fix: add workflow input to override org secrets, detect old token

sshrihar · sshrihar · commit e035d859161f · 2025-12-08T18:17:55.000+04:00
diff --git a/.github/workflows/test_cloudflare_purge.yml b/.github/workflows/test_cloudflare_purge.yml
@@ -5,6 +5,11 @@ on:
     branches:
       - test-cloudflare-purge
   workflow_dispatch:
+    inputs:
+      cloudflare_auth_key:
+        required: false
+        type: string
+        description: "Cloudflare API Token (overrides secret if provided)"
 
 jobs:
   test_cloudflare_purge:
@@ -31,7 +36,46 @@ jobs:
         run: |
           # Get raw values first (before any processing)
           RAW_ZONE_ID="${{ secrets.CLOUDFLARE_ZONE }}"
-          RAW_AUTH_TOKEN="${{ secrets.CLOUDFLARE_AUTH_KEY }}"
+          
+          # Check if input token is provided (overrides secret)
+          if [ -n "${{ inputs.cloudflare_auth_key }}" ]; then
+            echo "✅ Using token from workflow input (overrides organization secret)"
+            RAW_AUTH_TOKEN="${{ inputs.cloudflare_auth_key }}"
+          else
+            echo "Using token from secrets (may be from organization level)"
+            RAW_AUTH_TOKEN="${{ secrets.CLOUDFLARE_AUTH_KEY }}"
+            
+            # Check if we're reading the old token (from org secrets)
+            if [ -n "$RAW_AUTH_TOKEN" ] && [ "${RAW_AUTH_TOKEN:0:3}" = "ObW" ]; then
+              echo ""
+              echo "⚠️  WARNING: Reading OLD token from organization secrets!"
+              echo "   Token starts with: ${RAW_AUTH_TOKEN:0:3}"
+              echo "   This is the OLD token that should be deleted."
+              echo ""
+              echo "The organization secret is overriding your repository secret."
+              echo ""
+              echo "SOLUTIONS:"
+              echo "1. Ask an org admin to delete CLOUDFLARE_AUTH_KEY from org secrets"
+              echo "2. OR use workflow_dispatch with input parameter to override:"
+              echo "   - Go to Actions → Test Cloudflare Cache Purge → Run workflow"
+              echo "   - Enter your NEW token (starting with 'fjx') in 'cloudflare_auth_key' field"
+              echo "   - This will override the org secret"
+              echo ""
+              echo "❌ Cannot proceed with old token. Please use workflow_dispatch with token input."
+              exit 1
+            fi
+          fi
+          
+          # Check if token is empty
+          if [ -z "$RAW_AUTH_TOKEN" ]; then
+            echo "❌ ERROR: CLOUDFLARE_AUTH_KEY is empty!"
+            echo ""
+            echo "SOLUTION: Use workflow_dispatch and provide the token as an input:"
+            echo "1. Go to Actions → Test Cloudflare Cache Purge → Run workflow"
+            echo "2. Enter your token in 'cloudflare_auth_key' field"
+            echo "3. Click 'Run workflow'"
+            exit 1
+          fi
           
           echo "=== Raw Secret Inspection ==="
           echo "Raw Zone ID length: ${#RAW_ZONE_ID}"
