Keep publish secrets scoped to specific steps

.github/workflows/ci.yml

@@ -15,10 +15,6 @@ on:
     tags: [v*]
 
 env:
-  PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
-  SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
-  SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
-  PGP_SECRET: ${{ secrets.PGP_SECRET }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 jobs:
@@ -132,17 +128,26 @@ jobs:
           rm targets.tar
 
       - name: Import signing key
-        if: env.PGP_SECRET != '' && env.PGP_PASSPHRASE == ''
+        if: secrets.PGP_SECRET != '' && secrets.PGP_PASSPHRASE == ''
+        env:
+          PGP_SECRET: ${{ secrets.PGP_SECRET }}
+          PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
         run: echo $PGP_SECRET | base64 -d | gpg --import
 
       - name: Import signing key and strip passphrase
-        if: env.PGP_SECRET != '' && env.PGP_PASSPHRASE != ''
+        if: secrets.PGP_SECRET != '' && secrets.PGP_PASSPHRASE != ''
+        env:
+          PGP_SECRET: ${{ secrets.PGP_SECRET }}
+          PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
         run: |
           echo "$PGP_SECRET" | base64 -d > /tmp/signing-key.gpg
           echo "$PGP_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --import /tmp/signing-key.gpg
           (echo "$PGP_PASSPHRASE"; echo; echo) | gpg --command-fd 0 --pinentry-mode loopback --change-passphrase $(gpg --list-secret-keys --with-colons 2> /dev/null | grep '^sec:' | cut --delimiter ':' --fields 5 | tail -n 1)
 
       - name: Publish
+        env:
+          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+          SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
         run: sbt '++${{ matrix.scala }}' tlRelease
 
   site:

ci-signing/src/main/scala/org/typelevel/sbt/TypelevelCiSigningPlugin.scala

@@ -29,15 +29,12 @@ object TypelevelCiSigningPlugin extends AutoPlugin {
   override def trigger = allRequirements
 
   override def buildSettings = Seq(
-    githubWorkflowEnv ++= Map(
-      "PGP_SECRET" -> s"$${{ secrets.PGP_SECRET }}",
-      "PGP_PASSPHRASE" -> s"$${{ secrets.PGP_PASSPHRASE }}"
-    ),
     githubWorkflowPublishPreamble := Seq(
       WorkflowStep.Run( // if your key is not passphrase-protected
         List("echo $PGP_SECRET | base64 -d | gpg --import"),
         name = Some("Import signing key"),
-        cond = Some("env.PGP_SECRET != '' && env.PGP_PASSPHRASE == ''")
+        cond = Some("secrets.PGP_SECRET != '' && secrets.PGP_PASSPHRASE == ''"),
+        env = env
       ),
       WorkflowStep.Run( // if your key is passphrase-protected
         List(
@@ -46,7 +43,8 @@ object TypelevelCiSigningPlugin extends AutoPlugin {
           "(echo \"$PGP_PASSPHRASE\"; echo; echo) | gpg --command-fd 0 --pinentry-mode loopback --change-passphrase $(gpg --list-secret-keys --with-colons 2> /dev/null | grep '^sec:' | cut --delimiter ':' --fields 5 | tail -n 1)"
         ),
         name = Some("Import signing key and strip passphrase"),
-        cond = Some("env.PGP_SECRET != '' && env.PGP_PASSPHRASE != ''")
+        cond = Some("secrets.PGP_SECRET != '' && secrets.PGP_PASSPHRASE != ''"),
+        env = env
       )
     )
   )
@@ -57,4 +55,9 @@ object TypelevelCiSigningPlugin extends AutoPlugin {
     gpgWarnOnFailure := isSnapshot.value
   )
 
+  private val env = Map(
+    "PGP_SECRET" -> s"$${{ secrets.PGP_SECRET }}",
+    "PGP_PASSPHRASE" -> s"$${{ secrets.PGP_PASSPHRASE }}"
+  )
+
 }

sonatype-ci-release/src/main/scala/org/typelevel/sbt/TypelevelSonatypeCiReleasePlugin.scala

@@ -41,10 +41,6 @@ object TypelevelSonatypeCiReleasePlugin extends AutoPlugin {
     Seq(tlCiReleaseTags := true, tlCiReleaseBranches := Seq())
 
   override def buildSettings = Seq(
-    githubWorkflowEnv ++= Map(
-      "SONATYPE_USERNAME" -> s"$${{ secrets.SONATYPE_USERNAME }}",
-      "SONATYPE_PASSWORD" -> s"$${{ secrets.SONATYPE_PASSWORD }}"
-    ),
     githubWorkflowPublishTargetBranches := {
       val branches =
         tlCiReleaseBranches.value.map(b => RefPredicate.Equals(Ref.Branch(b)))
@@ -59,7 +55,12 @@ object TypelevelSonatypeCiReleasePlugin extends AutoPlugin {
     },
     githubWorkflowTargetTags += "v*",
     githubWorkflowPublish := Seq(
-      WorkflowStep.Sbt(List("tlRelease"), name = Some("Publish"))
+      WorkflowStep.Sbt(List("tlRelease"), name = Some("Publish"), env = env)
     )
   )
+
+  private val env = Map(
+    "SONATYPE_USERNAME" -> s"$${{ secrets.SONATYPE_USERNAME }}",
+    "SONATYPE_PASSWORD" -> s"$${{ secrets.SONATYPE_PASSWORD }}"
+  )
 }