workflows: Replace secrets: inherit #11334
Conversation
This is a workflow-only change, so it has been tested on the branch: https://github.com/kata-containers/kata-containers/actions/runs/15322636380 and https://github.com/kata-containers/kata-containers/actions/runs/15322455621/job/43120942298

Force-pushed from e14806b to 8c8b9ba
Oh, this is nice.
I wonder if this is something that's new-ish, as I really don't remember an option to do so when we moved to GHA.
Thanks, @stevenhorsman, for improving this!
I'm going to convert this to a draft as I think there is an opportunity to move some secrets to envs and delete others as part of this work.

Force-pushed from aaf65c7 to d1284eb
I've added a pre-req on #11383 for cleaner code here.

Force-pushed from d1284eb to e59882a
I've also updated this to switch the Azure secrets to vars now.

Force-pushed from e59882a to 3da9017
Great work - thanks @stevenhorsman ❤️
AUTHENTICATED_IMAGE_USER isn't sensitive, so update the secret for a var to simplify the workflows
Signed-off-by: stevenhorsman <steven@uk.ibm.com>

QUAY_DEPLOYER_USERNAME isn't sensitive, so update the secret for a var to simplify the workflows
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
It has now been decided that the Azure IDs should in fact be secrets again, so I'll move this into draft whilst I undo a bunch of work and re-test it.

Having secrets unconditionally being inherited is bad practice, so update the workflows to only pass through the minimal secrets that are needed
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
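The pattern the commit message above describes, as an added illustration that is not code from the kata-containers repository: a caller workflow that forwards only the secrets the reusable workflow declares, instead of `secrets: inherit`, with a non-sensitive identifier read from `vars`. The file paths, job names, the `registry-user` input and the `QUAY_DEPLOYER_PASSWORD` secret name are assumed.

```yaml
# .github/workflows/caller.yaml (assumed path and job names)
name: build-and-push
on: [push]

jobs:
  publish:
    # Weak form: every repository/organisation secret becomes visible to the
    # called workflow, whether it needs them or not.
    #   uses: ./.github/workflows/publish.yaml
    #   secrets: inherit
    uses: ./.github/workflows/publish.yaml
    with:
      # A non-sensitive identifier lives in a repository variable, not a secret.
      registry-user: ${{ vars.QUAY_DEPLOYER_USERNAME }}
    secrets:
      # Only the one secret this job actually needs is passed through.
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

---
# .github/workflows/publish.yaml (the reusable workflow; assumed)
name: publish
on:
  workflow_call:
    inputs:
      registry-user:
        required: true
        type: string
    secrets:
      # Declaring the secret makes the contract explicit: the called workflow
      # lists what it needs, and a caller that omits it is rejected.
      QUAY_DEPLOYER_PASSWORD:
        required: true

jobs:
  push:
    runs-on: ubuntu-latest
    steps:
      # The secret is exposed to this step only, via env, never on the command line.
      - run: echo "${QUAY_DEPLOYER_PASSWORD}" | docker login quay.io -u "${{ inputs.registry-user }}" --password-stdin
        env:
          QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
```

The two documents are separated with `---` only so they fit in one block; in a repository each lives in its own file.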
Force-pushed from 3da9017 to 66ef1c1

CI-dev branch tested in https://github.com/kata-containers/kata-containers/actions/runs/15486793234

Indeed. These IDs are not confidential but this is to follow official docs. I will rotate the IDs.