fix(ci): private repo auth, for real this time (#510)

.github/actions/setup-haxe/action.yml

@@ -71,14 +71,18 @@ runs:
       path: .haxelib
       key: haxe-hmm-${{ runner.os }}-${{ hashFiles('**/hmm.json') }}
 
+  - if: ${{ steps.cache-hmm.outputs.cache-hit != 'true' }}
+    name: Prep git for dependency install
+    uses: gacts/run-and-post-run@v1
+    with:
+      run: git config --global 'url.https://x-access-token:${{ inputs.gh-token }}@github.com/.insteadOf' https://github.com/
+      post: git config --global --unset 'url.https://x-access-token:${{ inputs.gh-token }}@github.com/.insteadOf'
+
   - if: ${{ steps.cache-hmm.outputs.cache-hit != 'true' }}
     name: Install dependencies
     shell: bash
     run: |
-      git config --global --unset 'url.https://x-access-token:${{ inputs.gh-token }}@github.com/.insteadOf' || true
-      git config --global 'url.https://x-access-token:${{ inputs.gh-token }}@github.com/.insteadOf' https://github.com/
       haxelib --global run hmm install -q
-      git config --global --unset 'url.https://x-access-token:${{ inputs.gh-token }}@github.com/.insteadOf'
       echo "TIMER_DONE=$(date +%s)" >> "$GITHUB_ENV"
 
   # by default use a shared hxcpp cache

.github/workflows/build-docker-image.yml

@@ -4,8 +4,8 @@ on:
   workflow_dispatch:
   push:
     paths:
-      - '**/Dockerfile'
-      - '.github/workflows/build-docker-image.yml'
+    - '**/Dockerfile'
+    - '.github/workflows/build-docker-image.yml'
 
 jobs:
   build-and-push-image:
@@ -15,39 +15,39 @@ jobs:
       packages: write
 
     steps:
-      - name: Get checkout token
-        uses: actions/create-github-app-token@v1
-        id: app_token
-        with:
-          app-id: ${{ vars.APP_ID }}
-          private-key: ${{ secrets.APP_PEM }}
-          owner: ${{ github.repository_owner }}
+    - name: Get checkout token
+      uses: actions/create-github-app-token@v1
+      id: app_token
+      with:
+        app-id: ${{ vars.APP_ID }}
+        private-key: ${{ secrets.APP_PEM }}
+        owner: ${{ github.repository_owner }}
 
-      - name: Checkout repo
-        uses: funkincrew/ci-checkout@v6
-        with:
-          submodules: false
-          token: ${{ steps.app_token.outputs.token }}
+    - name: Checkout repo
+      uses: funkincrew/ci-checkout@v6
+      with:
+        submodules: false
+        token: ${{ steps.app_token.outputs.token }}
 
-      - name: Log into GitHub Container Registry
-        uses: docker/login-action@v3.1.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Log into GitHub Container Registry
+      uses: docker/login-action@v3.1.0
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5.3.0
-        with:
-          context: ./build
-          push: true
-          tags: |
-            ghcr.io/funkincrew/build-dependencies:latest
-            ghcr.io/funkincrew/build-dependencies:${{ github.sha }}
-          labels: |
-            org.opencontainers.image.description=precooked haxe build-dependencies
-            org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.source=https://github.com/${{ github.repository }}
-            org.opencontainers.image.title=${{ github.repository_owner }}/build-dependencies
-            org.opencontainers.image.url=https://github.com/${{ github.repository }}
-            org.opencontainers.image.version=${{ github.sha }}
+    - name: Build and push Docker image
+      uses: docker/build-push-action@v5.3.0
+      with:
+        context: ./build
+        push: true
+        tags: |
+          ghcr.io/funkincrew/build-dependencies:latest
+          ghcr.io/funkincrew/build-dependencies:${{ github.sha }}
+        labels: |
+          org.opencontainers.image.description=precooked haxe build-dependencies
+          org.opencontainers.image.revision=${{ github.sha }}
+          org.opencontainers.image.source=https://github.com/${{ github.repository }}
+          org.opencontainers.image.title=${{ github.repository_owner }}/build-dependencies
+          org.opencontainers.image.url=https://github.com/${{ github.repository }}
+          org.opencontainers.image.version=${{ github.sha }}

.github/workflows/build-game.yml

@@ -39,6 +39,7 @@ jobs:
       with:
         submodules: 'recursive'
         token: ${{ steps.app_token.outputs.token }}
+        persist-credentials: false
 
     - name: Setup build environment
       uses: ./.github/actions/setup-haxe

.github/workflows/cancel-merged-branches.yml

@@ -3,7 +3,7 @@ name: Cancel queued workflows on PR merge
 on:
   pull_request:
     types:
-      - closed
+    - closed
 
 jobs:
 

build/Dockerfile

@@ -71,8 +71,6 @@ RUN <<EOF
 cat <<EOC >> /etc/gitconfig
 [safe]
   directory = *
-[credential]
-  helper = cache
 EOC
 
 ssh-keyscan -t rsa,ecdsa,ed25519 github.com >> /etc/ssh/ssh_known_hosts