Problem
Custom jobs all receive `secrets: inherit` in the generated `release.yml`. This passes every repository secret to every reusable workflow, regardless of whether the workflow needs them.
Ex.
I'm adding a winget publishing post-announce job. The reusable workflow declares a single secret:
```yaml
on:
  workflow_call:
    inputs:
      plan:
        required: true
        type: string
    secrets:
      WINGET_TOKEN:
        required: true
```
But the generated caller in `release.yml` passes all secrets:
```yaml
custom-publish-winget:
  needs: [plan, announce]
  uses: ./.github/workflows/publish-winget.yml
  with:
    plan: ${{ needs.plan.outputs.val }}
  secrets: inherit # passes every repo secret, not just WINGET_TOKEN
```
I'd like to be able to configure the generated YAML to be:
```yaml
custom-publish-winget:
  needs: [plan, announce]
  uses: ./.github/workflows/publish-winget.yml
  with:
    plan: ${{ needs.plan.outputs.val }}
  secrets:
    WINGET_TOKEN: ${{ secrets.WINGET_TOKEN }}
```
Proposal
This follows the pattern of `github-custom-job-permissions` (#1179).
I'm proposing a new key in `dist-workspace.toml`, e.g., `github-custom-job-secrets`, as follows:
```toml
github-custom-job-secrets = { "publish-winget" = ["WINGET_TOKEN"], "my-other-workflow" = ["SOME_SECRET", "SOME_OTHER_SECRET"] }
```
Happy to submit a PR for this if it would be considered :)
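The following is an added example, not the project's own generator code and not part of the original issue: it shows how the proposed `github-custom-job-secrets` key could drive the `secrets:` block of each generated caller job (explicit allow-list when the job is configured, today's `inherit` otherwise), and adds the check a generator would want before writing `release.yml`: a configured list that omits a secret the reusable workflow declares as required will fail at run time, and a configured name the workflow never declares is either a typo or an over-broad grant. The function names (`caller_secrets`, `check_against_workflow`, `render_job`) are assumptions for this example, and `DECLARED_SECRETS` is a constructed stand-in for the `on.workflow_call.secrets` sections a generator would read from the workflow files.

```python
# Added example (not the project's own code): render and validate the
# `secrets:` block of a custom reusable-workflow caller job from the
# proposed `github-custom-job-secrets` config key.

from typing import Dict, List, Tuple, Union

# Parsed form of the proposed dist-workspace.toml line:
#   github-custom-job-secrets = { "publish-winget" = ["WINGET_TOKEN"],
#       "my-other-workflow" = ["SOME_SECRET", "SOME_OTHER_SECRET"] }
CUSTOM_JOB_SECRETS: Dict[str, List[str]] = {
    "publish-winget": ["WINGET_TOKEN"],
    "my-other-workflow": ["SOME_SECRET", "SOME_OTHER_SECRET"],
}

# Constructed stand-in for each reusable workflow's `on.workflow_call.secrets`
# section (secret name -> required flag), i.e. what a generator would read
# from .github/workflows/<job>.yml. "legacy-job" is deliberately absent from
# the config above, so it keeps the current `secrets: inherit` behaviour.
DECLARED_SECRETS: Dict[str, Dict[str, bool]] = {
    "publish-winget": {"WINGET_TOKEN": True},
    "my-other-workflow": {"SOME_SECRET": True, "SOME_OTHER_SECRET": False},
    "legacy-job": {},
}

SecretsBlock = Union[str, Dict[str, str]]


def caller_secrets(job: str, config: Dict[str, List[str]]) -> SecretsBlock:
    """Value of the `secrets:` key for the generated caller job.

    Jobs listed in the config get an explicit allow-list; unlisted jobs keep
    `inherit`, so existing configurations are unaffected by the new key.
    """
    names = config.get(job)
    if names is None:
        return "inherit"
    # Explicit mapping: only the named secrets cross the workflow boundary.
    return {name: "${{ secrets.%s }}" % name for name in names}


def check_against_workflow(
    job: str, config: Dict[str, List[str]], declared: Dict[str, Dict[str, bool]]
) -> List[str]:
    """Problems a generator should report before writing release.yml."""
    if job not in config:
        return []  # inherit passes everything: nothing to cross-check
    configured = set(config[job])
    workflow_secrets = declared.get(job, {})
    problems: List[str] = []
    # Required secret missing from the allow-list: the reusable workflow
    # would fail when it tries to use it.
    for name, required in workflow_secrets.items():
        if required and name not in configured:
            problems.append(
                f"{job}: required secret {name} not in github-custom-job-secrets"
            )
    # Configured secret the workflow never declares: typo or over-grant.
    for name in sorted(configured - set(workflow_secrets)):
        problems.append(f"{job}: secret {name} is not declared by the reusable workflow")
    return problems


def render_job(
    job: str, config: Dict[str, List[str]], needs: Tuple[str, ...] = ("plan", "announce")
) -> str:
    """Emit the caller job text as it would appear in release.yml."""
    lines = [
        f"custom-{job}:",
        f"  needs: [{', '.join(needs)}]",
        f"  uses: ./.github/workflows/{job}.yml",
        "  with:",
        "    plan: ${{ needs.plan.outputs.val }}",
    ]
    block = caller_secrets(job, config)
    if block == "inherit":
        lines.append("  secrets: inherit")
    else:
        lines.append("  secrets:")
        lines.extend(f"    {name}: {expr}" for name, expr in block.items())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for job_name in DECLARED_SECRETS:
        for problem in check_against_workflow(job_name, CUSTOM_JOB_SECRETS, DECLARED_SECRETS):
            print("warning:", problem)
        print(render_job(job_name, CUSTOM_JOB_SECRETS))
```

Running the script prints a caller job for each of the three constructed workflows: the two configured jobs get an explicit `secrets:` mapping, and `legacy-job` keeps `secrets: inherit`. Misspelling `WINGET_TOKEN` in the config produces two warnings (the required secret is missing, and the misspelled name is undeclared), which is the failure mode an explicit allow-list introduces that `inherit` silently masks.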