Configurable GitHub token env var key

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## [0.29.0] - 13-05-2024
+Allows the environment variable key that is looked up to enable token based authentication to be configurable. The default is now `GH_TOKEN`.
+
 ## [0.28.1] - 09-05-2024
 Fixed a bug with GITHUB_TOKEN authentication where pushes would fail when configured to use a GitHub token.
 Fixed version of golangci-lint to work with more recent golang versions.

README.md

@@ -142,11 +142,37 @@ You can address the error `ssh: handshake failed: knownhosts: key is unknown ` w
 - Calling `ssh-keyscan -H github.com >> ~/.ssh/known_hosts` prior to pushing your vergo tag to introduce github to your known hosts.
 - Calling `vergo` with the `--disable-strict-host-check` flag. This should only be used on CI where known hosts are not cached.
 
-## Using GITHUB_TOKEN inside GitHub Actions
+## Authentication
 
-Vergo will first try to use Token Bearer Authentication using the GITHUB_TOKEN environment variable when running inside a GitHub Action/Workflow. It will fallback to ssh based authentication if the GITHUB_TOKEN is not present.
+Vergo supports 2 method of Git authentication:
+- SSH
+- Access token
 
-Inside github actions please ensure that the GITHUB_TOKEN environment variable is set with the `${{ secrets.GITHUB_TOKEN }}` in order to push to the current repository.
+### SSH
+
+SSH authentication is enabled when the `SSH_AUTH_SOCK` environment variable is present. To use SSH `SSH_AUTH_SOCK` will need to contain the path of the unix file socket that the SSH client uses to connect to the SSH agent.
+
+### Access token
+
+Access token authentication is enabled when an environment variable with the same key as what is configured by the `--token-env-var-key` CLI arg exists. This takes precedence over `SSH_AUTH_SOCK`, so if both are set then access token auth will be used. The configurability of `--token-env-var-key` allows the following:
+- `GITHUB_TOKEN` is set but SHOULD NOT be used by `vergo`
+- `GH_TOKEN` is set and SHOULD be used by `vergo`
+
+The above can be achieved with `vergo --token-env-var-key GH_TOKEN`.
+
+## Using token authentication inside GitHub Actions
+
+Inside GitHub Actions please ensure that the value of the `GH_TOKEN` environment variable is set to `${{ secrets.GITHUB_TOKEN }}` in order to push to the current repository. As above, `GH_TOKEN` can be changed to something else by setting `--token-env-var-key`.
+
+Example workflow job step using the provided GITHUB_TOKEN with `vergo`:
+```yaml
+      - name: Tag release
+        run: |
+          vergo check release -t my-app
+          vergo bump minor -t my-app --push-tag
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+```
 
 Please see  [token authentication](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) for further details.
 

cmd/cmd_bump.go

@@ -47,7 +47,7 @@ func BumpCmd(bumpFunc bump.Func, pushTag vergo.PushTagFunc) *cobra.Command {
 				return err
 			}
 			if pushTagParam {
-				err = pushTag(repo, version.String(), rootFlags.tagPrefix, rootFlags.remote, rootFlags.dryRun, rootFlags.disableStrictHostChecking)
+				err = pushTag(repo, version.String(), rootFlags.tagPrefix, rootFlags.remote, rootFlags.dryRun, rootFlags.disableStrictHostChecking, rootFlags.tokenEnvVarKey)
 				if err != nil {
 					return err
 				}

cmd/cmd_consts.go

@@ -16,3 +16,5 @@ const withMetadata = "with-metadata"
 
 const sortDirection = "sort-direction"
 const maxListSize = "max-list-size"
+
+const tokenEnvVarKey = "token-env-var-key"

cmd/common_test.go

@@ -25,11 +25,11 @@ func bumpSuccess(t *testing.T) bump.Func {
 	}
 }
 
-func mockPushTagSuccess(_ *git.Repository, _, _, _ string, _ bool, _ bool) error {
+func mockPushTagSuccess(_ *git.Repository, _, _, _ string, _ bool, _ bool, _ string) error {
 	return nil
 }
 
-func mockPushTagFailure(_ *git.Repository, _, _, _ string, _ bool, _ bool) error {
+func mockPushTagFailure(_ *git.Repository, _, _, _ string, _ bool, _ bool, _ string) error {
 	return errors.New("push tag failed")
 }
 

cmd/push.go

@@ -24,7 +24,7 @@ func PushCmd() *cobra.Command {
 			if err != nil {
 				return err
 			}
-			err = vergo.PushTag(repo, ref.Version.String(), rootFlags.tagPrefix, rootFlags.remote, rootFlags.dryRun, rootFlags.disableStrictHostChecking)
+			err = vergo.PushTag(repo, ref.Version.String(), rootFlags.tagPrefix, rootFlags.remote, rootFlags.dryRun, rootFlags.disableStrictHostChecking, rootFlags.tokenEnvVarKey)
 			if err != nil {
 				return err
 			}

cmd/root.go

@@ -21,6 +21,7 @@ func RootCmd() *cobra.Command {
 	rootCmd.PersistentFlags().StringP(repositoryLocation, "l", ".", "repository location")
 	rootCmd.PersistentFlags().String(logLevel, "Info", "set log level")
 	rootCmd.PersistentFlags().BoolP(strictHostChecking, "d", false, "disable strict host checking for git. should only be enabled on ci.")
+	rootCmd.PersistentFlags().StringP(tokenEnvVarKey, "k", "GH_TOKEN", "environment variable key to use for lookup when deciding if token based git auth should be used")
 	rootCmd.PersistentFlags().Bool(dryRun, false, "dry run")
 	rootCmd.PersistentFlags().StringSlice(versionedBranchNames, []string{"master", "main"},
 		"names of the main working branches")
@@ -30,6 +31,7 @@ func RootCmd() *cobra.Command {
 
 type RootFlags struct {
 	remote, tagPrefix, tagPrefixRaw, repositoryLocation string
+	tokenEnvVarKey                                      string
 	logLevel                                            log.Level
 	withPrefix, dryRun, disableStrictHostChecking       bool
 	versionedBranches                                   []string
@@ -68,6 +70,10 @@ func readRootFlags(cmd *cobra.Command) (*RootFlags, error) {
 	if err != nil {
 		return nil, err
 	}
+	tokenEnvVarKey, err := cmd.Flags().GetString(tokenEnvVarKey)
+	if err != nil {
+		return nil, err
+	}
 	logLevel, err := log.ParseLevel(logLevelParam)
 	if err != nil {
 		log.WithError(err).Errorln("invalid log level, using INFO instead")
@@ -85,6 +91,7 @@ func readRootFlags(cmd *cobra.Command) (*RootFlags, error) {
 		dryRun:                    dryRun,
 		withPrefix:                withPrefix,
 		disableStrictHostChecking: disableStrictHostChecking,
+		tokenEnvVarKey:            tokenEnvVarKey,
 	}, nil
 }
 

git/git.go

@@ -116,14 +116,14 @@ func CreateTag(repo *gogit.Repository, version, prefix string, dryRun bool) erro
 type PushTagFunc func(
 	repo *gogit.Repository,
 	version, prefix, remote string,
-	dryRun bool, disableStrictHostChecking bool) error
+	dryRun bool, disableStrictHostChecking bool, tokenEnvVarKey string) error
 
-func PushTag(r *gogit.Repository, version, prefix, remote string, dryRun bool, disableStrictHostChecking bool) error {
+func PushTag(r *gogit.Repository, version, prefix, remote string, dryRun bool, disableStrictHostChecking bool, tokenEnvVarKey string) error {
 	tag := prefix + version
 
 	var auth transport.AuthMethod
 
-	if githubToken, ok := os.LookupEnv("GITHUB_TOKEN"); ok {
+	if githubToken, ok := os.LookupEnv(tokenEnvVarKey); ok {
 		log.Debug("Using Github Bearer Token Auth")
 		auth = &http.BasicAuth{
 			Username: "can-be-anything",