From 424e396658e7720904533de27571acb49f75adf9 Mon Sep 17 00:00:00 2001
From: Larry Gritz
Date: Wed, 8 Jan 2025 08:43:35 -0800
Subject: [PATCH] ci: Only pass build-steps the secrets it needs (#4576)

Safer than letting it inherit all secrets.

Signed-off-by: Larry Gritz
---
 .github/workflows/analysis.yml | 6 ++++--
 .github/workflows/build-steps.yml | 9 +++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
index 7d853071ad..4a11134184 100644
--- a/.github/workflows/analysis.yml
+++ b/.github/workflows/analysis.yml
@@ -51,8 +51,10 @@ jobs:
 # account credentials.
 if: github.repository == 'AcademySoftwareFoundation/OpenImageIO'
 uses: ./.github/workflows/build-steps.yml
- # Must let the called steps workflow inherit our secrets
- secrets: inherit
+ # Must let the called steps workflow inherit necessary secrets
+ secrets:
+ PASSED_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PASSED_SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 with:
 nametag: ${{ matrix.nametag || 'unnamed!' }}
 runner: ${{ matrix.runner || 'ubuntu-latest' }}
diff --git a/.github/workflows/build-steps.yml b/.github/workflows/build-steps.yml
index d5a765b1e0..d2da331d22 100644
--- a/.github/workflows/build-steps.yml
+++ b/.github/workflows/build-steps.yml
@@ -64,6 +64,11 @@ on:
 type: string
 nametag:
 type: string
+ secrets:
+ PASSED_GITHUB_TOKEN:
+ required: false
+ PASSED_SONAR_TOKEN:
+ required: false
 
 permissions: read-all
 
@@ -145,8 +150,8 @@ jobs:
 - name: Sonar-scanner
 if: inputs.sonar == 1
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.PASSED_GITHUB_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.PASSED_SONAR_TOKEN }}
 run: |
 which sonar-scanner
 ls -l /__w/OpenImageIO/OpenImageIO/bw_output
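Review bot: The rewritten comment above the new `secrets:` mapping in analysis.yml still says the called workflow should "inherit" secrets, which is exactly what this hunk stops doing; `# Pass the called steps workflow only the secrets it needs` would describe the new behaviour and match the commit message. The explicit PASSED_GITHUB_TOKEN plumbing may also be redundant: as far as I recall, the automatic GITHUB_TOKEN is already exposed to a called reusable workflow as `secrets.GITHUB_TOKEN`, so only SONAR_TOKEN actually needs forwarding, but confirm that against current GitHub documentation before trimming it. The enclosing job definition starts outside the hunk.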
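Review bot: Both new `workflow_call` secrets in build-steps.yml are declared `required: false`, yet the Sonar-scanner step in the third hunk reads them unconditionally whenever `inputs.sonar == 1`, so a caller that enables sonar without forwarding the tokens gets an empty SONAR_TOKEN and an opaque scanner failure instead of a clear error. A `description:` on each secret, e.g. `description: Sonar token; needed only when the sonar input is enabled`, would document that coupling for other callers, and a guard at the top of that step's run script, `if [ -z "$SONAR_TOKEN" ]; then echo "PASSED_SONAR_TOKEN was not provided" >&2; exit 1; fi`, would fail fast with a readable message. The `on:` block these declarations belong to starts outside the hunk, and the run script in the third hunk appears to continue past that hunk's end.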