ci: replace secrets: inherit with explicit pass-throughs + suppress intentional artipacked

Author: nicktrn

.github/workflows/changesets-pr.yml

@@ -25,7 +25,7 @@ jobs:
     if: github.repository == 'triggerdotdev/trigger.dev'
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] changesets/action pushes the release branch; no artifact upload here so no leak path
         with:
           fetch-depth: 0
 

.github/workflows/e2e-webapp.yml

@@ -5,6 +5,11 @@ permissions:
 
 on:
   workflow_call:
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
 
 jobs:
   e2eTests:

.github/workflows/pr_checks.yml

@@ -19,18 +19,17 @@ permissions:
 jobs:
   typecheck:
     uses: ./.github/workflows/typecheck.yml
-    secrets: inherit
 
   units:
     uses: ./.github/workflows/unit-tests.yml
-    secrets: inherit
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 
   e2e:
     uses: ./.github/workflows/e2e.yml
     with:
       package: cli-v3
-    secrets: inherit
 
   sdk-compat:
     uses: ./.github/workflows/sdk-compat.yml
-    secrets: inherit

.github/workflows/publish-webapp.yml

@@ -13,6 +13,9 @@ on:
         type: string
         required: false
         default: ""
+    secrets:
+      SENTRY_AUTH_TOKEN:
+        required: false
 
 jobs:
   publish:

.github/workflows/publish-worker.yml

@@ -8,6 +8,11 @@ on:
         type: string
         required: false
         default: ""
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
   push:
     tags:
       - "infra-dev-*"

.github/workflows/publish.yml

@@ -8,6 +8,13 @@ on:
         description: The image tag to publish
         required: true
         type: string
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
+      SENTRY_AUTH_TOKEN:
+        required: false
   push:
     branches:
       - main
@@ -48,11 +55,12 @@ env:
 jobs:
   typecheck:
     uses: ./.github/workflows/typecheck.yml
-    secrets: inherit
 
   units:
     uses: ./.github/workflows/unit-tests.yml
-    secrets: inherit
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 
   publish-webapp:
     needs: [typecheck]
@@ -61,7 +69,8 @@ jobs:
       packages: write
       id-token: write
     uses: ./.github/workflows/publish-webapp.yml
-    secrets: inherit
+    secrets:
+      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
     with:
       image_tag: ${{ inputs.image_tag }}
 
@@ -71,7 +80,9 @@ jobs:
       contents: read
       packages: write
     uses: ./.github/workflows/publish-worker.yml
-    secrets: inherit
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
     with:
       image_tag: ${{ inputs.image_tag }}
 
@@ -82,6 +93,5 @@ jobs:
       packages: write
       id-token: write
     uses: ./.github/workflows/publish-worker-v4.yml
-    secrets: inherit
     with:
       image_tag: ${{ inputs.image_tag }}

.github/workflows/release.yml

@@ -66,7 +66,7 @@ jobs:
       published_package_version: ${{ steps.get_version.outputs.package_version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] needs persisted git creds for tag push; no artifact upload here so no leak path
         with:
           fetch-depth: 0
           ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.ref || github.sha }}
@@ -170,7 +170,10 @@ jobs:
       packages: write
       id-token: write
     uses: ./.github/workflows/publish.yml
-    secrets: inherit
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
     with:
       image_tag: v${{ needs.release.outputs.published_package_version }}
 
@@ -185,7 +188,6 @@ jobs:
       contents: write
       packages: write
     uses: ./.github/workflows/release-helm.yml
-    secrets: inherit
     with:
       chart_version: ${{ needs.release.outputs.published_package_version }}
 

.github/workflows/unit-tests-internal.yml

@@ -5,6 +5,11 @@ permissions:
 
 on:
   workflow_call:
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
 
 jobs:
   unitTests:

.github/workflows/unit-tests-packages.yml

@@ -5,6 +5,11 @@ permissions:
 
 on:
   workflow_call:
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
 
 jobs:
   unitTests:

.github/workflows/unit-tests-webapp.yml

@@ -5,6 +5,11 @@ permissions:
 
 on:
   workflow_call:
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
 
 jobs:
   unitTests: