fix: standardize token usage in GitHub Actions workflows

ShawnDen-coder · ShawnDen-coder · commit 6ae8f7b00a02 · 2025-02-17T22:55:49.000+08:00
diff --git a/.github/workflows/bump_version.yaml b/.github/workflows/bump_version.yaml
@@ -22,29 +22,34 @@ permissions:
   pull-requests: write  # 用于创建 PR
 
 jobs:
+  setup:
+    uses: ./.github/workflows/setup.yaml
+    secrets: inherit
+
   bump-version:
     if: "!startsWith(github.event.head_commit.message, 'bump:')"
+    needs: setup
     runs-on: ubuntu-latest
     name: "Bump version and create changelog with commitizen"
     steps:
       - name: Check out
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ needs.setup.outputs.personal-access-token || github.token }}
+          token: ${{ needs.setup.outputs.PERSONAL_ACCESS_TOKEN }}
 
       - id: cz
         name: Create bump and changelog
         uses: commitizen-tools/commitizen-action@master
         with:
-          github_token: ${{ needs.setup.outputs.personal-access-token || github.token }}
+          github_token: ${{ needs.setup.outputs.PERSONAL_ACCESS_TOKEN }}
           changelog_increment_filename: body.md
           increment: ${{ github.event.inputs.increment }}
 
-      - name: Release
-        uses: softprops/action-gh-release@v1
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
         with:
           body_path: body.md
           tag_name: ${{ env.REVISION }}
         env:
-          GITHUB_TOKEN: ${{ needs.setup.outputs.personal-access-token || github.token }}
+          GITHUB_TOKEN: ${{ needs.setup.outputs.PERSONAL_ACCESS_TOKEN }}
diff --git a/.github/workflows/deploy_docs.yaml b/.github/workflows/deploy_docs.yaml
@@ -17,6 +17,8 @@ jobs:
     secrets:
       OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
       PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+    outputs:
+      PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
 
   deploy:
     needs: setup
@@ -25,4 +27,4 @@ jobs:
       - name: Build and deploy documentation
         run: uvx mkdocs gh-deploy --force
         env:
-          GITHUB_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          GITHUB_TOKEN: ${{ needs.setup.outputs.PERSONAL_ACCESS_TOKEN || github.token }}
diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml
@@ -24,6 +24,8 @@ jobs:
     secrets:
       OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
       PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+    outputs:
+      personal-access-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
 
   build:
     needs: setup
@@ -39,6 +41,7 @@ jobs:
         id: create_release
         uses: softprops/action-gh-release@v2
         with:
+          token: ${{ needs.setup.outputs.PERSONAL_ACCESS_TOKEN || github.token }}
           tag_name: ${{ github.event.inputs.version || github.ref_name }}
           draft: false
           prerelease: false
diff --git a/.github/workflows/setup.yaml b/.github/workflows/setup.yaml
@@ -19,12 +19,16 @@ on:
       python-version:
         description: "The Python version that was set up"
         value: ${{ jobs.setup.outputs.python-version }}
+      PERSONAL_ACCESS_TOKEN:
+        description: "The personal access token"
+        value: ${{ jobs.setup.outputs.PERSONAL_ACCESS_TOKEN }}
 
 jobs:
   setup:
     runs-on: ubuntu-latest
     outputs:
       python-version: ${{ steps.setup-python.outputs.python-version }}
+      PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
     steps:
       - name: Load secret
         if: ${{ inputs.install-deps != 'none' }}
diff --git a/repo_scaffold/templates/template-python/{{cookiecutter.project_slug}}/.github/workflows/bump_version.yaml b/repo_scaffold/templates/template-python/{{cookiecutter.project_slug}}/.github/workflows/bump_version.yaml
@@ -36,20 +36,20 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ needs.setup.outputs.personal-access-token || github.token }}
+          token: ${{ needs.setup.outputs.PERSONAL_ACCESS_TOKEN }}
 
       - id: cz
         name: Create bump and changelog
         uses: commitizen-tools/commitizen-action@master
         with:
-          github_token: ${{ needs.setup.outputs.personal-access-token || github.token }}
+          github_token: ${{ needs.setup.outputs.PERSONAL_ACCESS_TOKEN }}
           changelog_increment_filename: body.md
           increment: ${{ github.event.inputs.increment }}
 
-      - name: Release
-        uses: softprops/action-gh-release@v1
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
         with:
           body_path: body.md
           tag_name: ${{ env.REVISION }}
         env:
-          GITHUB_TOKEN: ${{ needs.setup.outputs.personal-access-token || github.token }}
+          GITHUB_TOKEN: ${{ needs.setup.outputs.PERSONAL_ACCESS_TOKEN }}
diff --git a/repo_scaffold/templates/template-python/{{cookiecutter.project_slug}}/.github/workflows/deploy_docs.yaml b/repo_scaffold/templates/template-python/{{cookiecutter.project_slug}}/.github/workflows/deploy_docs.yaml
@@ -15,10 +15,7 @@ jobs:
     uses: ./.github/workflows/setup.yaml
     with:
       install-deps: docs
-      python-version: "{{ cookiecutter.max_python_version }}"
-    secrets:
-      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-      PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+    secrets: inherit
 
   deploy:
     needs: setup
@@ -27,5 +24,5 @@ jobs:
       - name: Build and deploy documentation
         run: uvx mkdocs gh-deploy --force
         env:
-          GITHUB_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          GITHUB_TOKEN: ${{ needs.setup.outputs.PERSONAL_ACCESS_TOKEN || github.token }}
 {% endif %}
diff --git a/repo_scaffold/templates/template-python/{{cookiecutter.project_slug}}/.github/workflows/release_build.yaml b/repo_scaffold/templates/template-python/{{cookiecutter.project_slug}}/.github/workflows/release_build.yaml
@@ -24,6 +24,8 @@ jobs:
     secrets:
       OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
       PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+    outputs:
+      personal-access-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
 
   build:
     needs: setup
@@ -39,6 +41,7 @@ jobs:
         id: create_release
         uses: softprops/action-gh-release@v2
         with:
+          token: ${{ needs.setup.outputs.PERSONAL_ACCESS_TOKEN || github.token }}
           tag_name: ${{ github.event.inputs.version || github.ref_name }}
           draft: false
           prerelease: false
diff --git a/repo_scaffold/templates/template-python/{{cookiecutter.project_slug}}/.github/workflows/setup.yaml b/repo_scaffold/templates/template-python/{{cookiecutter.project_slug}}/.github/workflows/setup.yaml
@@ -20,12 +20,16 @@ on:
       python-version:
         description: "The Python version that was set up"
         value: ${{ jobs.setup.outputs.python-version }}
+      PERSONAL_ACCESS_TOKEN:
+        description: "The personal access token"
+        value: ${{ jobs.setup.outputs.PERSONAL_ACCESS_TOKEN }}
 
 jobs:
   setup:
     runs-on: ubuntu-latest
     outputs:
       python-version: ${{ steps.setup-python.outputs.python-version }}
+      PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
     steps:
       - name: Load secret
         if: ${{ inputs.install-deps != 'none' }}
