feat: Improve inputs

.github/README.md

@@ -10,7 +10,7 @@
 Reusable GitHub Actions to help Entur teams:
 
 - Lint OpenAPI specs with Spectral
-- Publish OpenAPI specs to the developer portal storage (with visibility control)
+- Publish OpenAPI specs to the developer portal storage
 
 ## Get started
 

.github/workflows/publish.yml

@@ -1,62 +1,20 @@
-name: Publish OpenAPI specs to developer portal
+name: Publish OpenAPI spec to developer portal
 
 on:
   workflow_call:
     inputs:
-      spec:
-        description: "OpenAPI specs to publish, as a glob pattern."
-        type: string
-        default: "specs/*.json"
       artifact:
-        description: "OpenAPI specs to publish, as a GitHub artifact glob pattern."
-        type: string
-      artifact_contents:
-        description: "Glob pattern inside artifacts to include in publishing, only used if artifact is provided."
+        description: "Artifact where OpenAPI spec is located."
         type: string
-        default: "*"
-      visibility:
-        description: "Visibility of the published specs. Can be 'public', 'partner' or 'internal'."
+      path:
+        required: true
+        description: "Path to OpenAPI spec"
         type: string
-        default: "public"
 
 jobs:
-  validate-input:
-    name: Validate input
-    if: ${{ github.actor != 'dependabot[bot]' }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: Validate inputs
-        env:
-          GHA_API_SPEC: ${{ inputs.spec }}
-          GHA_API_ARTIFACT: ${{ inputs.artifact }}
-          GHA_API_VISIBILITY: ${{ inputs.visibility }}
-        run: |
-          set -o errexit  #Exits immediately if any command fails (returns non-zero)
-          set -o nounset  #Treats unset variables as errors          
-          set -o pipefail #Makes a pipeline fail if any command in it fails (not just the last)
-
-          # Ensure not both inputs are empty.
-          if [ -z "$GHA_API_ARTIFACT" ] && [ -z "$GHA_API_SPEC" ]; then            
-            echo "::error::Exactly one of spec OR artifact is required."
-            exit 1
-          fi          
-
-          # Ensure not both inputs are provided.
-          if [ -n "$GHA_API_ARTIFACT" ] && [ -n "$GHA_API_SPEC" ] && [ "$GHA_API_SPEC" != "specs/*.json" ]; then            
-            echo "::error::Both spec and artifact were provided. Please provide only one."
-            exit 1
-          fi
-
-          # Ensure visibility is valid
-          if [[ ! "$GHA_API_VISIBILITY" =~ ^(public|partner|internal)$ ]]; then
-            echo "::error::Invalid visibility '$GHA_API_VISIBILITY'. Must be one of: public, partner, internal."
-            exit 1
-          fi
-
   validate-spec:
-    name: Validate Spec
+    name: Validate spec
     runs-on: ubuntu-latest
-    needs: validate-input
     permissions:
       contents: read
     steps:
@@ -67,9 +25,8 @@ jobs:
         if: ${{ inputs.artifact != '' }}
         uses: actions/download-artifact@v7
         with:
-          pattern: ${{ inputs.artifact }}
-          path: /tmp/artifacts
-          merge-multiple: true
+          name: ${{ inputs.artifact }}
+          path: /tmp/artifact
       - name: Checkout linting rulesets
         uses: actions/checkout@v6
         with:
@@ -85,32 +42,33 @@ jobs:
         shell: bash
         env:
           GHA_API_ARTIFACT:       ${{ inputs.artifact }}
-          GHA_API_SPEC:           ${{ inputs.spec }}
-          GHA_API_CONTENTS:       ${{ inputs.artifact_contents }}
+          GHA_API_PATH:           ${{ inputs.path }}
         run: |
           set -o errexit
           set -o nounset
           set -o pipefail          
           shopt -s globstar
 
           if [ -n "$GHA_API_ARTIFACT" ]; then
-            spec_glob="/tmp/artifacts/$GHA_API_CONTENTS"
+            spec_path="/tmp/artifact/$GHA_API_PATH"
           else
-            spec_glob="$GHA_API_SPEC"
+            spec_path="$GHA_API_PATH"
           fi                         
 
-          if ! spectral lint "$spec_glob" --ruleset "rulesets/.spectral-required.yml"; then
+          if ! spectral lint "$spec_path" --ruleset "rulesets/.spectral-required.yml"; then
             echo "::error::Spec validation failed. Failing workflow."
             exit 1
           fi  
 
-  upload-to-bucket:
-    name: Upload to bucket
+  upload:
+    name: Upload spec
     needs: validate-spec
     permissions:
       contents: read
       id-token: write
     runs-on: ubuntu-latest
+    env:
+      CLOUD_RUN_ENDPOINT: https://europe-west1-ent-apidata-prd.cloudfunctions.net/publish-spec
     steps:
       - name: Checkout repository (if spec provided)
         if: ${{ inputs.artifact == '' }}
@@ -119,56 +77,53 @@ jobs:
         if: ${{ inputs.artifact != '' }}
         uses: actions/download-artifact@v7
         with:
-          pattern: ${{ inputs.artifact }}
-          path: /tmp/artifacts
-          merge-multiple: true
-      - name: Check ENTUR_API_DATA_SA secret exists
-        env:
-          ENTUR_API_DATA_SA: ${{ secrets.ENTUR_API_DATA_SA }}
-          REPO_VISIBILITY: ${{ github.event.repository.visibility }}
-        run: |
-          if [ -z "$ENTUR_API_DATA_SA" ]; then
-            if [ "$REPO_VISIBILITY" = "public" ]; then
-              echo "::error::Upload to bucket will not work out of the box for public repositories, due to the \
-          repository secret ENTUR_API_DATA_SA not being available. Ask Team Plattform to add it."
-            else
-              echo "::error::The repository secret ENTUR_API_DATA_SA is not available. Please ensure it is configured."
-            fi
-            exit 1
-          fi
+          name: ${{ inputs.artifact }}
+          path: /tmp/artifact
+
       - name: Authenticate with Google Cloud
+        id: auth
         uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
         with:
-          credentials_json: "${{ secrets.ENTUR_API_DATA_SA }}"
-      - name: Set up Cloud SDK
-        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
-      - name: Copy specs to temporary directory
+          workload_identity_provider: ${{ vars.CI_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.CI_SERVICE_ACCOUNT }}
+          token_format: id_token
+          id_token_audience: ${{ env.CLOUD_RUN_ENDPOINT }}
+          id_token_include_email: true
+          create_credentials_file: false
+
+      - name: Publish spec
         env:
           GHA_API_ARTIFACT: ${{ inputs.artifact }}
-          GHA_API_SPEC: ${{ inputs.spec }}
-          GHA_API_CONTENTS: ${{ inputs.artifact_contents }}
-          GHA_API_VISIBILITY: ${{ inputs.visibility }}
-
+          GHA_API_PATH: ${{ inputs.path }}
+          ID_TOKEN: ${{ steps.auth.outputs.id_token }}
+          CLOUD_RUN_ENDPOINT: ${{ env.CLOUD_RUN_ENDPOINT }}
         run: |
           set -o errexit
           set -o nounset
           set -o pipefail
           shopt -s globstar
 
-          mkdir -p /tmp/specs
-
+          # Determine spec glob pattern based on input type
           if [ -z "$GHA_API_ARTIFACT" ]; then            
-            cp $GHA_API_SPEC /tmp/specs
+            spec_path="$GHA_API_PATH"
           else
-            #Since gcloud storage rsync does not support GLOB, copy files matching artifact_contents to /tmp/specs for upload 
-            cp /tmp/artifacts/$GHA_API_CONTENTS /tmp/specs
+            spec_path="/tmp/artifacts/$GHA_API_PATH"
           fi
-      - name: Upload specs to GCS
-        env:
-          GHA_API_VISIBILITY: ${{ inputs.visibility }}
-        run: |
-          set -o errexit
-          set -o nounset
-          set -o pipefail
-          echo "Starting to sync files in /tmp/specs/ to GCS Bucket to path /${GHA_API_VISIBILITY}/${GITHUB_REPOSITORY#*/}"
-          gcloud storage rsync /tmp/specs/ "gs://ent-gcs-api-specs-developer-portal-prd-001/${GHA_API_VISIBILITY}/${GITHUB_REPOSITORY#*/}"
+
+          # Extract repository name (without owner)
+          REPO_NAME="${GITHUB_REPOSITORY#*/}"
+
+          # Create metadata JSON
+          METADATA="{\"repository\": \"$REPO_NAME\"}"
+
+          # Iterate through all matching spec files and PUT them
+          echo "Publishing spec: $spec_path"
+
+          curl --fail-with-body -sS \
+            -X PUT \
+            -H "Authorization: Bearer $ID_TOKEN" \
+            -F "metadata=$METADATA;type=application/json" \
+            -F "spec=@$spec_path" \
+            "$CLOUD_RUN_ENDPOINT"
+
+          echo "Successfully published: $spec_path"

README-publish.md

@@ -4,12 +4,10 @@
 
 <!-- AUTO-DOC-INPUT:START - Do not remove or modify this section -->
 
-|                                        INPUT                                        |  TYPE  | REQUIRED |     DEFAULT      |                                             DESCRIPTION                                             |
-|-------------------------------------------------------------------------------------|--------|----------|------------------|-----------------------------------------------------------------------------------------------------|
-|              <a name="input_artifact"></a>[artifact](#input_artifact)               | string |  false   |                  |                  OpenAPI specs to publish, as <br>a GitHub artifact glob pattern.                   |
-| <a name="input_artifact_contents"></a>[artifact_contents](#input_artifact_contents) | string |  false   |      `"*"`       | Glob pattern inside artifacts to <br>include in publishing, only used <br>if artifact is provided.  |
-|                    <a name="input_spec"></a>[spec](#input_spec)                     | string |  false   | `"specs/*.json"` |                          OpenAPI specs to publish, as <br>a glob pattern.                           |
-|           <a name="input_visibility"></a>[visibility](#input_visibility)            | string |  false   |    `"public"`    |        Visibility of the published specs. <br>Can be 'public', 'partner' or <br>'internal'.         |
+|                          INPUT                           |  TYPE  | REQUIRED | DEFAULT |                 DESCRIPTION                  |
+|----------------------------------------------------------|--------|----------|---------|----------------------------------------------|
+| <a name="input_artifact"></a>[artifact](#input_artifact) | string |  false   |         | Artifact where OpenAPI spec is <br>located.  |
+|       <a name="input_path"></a>[path](#input_path)       | string |   true   |         |             Path to OpenAPI spec             |
 
 <!-- AUTO-DOC-INPUT:END -->
 
@@ -76,25 +74,4 @@ jobs:
     with:
       artifact: myArtifactName
       artifact_contents: "*.yaml"
-```
-
-## Specifying visibility of API
-
-By default, your API will be publicly available, if you wish to change the visibility of your API spec, set visibility to one of
-
-- public (default)
-- partner
-- internal
-
-```yml
-jobs:
-  openapi-publish:
-    #[...]
-    with:
-      visibility: internal
-```
-
-### For public repositories
-
-This reusable workflow will not work out of the box for public repositories, due to the secret `ENTUR_API_DATA_SA` not being available.
-For these repositories, you must ask team plattform to manually add `ENTUR_API_DATA_SA` as a repository secret.
+```