fix: secrets conflict (#248)

Signed-off-by: hlts2 <[email protected]>
vdaas · Apr 9, 2024 · ab80a89 · ab80a89
1 parent c358d73
commit ab80a89
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 14 deletions.
diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml
@@ -17,19 +17,25 @@ on:
         type: boolean
         default: false
         required: false
+    secrets:
+      CI_USER:
+        required: true
+      CI_TOKEN:
+        required: true
+      GPG_PRIVATE_KEY:
+        required: true
 jobs:
   build-and-push:
     runs-on: ubuntu-20.04
     env:
-      # TODO: Check secrets
-      GITHUB_USER: ${{ secrets.DISPATCH_USER }}
-      GITHUB_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
+      CI_USER: ${{ secrets.CI_USER }}
+      CI_TOKEN: ${{ secrets.CI_TOKEN }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: ${{ inputs.client_checkout_ref }}
-          token: ${{ env.GITHUB_TOKEN }}
+          token: ${{ env.CI_TOKEN }}
       - name: Set Git config
         run: |
           git config --global --add safe.directory ${GITHUB_WORKSPACE}
@@ -78,7 +84,7 @@ jobs:
           echo "commit and push"
           SHA="$(make vald/sha/print)"
 
-          git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/$GITHUB_REPOSITORY
+          git remote set-url origin https://${CI_USER}:${CI_TOKEN}@github.com/$GITHUB_REPOSITORY
           git add .
           git commit -S --signoff -m "Update [vald sha: ${SHA}]"
           git push
@@ -87,6 +93,6 @@ jobs:
         continue-on-error: true
         run: |
           VERSION="$(make vald/client/python/version/print)"
-          git remote set-url origin "https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
+          git remote set-url origin "https://${CI_USER}:${CI_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
           git tag ${VERSION}
           git push origin ${VERSION}
diff --git a/.github/workflows/_prepare-release.yaml b/.github/workflows/_prepare-release.yaml
@@ -37,7 +37,7 @@ on:
         type: string
         required: true
     secrets:
-      GITHUB_TOKEN:
+      CI_TOKEN:
         required: true
     outputs:
       RESULT:
@@ -53,7 +53,7 @@ jobs:
         with:
           fetch-depth: 0
           ref: ${{ inputs.client_checkout_ref }}
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.CI_TOKEN }}
       - name: Set Git config
         run: |
           git config --global --add safe.directory ${GITHUB_WORKSPACE}

diff --git a/.github/workflows/_semver-auto.yaml b/.github/workflows/_semver-auto.yaml
@@ -33,7 +33,7 @@ on:
         description: "Release branch name"
         value: ${{ jobs.semver-auto.outputs.RELEASE_BRANCH_NAME }}
     secrets:
-      GITHUB_TOKEN:
+      CI_TOKEN:
         required: true
 env:
   VALD_TAG_LIST_API_URL: https://api.github.com/repos/vdaas/vald/tags
@@ -50,7 +50,7 @@ jobs:
         with:
           fetch-depth: 0
           ref: ${{ inputs.client_checkout_ref }} ## NOTE:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.CI_TOKEN }}
       - name: Set Git config
         run: |
           git config --global --add safe.directory ${GITHUB_WORKSPACE}

diff --git a/.github/workflows/sync.yaml b/.github/workflows/sync.yaml
@@ -22,18 +22,21 @@ on:
 jobs:
   sync-main:
     uses: ./.github/workflows/_build.yaml
-    secrets: inherit
     with:
       vald_checkout_ref: main    # sync based on vald main branch.
       client_checkout_ref: main
       enable_tag_push: false
+    secrets:
+      CI_USER: ${{ secrets.DISPATCH_USER }}
+      CI_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
+      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
 
   semver-auto:
     needs:
       - sync-main
     uses:  vdaas/vald-ci-labs/.github/workflows/_semver-auto.yaml@main
     secrets:
-      GITHUB_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
+      CI_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
 
   prepare-release:
     if: ${{ needs.semver-auto.outputs.RELEASE == 'true' }}
@@ -44,16 +47,19 @@ jobs:
       image_tag: ${{ needs.semver-auto.outputs.VERSION }}
       release_branch_name: ${{ needs.semver-auto.outputs.RELEASE_BRANCH_NAME }}
     secrets:
-      GITHUB_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
+      CI_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
 
   sync-release:
     if: ${{ needs.prepare-release.outputs.RESULT == 'true' }}
     needs:
       - semver-auto
       - prepare-release
     uses: ./.github/workflows/_build.yaml
-    secrets: inherit
     with:
       vald_checkout_ref: ${{ needs.semver-auto.outputs.VERSION }}                 # sync based on vald released version.
       client_checkout_ref: ${{ needs.semver-auto.outputs.RELEASE_BRANCH_NAME }}
       enable_tag_push: true
+    secrets:
+      CI_USER: ${{ secrets.DISPATCH_USER }}
+      CI_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
+      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}