@backstage/plugin-scaffolder-backend 0.15.23-next.1 → 0.15.23

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @backstage/plugin-scaffolder-backend
 
+## 0.15.23
+
+### Patch Changes
+
+- 2e0dbb0e50: Migrate from deprecated package @octokit/rest to octokit
+- c95df1631e: Added support for templating secrets into actions input, and also added an extra `token` input argument to all publishers to provide a token that would override the `integrations.config`.
+  You can find more information over at [Writing Templates](https://backstage.io/docs/features/software-templates/writing-templates#using-the-users-oauth-token)
+- Updated dependencies
+  - @backstage/plugin-catalog-backend@0.21.2
+  - @backstage/backend-common@0.10.6
+  - @backstage/plugin-scaffolder-backend-module-cookiecutter@0.1.10
+
 ## 0.15.23-next.1
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -854,8 +854,14 @@ function createPublishAzureAction(options) {
             description: `Sets the default branch on the repository. The default value is 'master'`
           },
           sourcePath: {
-            title: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
+            title: "Source Path",
+            description: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
             type: "string"
+          },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The token to use for authorization to Azure"
           }
         }
       },
@@ -874,6 +880,7 @@ function createPublishAzureAction(options) {
       }
     },
     async handler(ctx) {
+      var _a;
       const { repoUrl, defaultBranch = "master" } = ctx.input;
       const { owner, repo, host, organization } = parseRepoUrl(repoUrl, integrations);
       if (!organization) {
@@ -883,10 +890,11 @@ function createPublishAzureAction(options) {
       if (!integrationConfig) {
         throw new errors.InputError(`No matching integration configuration for host ${host}, please check your integrations config`);
       }
-      if (!integrationConfig.config.token) {
+      if (!integrationConfig.config.token && !ctx.input.token) {
         throw new errors.InputError(`No token provided for Azure Integration ${host}`);
       }
-      const authHandler = azureDevopsNodeApi.getPersonalAccessTokenHandler(integrationConfig.config.token);
+      const token = (_a = ctx.input.token) != null ? _a : integrationConfig.config.token;
+      const authHandler = azureDevopsNodeApi.getPersonalAccessTokenHandler(token);
       const webApi = new azureDevopsNodeApi.WebApi(`https://${host}/${organization}`, authHandler);
       const client = await webApi.getGitApi();
       const createOptions = { name: repo };
@@ -910,7 +918,7 @@ function createPublishAzureAction(options) {
         defaultBranch,
         auth: {
           username: "notempty",
-          password: integrationConfig.config.token
+          password: token
         },
         logger: ctx.logger,
         commitMessage: config.getOptionalString("scaffolder.defaultCommitMessage"),
@@ -1056,12 +1064,19 @@ function createPublishBitbucketAction(options) {
             description: `Sets the default branch on the repository. The default value is 'master'`
           },
           sourcePath: {
-            title: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
+            title: "Source Path",
+            description: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
             type: "string"
           },
           enableLFS: {
-            title: "Enable LFS for the repository. Only available for hosted Bitbucket.",
+            title: "Enable LFS?",
+            description: "Enable LFS for the repository. Only available for hosted Bitbucket.",
             type: "boolean"
+          },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The token to use for authorization to BitBucket"
           }
         }
       },
@@ -1101,7 +1116,7 @@ function createPublishBitbucketAction(options) {
       if (!integrationConfig) {
         throw new errors.InputError(`No matching integration configuration for host ${host}, please check your integrations config`);
       }
-      const authorization = getAuthorizationHeader(integrationConfig.config);
+      const authorization = getAuthorizationHeader(ctx.input.token ? { host: integrationConfig.config.host, token: ctx.input.token } : integrationConfig.config);
       const apiBaseUrl = integrationConfig.config.apiBaseUrl;
       const createMethod = host === "bitbucket.org" ? createBitbucketCloudRepository : createBitbucketServerRepository;
       const { remoteUrl, repoContentsUrl } = await createMethod({
@@ -1118,13 +1133,22 @@ function createPublishBitbucketAction(options) {
         name: config.getOptionalString("scaffolder.defaultAuthor.name"),
         email: config.getOptionalString("scaffolder.defaultAuthor.email")
       };
+      let auth;
+      if (ctx.input.token) {
+        auth = {
+          username: "x-token-auth",
+          password: ctx.input.token
+        };
+      } else {
+        auth = {
+          username: integrationConfig.config.username ? integrationConfig.config.username : "x-token-auth",
+          password: integrationConfig.config.appPassword ? integrationConfig.config.appPassword : (_a = integrationConfig.config.token) != null ? _a : ""
+        };
+      }
       await initRepoAndPush({
         dir: getRepoSourceDirectory(ctx.workspacePath, ctx.input.sourcePath),
         remoteUrl,
-        auth: {
-          username: integrationConfig.config.username ? integrationConfig.config.username : "x-token-auth",
-          password: integrationConfig.config.appPassword ? integrationConfig.config.appPassword : (_a = integrationConfig.config.token) != null ? _a : ""
-        },
+        auth,
         defaultBranch,
         logger: ctx.logger,
         commitMessage: config.getOptionalString("scaffolder.defaultCommitMessage"),
@@ -1172,7 +1196,7 @@ class OctokitProvider {
     this.integrations = integrations;
     this.githubCredentialsProvider = githubCredentialsProvider || integration.DefaultGithubCredentialsProvider.fromIntegrations(this.integrations);
   }
-  async getOctokit(repoUrl) {
+  async getOctokit(repoUrl, options) {
     var _a;
     const { owner, repo, host } = parseRepoUrl(repoUrl, this.integrations);
     if (!owner) {
@@ -1182,6 +1206,14 @@ class OctokitProvider {
     if (!integrationConfig) {
       throw new errors.InputError(`No integration for host ${host}`);
     }
+    if (options == null ? void 0 : options.token) {
+      const client2 = new octokit.Octokit({
+        auth: options.token,
+        baseUrl: integrationConfig.apiBaseUrl,
+        previews: ["nebula-preview"]
+      });
+      return { client: client2, token: options.token, owner, repo };
+    }
     const { token } = await this.githubCredentialsProvider.getCredentials({
       url: `https://${host}/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}`
     });
@@ -1223,7 +1255,8 @@ function createPublishGithubAction(options) {
             type: "string"
           },
           requireCodeOwnerReviews: {
-            title: "Require an approved review in PR including files with a designated Code Owner",
+            title: "Require CODEOWNER Reviews?",
+            description: "Require an approved review in PR including files with a designated Code Owner",
             type: "boolean"
           },
           repoVisibility: {
@@ -1237,7 +1270,8 @@ function createPublishGithubAction(options) {
             description: `Sets the default branch on the repository. The default value is 'master'`
           },
           sourcePath: {
-            title: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
+            title: "Source Path",
+            description: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
             type: "string"
           },
           collaborators: {
@@ -1260,6 +1294,11 @@ function createPublishGithubAction(options) {
               }
             }
           },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The token to use for authorization to GitHub"
+          },
           topics: {
             title: "Topics",
             type: "array",
@@ -1292,9 +1331,10 @@ function createPublishGithubAction(options) {
         repoVisibility = "private",
         defaultBranch = "master",
         collaborators,
-        topics
+        topics,
+        token: providedToken
       } = ctx.input;
-      const { client, token, owner, repo } = await octokitProvider.getOctokit(repoUrl);
+      const { client, token, owner, repo } = await octokitProvider.getOctokit(repoUrl, { token: providedToken });
       const user = await client.rest.users.getByUsername({
         username: owner
       });
@@ -1402,13 +1442,21 @@ const defaultClientFactory = async ({
   githubCredentialsProvider,
   owner,
   repo,
-  host = "github.com"
+  host = "github.com",
+  token: providedToken
 }) => {
   var _a;
   const integrationConfig = (_a = integrations.github.byHost(host)) == null ? void 0 : _a.config;
+  const OctokitPR = octokit.Octokit.plugin(octokitPluginCreatePullRequest.createPullRequest);
   if (!integrationConfig) {
     throw new errors.InputError(`No integration for host ${host}`);
   }
+  if (providedToken) {
+    return new OctokitPR({
+      auth: providedToken,
+      baseUrl: integrationConfig.apiBaseUrl
+    });
+  }
   const credentialsProvider = githubCredentialsProvider || integration.SingleInstanceGithubCredentialsProvider.create(integrationConfig);
   const { token } = await credentialsProvider.getCredentials({
     url: `https://${host}/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}`
@@ -1416,7 +1464,6 @@ const defaultClientFactory = async ({
   if (!token) {
     throw new errors.InputError(`No token available for host: ${host}, with owner ${owner}, and repo ${repo}`);
   }
-  const OctokitPR = octokit.Octokit.plugin(octokitPluginCreatePullRequest.createPullRequest);
   return new OctokitPR({
     auth: token,
     baseUrl: integrationConfig.apiBaseUrl
@@ -1463,6 +1510,11 @@ const createPublishGithubPullRequestAction = ({
             type: "string",
             title: "Repository Subdirectory",
             description: "Subdirectory of repository to apply changes to"
+          },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The token to use for authorization to GitHub"
           }
         }
       },
@@ -1485,7 +1537,8 @@ const createPublishGithubPullRequestAction = ({
         title,
         description,
         targetPath,
-        sourcePath
+        sourcePath,
+        token: providedToken
       } = ctx.input;
       const { owner, repo, host } = parseRepoUrl(repoUrl, integrations);
       if (!owner) {
@@ -1496,7 +1549,8 @@ const createPublishGithubPullRequestAction = ({
         githubCredentialsProvider,
         host,
         owner,
-        repo
+        repo,
+        token: providedToken
       });
       const fileRoot = sourcePath ? backendCommon.resolveSafeChildPath(ctx.workspacePath, sourcePath) : ctx.workspacePath;
       const localFilePaths = await globby__default["default"](["./**", "./**/.*", "!.git"], {
@@ -1570,8 +1624,14 @@ function createPublishGitlabAction(options) {
             description: `Sets the default branch on the repository. The default value is 'master'`
           },
           sourcePath: {
-            title: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
+            title: "Source Path",
+            description: "Path within the workspace that will be used as the repository root. If omitted, the entire workspace will be published as the repository.",
             type: "string"
+          },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The token to use for authorization to GitLab"
           }
         }
       },
@@ -1603,12 +1663,13 @@ function createPublishGitlabAction(options) {
       if (!integrationConfig) {
         throw new errors.InputError(`No matching integration configuration for host ${host}, please check your integrations config`);
       }
-      if (!integrationConfig.config.token) {
+      if (!integrationConfig.config.token && !ctx.input.token) {
         throw new errors.InputError(`No token available for host ${host}`);
       }
+      const token = ctx.input.token || integrationConfig.config.token;
       const client = new node.Gitlab({
         host: integrationConfig.config.baseUrl,
-        token: integrationConfig.config.token
+        token
       });
       let { id: targetNamespace } = await client.Namespaces.show(owner);
       if (!targetNamespace) {
@@ -1632,7 +1693,7 @@ function createPublishGitlabAction(options) {
         defaultBranch,
         auth: {
           username: "oauth2",
-          password: integrationConfig.config.token
+          password: token
         },
         logger: ctx.logger,
         commitMessage: config.getOptionalString("scaffolder.defaultCommitMessage"),
@@ -1682,6 +1743,11 @@ const createPublishGitlabMergeRequestAction = (options) => {
             type: "string",
             title: "Repository Subdirectory",
             description: "Subdirectory of repository to apply changes to"
+          },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The token to use for authorization to GitLab"
           }
         }
       },
@@ -1701,6 +1767,7 @@ const createPublishGitlabMergeRequestAction = (options) => {
       }
     },
     async handler(ctx) {
+      var _a;
       const repoUrl = ctx.input.repoUrl;
       const { host } = parseRepoUrl(repoUrl, integrations);
       const integrationConfig = integrations.gitlab.byHost(host);
@@ -1709,12 +1776,13 @@ const createPublishGitlabMergeRequestAction = (options) => {
       if (!integrationConfig) {
         throw new errors.InputError(`No matching integration configuration for host ${host}, please check your integrations config`);
       }
-      if (!integrationConfig.config.token) {
+      if (!integrationConfig.config.token && !ctx.input.token) {
         throw new errors.InputError(`No token available for host ${host}`);
       }
+      const token = (_a = ctx.input.token) != null ? _a : integrationConfig.config.token;
       const api = new node.Gitlab({
         host: integrationConfig.config.baseUrl,
-        token: integrationConfig.config.token
+        token
       });
       const fileRoot = ctx.workspacePath;
       const localFilePaths = await globby__default["default"]([`${ctx.input.targetPath}/**`], {
@@ -1788,14 +1856,25 @@ function createGithubActionsDispatchAction(options) {
             title: "Workflow Inputs",
             description: "Inputs keys and values to send to GitHub Action configured on the workflow file. The maximum number of properties is 10. ",
             type: "object"
+          },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The GITHUB_TOKEN to use for authorization to GitHub"
           }
         }
       }
     },
     async handler(ctx) {
-      const { repoUrl, workflowId, branchOrTagName, workflowInputs } = ctx.input;
+      const {
+        repoUrl,
+        workflowId,
+        branchOrTagName,
+        workflowInputs,
+        token: providedToken
+      } = ctx.input;
       ctx.logger.info(`Dispatching workflow ${workflowId} for repo ${repoUrl} on ${branchOrTagName}`);
-      const { client, owner, repo } = await octokitProvider.getOctokit(repoUrl);
+      const { client, owner, repo } = await octokitProvider.getOctokit(repoUrl, { token: providedToken });
       await client.rest.actions.createWorkflowDispatch({
         owner,
         repo,
@@ -1869,6 +1948,11 @@ function createGithubWebhookAction(options) {
             title: "Insecure SSL",
             type: "boolean",
             description: `Determines whether the SSL certificate of the host for url will be verified when delivering payloads. Default 'false'`
+          },
+          token: {
+            title: "Authentication Token",
+            type: "string",
+            description: "The GITHUB_TOKEN to use for authorization to GitHub"
           }
         }
       }
@@ -1881,10 +1965,11 @@ function createGithubWebhookAction(options) {
         events = ["push"],
         active = true,
         contentType = "form",
-        insecureSsl = false
+        insecureSsl = false,
+        token: providedToken
       } = ctx.input;
       ctx.logger.info(`Creating webhook ${webhookUrl} for repo ${repoUrl}`);
-      const { client, owner, repo } = await octokitProvider.getOctokit(repoUrl);
+      const { client, owner, repo } = await octokitProvider.getOctokit(repoUrl, { token: providedToken });
       try {
         const insecure_ssl = insecureSsl ? "1" : "0";
         await client.rest.repos.createWebhook({
@@ -2557,7 +2642,7 @@ class NunjucksWorkflowRunner {
     });
   }
   async execute(task) {
-    var _a, _b, _c, _d;
+    var _a, _b, _c, _d, _e;
     if (!isValidTaskSpec(task.spec)) {
       throw new errors.InputError("Wrong template version executed with the workflow engine");
     }
@@ -2591,8 +2676,8 @@ class NunjucksWorkflowRunner {
           });
           const action = this.options.actionRegistry.get(step.action);
           const { taskLogger, streamLogger } = createStepLogger({ task, step });
-          const input = (_a = step.input && this.render(step.input, context, renderTemplate)) != null ? _a : {};
-          if ((_b = action.schema) == null ? void 0 : _b.input) {
+          const input = (_b = step.input && this.render(step.input, { ...context, secrets: (_a = task.secrets) != null ? _a : {} }, renderTemplate)) != null ? _b : {};
+          if ((_c = action.schema) == null ? void 0 : _c.input) {
             const validateResult = jsonschema.validate(input, action.schema.input);
             if (!validateResult.valid) {
               const errors$1 = validateResult.errors.join(", ");
@@ -2607,8 +2692,8 @@ class NunjucksWorkflowRunner {
           await action.handler({
             baseUrl: task.spec.baseUrl,
             input,
-            token: (_c = task.secrets) == null ? void 0 : _c.token,
-            secrets: (_d = task.secrets) != null ? _d : {},
+            token: (_d = task.secrets) == null ? void 0 : _d.token,
+            secrets: (_e = task.secrets) != null ? _e : {},
             logger: taskLogger,
             logStream: streamLogger,
             workspacePath,