diff --git a/src/main.ts b/src/main.ts
index 8e0217fd..f83a7c0c 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -18,6 +18,7 @@ import {
 exportVariable,
 getIDToken,
 getInput,
+ saveState,
 setFailed,
 setOutput,
 setSecret,
@@ -203,6 +204,9 @@ export async function run(logger: Logger) {
 // GOOGLE_GHA_CREDS_PATH is used by other Google GitHub Actions.
 exportVariable('GOOGLE_GHA_CREDS_PATH', credentialsPath);
 }
+
+ // Save the credentials file path to state for cleanup in the post action.
+ saveState('credentials_file_path', credentialsPath);
 }
 // Set the project ID environment variables to the computed values.
diff --git a/src/post.ts b/src/post.ts
index 0d162a5f..7189ab79 100644
--- a/src/post.ts
+++ b/src/post.ts
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
-import { getInput, setFailed } from '@actions/core';
+import { getInput, getState, setFailed } from '@actions/core';
 import { errorMessage, forceRemove, parseBoolean } from '@google-github-actions/actions-utils';
@@ -32,13 +32,12 @@ export async function run(logger: Logger) {
 return;
 }
- // Look up the credentials path, if one exists. Note that we only check the
- // environment variable set by our action, since we don't want to
- // accidentally clean up if someone set GOOGLE_APPLICATION_CREDENTIALS or
- // another environment variable manually.
- const credentialsPath = process.env['GOOGLE_GHA_CREDS_PATH'];
+ // Look up the credentials path from the state saved by the main action.
+ // We use state instead of environment variables to avoid accidentally
+ // cleaning up credentials that were set manually by the user.
+ const credentialsPath = getState('credentials_file_path');
 if (!credentialsPath) {
- logger.info(`Skipping credential cleanup - $GOOGLE_GHA_CREDS_PATH is not set.`);
+ logger.info(`Skipping credential cleanup - credentials file path is not set.`);
 return;
 }
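Review bot: In the second `src/main.ts` hunk, `saveState('credentials_file_path', credentialsPath)` runs only after the environment-variable export block, so a failure anywhere between writing the credentials file and this line would leave the post step without a path and the file would stay on the runner. The file creation is outside the hunk, so the ordering is inferred; if the file is written earlier in the same block, record the state immediately after the write and before any `exportVariable` call. This matters most on self-hosted runners, where the workspace may persist between jobs. The enclosing block of `run` starts and ends outside the hunk.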
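Review bot: In the `run` hunk of `src/post.ts`, the state key `'credentials_file_path'` is a string literal repeated from `src/main.ts`; if the two ever drift, `getState` returns an empty string and cleanup is skipped behind an info-level message, leaving the credentials file on disk. Define the key once in a module both entry points import, e.g. `export const CREDENTIALS_PATH_STATE_KEY = 'credentials_file_path';`, and use it in both the `saveState` and `getState` calls. A test that runs main and then post against a temporary file would catch a mismatch. The body of `run` continues outside the hunk.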