refactor: Split authentication validation into separate steps

Changes:
- Step 1: Validate authentication inputs (checks at least one is present)
- Step 2: Validate API token (runs only if token provided)
- Step 3: Validate SSH key (runs only if SSH key provided)

Benefits:
- Clearer separation of concerns
- Easier to read and maintain
- Each validation only runs when relevant
- SSH key validation now checks format

Author: vaind

updater/action.yml

@@ -122,7 +122,7 @@ runs:
         }
         Write-Output "✓ Post-update script path '${{ inputs.post-update-script }}' is valid"
 
-    - name: Validate authentication
+    - name: Validate authentication inputs
       shell: pwsh
       env:
         GH_TOKEN: ${{ inputs.api-token }}
@@ -136,68 +136,102 @@ runs:
           exit 1
         }
 
-        if ($hasToken -and $env:GH_TOKEN -match '-----BEGIN') {
+        if ($hasToken -and $hasSshKey) {
+          Write-Output "✓ Using both SSH key (for git) and token (for GitHub API)"
+        } elseif ($hasToken) {
+          Write-Output "✓ Using token authentication"
+        } else {
+          Write-Output "✓ Using SSH key authentication"
+        }
+
+    - name: Validate API token
+      if: ${{ inputs.api-token != '' }}
+      shell: pwsh
+      env:
+        GH_TOKEN: ${{ inputs.api-token }}
+      run: |
+        # Check if token is actually an SSH key
+        if ($env:GH_TOKEN -match '-----BEGIN') {
           Write-Output "::error::The api-token input appears to contain an SSH private key."
           Write-Output "::error::Please use the ssh-key input for SSH authentication instead of api-token."
           exit 1
         }
 
-        if ($hasToken -and $hasSshKey) {
-          Write-Output "Using both SSH key (for git) and token (for GitHub API)"
+        # Check for whitespace
+        if ($env:GH_TOKEN -match '\s') {
+          $tokenLength = $env:GH_TOKEN.Length
+          $whitespaceMatch = [regex]::Match($env:GH_TOKEN, '\s')
+          $position = $whitespaceMatch.Index
+          $char = $whitespaceMatch.Value
+          $charName = switch ($char) {
+            "`n" { "newline (LF)" }
+            "`r" { "carriage return (CR)" }
+            "`t" { "tab" }
+            " " { "space" }
+            default { "whitespace character (code: $([int][char]$char))" }
+          }
+          Write-Output "::error::GitHub token contains whitespace at position $position of $tokenLength characters: $charName"
+          Write-Output "::error::This suggests the token secret may be malformed. Check for extra newlines when setting the secret."
+          exit 1
         }
 
-        # Token-specific validation
-        if ($hasToken) {
-          if ($env:GH_TOKEN -match '\s') {
-            $tokenLength = $env:GH_TOKEN.Length
-            $whitespaceMatch = [regex]::Match($env:GH_TOKEN, '\s')
-            $position = $whitespaceMatch.Index
-            $char = $whitespaceMatch.Value
-            $charName = switch ($char) {
-              "`n" { "newline (LF)" }
-              "`r" { "carriage return (CR)" }
-              "`t" { "tab" }
-              " " { "space" }
-              default { "whitespace character (code: $([int][char]$char))" }
+        # Check token scopes (works for classic PATs only)
+        $headers = curl -sS -I -H "Authorization: token $env:GH_TOKEN" https://api.github.com 2>&1
+        $scopeLine = $headers | Select-String -Pattern '^x-oauth-scopes:' -CaseSensitive:$false
+        if ($scopeLine) {
+          $scopes = $scopeLine -replace '^x-oauth-scopes:\s*', '' -replace '\r', ''
+          if ([string]::IsNullOrWhiteSpace($scopes)) {
+            Write-Output "::warning::Token has no scopes. If using a fine-grained PAT, ensure it has Contents (write) and Pull Requests (write) permissions."
+          } else {
+            Write-Output "Token scopes: $scopes"
+            if ($scopes -notmatch '\brepo\b' -and $scopes -notmatch '\bpublic_repo\b') {
+              Write-Output "::warning::Token may be missing 'repo' or 'public_repo' scope. This may cause issues with private repositories."
             }
-            Write-Output "::error::GitHub token contains whitespace at position $position of $tokenLength characters: $charName"
-            Write-Output "::error::This suggests the token secret may be malformed. Check for extra newlines when setting the secret."
-            exit 1
           }
+        } else {
+          Write-Output "::notice::Could not detect token scopes (this is normal for fine-grained PATs). Ensure token has Contents (write) and Pull Requests (write) permissions."
+        }
 
-          # Check token scopes (works for classic PATs only)
-          $headers = curl -sS -I -H "Authorization: token $env:GH_TOKEN" https://api.github.com 2>&1
-          $scopeLine = $headers | Select-String -Pattern '^x-oauth-scopes:' -CaseSensitive:$false
-          if ($scopeLine) {
-            $scopes = $scopeLine -replace '^x-oauth-scopes:\s*', '' -replace '\r', ''
-            if ([string]::IsNullOrWhiteSpace($scopes)) {
-              Write-Output "::warning::Token has no scopes. If using a fine-grained PAT, ensure it has Contents (write) and Pull Requests (write) permissions."
-            } else {
-              Write-Output "Token scopes: $scopes"
-              if ($scopes -notmatch '\brepo\b' -and $scopes -notmatch '\bpublic_repo\b') {
-                Write-Output "::warning::Token may be missing 'repo' or 'public_repo' scope. This may cause issues with private repositories."
-              }
-            }
-          } else {
-            Write-Output "::notice::Could not detect token scopes (this is normal for fine-grained PATs). Ensure token has Contents (write) and Pull Requests (write) permissions."
-          }
+        # Check token validity and access
+        gh api repos/${{ github.repository }} --silent 2>&1 | Out-Null
+        if ($LASTEXITCODE -ne 0) {
+          Write-Output "::error::GitHub token validation failed. Please verify:"
+          Write-Output "  1. Token is not empty or malformed"
+          Write-Output "  2. Token has not expired"
+          Write-Output "  3. Token has an expiration date set"
+          Write-Output "  4. Token has 'repo' and 'workflow' scopes"
+          exit 1
+        }
+
+        Write-Output "✓ GitHub token is valid and has access to this repository"
+
+    - name: Validate SSH key
+      if: ${{ inputs.ssh-key != '' }}
+      shell: pwsh
+      env:
+        SSH_KEY: ${{ inputs.ssh-key }}
+      run: |
+        # Check if SSH key looks valid
+        if ($env:SSH_KEY -notmatch '-----BEGIN') {
+          Write-Output "::warning::SSH key does not appear to start with a PEM header (-----BEGIN). Please verify the key format."
+        }
 
-          # Check token validity and access
-          gh api repos/${{ github.repository }} --silent 2>&1 | Out-Null
-          if ($LASTEXITCODE -ne 0) {
-            Write-Output "::error::GitHub token validation failed. Please verify:"
-            Write-Output "  1. Token is not empty or malformed"
-            Write-Output "  2. Token has not expired"
-            Write-Output "  3. Token has an expiration date set"
-            Write-Output "  4. Token has 'repo' and 'workflow' scopes"
-            exit 1
+        # Check for common SSH key types
+        $validKeyTypes = @('RSA', 'OPENSSH', 'DSA', 'EC', 'PRIVATE KEY')
+        $hasValidType = $false
+        foreach ($type in $validKeyTypes) {
+          if ($env:SSH_KEY -match "-----BEGIN.*$type") {
+            $hasValidType = $true
+            break
           }
+        }
 
-          Write-Output "✓ GitHub token is valid and has access to this repository"
-        } else {
-          Write-Output "✓ Using SSH key authentication"
+        if (-not $hasValidType) {
+          Write-Output "::warning::SSH key type not recognized. Supported types: RSA, OPENSSH, DSA, EC, PRIVATE KEY"
         }
 
+        Write-Output "✓ SSH key format appears valid"
+
     - name: Configure git credentials
       if: ${{ inputs.api-token != '' }}
       shell: pwsh