               --arg email_to "$INPUTS_ANNOUNCE_EMAIL_TO" \
               --arg subject "$INPUTS_ANNOUNCE_SUBJECT" \
               --arg body "$INPUTS_ANNOUNCE_BODY" \
               --arg path_suffix "$INPUTS_ANNOUNCE_PATH_SUFFIX" \
-              '{jwt:$jwt, version:$version, revision:$revision, 
email_to:$email_to, subject:$subject, body:$body, path_suffix:$path_suffix}' |
+              '{publisher:$publisher, jwt:$jwt, version:$version, 
revision:$revision, email_to:$email_to, subject:$subject, body:$body, 
path_suffix:$path_suffix}' |
           curl -sS --fail-with-body -X POST -H 'Content-Type: 
application/json' -d @- \
-            "https://${INPUTS_ATR_HOST}/api/github/release/announce";
+            "https://${INPUTS_ATR_HOST}/api/publisher/release/announce";
       env:
         INPUTS_ATR_HOST: ${{ inputs.atr-host }}
         INPUTS_VERSION: ${{ inputs.version }}
diff --git a/upload-to-atr/README.md b/upload-to-atr/README.md
index 70f6405..95dfb78 100644
--- a/upload-to-atr/README.md
+++ b/upload-to-atr/README.md
@@ -14,7 +14,6 @@ Status: EXPERIMENTAL
 - **project (required)**: Project name segment in the remote path.
 - **version (required)**: Version segment in the remote path.
 - **src**: Local directory to upload. Default: `dist`. A trailing slash will 
be added automatically if omitted.
-- **audience**: OIDC audience for the JWT request. Default: `atr-test`.
 - **atr-host**: ATR host to upload to. Default: `release-test.apache.org`.
 - **ssh-port**: SSH port on ATR. Default: `2222`.
 - **rsync-args**: Arguments passed to `rsync`. Default: `-av`.
diff --git a/upload-to-atr/action.yml b/upload-to-atr/action.yml
index 6813fbd..ca0d60e 100644
--- a/upload-to-atr/action.yml
+++ b/upload-to-atr/action.yml
@@ -25,7 +25,6 @@ inputs:
   project: {description: "Project", required: true}
   version: {description: "Version", required: true}
   src: {description: "Local directory", default: "dist"}
-  audience: {description: "OIDC audience", default: "atr-test"}
   atr-host: {description: "ATR host", default: "release-test.apache.org"}
   ssh-port: {description: "SSH port", default: "2222"}
 
@@ -37,13 +36,11 @@ runs:
       shell: bash
       run: |
         set -euo pipefail
-        url="${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${INPUTS_AUDIENCE}"
+        url="${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=atr-test-v1"
         jwt="$(curl -sS -H "Authorization: bearer 
${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "$url" \
              | python3 -c 'import json, sys; 
print(json.load(sys.stdin)["value"])')"
         echo "::add-mask::$jwt"
         echo "jwt=$jwt" >> "$GITHUB_OUTPUT"
-      env:
-        INPUTS_AUDIENCE: ${{ inputs.audience }}
 
     - name: Generate an ephemeral SSH key
       id: generate-ssh-key
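Review bot: The token request here calls `curl -sS` without `--fail-with-body`, unlike the equivalent step in release-on-atr/action.yml, so an HTTP error from the token endpoint surfaces only as a Python traceback from the `json.load(...)["value"]` pipeline stage rather than as the response itself. Adding `--fail-with-body` to this `curl` keeps the two actions consistent. The registration POST in the next hunk of this file (`curl -sS -X POST ...`) has the same gap, and there nothing downstream catches it: a 4xx/5xx from `/api/publisher/ssh/register` still exits 0 and the step passes.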
@@ -58,9 +55,12 @@ runs:
       shell: bash
       run: |
         set -euxo pipefail
-        jq -n --arg jwt "$JWT" --arg key "$SSH_PUBLIC_KEY" '{jwt:$jwt, 
ssh_key:$key}' |
+        jq -n --arg publisher github \
+              --arg jwt "$JWT" \
+              --arg key "$SSH_PUBLIC_KEY" \
+              '{publisher:$publisher, jwt:$jwt, ssh_key:$key}' |
           curl -sS -X POST -H 'Content-Type: application/json' \
-            -d @- "https://${INPUTS_ATR_HOST}/api/github/ssh/register";
+            -d @- "https://${INPUTS_ATR_HOST}/api/publisher/ssh/register";
       env:
         INPUTS_ATR_HOST: ${{ inputs.atr-host }}
         JWT: ${{ steps.create-github-jwt.outputs.jwt }}
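Review bot: This step runs under `set -euxo pipefail`, and with `-x` bash writes the expanded `jq -n ... --arg jwt "$JWT"` command line to the job log, so keeping the token out of the log depends entirely on the earlier `::add-mask::` having taken effect. Using `set -euo pipefail` here, as the token step does, removes that dependency. If tracing is still wanted for debugging, enable it only around the `curl` call, which receives the body on stdin. The step's opening lines are outside the hunk.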

