fix(ci): require bridge auth token before deploy

2026-06-06 19:11:13 +08:00 · 2026-06-06 19:11:13 +08:00 · 6db48ee738
commit 6db48ee738
parent 49637e87ea
1 changed files with 13 additions and 1 deletions
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@ -229,9 +229,21 @@ jobs:
      - name: Export deploy secrets
        run: |
          {
-            echo "BRIDGE_AUTH_TOKEN=${{ github.event_name == 'workflow_dispatch' && inputs.internal_service_token || steps.vault.outputs.INTERNAL_SERVICE_TOKEN }}"
+            if [[ "${{ github.event_name }}" == "workflow_dispatch" && -n "${{ inputs.internal_service_token }}" ]]; then
+              echo "BRIDGE_AUTH_TOKEN=${{ inputs.internal_service_token }}"
+            else
+              echo "BRIDGE_AUTH_TOKEN=${{ steps.vault.outputs.INTERNAL_SERVICE_TOKEN }}"
+            fi
          } >> "$GITHUB_ENV"

+      - name: Validate deploy secrets
+        run: |
+          if [[ -z "${BRIDGE_AUTH_TOKEN}" ]]; then
+            echo "::error::BRIDGE_AUTH_TOKEN is empty. Provide it via the workflow_dispatch input, or ensure kv/data/github-actions/xworkmate-bridge INTERNAL_SERVICE_TOKEN is readable from Vault."
+            exit 1
+          fi
+          echo "BRIDGE_AUTH_TOKEN length=${#BRIDGE_AUTH_TOKEN}"
+
      - name: Checkout playbooks repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with: