/.github/workflows/bump-dependency.yaml: force client auth token before proceeding

2025-12-30 16:12:39 -06:00 · 2025-10-28 13:56:37 -07:00
parent 8b89b3c81f
commit d1fa5c2aa5
1 changed files with 23 additions and 0 deletions
--- a/.github/workflows/bump-dependency.yaml
+++ b/.github/workflows/bump-dependency.yaml
@@ -5,7 +5,30 @@ on:
    types: [ bump-dependency ]

 jobs:
+    auth:
+    name: Authenticate Caller
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Check client token
+        env:
+          PAYLOAD_TOKEN: ${{ github.event.client_payload.token }}
+          EXPECTED_TOKEN: ${{ secrets.CLIENT_AUTH_TOKEN }}
+        run: |
+          set -euo pipefail
+          # refuse to proceed without a token
+          if [ -z "${PAYLOAD_TOKEN:-}" ]; then
+            echo "Unauthorized: missing token"
+            exit 1
+          fi
+          # simple equality check; doesn't echo secrets
+          if [ "${PAYLOAD_TOKEN}" != "${EXPECTED_TOKEN}" ]; then
+            echo "Unauthorized: bad token"
+            exit 1
+          fi
+          echo "Caller authenticated"
+
  get-label:
+    needs: auth
    name: Get Label
    outputs:
      label: ${{ steps.get-label.outputs.label }}