OSOE-508: Every workflow that uses our checkout action should accept (and pass on) the CHECKOUT_TOKEN secret

.github/actions/checkout/action.yml

@@ -14,7 +14,19 @@ inputs:
 runs:
   using: "composite"
   steps:
+    # This step is needed when the workflow calling this action receives the checkout token as a secret, but when that
+    # parameter is not supplied, the runner sets the value of that secret to empty string, which is passed on to this
+    # action, thus the default value of the parameter will not be applied. Related bugreport:
+    # https://github.com/actions/runner/issues/924
+    - name: Set Checkout Token
+      shell: pwsh
+      env:
+        CHECKOUT_TOKEN: ${{ inputs.token }}
+      run: |
+        $checkoutToken = $Env:CHECKOUT_TOKEN ? $Env:CHECKOUT_TOKEN : "${{ github.token }}"
+        "CHECKOUT_TOKEN=$checkoutToken" >> $Env:GITHUB_ENV
+
     - uses: actions/[email protected]
       with:
-        submodules: 'recursive'
-        token: ${{ inputs.token }}
+        submodules: "recursive"
+        token: ${{ env.CHECKOUT_TOKEN }}

.github/workflows/build-and-test-dotnet.yml

@@ -125,18 +125,10 @@ jobs:
         - ${{ inputs.timeout-minutes }}
     timeout-minutes: ${{ matrix.timeout-minutes }}
     steps:
-    - name: Set Checkout Token
-      shell: pwsh
-      env:
-        CHECKOUT_TOKEN: ${{ secrets.CHECKOUT_TOKEN }}
-      run: |
-        $checkoutToken = $Env:CHECKOUT_TOKEN ? $Env:CHECKOUT_TOKEN : "${{ github.token }}"
-        "CHECKOUT_TOKEN=$checkoutToken" >> $Env:GITHUB_ENV
-
     - name: Checkout
       uses: Lombiq/GitHub-Actions/.github/actions/checkout@dev
       with:
-        token: ${{ env.CHECKOUT_TOKEN }}
+        token: ${{ secrets.CHECKOUT_TOKEN }}
 
     - name: Set up .NET
       uses: Lombiq/GitHub-Actions/.github/actions/setup-dotnet@dev

.github/workflows/build-and-test-orchard-core.yml

@@ -153,18 +153,10 @@ jobs:
           - ${{ inputs.timeout-minutes }}
     timeout-minutes: ${{ matrix.timeout-minutes }}
     steps:
-      - name: Set Checkout Token
-        shell: pwsh
-        env:
-          CHECKOUT_TOKEN: ${{ secrets.CHECKOUT_TOKEN }}
-        run: |
-          $checkoutToken = $Env:CHECKOUT_TOKEN ? $Env:CHECKOUT_TOKEN : "${{ github.token }}"
-          "CHECKOUT_TOKEN=$checkoutToken" >> $Env:GITHUB_ENV
-
       - name: Checkout
         uses: Lombiq/GitHub-Actions/.github/actions/checkout@dev
         with:
-          token: ${{ env.CHECKOUT_TOKEN }}
+          token: ${{ secrets.CHECKOUT_TOKEN }}
 
       - name: Set up .NET
         uses: Lombiq/GitHub-Actions/.github/actions/setup-dotnet@dev

.github/workflows/build-dotnet.yml

@@ -3,6 +3,13 @@ name: Build .NET solution
 
 on:
   workflow_call:
+    secrets:
+      CHECKOUT_TOKEN:
+        required: false
+        description: >
+          The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
+          are used.
+
     inputs:
       cancel-workflow-on-failure:
         description: When set to "true", will cancel the current workflow run with all jobs if this workflow fails.
@@ -96,6 +103,8 @@ jobs:
 
     - name: Checkout
       uses: Lombiq/GitHub-Actions/.github/actions/checkout@dev
+      with:
+        token: ${{ secrets.CHECKOUT_TOKEN }}
 
     - name: Set up .NET
       uses: Lombiq/GitHub-Actions/.github/actions/setup-dotnet@dev

.github/workflows/deploy-to-azure-app-service.yml

@@ -3,10 +3,16 @@ name: Deploy to Azure App Service
 on:
   workflow_call:
     secrets:
+      CHECKOUT_TOKEN:
+        required: false
+        description: >
+          The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
+          are used.
       AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL:
         required: true
       AZURE_APP_SERVICE_PUBLISH_PROFILE:
         required: true
+
     inputs:
       cancel-workflow-on-failure:
         description: When set to "true", will cancel the current workflow run with all jobs if this workflow fails.
@@ -124,6 +130,8 @@ jobs:
     steps:
     - name: Checkout
       uses: Lombiq/GitHub-Actions/.github/actions/checkout@dev
+      with:
+        token: ${{ secrets.CHECKOUT_TOKEN }}
 
     - name: Set up .NET
       uses: Lombiq/GitHub-Actions/.github/actions/setup-dotnet@dev

.github/workflows/msbuild-and-test.yml

@@ -75,18 +75,10 @@ jobs:
     name: Build and Test
     timeout-minutes: ${{ inputs.timeout-minutes }}
     steps:
-      - name: Set Checkout Token
-        shell: pwsh
-        env:
-          CHECKOUT_TOKEN: ${{ secrets.CHECKOUT_TOKEN }}
-        run: |
-          $checkoutToken = $Env:CHECKOUT_TOKEN ? $Env:CHECKOUT_TOKEN : "${{ github.token }}"
-          "CHECKOUT_TOKEN=$checkoutToken" >> $Env:GITHUB_ENV
-
       - name: Checkout
         uses: Lombiq/GitHub-Actions/.github/actions/checkout@dev
         with:
-          token: ${{ env.CHECKOUT_TOKEN }}
+          token: ${{ secrets.CHECKOUT_TOKEN }}
 
       - name: Enable Node corepack
         uses: Lombiq/GitHub-Actions/.github/actions/enable-corepack@dev

.github/workflows/publish-nuget.yml

@@ -2,6 +2,16 @@ name: Publish to NuGet
 
 on:
   workflow_call:
+    secrets:
+      CHECKOUT_TOKEN:
+        required: false
+        description: >
+          The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
+          are used.
+      # We can't access org secrets here so they need to be passed in.
+      API_KEY:
+        required: true
+
     inputs:
       cancel-workflow-on-failure:
         description: When set to "true", will cancel the current workflow run with all jobs if this workflow fails.
@@ -47,10 +57,6 @@ on:
         description: >
           The desired NuGet package version used for publishing. If not specified, the GITHUB_REF_NAME environment
           variable is used which is suitable if the version is derived from a git tag.
-    secrets:
-      # We can't access org secrets here so they need to be passed in.
-      API_KEY:
-        required: true
 
 jobs:
   publish-nuget:
@@ -64,6 +70,8 @@ jobs:
     steps:
     - name: Checkout
       uses: Lombiq/GitHub-Actions/.github/actions/checkout@dev
+      with:
+        token: ${{ secrets.CHECKOUT_TOKEN }}
 
     - name: Set up .NET
       uses: Lombiq/GitHub-Actions/.github/actions/setup-dotnet@dev

.github/workflows/spelling.yml

@@ -54,18 +54,10 @@ jobs:
     name: Check Spelling
     runs-on: ubuntu-22.04
     steps:
-      - name: Set Checkout Token
-        shell: pwsh
-        env:
-          CHECKOUT_TOKEN: ${{ secrets.CHECKOUT_TOKEN }}
-        run: |
-          $checkoutToken = $Env:CHECKOUT_TOKEN ? $Env:CHECKOUT_TOKEN : "${{ github.token }}"
-          "CHECKOUT_TOKEN=$checkoutToken" >> $Env:GITHUB_ENV
-
       - name: Checkout
         uses: Lombiq/GitHub-Actions/.github/actions/checkout@dev
         with:
-          token: ${{ env.CHECKOUT_TOKEN }}
+          token: ${{ secrets.CHECKOUT_TOKEN }}
 
       # This is a workaround for the spelling workflow to check submodules too in the repository.
       - name: Stub repo layout

.github/workflows/test-analysis-failure.yml

@@ -3,6 +3,13 @@ name: Test Analysis Failure
 
 on:
   workflow_call:
+    secrets:
+      CHECKOUT_TOKEN:
+        required: false
+        description: >
+          The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
+          are used.
+
     inputs:
       cancel-workflow-on-failure:
         description: When set to "true", will cancel the current workflow run with all jobs if this workflow fails.
@@ -81,6 +88,8 @@ jobs:
     steps:
     - name: Checkout
       uses: Lombiq/GitHub-Actions/.github/actions/checkout@dev
+      with:
+        token: ${{ secrets.CHECKOUT_TOKEN }}
 
     - name: Set up .NET
       uses: Lombiq/GitHub-Actions/.github/actions/setup-dotnet@dev