/.github/workflows/bump-dependency.yaml: fix auth job

coffeegoddd · coffeegoddd · commit 838d36d2ba1e · 2025-10-28T15:38:11.000-07:00
diff --git a/.github/workflows/bump-dependency.yaml b/.github/workflows/bump-dependency.yaml
@@ -6,26 +6,40 @@ on:
 
 jobs:
   auth:
-    name: Authenticate Caller
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
+    outputs:
+      token: ${{ steps.decrypt.outputs.token }}
     steps:
-      - name: Check client token
+      - name: Install age
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y age
+
+      - name: Decrypt client token
+        id: decrypt
         env:
-          PAYLOAD_TOKEN: ${{ github.event.client_payload.token }}
-          EXPECTED_TOKEN: ${{ secrets.CLIENT_AUTH_TOKEN }}
+          AGE_PRIVATE_KEY: ${{ secrets.CLIENT_AGE_PRIVATE_KEY }}
+          CIPHERTEXT: ${{ github.event.client_payload.client_auth_ciphertext }}
         run: |
           set -euo pipefail
-          # refuse to proceed without a token
-          if [ -z "${PAYLOAD_TOKEN:-}" ]; then
-            echo "Unauthorized: missing token"
-            exit 1
-          fi
-          # simple equality check; doesn't echo secrets
-          if [ "${PAYLOAD_TOKEN}" != "${EXPECTED_TOKEN}" ]; then
-            echo "Unauthorized: bad token"
+          umask 177
+          printf '%s\n' "$AGE_PRIVATE_KEY" > ./age.key
+
+          TOKEN=$(printf '%s' "$CIPHERTEXT" | age -d -i ./age.key)
+
+          echo "::add-mask::$TOKEN"
+          echo "token=$TOKEN" >> "$GITHUB_OUTPUT"
+
+      - name: Validate token
+        env:
+          TOKEN: ${{ steps.decrypt.outputs.token }}
+          EXPECTED: ${{ secrets.CLIENT_AUTH_TOKEN }}
+        run: |
+          set -euo pipefail
+          if [ "$TOKEN" != "$EXPECTED" ]; then
+            echo "Unauthorized dispatch: token mismatch" >&2
             exit 1
           fi
-          echo "Caller authenticated"
 
   get-label:
     name: Get Label
