
Commit dffa049

fix: use explicit RELENG_GITHUB_TOKEN instead of secrets: inherit
Pass only the specific secret needed for private repo access rather than all org secrets. Limits exposure in the reusable workflow chain.
1 parent cf696c9 commit dffa049

3 files changed

Lines changed: 11 additions & 6 deletions

.github/workflows/verify.yaml

Lines changed: 2 additions & 1 deletion
@@ -84,4 +84,5 @@ jobs:
8484
uses: ConductorOne/baton-regression/.github/workflows/regression.yml@main
8585
with:
8686
connector: ${{ inputs.connector }}
87-
secrets: inherit
87+
secrets:
88+
RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }}
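Review bot: the `uses:` at line 84 still references `regression.yml@main`, so the token passed at lines 87-88 goes to whatever is on that branch when the job runs; pin the reference to a commit SHA so that narrowing the secrets is not undone by a mutable ref. Also confirm that `RELENG_GITHUB_TOKEN` is declared under `on.workflow_call.secrets` in both this workflow and regression.yml: with `secrets: inherit` a called workflow can read secrets it never declares, but a named secret must be declared by the callee, and this hunk changes only the call site.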

README.md

Lines changed: 2 additions & 1 deletion
@@ -159,7 +159,8 @@ jobs:
159159
with:
160160
ref: ${{ github.event.pull_request.head.sha || github.sha }}
161161
connector: baton-okta # optional: enables regression testing
162-
secrets: inherit
162+
secrets:
163+
RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }}
163164
```
164165

165166
| Parameter | Required | Default | Description |
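Review bot: the example at lines 162-163 gives no reason for the `secrets:` block, while the `connector` line above it carries an inline comment; add a short comment such as `# needed for private repo access by the regression job`, and list the secret alongside the parameters in the table that follows so callers know it is expected.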

docs/verify-workflow.md

Lines changed: 7 additions & 4 deletions
@@ -31,7 +31,7 @@ Calls the [baton-regression](https://github.com/ConductorOne/baton-regression) r
3131
5. Uploads verification reports as artifacts
3232
6. Posts a summary with coverage metrics
3333

34-
The regression job requires `secrets: inherit` in the caller workflow so that `RELENG_GITHUB_TOKEN` flows through for private repo access.
34+
The regression job requires `RELENG_GITHUB_TOKEN` to be passed from the caller workflow for private repo access.
3535

3636
## Inputs
3737
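Review bot: the new sentence at line 34 says the token must be "passed from the caller workflow" but no longer says how; name the mechanism (an explicit `secrets:` mapping with `RELENG_GITHUB_TOKEN`) and state that `secrets: inherit` should not be used, otherwise readers of the old text have no cue to migrate. It would also help to document here what access the token needs, so it can be issued with the least scope.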

@@ -66,7 +66,8 @@ jobs:
6666
uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4
6767
with:
6868
ref: ${{ github.event.pull_request.head.sha || github.sha }}
69-
secrets: inherit
69+
secrets:
70+
RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }}
7071
```
7172
7273
### With regression testing
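Review bot: this basic example (lines 69-70) sets no `connector`, yet it still passes `RELENG_GITHUB_TOKEN`, which the docs describe as needed by the regression job; if the secret is optional in verify.yaml, drop the `secrets:` block from examples that do not run regression (the Skip tests example as well) so the token is handed over only where it is used. The `uses:` line also pins to the `@v4` tag, which is movable; a commit SHA is the safer reference once a secret is passed.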
@@ -78,7 +79,8 @@ jobs:
7879
with:
7980
ref: ${{ github.event.pull_request.head.sha || github.sha }}
8081
connector: baton-okta
81-
secrets: inherit
82+
secrets:
83+
RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }}
8284
```
8385
8486
### Skip tests
@@ -90,7 +92,8 @@ jobs:
9092
with:
9193
ref: ${{ github.event.pull_request.head.sha || github.sha }}
9294
run_tests: false
93-
secrets: inherit
95+
secrets:
96+
RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }}
9497
```
9598
9699
## Controlling Regression per Connector
