ci: Only pass build-steps the secrets it needs (#4576)

Safer than letting it inherit all secrets. Signed-off-by: Larry Gritz <[email protected]>
AcademySoftwareFoundation · Jan 8, 2025 · 424e396 · 424e396
1 parent 85ece69
commit 424e396
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 4 deletions.
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -51,8 +51,10 @@ jobs:
     # account credentials.
     if: github.repository == 'AcademySoftwareFoundation/OpenImageIO'
     uses: ./.github/workflows/build-steps.yml
-    # Must let the called steps workflow inherit our secrets
-    secrets: inherit
+    # Must let the called steps workflow inherit necessary secrets
+    secrets:
+      PASSED_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      PASSED_SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
     with:
       nametag: ${{ matrix.nametag || 'unnamed!' }}
       runner: ${{ matrix.runner || 'ubuntu-latest' }}

diff --git a/.github/workflows/build-steps.yml b/.github/workflows/build-steps.yml
@@ -64,6 +64,11 @@ on:
         type: string
       nametag:
         type: string
+    secrets:
+        PASSED_GITHUB_TOKEN:
+          required: false
+        PASSED_SONAR_TOKEN:
+          required: false
 
 permissions: read-all
 
@@ -145,8 +150,8 @@ jobs:
       - name: Sonar-scanner
         if: inputs.sonar == 1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.PASSED_GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.PASSED_SONAR_TOKEN }}
         run: |
             which sonar-scanner
             ls -l /__w/OpenImageIO/OpenImageIO/bw_output