Copilot commented on code in PR #10233: URL: https://github.com/apache/gravitino/pull/10233#discussion_r2939006097
########## dev/release/publish-docker.sh: ########## @@ -0,0 +1,226 @@ +#!/bin/bash + +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# Build and publish Gravitino Docker images via GitHub Actions +# +# Usage: ./publish-docker.sh <tag|branch> --docker-version <version> [--trino-version <version>] [--dry-run] +# Review Comment: PR description mentions `dev/release/publish_docker.sh`, but the file added is `dev/release/publish-docker.sh` (hyphen). Consider aligning the PR description (or any external references) to the actual filename to avoid confusion. ########## dev/release/publish-docker.sh: ########## @@ -0,0 +1,226 @@ +#!/bin/bash + +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# Build and publish Gravitino Docker images via GitHub Actions +# +# Usage: ./publish-docker.sh <tag|branch> --docker-version <version> [--trino-version <version>] [--dry-run] +# +# Arguments: +# <tag> A Git tag, typically a release candidate (e.g., v1.2.0-rc5). +# The tag must already exist locally or be fetched via: +# git fetch --tags origin +# <branch> A Git branch name (e.g., main, branch-1.2). The workflow will +# build from the latest commit on that branch. +# --docker-version <ver> Docker image version tag to publish (e.g., 1.2.0-rc5). Required. +# This is used as the image tag, independent of the Git tag/branch. +# --trino-version <ver> Trino version used for the playground image (e.g., 478). +# Defaults to 478. The playground image tag will be: +# <ver>-gravitino-<docker-version> +# --dry-run Print the workflow commands that would be triggered without +# actually running them. Useful for previewing before publishing. +# +# Examples: +# ./publish-docker.sh v1.2.0-rc5 --docker-version 1.2.0-rc5 --trino-version 478 --dry-run +# ./publish-docker.sh v1.2.0-rc5 --docker-version 1.2.0-rc5 --trino-version 478 +# +# Environment variables required (set in env file or shell profile): +# DOCKER_USERNAME - Docker Hub username +# PUBLISH_DOCKER_TOKEN - Docker Hub access token with push permission Review Comment: `PUBLISH_DOCKER_TOKEN` is documented here as a “Docker Hub access token with push permission”, but the `docker-image.yml` workflow uses `${{ secrets.DOCKER_REPOSITORY_PASSWORD }}` for Docker Hub login and uses the `token` input only to compare against `${{ secrets.PUBLISH_DOCKER_TOKEN }}`. Please adjust the description so users don’t confuse these two credentials. ########## dev/release/publish-docker.sh: ########## @@ -0,0 +1,226 @@ +#!/bin/bash + +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# Build and publish Gravitino Docker images via GitHub Actions +# +# Usage: ./publish-docker.sh <tag|branch> --docker-version <version> [--trino-version <version>] [--dry-run] +# +# Arguments: +# <tag> A Git tag, typically a release candidate (e.g., v1.2.0-rc5). +# The tag must already exist locally or be fetched via: +# git fetch --tags origin Review Comment: The header comment says the tag “must already exist locally or be fetched”, but this script uses `git ls-remote` and `gh workflow run --ref`, which only require the ref to exist on the remote. Consider updating the wording to avoid misleading users. ########## dev/release/publish-docker.sh: ########## @@ -0,0 +1,226 @@ +#!/bin/bash + +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# Build and publish Gravitino Docker images via GitHub Actions +# +# Usage: ./publish-docker.sh <tag|branch> --docker-version <version> [--trino-version <version>] [--dry-run] +# +# Arguments: +# <tag> A Git tag, typically a release candidate (e.g., v1.2.0-rc5). +# The tag must already exist locally or be fetched via: +# git fetch --tags origin +# <branch> A Git branch name (e.g., main, branch-1.2). The workflow will +# build from the latest commit on that branch. +# --docker-version <ver> Docker image version tag to publish (e.g., 1.2.0-rc5). Required. +# This is used as the image tag, independent of the Git tag/branch. +# --trino-version <ver> Trino version used for the playground image (e.g., 478). +# Defaults to 478. The playground image tag will be: +# <ver>-gravitino-<docker-version> +# --dry-run Print the workflow commands that would be triggered without +# actually running them. Useful for previewing before publishing. +# +# Examples: +# ./publish-docker.sh v1.2.0-rc5 --docker-version 1.2.0-rc5 --trino-version 478 --dry-run +# ./publish-docker.sh v1.2.0-rc5 --docker-version 1.2.0-rc5 --trino-version 478 +# +# Environment variables required (set in env file or shell profile): +# DOCKER_USERNAME - Docker Hub username +# PUBLISH_DOCKER_TOKEN - Docker Hub access token with push permission +# GH_TOKEN - GitHub personal access token with repo and workflow scopes +# +# This script triggers the docker-image.yml workflow for the following images: +# - apache/gravitino:<docker-version> +# - apache/gravitino-iceberg-rest-server:<docker-version> +# - apache/gravitino-lance-rest-server:<docker-version> +# - apache/gravitino-mcp-server:<docker-version> +# - apache/gravitino-playground:<trino-version>-gravitino-<docker-version> +# + +set -e + +# Check required commands +for cmd in git gh; do + if ! command -v "$cmd" > /dev/null 2>&1; then + echo "ERROR: Required command '$cmd' is not installed or not in PATH." + exit 1 + fi +done + +# Parse arguments +DRY_RUN=false +INPUT_TAG="" +DOCKER_VERSION="" +TRINO_VER="478" + +while [[ $# -gt 0 ]]; do + case "$1" in + --dry-run) + DRY_RUN=true + shift + ;; + --docker-version) + DOCKER_VERSION="$2" + shift 2 + ;; + --trino-version) Review Comment: Argument parsing doesn’t validate that `--docker-version`/`--trino-version` are followed by a value. If either flag is last (or followed by another flag), `$2` will be empty and `shift 2` will exit with a generic error due to `set -e`. Add an explicit check and a clear error message for missing flag values. ########## dev/release/publish-docker.sh: ########## @@ -0,0 +1,226 @@ +#!/bin/bash + +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# Build and publish Gravitino Docker images via GitHub Actions +# +# Usage: ./publish-docker.sh <tag|branch> --docker-version <version> [--trino-version <version>] [--dry-run] +# +# Arguments: +# <tag> A Git tag, typically a release candidate (e.g., v1.2.0-rc5). +# The tag must already exist locally or be fetched via: +# git fetch --tags origin +# <branch> A Git branch name (e.g., main, branch-1.2). The workflow will +# build from the latest commit on that branch. +# --docker-version <ver> Docker image version tag to publish (e.g., 1.2.0-rc5). Required. +# This is used as the image tag, independent of the Git tag/branch. +# --trino-version <ver> Trino version used for the playground image (e.g., 478). +# Defaults to 478. The playground image tag will be: +# <ver>-gravitino-<docker-version> +# --dry-run Print the workflow commands that would be triggered without +# actually running them. Useful for previewing before publishing. +# +# Examples: +# ./publish-docker.sh v1.2.0-rc5 --docker-version 1.2.0-rc5 --trino-version 478 --dry-run +# ./publish-docker.sh v1.2.0-rc5 --docker-version 1.2.0-rc5 --trino-version 478 +# +# Environment variables required (set in env file or shell profile): +# DOCKER_USERNAME - Docker Hub username +# PUBLISH_DOCKER_TOKEN - Docker Hub access token with push permission +# GH_TOKEN - GitHub personal access token with repo and workflow scopes +# +# This script triggers the docker-image.yml workflow for the following images: +# - apache/gravitino:<docker-version> +# - apache/gravitino-iceberg-rest-server:<docker-version> +# - apache/gravitino-lance-rest-server:<docker-version> +# - apache/gravitino-mcp-server:<docker-version> +# - apache/gravitino-playground:<trino-version>-gravitino-<docker-version> +# + +set -e + +# Check required commands +for cmd in git gh; do + if ! command -v "$cmd" > /dev/null 2>&1; then + echo "ERROR: Required command '$cmd' is not installed or not in PATH." + exit 1 + fi +done + +# Parse arguments +DRY_RUN=false +INPUT_TAG="" +DOCKER_VERSION="" +TRINO_VER="478" + +while [[ $# -gt 0 ]]; do + case "$1" in + --dry-run) + DRY_RUN=true + shift + ;; + --docker-version) + DOCKER_VERSION="$2" + shift 2 + ;; + --trino-version) + TRINO_VER="$2" + shift 2 + ;; + -h|--help) + cat << 'EOF' +Usage: publish-docker.sh <tag|branch> --docker-version <version> [--trino-version <version>] [--dry-run] + +Arguments: + <tag|branch> Git tag (e.g., v1.2.0-rc5) or branch (e.g., main) to use as + workflow source (--ref). Must exist locally or be fetched first. + --docker-version <ver> Docker image version tag to publish (e.g., 1.2.0-rc5). Required. + --trino-version <ver> Trino version for the playground image (default: 478). + --dry-run Preview mode, print commands without triggering workflows. + +Environment variables: + DOCKER_USERNAME Docker Hub username (required for actual run) + PUBLISH_DOCKER_TOKEN Docker Hub access token (required for actual run) + GH_TOKEN GitHub token with repo/workflow permissions + +Examples: + publish-docker.sh v1.2.0-rc5 --docker-version 1.2.0-rc5 --trino-version 478 --dry-run + publish-docker.sh v1.2.0-rc5 --docker-version 1.2.0-rc5 --trino-version 478 + +Images built: + apache/gravitino:<docker-version> + apache/gravitino-iceberg-rest-server:<docker-version> + apache/gravitino-lance-rest-server:<docker-version> + apache/gravitino-mcp-server:<docker-version> + apache/gravitino-playground:<trino-version>-gravitino-<docker-version> + +EOF + exit 0 + ;; + *) + if [[ -z "$INPUT_TAG" ]]; then + INPUT_TAG="$1" + else + echo "ERROR: Unknown argument: $1" + exit 1 + fi + shift + ;; + esac +done + +# Check required arguments +if [[ -z "$INPUT_TAG" ]]; then + echo "ERROR: Missing tag/branch argument" + echo "Usage: $0 <tag|branch> --docker-version <version> [--trino-version <version>] [--dry-run]" + exit 1 +fi + +if [[ -z "$DOCKER_VERSION" ]]; then + echo "ERROR: Missing --docker-version argument" + echo "Usage: $0 <tag|branch> --docker-version <version> [--trino-version <version>] [--dry-run]" + exit 1 +fi + +# Verify tag or branch exists on the remote +if ! git ls-remote --exit-code https://github.com/apache/gravitino.git "$INPUT_TAG" > /dev/null 2>&1; then + echo "ERROR: Tag or branch '$INPUT_TAG' does not exist on remote 'apache/gravitino'" + exit 1 +fi + +echo "Verified: $INPUT_TAG exists" + +# Trino special version +TRINO_VERSION="${TRINO_VER}-gravitino-${DOCKER_VERSION}" + +if [[ "$DRY_RUN" == "true" ]]; then + echo "=== [DRY RUN] Preview Gravitino Docker Image Build ===" +else + echo "=== Building Gravitino Docker Images ===" +fi +echo "Input: ${INPUT_TAG}" +echo "Docker Version: ${DOCKER_VERSION}" +echo "Trino Version: ${TRINO_VERSION}" + +if [[ "$DRY_RUN" == "false" ]]; then + if [[ -z "$GH_TOKEN" ]]; then + echo "ERROR: GH_TOKEN environment variable not set" + exit 1 Review Comment: The script hard-fails if `GH_TOKEN` is unset, but `gh workflow run` can also work with an existing `gh auth login` session. Consider checking `gh auth status` (or attempting the command and surfacing `gh`’s error) instead of requiring `GH_TOKEN` unconditionally. ########## dev/release/publish-docker.sh: ########## @@ -0,0 +1,226 @@ +#!/bin/bash + +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# Build and publish Gravitino Docker images via GitHub Actions +# +# Usage: ./publish-docker.sh <tag|branch> --docker-version <version> [--trino-version <version>] [--dry-run] +# +# Arguments: +# <tag> A Git tag, typically a release candidate (e.g., v1.2.0-rc5). +# The tag must already exist locally or be fetched via: +# git fetch --tags origin +# <branch> A Git branch name (e.g., main, branch-1.2). The workflow will +# build from the latest commit on that branch. +# --docker-version <ver> Docker image version tag to publish (e.g., 1.2.0-rc5). Required. +# This is used as the image tag, independent of the Git tag/branch. +# --trino-version <ver> Trino version used for the playground image (e.g., 478). +# Defaults to 478. The playground image tag will be: +# <ver>-gravitino-<docker-version> +# --dry-run Print the workflow commands that would be triggered without +# actually running them. Useful for previewing before publishing. +# +# Examples: +# ./publish-docker.sh v1.2.0-rc5 --docker-version 1.2.0-rc5 --trino-version 478 --dry-run +# ./publish-docker.sh v1.2.0-rc5 --docker-version 1.2.0-rc5 --trino-version 478 +# +# Environment variables required (set in env file or shell profile): +# DOCKER_USERNAME - Docker Hub username +# PUBLISH_DOCKER_TOKEN - Docker Hub access token with push permission +# GH_TOKEN - GitHub personal access token with repo and workflow scopes +# +# This script triggers the docker-image.yml workflow for the following images: +# - apache/gravitino:<docker-version> +# - apache/gravitino-iceberg-rest-server:<docker-version> +# - apache/gravitino-lance-rest-server:<docker-version> +# - apache/gravitino-mcp-server:<docker-version> +# - apache/gravitino-playground:<trino-version>-gravitino-<docker-version> Review Comment: The “Images” list doesn’t match what the `docker-image.yml` workflow actually publishes: `gravitino-iceberg-rest-server` builds/pushes `apache/gravitino-iceberg-rest`, and `gravitino-lance-rest-server` builds/pushes `apache/gravitino-lance-rest`. Also, the playground tag is prefixed with `trino-` (e.g., `apache/gravitino-playground:trino-435-gravitino-1.2.0`). Please update this list to reflect the real image names/tags. ########## dev/release/publish-docker.sh: ########## @@ -0,0 +1,226 @@ +#!/bin/bash + +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# Build and publish Gravitino Docker images via GitHub Actions +# +# Usage: ./publish-docker.sh <tag|branch> --docker-version <version> [--trino-version <version>] [--dry-run] +# +# Arguments: +# <tag> A Git tag, typically a release candidate (e.g., v1.2.0-rc5). +# The tag must already exist locally or be fetched via: +# git fetch --tags origin +# <branch> A Git branch name (e.g., main, branch-1.2). The workflow will +# build from the latest commit on that branch. +# --docker-version <ver> Docker image version tag to publish (e.g., 1.2.0-rc5). Required. +# This is used as the image tag, independent of the Git tag/branch. +# --trino-version <ver> Trino version used for the playground image (e.g., 478). +# Defaults to 478. The playground image tag will be: +# <ver>-gravitino-<docker-version> +# --dry-run Print the workflow commands that would be triggered without +# actually running them. Useful for previewing before publishing. +# +# Examples: +# ./publish-docker.sh v1.2.0-rc5 --docker-version 1.2.0-rc5 --trino-version 478 --dry-run +# ./publish-docker.sh v1.2.0-rc5 --docker-version 1.2.0-rc5 --trino-version 478 +# +# Environment variables required (set in env file or shell profile): +# DOCKER_USERNAME - Docker Hub username +# PUBLISH_DOCKER_TOKEN - Docker Hub access token with push permission +# GH_TOKEN - GitHub personal access token with repo and workflow scopes +# +# This script triggers the docker-image.yml workflow for the following images: +# - apache/gravitino:<docker-version> +# - apache/gravitino-iceberg-rest-server:<docker-version> +# - apache/gravitino-lance-rest-server:<docker-version> +# - apache/gravitino-mcp-server:<docker-version> +# - apache/gravitino-playground:<trino-version>-gravitino-<docker-version> +# + +set -e + +# Check required commands +for cmd in git gh; do + if ! command -v "$cmd" > /dev/null 2>&1; then + echo "ERROR: Required command '$cmd' is not installed or not in PATH." + exit 1 + fi +done + +# Parse arguments +DRY_RUN=false +INPUT_TAG="" +DOCKER_VERSION="" +TRINO_VER="478" + +while [[ $# -gt 0 ]]; do + case "$1" in + --dry-run) + DRY_RUN=true + shift + ;; + --docker-version) + DOCKER_VERSION="$2" + shift 2 + ;; + --trino-version) + TRINO_VER="$2" + shift 2 + ;; + -h|--help) + cat << 'EOF' +Usage: publish-docker.sh <tag|branch> --docker-version <version> [--trino-version <version>] [--dry-run] + +Arguments: + <tag|branch> Git tag (e.g., v1.2.0-rc5) or branch (e.g., main) to use as + workflow source (--ref). Must exist locally or be fetched first. + --docker-version <ver> Docker image version tag to publish (e.g., 1.2.0-rc5). Required. + --trino-version <ver> Trino version for the playground image (default: 478). + --dry-run Preview mode, print commands without triggering workflows. + +Environment variables: + DOCKER_USERNAME Docker Hub username (required for actual run) + PUBLISH_DOCKER_TOKEN Docker Hub access token (required for actual run) + GH_TOKEN GitHub token with repo/workflow permissions + +Examples: + publish-docker.sh v1.2.0-rc5 --docker-version 1.2.0-rc5 --trino-version 478 --dry-run + publish-docker.sh v1.2.0-rc5 --docker-version 1.2.0-rc5 --trino-version 478 + +Images built: + apache/gravitino:<docker-version> + apache/gravitino-iceberg-rest-server:<docker-version> + apache/gravitino-lance-rest-server:<docker-version> + apache/gravitino-mcp-server:<docker-version> + apache/gravitino-playground:<trino-version>-gravitino-<docker-version> + +EOF + exit 0 + ;; + *) + if [[ -z "$INPUT_TAG" ]]; then + INPUT_TAG="$1" + else + echo "ERROR: Unknown argument: $1" + exit 1 + fi + shift + ;; + esac +done + +# Check required arguments +if [[ -z "$INPUT_TAG" ]]; then + echo "ERROR: Missing tag/branch argument" + echo "Usage: $0 <tag|branch> --docker-version <version> [--trino-version <version>] [--dry-run]" + exit 1 +fi + +if [[ -z "$DOCKER_VERSION" ]]; then + echo "ERROR: Missing --docker-version argument" + echo "Usage: $0 <tag|branch> --docker-version <version> [--trino-version <version>] [--dry-run]" + exit 1 +fi + +# Verify tag or branch exists on the remote +if ! git ls-remote --exit-code https://github.com/apache/gravitino.git "$INPUT_TAG" > /dev/null 2>&1; then + echo "ERROR: Tag or branch '$INPUT_TAG' does not exist on remote 'apache/gravitino'" + exit 1 +fi + +echo "Verified: $INPUT_TAG exists" + +# Trino special version +TRINO_VERSION="${TRINO_VER}-gravitino-${DOCKER_VERSION}" + +if [[ "$DRY_RUN" == "true" ]]; then + echo "=== [DRY RUN] Preview Gravitino Docker Image Build ===" +else + echo "=== Building Gravitino Docker Images ===" +fi +echo "Input: ${INPUT_TAG}" +echo "Docker Version: ${DOCKER_VERSION}" +echo "Trino Version: ${TRINO_VERSION}" + +if [[ "$DRY_RUN" == "false" ]]; then + if [[ -z "$GH_TOKEN" ]]; then + echo "ERROR: GH_TOKEN environment variable not set" + exit 1 + fi + if [[ -z "$DOCKER_USERNAME" ]]; then + echo "ERROR: DOCKER_USERNAME environment variable not set" + exit 1 + fi + if [[ -z "$PUBLISH_DOCKER_TOKEN" ]]; then + echo "ERROR: PUBLISH_DOCKER_TOKEN environment variable not set" + exit 1 + fi + # NOTE: PUBLISH_DOCKER_TOKEN is passed as a plaintext workflow input (-f token=...). + # GitHub Actions workflow_dispatch string inputs are not masked in the UI or API, + # so this value may be visible to anyone with read access to the repository. + echo "Username: ${DOCKER_USERNAME}" Review Comment: Passing `PUBLISH_DOCKER_TOKEN` via `-f token=...` sends it as a workflow_dispatch input, which is visible in the Actions run metadata and can leak via logs/CLI history. If this value is meant to be secret (the workflow compares it to `${{ secrets.PUBLISH_DOCKER_TOKEN }}`), consider updating the workflow to avoid accepting it as a plain input (e.g., rely on GitHub permissions/environments) and then remove the `token` input from this script. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
