Merge pull request #15 from infralovers/env-passing

fix: Define secrets on workflow calls
infralovers · May 8, 2024 · e0a636c · e0a636c
2 parents 9b4b974 + c58dd69
commit e0a636c
Show file tree

Hide file tree

Showing 7 changed files with 63 additions and 36 deletions.
diff --git a/.github/workflows/changelog-automation.yml b/.github/workflows/changelog-automation.yml
@@ -2,12 +2,11 @@
 name: "Infralovers Changelog Automation template"
 
 on:
-  # push:
-  #   branches: [ "main" ]
-  # pull_request:
-  #   branches: [ "main" ]
-
   workflow_call:
+    secrets:
+      BOT_ACCESS_TOKEN:
+        description: 'The GitHub token for the bot account'
+        required: true
 
 
 jobs:

diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
@@ -10,4 +10,5 @@ on:
 jobs:
   changelog-automation:
     uses: ./.github/workflows/changelog-automation.yml
-    secrets: inherit
+    secrets:
+      BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
@@ -4,8 +4,25 @@ name: Container Workflow template"
 
 on:
   workflow_call:
+    secrets:
+      BOT_ACCESS_TOKEN:
+        description: 'The GitHub token for the bot account'
+        required: true
+      QUAY_USER:
+        description: 'The username for the Quay account'
+        required: false
+      QUAY_TOKEN:
+        description: 'The token for the Quay account'
+        required: false
+      MONDOO_SERVICE_ACCOUNT:
+        description: 'The service account for the Mondo service'
+        required: false
     inputs:
-
+      release:
+        description: 'also run release workflow'
+        required: false
+        type: boolean
+        default: false
       dockerfile:
         description: 'The path to the Dockerfile'
         required: true
@@ -36,7 +53,8 @@ jobs:
 
   pre-commit:
     uses: ./.github/workflows/pre-commit.yml
-    secrets: inherit
+    secrets:
+      BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}
 
   build:
     runs-on: ubuntu-latest
@@ -55,6 +73,7 @@ jobs:
       id: get_dir
       run: |
         echo "docker_directory=$(dirname ${{ inputs.dockerfile }})" >> $GITHUB_OUTPUT
+        env
 
     - name: Prepare tagging
       id: prep
@@ -74,40 +93,37 @@ jobs:
         GHCR_IMAGE="ghcr.io/${{ github.repository }}"
         TAGS="${GHCR_IMAGE}:${VERSION}"
 
-        if [[ -n "${{ env.QUAY_USER }}" ]]; then
+        if [[ -n "${{ secrets.QUAY_USER }}" ]]; then
           QUAY_IMAGE="quay.io/$IMAGE_REPO/$IMAGE_NAME"
           tags="${TAGS}:${QUAY_IMAGE}:${VERSION}"
         fi
 
         if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
           TAGS="$TAGS,${GHCR_IMAGE}:latest"
-          if [[ -n "${{ env.QUAY_USER }}" ]]; then
+          if [[ -n "${{ secrets.QUAY_USER }}" ]]; then
             TAGS="$TAGS,${QUAY_IMAGE}:latest"
           fi
         fi
         echo "settings tag ${TAGS}"
         echo "tags=${TAGS}" >> $GITHUB_OUTPUT
         echo "ghcr_tag=${GHCR_IMAGE}:${VERSION}" >> $GITHUB_OUTPUT
+        echo "quay_user=${{ secrets.QUAY_USER }}" >> $GITHUB_OUTPUT
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
 
     - name: Set up Docker Buildx
-      id: buildx
       uses: docker/setup-buildx-action@v3
 
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
-      with:
-        platforms: ${{ inputs.platforms }}
 
     - name: Build Container Image
       id: docker_build
       uses: docker/build-push-action@v5
       with:
-          builder: ${{ steps.buildx.outputs.name }}
-          context: ${{ steps.get_dir.outputs.docker_directory }}
-          file: ${{ inputs.dockerfile }}
-          load: true
-          tags: ${{ steps.prep.outputs.tags }}
-          platforms: ${{ inputs.platforms }}
+        load: true
+        context: ${{ steps.get_dir.outputs.docker_directory }}
+        file: ${{ inputs.dockerfile }}
+        tags: ${{ steps.prep.outputs.tags }}
 
     - name: Scan Docker Image
       uses: mondoohq/actions/[email protected]
@@ -118,28 +134,34 @@ jobs:
           score-threshold: ${{ inputs.score }}
 
     - name: Login to Quay
-      if: needs.pre-commit.outputs.version != '' && env.QUAY_USER != ''
+      if: needs.pre-commit.outputs.version != '' && steps.prep.outputs.quay_user != ''
       uses: docker/login-action@v3
       with:
          registry: quay.io
-         username: ${{ env.QUAY_USER }}
-         password: ${{ env.QUAY_TOKEN }}
+         username: ${{ secrets.QUAY_USER }}
+         password: ${{ secrets.QUAY_TOKEN }}
 
     - name: Login to GitHub Container Registry
       if: needs.pre-commit.outputs.version != ''
       uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
-        password: ${{ env.BOT_ACCESS_TOKEN }}
+        password: ${{ secrets.BOT_ACCESS_TOKEN }}
 
     - name: Publish container
       if: needs.pre-commit.outputs.version != ''
       uses: docker/build-push-action@v5
       with:
-          builder: ${{ steps.buildx.outputs.name }}
           context: ${{ steps.get_dir.outputs.docker_directory }}
           file: ${{ inputs.dockerfile }}
-          push: ${{ github.event_name != 'pull_request' && needs.prebuild.outputs.version != '' }}
+          push: ${{ github.event_name != 'pull_request' && needs.pre-commit.outputs.version != '' }}
           tags: ${{ steps.prep.outputs.tags }}
           platforms: ${{ inputs.platforms }}
+
+  release:
+    needs: [ pre-commit, build ]
+    if: inputs.release && github.event_name != 'pull_request'
+    uses: ./.github/workflows/release.yml
+    secrets:
+      BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}
diff --git a/.github/workflows/pr-valid.yml b/.github/workflows/pr-valid.yml
@@ -15,4 +15,5 @@ on:
 jobs:
   pr-validation:
     uses: ./.github/workflows/pr-validation.yml
-    secrets: inherit
+    secrets:
+      BOT_ACCESS_TOKEN: "${{ fromJSON(secrets.VAULT_KV_1D187965_OP_GITHUB_INFRALOVERS).PAT }}"
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
@@ -9,6 +9,10 @@ on:
   #     - synchronize
 
   workflow_call:
+    secrets:
+      BOT_ACCESS_TOKEN:
+        description: 'The GitHub token for the bot account'
+        required: true
 
 permissions:
   pull-requests: write

diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -3,10 +3,11 @@
 name: Pre-Commit validation
 
 on:
-  # pull_request:
-  #   branches:
-  #     - main
   workflow_call:
+    secrets:
+      BOT_ACCESS_TOKEN:
+        description: 'The GitHub token for the bot account'
+        required: true
     outputs:
       version:
         description: 'The version of the release'

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,11 +4,10 @@ name: Release Automation template"
 
 on:
   workflow_call:
-
-  # workflow_dispatch:
-  # push:
-  #   branches:
-  #     - main
+    secrets:
+      BOT_ACCESS_TOKEN:
+        description: 'The GitHub token for the bot account'
+        required: true
 
 jobs:
   release: