Use WINGET_CREATE_GITHUB_TOKEN env var instead of -t flag for wingetcreate

Copilot · dscho · Copilot · commit eaa273d89b57 · 2026-01-14T09:41:39.000Z
Co-authored-by: dscho &lt;127790+dscho@users.noreply.github.com&gt;
diff --git a/.github/workflows/release-winget.yml b/.github/workflows/release-winget.yml
@@ -27,7 +27,8 @@ jobs:
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-      - name: Publish manifest with winget-create
+      - name: Create manifests with winget-create
+        id: manifests
         run: |
           # Enabling stop on error and tracing
           Set-PSDebug -Trace 2
@@ -72,12 +73,30 @@ jobs:
                  "$($asset_arm64_url)|arm64|machine" `
                  "$($asset_arm64_url)|arm64|user"
 
-          # Download the token from Azure Key Vault and mask it in the logs
-          az keyvault secret download --name ${{ secrets.WINGET_TOKEN_SECRET_NAME }} --vault-name ${{ secrets.AZURE_VAULT }} --file token.txt
-          Write-Host -NoNewLine "::add-mask::$(Get-Content token.txt)"
+          # Output the version and tag name for use in the next step
+          "version=$version" >> $env:GITHUB_OUTPUT
+          "tag_name=$env:TAG_NAME" >> $env:GITHUB_OUTPUT
+        shell: powershell
+
+      - name: Retrieve winget token
+        id: token
+        run: |
+          $token = az keyvault secret show `
+            --name ${{ secrets.WINGET_TOKEN_SECRET_NAME }} `
+            --vault-name ${{ secrets.AZURE_VAULT }} `
+            --query "value" -o tsv
+          if ([string]::IsNullOrWhiteSpace($token)) {
+            throw "Failed to retrieve token from Azure Key Vault"
+          }
+          Write-Host -NoNewLine "::add-mask::$token"
+          "result=$token" >> $env:GITHUB_OUTPUT
+        shell: powershell
 
-          # Submit the manifest to the winget-pkgs repository
-          $manifestDirectory = "$PWD\manifests\m\Microsoft\Git\$version"
-          Write-Host -NoNewLine "::notice::Submitting ${env:TAG_NAME} to winget... "
-          .\wingetcreate.exe submit -t "$(Get-Content token.txt)" $manifestDirectory
+      - name: Submit manifest to winget-pkgs
+        run: |
+          $manifestDirectory = "$PWD\manifests\m\Microsoft\Git\${{ steps.manifests.outputs.version }}"
+          Write-Host -NoNewLine "::notice::Submitting ${{ steps.manifests.outputs.tag_name }} to winget... "
+          .\wingetcreate.exe submit $manifestDirectory
         shell: powershell
+        env:
+          WINGET_CREATE_GITHUB_TOKEN: ${{ steps.token.outputs.result }}
