@backstage/plugin-scaffolder-backend 0.15.21 → 0.15.23

package/CHANGELOG.md

@@ -1,5 +1,46 @@
 # @backstage/plugin-scaffolder-backend
 
+## 0.15.23
+
+### Patch Changes
+
+- 2e0dbb0e50: Migrate from deprecated package @octokit/rest to octokit
+- c95df1631e: Added support for templating secrets into actions input, and also added an extra `token` input argument to all publishers to provide a token that would override the `integrations.config`.
+  You can find more information over at [Writing Templates](https://backstage.io/docs/features/software-templates/writing-templates#using-the-users-oauth-token)
+- Updated dependencies
+  - @backstage/plugin-catalog-backend@0.21.2
+  - @backstage/backend-common@0.10.6
+  - @backstage/plugin-scaffolder-backend-module-cookiecutter@0.1.10
+
+## 0.15.23-next.1
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/backend-common@0.10.6-next.0
+  - @backstage/plugin-catalog-backend@0.21.2-next.1
+  - @backstage/plugin-scaffolder-backend-module-cookiecutter@0.1.10-next.1
+
+## 0.15.23-next.0
+
+### Patch Changes
+
+- 2e0dbb0e50: Migrate from deprecated package @octokit/rest to octokit
+- Updated dependencies
+  - @backstage/plugin-catalog-backend@0.21.2-next.0
+  - @backstage/plugin-scaffolder-backend-module-cookiecutter@0.1.10-next.0
+
+## 0.15.22
+
+### Patch Changes
+
+- b09dd8f43b: chore(deps): bump `@gitbeaker/node` from 34.6.0 to 35.1.0
+- ac2f1eeec0: This change is for adding the option of inputs on the `github:actions:dispatch` Backstage Action. This will allow users to pass data from Backstage to the GitHub Action.
+- 0d5e846a78: Expose a new option to provide additional template filters via `@backstage/scaffolder-backend`'s `createRouter()` function.
+- Updated dependencies
+  - @backstage/plugin-catalog-backend@0.21.1
+  - @backstage/backend-common@0.10.5
+
 ## 0.15.21
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -17,7 +17,7 @@ var child_process = require('child_process');
 var stream = require('stream');
 var azureDevopsNodeApi = require('azure-devops-node-api');
 var fetch = require('node-fetch');
-var rest = require('@octokit/rest');
+var octokit = require('octokit');
 var lodash = require('lodash');
 var octokitPluginCreatePullRequest = require('octokit-plugin-create-pull-request');
 var node = require('@gitbeaker/node');
@@ -361,6 +361,12 @@ const { render, renderCompat } = (() => {
     });
   }
 
+  if (typeof additionalTemplateFilters !== 'undefined') {
+    for (const [filterName, filterFn] of Object.entries(additionalTemplateFilters)) {
+      env.addFilter(filterName, (...args) => JSON.parse(filterFn(...args)));
+    }
+  }
+
   let uninstallCompat = undefined;
 
   function render(str, values) {
@@ -393,12 +399,16 @@ const { render, renderCompat } = (() => {
 `;
 class SecureTemplater {
   static async loadRenderer(options = {}) {
-    const { parseRepoUrl, cookiecutterCompat } = options;
-    let sandbox = void 0;
+    const { parseRepoUrl, cookiecutterCompat, additionalTemplateFilters } = options;
+    const sandbox = {};
     if (parseRepoUrl) {
-      sandbox = {
-        parseRepoUrl: (url) => JSON.stringify(parseRepoUrl(url))
-      };
+      sandbox.parseRepoUrl = (url) => JSON.stringify(parseRepoUrl(url));
+    }
+    if (additionalTemplateFilters) {
+      sandbox.additionalTemplateFilters = Object.fromEntries(Object.entries(additionalTemplateFilters).filter(([_, filterFunction]) => !!filterFunction).map(([filterName, filterFunction]) => [
+        filterName,
+        (...args) => JSON.stringify(filterFunction(...args))
+      ]));
     }
     const vm = new vm2.VM({ sandbox });
     const nunjucksSource = await fs__default["default"].readFile(backendCommon.resolvePackagePath("@backstage/plugin-scaffolder-backend", "assets/nunjucks.js.txt"), "utf-8");
@@ -419,7 +429,7 @@ class SecureTemplater {
 }
 
 function createFetchTemplateAction(options) {
-  const { reader, integrations } = options;
+  const { reader, integrations, additionalTemplateFilters } = options;
   return createTemplateAction({
     id: "fetch:template",
     description: "Downloads a skeleton, templates variables into file and directory names and content, and places the result in the workspace, or optionally in a subdirectory specified by the 'targetPath' input option.",
@@ -510,7 +520,8 @@ function createFetchTemplateAction(options) {
       };
       ctx.logger.info(`Processing ${allEntriesInTemplate.length} template files/directories with input values`, ctx.input.values);
       const renderTemplate = await SecureTemplater.loadRenderer({
-        cookiecutterCompat: ctx.input.cookiecutterCompat
+        cookiecutterCompat: ctx.input.cookiecutterCompat,
+        additionalTemplateFilters
       });
       for (const location of allEntriesInTemplate) {
         let renderFilename;
@@ -730,7 +741,7 @@ const enableBranchProtectionOnDefaultRepoBranch = async ({
 }) => {
   const tryOnce = async () => {
     try {
-      await client.repos.updateBranchProtection({
+      await client.rest.repos.updateBranchProtection({
         mediaType: {
           previews: ["luke-cage-preview"]
         },
@@ -843,8 +854,14 @@ function createPublishAzureAction(options) {
             description: `Sets the default branch on the repository. The default value is 'master'`
           },
           sourcePath: {
-            title: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
+            title: "Source Path",
+            description: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
             type: "string"
+          },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The token to use for authorization to Azure"
           }
         }
       },
@@ -863,6 +880,7 @@ function createPublishAzureAction(options) {
       }
     },
     async handler(ctx) {
+      var _a;
       const { repoUrl, defaultBranch = "master" } = ctx.input;
       const { owner, repo, host, organization } = parseRepoUrl(repoUrl, integrations);
       if (!organization) {
@@ -872,10 +890,11 @@ function createPublishAzureAction(options) {
       if (!integrationConfig) {
         throw new errors.InputError(`No matching integration configuration for host ${host}, please check your integrations config`);
       }
-      if (!integrationConfig.config.token) {
+      if (!integrationConfig.config.token && !ctx.input.token) {
         throw new errors.InputError(`No token provided for Azure Integration ${host}`);
       }
-      const authHandler = azureDevopsNodeApi.getPersonalAccessTokenHandler(integrationConfig.config.token);
+      const token = (_a = ctx.input.token) != null ? _a : integrationConfig.config.token;
+      const authHandler = azureDevopsNodeApi.getPersonalAccessTokenHandler(token);
       const webApi = new azureDevopsNodeApi.WebApi(`https://${host}/${organization}`, authHandler);
       const client = await webApi.getGitApi();
       const createOptions = { name: repo };
@@ -899,7 +918,7 @@ function createPublishAzureAction(options) {
         defaultBranch,
         auth: {
           username: "notempty",
-          password: integrationConfig.config.token
+          password: token
         },
         logger: ctx.logger,
         commitMessage: config.getOptionalString("scaffolder.defaultCommitMessage"),
@@ -1045,12 +1064,19 @@ function createPublishBitbucketAction(options) {
             description: `Sets the default branch on the repository. The default value is 'master'`
           },
           sourcePath: {
-            title: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
+            title: "Source Path",
+            description: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
             type: "string"
           },
           enableLFS: {
-            title: "Enable LFS for the repository. Only available for hosted Bitbucket.",
+            title: "Enable LFS?",
+            description: "Enable LFS for the repository. Only available for hosted Bitbucket.",
             type: "boolean"
+          },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The token to use for authorization to BitBucket"
           }
         }
       },
@@ -1090,7 +1116,7 @@ function createPublishBitbucketAction(options) {
       if (!integrationConfig) {
         throw new errors.InputError(`No matching integration configuration for host ${host}, please check your integrations config`);
       }
-      const authorization = getAuthorizationHeader(integrationConfig.config);
+      const authorization = getAuthorizationHeader(ctx.input.token ? { host: integrationConfig.config.host, token: ctx.input.token } : integrationConfig.config);
       const apiBaseUrl = integrationConfig.config.apiBaseUrl;
       const createMethod = host === "bitbucket.org" ? createBitbucketCloudRepository : createBitbucketServerRepository;
       const { remoteUrl, repoContentsUrl } = await createMethod({
@@ -1107,13 +1133,22 @@ function createPublishBitbucketAction(options) {
         name: config.getOptionalString("scaffolder.defaultAuthor.name"),
         email: config.getOptionalString("scaffolder.defaultAuthor.email")
       };
+      let auth;
+      if (ctx.input.token) {
+        auth = {
+          username: "x-token-auth",
+          password: ctx.input.token
+        };
+      } else {
+        auth = {
+          username: integrationConfig.config.username ? integrationConfig.config.username : "x-token-auth",
+          password: integrationConfig.config.appPassword ? integrationConfig.config.appPassword : (_a = integrationConfig.config.token) != null ? _a : ""
+        };
+      }
       await initRepoAndPush({
         dir: getRepoSourceDirectory(ctx.workspacePath, ctx.input.sourcePath),
         remoteUrl,
-        auth: {
-          username: integrationConfig.config.username ? integrationConfig.config.username : "x-token-auth",
-          password: integrationConfig.config.appPassword ? integrationConfig.config.appPassword : (_a = integrationConfig.config.token) != null ? _a : ""
-        },
+        auth,
         defaultBranch,
         logger: ctx.logger,
         commitMessage: config.getOptionalString("scaffolder.defaultCommitMessage"),
@@ -1161,7 +1196,7 @@ class OctokitProvider {
     this.integrations = integrations;
     this.githubCredentialsProvider = githubCredentialsProvider || integration.DefaultGithubCredentialsProvider.fromIntegrations(this.integrations);
   }
-  async getOctokit(repoUrl) {
+  async getOctokit(repoUrl, options) {
     var _a;
     const { owner, repo, host } = parseRepoUrl(repoUrl, this.integrations);
     if (!owner) {
@@ -1171,13 +1206,21 @@ class OctokitProvider {
     if (!integrationConfig) {
       throw new errors.InputError(`No integration for host ${host}`);
     }
+    if (options == null ? void 0 : options.token) {
+      const client2 = new octokit.Octokit({
+        auth: options.token,
+        baseUrl: integrationConfig.apiBaseUrl,
+        previews: ["nebula-preview"]
+      });
+      return { client: client2, token: options.token, owner, repo };
+    }
     const { token } = await this.githubCredentialsProvider.getCredentials({
       url: `https://${host}/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}`
     });
     if (!token) {
       throw new errors.InputError(`No token available for host: ${host}, with owner ${owner}, and repo ${repo}`);
     }
-    const client = new rest.Octokit({
+    const client = new octokit.Octokit({
       auth: token,
       baseUrl: integrationConfig.apiBaseUrl,
       previews: ["nebula-preview"]
@@ -1212,7 +1255,8 @@ function createPublishGithubAction(options) {
             type: "string"
           },
           requireCodeOwnerReviews: {
-            title: "Require an approved review in PR including files with a designated Code Owner",
+            title: "Require CODEOWNER Reviews?",
+            description: "Require an approved review in PR including files with a designated Code Owner",
             type: "boolean"
           },
           repoVisibility: {
@@ -1226,7 +1270,8 @@ function createPublishGithubAction(options) {
             description: `Sets the default branch on the repository. The default value is 'master'`
           },
           sourcePath: {
-            title: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
+            title: "Source Path",
+            description: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
             type: "string"
           },
           collaborators: {
@@ -1249,6 +1294,11 @@ function createPublishGithubAction(options) {
               }
             }
           },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The token to use for authorization to GitHub"
+          },
           topics: {
             title: "Topics",
             type: "array",
@@ -1281,19 +1331,20 @@ function createPublishGithubAction(options) {
         repoVisibility = "private",
         defaultBranch = "master",
         collaborators,
-        topics
+        topics,
+        token: providedToken
       } = ctx.input;
-      const { client, token, owner, repo } = await octokitProvider.getOctokit(repoUrl);
-      const user = await client.users.getByUsername({
+      const { client, token, owner, repo } = await octokitProvider.getOctokit(repoUrl, { token: providedToken });
+      const user = await client.rest.users.getByUsername({
         username: owner
       });
-      const repoCreationPromise = user.data.type === "Organization" ? client.repos.createInOrg({
+      const repoCreationPromise = user.data.type === "Organization" ? client.rest.repos.createInOrg({
         name: repo,
         org: owner,
         private: repoVisibility === "private",
         visibility: repoVisibility,
         description
-      }) : client.repos.createForAuthenticatedUser({
+      }) : client.rest.repos.createForAuthenticatedUser({
         name: repo,
         private: repoVisibility === "private",
         description
@@ -1301,7 +1352,7 @@ function createPublishGithubAction(options) {
       const { data: newRepo } = await repoCreationPromise;
       if (access == null ? void 0 : access.startsWith(`${owner}/`)) {
         const [, team] = access.split("/");
-        await client.teams.addOrUpdateRepoPermissionsInOrg({
+        await client.rest.teams.addOrUpdateRepoPermissionsInOrg({
           org: owner,
           team_slug: team,
           owner,
@@ -1309,7 +1360,7 @@ function createPublishGithubAction(options) {
           permission: "admin"
         });
       } else if (access && access !== owner) {
-        await client.repos.addCollaborator({
+        await client.rest.repos.addCollaborator({
           owner,
           repo,
           username: access,
@@ -1322,7 +1373,7 @@ function createPublishGithubAction(options) {
           username: team_slug
         } of collaborators) {
           try {
-            await client.teams.addOrUpdateRepoPermissionsInOrg({
+            await client.rest.teams.addOrUpdateRepoPermissionsInOrg({
               org: owner,
               team_slug,
               owner,
@@ -1337,7 +1388,7 @@ function createPublishGithubAction(options) {
       }
       if (topics) {
         try {
-          await client.repos.replaceAllTopics({
+          await client.rest.repos.replaceAllTopics({
             owner,
             repo,
             names: topics.map((t) => t.toLowerCase())
@@ -1391,13 +1442,21 @@ const defaultClientFactory = async ({
   githubCredentialsProvider,
   owner,
   repo,
-  host = "github.com"
+  host = "github.com",
+  token: providedToken
 }) => {
   var _a;
   const integrationConfig = (_a = integrations.github.byHost(host)) == null ? void 0 : _a.config;
+  const OctokitPR = octokit.Octokit.plugin(octokitPluginCreatePullRequest.createPullRequest);
   if (!integrationConfig) {
     throw new errors.InputError(`No integration for host ${host}`);
   }
+  if (providedToken) {
+    return new OctokitPR({
+      auth: providedToken,
+      baseUrl: integrationConfig.apiBaseUrl
+    });
+  }
   const credentialsProvider = githubCredentialsProvider || integration.SingleInstanceGithubCredentialsProvider.create(integrationConfig);
   const { token } = await credentialsProvider.getCredentials({
     url: `https://${host}/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}`
@@ -1405,7 +1464,6 @@ const defaultClientFactory = async ({
   if (!token) {
     throw new errors.InputError(`No token available for host: ${host}, with owner ${owner}, and repo ${repo}`);
   }
-  const OctokitPR = rest.Octokit.plugin(octokitPluginCreatePullRequest.createPullRequest);
   return new OctokitPR({
     auth: token,
     baseUrl: integrationConfig.apiBaseUrl
@@ -1452,6 +1510,11 @@ const createPublishGithubPullRequestAction = ({
             type: "string",
             title: "Repository Subdirectory",
             description: "Subdirectory of repository to apply changes to"
+          },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The token to use for authorization to GitHub"
           }
         }
       },
@@ -1474,7 +1537,8 @@ const createPublishGithubPullRequestAction = ({
         title,
         description,
         targetPath,
-        sourcePath
+        sourcePath,
+        token: providedToken
       } = ctx.input;
       const { owner, repo, host } = parseRepoUrl(repoUrl, integrations);
       if (!owner) {
@@ -1485,7 +1549,8 @@ const createPublishGithubPullRequestAction = ({
         githubCredentialsProvider,
         host,
         owner,
-        repo
+        repo,
+        token: providedToken
       });
       const fileRoot = sourcePath ? backendCommon.resolveSafeChildPath(ctx.workspacePath, sourcePath) : ctx.workspacePath;
       const localFilePaths = await globby__default["default"](["./**", "./**/.*", "!.git"], {
@@ -1559,8 +1624,14 @@ function createPublishGitlabAction(options) {
             description: `Sets the default branch on the repository. The default value is 'master'`
           },
           sourcePath: {
-            title: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
+            title: "Source Path",
+            description: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
             type: "string"
+          },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The token to use for authorization to GitLab"
           }
         }
       },
@@ -1592,12 +1663,13 @@ function createPublishGitlabAction(options) {
       if (!integrationConfig) {
         throw new errors.InputError(`No matching integration configuration for host ${host}, please check your integrations config`);
       }
-      if (!integrationConfig.config.token) {
+      if (!integrationConfig.config.token && !ctx.input.token) {
         throw new errors.InputError(`No token available for host ${host}`);
       }
+      const token = ctx.input.token || integrationConfig.config.token;
       const client = new node.Gitlab({
         host: integrationConfig.config.baseUrl,
-        token: integrationConfig.config.token
+        token
       });
       let { id: targetNamespace } = await client.Namespaces.show(owner);
       if (!targetNamespace) {
@@ -1621,7 +1693,7 @@ function createPublishGitlabAction(options) {
         defaultBranch,
         auth: {
           username: "oauth2",
-          password: integrationConfig.config.token
+          password: token
         },
         logger: ctx.logger,
         commitMessage: config.getOptionalString("scaffolder.defaultCommitMessage"),
@@ -1671,6 +1743,11 @@ const createPublishGitlabMergeRequestAction = (options) => {
             type: "string",
             title: "Repository Subdirectory",
             description: "Subdirectory of repository to apply changes to"
+          },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The token to use for authorization to GitLab"
           }
         }
       },
@@ -1690,6 +1767,7 @@ const createPublishGitlabMergeRequestAction = (options) => {
       }
     },
     async handler(ctx) {
+      var _a;
       const repoUrl = ctx.input.repoUrl;
       const { host } = parseRepoUrl(repoUrl, integrations);
       const integrationConfig = integrations.gitlab.byHost(host);
@@ -1698,12 +1776,13 @@ const createPublishGitlabMergeRequestAction = (options) => {
       if (!integrationConfig) {
         throw new errors.InputError(`No matching integration configuration for host ${host}, please check your integrations config`);
       }
-      if (!integrationConfig.config.token) {
+      if (!integrationConfig.config.token && !ctx.input.token) {
         throw new errors.InputError(`No token available for host ${host}`);
       }
+      const token = (_a = ctx.input.token) != null ? _a : integrationConfig.config.token;
       const api = new node.Gitlab({
         host: integrationConfig.config.baseUrl,
-        token: integrationConfig.config.token
+        token
       });
       const fileRoot = ctx.workspacePath;
       const localFilePaths = await globby__default["default"]([`${ctx.input.targetPath}/**`], {
@@ -1772,19 +1851,36 @@ function createGithubActionsDispatchAction(options) {
             title: "Branch or Tag name",
             description: "The git branch or tag name used to dispatch the workflow",
             type: "string"
+          },
+          workflowInputs: {
+            title: "Workflow Inputs",
+            description: "Inputs keys and values to send to GitHub Action configured on the workflow file. The maximum number of properties is 10. ",
+            type: "object"
+          },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The GITHUB_TOKEN to use for authorization to GitHub"
           }
         }
       }
     },
     async handler(ctx) {
-      const { repoUrl, workflowId, branchOrTagName } = ctx.input;
+      const {
+        repoUrl,
+        workflowId,
+        branchOrTagName,
+        workflowInputs,
+        token: providedToken
+      } = ctx.input;
       ctx.logger.info(`Dispatching workflow ${workflowId} for repo ${repoUrl} on ${branchOrTagName}`);
-      const { client, owner, repo } = await octokitProvider.getOctokit(repoUrl);
+      const { client, owner, repo } = await octokitProvider.getOctokit(repoUrl, { token: providedToken });
       await client.rest.actions.createWorkflowDispatch({
         owner,
         repo,
         workflow_id: workflowId,
-        ref: branchOrTagName
+        ref: branchOrTagName,
+        inputs: workflowInputs
       });
       ctx.logger.info(`Workflow ${workflowId} dispatched successfully`);
     }
@@ -1852,6 +1948,11 @@ function createGithubWebhookAction(options) {
             title: "Insecure SSL",
             type: "boolean",
             description: `Determines whether the SSL certificate of the host for url will be verified when delivering payloads. Default 'false'`
+          },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The GITHUB_TOKEN to use for authorization to GitHub"
           }
         }
       }
@@ -1864,13 +1965,14 @@ function createGithubWebhookAction(options) {
         events = ["push"],
         active = true,
         contentType = "form",
-        insecureSsl = false
+        insecureSsl = false,
+        token: providedToken
       } = ctx.input;
       ctx.logger.info(`Creating webhook ${webhookUrl} for repo ${repoUrl}`);
-      const { client, owner, repo } = await octokitProvider.getOctokit(repoUrl);
+      const { client, owner, repo } = await octokitProvider.getOctokit(repoUrl, { token: providedToken });
       try {
         const insecure_ssl = insecureSsl ? "1" : "0";
-        await client.repos.createWebhook({
+        await client.rest.repos.createWebhook({
           owner,
           repo,
           config: {
@@ -1892,7 +1994,14 @@ function createGithubWebhookAction(options) {
 }
 
 const createBuiltinActions = (options) => {
-  const { reader, integrations, containerRunner, catalogClient, config } = options;
+  const {
+    reader,
+    integrations,
+    containerRunner,
+    catalogClient,
+    config,
+    additionalTemplateFilters
+  } = options;
   const githubCredentialsProvider = integration.DefaultGithubCredentialsProvider.fromIntegrations(integrations);
   const actions = [
     createFetchPlainAction({
@@ -1901,7 +2010,8 @@ const createBuiltinActions = (options) => {
     }),
     createFetchTemplateAction({
       integrations,
-      reader
+      reader,
+      additionalTemplateFilters
     }),
     createPublishGithubAction({
       integrations,
@@ -2532,7 +2642,7 @@ class NunjucksWorkflowRunner {
     });
   }
   async execute(task) {
-    var _a, _b, _c, _d;
+    var _a, _b, _c, _d, _e;
     if (!isValidTaskSpec(task.spec)) {
       throw new errors.InputError("Wrong template version executed with the workflow engine");
     }
@@ -2541,7 +2651,8 @@ class NunjucksWorkflowRunner {
     const renderTemplate = await SecureTemplater.loadRenderer({
       parseRepoUrl(url) {
         return parseRepoUrl(url, integrations);
-      }
+      },
+      additionalTemplateFilters: this.options.additionalTemplateFilters
     });
     try {
       await fs__default["default"].ensureDir(workspacePath);
@@ -2565,8 +2676,8 @@ class NunjucksWorkflowRunner {
           });
           const action = this.options.actionRegistry.get(step.action);
           const { taskLogger, streamLogger } = createStepLogger({ task, step });
-          const input = (_a = step.input && this.render(step.input, context, renderTemplate)) != null ? _a : {};
-          if ((_b = action.schema) == null ? void 0 : _b.input) {
+          const input = (_b = step.input && this.render(step.input, { ...context, secrets: (_a = task.secrets) != null ? _a : {} }, renderTemplate)) != null ? _b : {};
+          if ((_c = action.schema) == null ? void 0 : _c.input) {
             const validateResult = jsonschema.validate(input, action.schema.input);
             if (!validateResult.valid) {
               const errors$1 = validateResult.errors.join(", ");
@@ -2581,8 +2692,8 @@ class NunjucksWorkflowRunner {
           await action.handler({
             baseUrl: task.spec.baseUrl,
             input,
-            token: (_c = task.secrets) == null ? void 0 : _c.token,
-            secrets: (_d = task.secrets) != null ? _d : {},
+            token: (_d = task.secrets) == null ? void 0 : _d.token,
+            secrets: (_e = task.secrets) != null ? _e : {},
             logger: taskLogger,
             logStream: streamLogger,
             workspacePath,
@@ -2632,7 +2743,8 @@ class TaskWorker {
       logger,
       actionRegistry,
       integrations,
-      workingDirectory
+      workingDirectory,
+      additionalTemplateFilters
     } = options;
     const legacyWorkflowRunner = new HandlebarsWorkflowRunner({
       logger,
@@ -2644,7 +2756,8 @@ class TaskWorker {
       actionRegistry,
       integrations,
       logger,
-      workingDirectory
+      workingDirectory,
+      additionalTemplateFilters
     });
     return new TaskWorker({
       taskBroker,
@@ -2741,7 +2854,8 @@ async function createRouter(options) {
     catalogClient,
     actions,
     containerRunner,
-    taskWorkers
+    taskWorkers,
+    additionalTemplateFilters
   } = options;
   const logger = parentLogger.child({ plugin: "scaffolder" });
   const workingDirectory = await getWorkingDirectory(config, logger);
@@ -2764,7 +2878,8 @@ async function createRouter(options) {
       actionRegistry,
       integrations,
       logger,
-      workingDirectory
+      workingDirectory,
+      additionalTemplateFilters
     });
     workers.push(worker);
   }
@@ -2773,7 +2888,8 @@ async function createRouter(options) {
     catalogClient,
     containerRunner,
     reader,
-    config
+    config,
+    additionalTemplateFilters
   });
   actionsToRegister.forEach((action) => actionRegistry.register(action));
   workers.forEach((worker) => worker.start());