Re #7777 #7778: pass GITHUB_TOKEN correctly in CI; fix test expression

Because ${FOO} is already expanded in the Makefile, which leads to syntax errors in the CI when secrets are replaced by ***, we need to use $${FOO} so expansion only takes place in the shell.

Re #7777 #7778: pass GITHUB_TOKEN correctly in CI; fix test expression
Because ${FOO} is already expanded in the Makefile, which leads to syntax errors in the CI when secrets are replaced by ***, we need to use $${FOO} so expansion only takes place in the shell.
7c9afa7f · andreas.abel · mergify-bot · a57cbc44 · 7c9afa7f · 7c9afa7f
Commit 7c9afa7f authored 3 years ago by andreas.abel Committed by mergify-bot 3 years ago
--- a/.github/workflows/users-guide.yml
+++ b/.github/workflows/users-guide.yml
@@ -71,5 +71,7 @@ jobs:
        path: html/

    - name: Check security of requirements.txt
+      env:
+        SKJOLD_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
-        make SKJOLD_GITHUB_API_TOKEN=${{ secrets.GITHUB_TOKEN }} -C doc check-requirements
+        make -C doc check-requirements
--- a/doc/Makefile
+++ b/doc/Makefile
@@ -3,14 +3,15 @@
 # skjold needs a personal github access token.  This needs no permissions,
 # it is only required to query the GitHub GraphQL API v4.
 # See: https://pythonawesome.com/security-audit-python-project-dependencies-against-security-advisory-databases/
-# We attempt to get it from the environment variable GITHUB_TOKEN.
+# We attempt to get it from the environment variable SKJOLD_GITHUB_API_TOKEN
+# or GITHUB_TOKEN.
 # It can also be passed to this Makefile via either:
 #
 #   make GITHUB_TOKEN=... (build-and-)check-requirements
 #   make SKJOLD_GITHUB_API_TOKEN=... (build-and-)check-requirements
 #
 #
-SKJOLD_GITHUB_API_TOKEN=${GITHUB_TOKEN}
+SKJOLD_GITHUB_API_TOKEN ?= ${GITHUB_TOKEN}

 .PHONY: build-and-check-requirements
 build-and-check-requirements: requirements.txt check-requirements
@@ -30,9 +31,9 @@ requirements.txt: requirements.in
 # See: https://pythonawesome.com/security-audit-python-project-dependencies-against-security-advisory-databases/
 .PHONY: check-requirements
 check-requirements:
-	@if [ "\'${SKJOLD_GITHUB_API_TOKEN}\'" == "\'\'" ] \
+	@if [ -z "$${SKJOLD_GITHUB_API_TOKEN}" ] \
 	; then \
-	  echo "WARNING: Neither SKOLD_GITHUB_API_TOKEN nor GITHUB_TOKEN is set." \
+	  echo "WARNING: Neither SKJOLD_GITHUB_API_TOKEN nor GITHUB_TOKEN is set." \
 	; echo "Vulnerability check via skjold might fail when using the GitHub GraphQL API." \
 	; fi
 	. ../.python-sphinx-virtualenv/bin/activate \
@@ -40,4 +41,10 @@ check-requirements:
 	  && skjold audit
 # NB: For portability, we use '.' (sh etc.) instead of 'source' (bash).

+# Debug print environment variables
+debug:
+	@echo "GITHUB_TOKEN = ${GITHUB_TOKEN}"
+	@echo "SKJOLD_GITHUB_API_TOKEN = $${SKJOLD_GITHUB_API_TOKEN}"
+	@echo "Is SKJOLD_GITHUB_API_TOKEN set? $${SKJOLD_GITHUB_API_TOKEN:+yes}"
+
 # EOF