CI: Remove unsafe secret_envs input from yml workflows

.github/workflows/merge_queue.yml

@@ -58,13 +58,8 @@ jobs:
       test_name: Style check
       runner_type: style-checker-aarch64
       run_command: |
-          python3 style_check.py
+          python3 style_check.py --no-push
       data: ${{ needs.RunConfig.outputs.data }}
-    secrets:
-      secret_envs: |
-        ROBOT_CLICKHOUSE_SSH_KEY<<RCSK
-        ${{secrets.ROBOT_CLICKHOUSE_SSH_KEY}}
-        RCSK
   FastTest:
     needs: [RunConfig, BuildDockers]
     if: ${{ !failure() && !cancelled() && contains(fromJson(needs.RunConfig.outputs.data).jobs_data.jobs_to_do, 'Fast test') }}

.github/workflows/pull_request.yml

@@ -79,10 +79,7 @@ jobs:
           python3 style_check.py
       data: ${{ needs.RunConfig.outputs.data }}
     secrets:
-      secret_envs: |
-        ROBOT_CLICKHOUSE_SSH_KEY<<RCSK
-        ${{secrets.ROBOT_CLICKHOUSE_SSH_KEY}}
-        RCSK
+      robot_git_token: ${{secrets.ROBOT_CLICKHOUSE_SSH_KEY}}
   FastTest:
     needs: [RunConfig, BuildDockers, StyleCheck]
     if: ${{ !failure() && !cancelled() && contains(fromJson(needs.RunConfig.outputs.data).jobs_data.jobs_to_do, 'Fast test') }}

.github/workflows/reusable_build.yml

@@ -34,8 +34,11 @@ name: Build ClickHouse
         description: additional ENV variables to setup the job
         type: string
     secrets:
-      secret_envs:
-        description: if given, it's passed to the environments
+      robot_git_token:
+        required: false
+      ci_db_url:
+        required: false
+      ci_db_password:
         required: false
 
 jobs:
@@ -58,10 +61,18 @@ jobs:
         run: |
           cat >> "$GITHUB_ENV" << 'EOF'
           ${{inputs.additional_envs}}
-          ${{secrets.secret_envs}}
           DOCKER_TAG<<DOCKER_JSON
           ${{ toJson(fromJson(inputs.data).docker_data.images) }}
           DOCKER_JSON
+          ROBOT_CLICKHOUSE_SSH_KEY<<RCSK
+          ${{secrets.robot_git_token}}
+          RCSK
+          CI_DB_URL<<CIDBU
+          ${{ secrets.ci_db_url }}
+          CIDBU
+          CI_DB_PASSWORD<<CIDBP
+          ${{ secrets.ci_db_password }}
+          CIDBP
           EOF
           python3 "$GITHUB_WORKSPACE"/tests/ci/ci_config.py --build-name "${{inputs.build_name}}" >> "$GITHUB_ENV"
       - name: Apply sparse checkout for contrib # in order to check that it doesn't break build

.github/workflows/reusable_build_stage.yml

@@ -18,8 +18,11 @@ name: BuildStageWF
         type: string
         required: true
     secrets:
-      secret_envs:
-        description: if given, it's passed to the environments
+      robot_git_token:
+        required: false
+      ci_db_url:
+        required: false
+      ci_db_password:
         required: false
 
 jobs:
@@ -39,4 +42,6 @@ jobs:
       checkout_depth: 0
       data: ${{ inputs.data }}
     secrets:
-      secret_envs: ${{ secrets.secret_envs }}
+      robot_git_token: ${{ secrets.robot_git_token }}
+      ci_db_url: ${{ secrets.ci_db_url }}
+      ci_db_password: ${{ secrets.ci_db_password }}

.github/workflows/reusable_simple_job.yml

@@ -45,8 +45,11 @@ name: Simple job
         type: boolean
         default: false
     secrets:
-      secret_envs:
-        description: if given, it's passed to the environments
+      robot_git_token:
+        required: false
+      ci_db_url:
+        required: false
+      ci_db_password:
         required: false
 
 
@@ -77,7 +80,15 @@ jobs:
           cat >> "$GITHUB_ENV" << 'EOF'
           CHECK_NAME=${{ inputs.test_name }}
           ${{inputs.additional_envs}}
-          ${{secrets.secret_envs}}
+          ROBOT_CLICKHOUSE_SSH_KEY<<RCSK
+          ${{secrets.robot_git_token}}
+          RCSK
+          CI_DB_URL<<CIDBU
+          ${{ secrets.ci_db_url }}
+          CIDBU
+          CI_DB_PASSWORD<<CIDBP
+          ${{ secrets.ci_db_password }}
+          CIDBP
           EOF
       - name: Common setup
         uses: ./.github/actions/common_setup

.github/workflows/reusable_test.yml

@@ -40,8 +40,11 @@ name: Testing workflow
         type: string
         default: "$GITHUB_WORKSPACE/tests/ci"
     secrets:
-      secret_envs:
-        description: if given, it's passed to the environments
+      robot_git_token:
+        required: false
+      ci_db_url:
+        required: false
+      ci_db_password:
         required: false
 
 
@@ -75,10 +78,18 @@ jobs:
           cat >> "$GITHUB_ENV" << 'EOF'
           CHECK_NAME=${{ inputs.test_name }}
           ${{inputs.additional_envs}}
-          ${{secrets.secret_envs}}
           DOCKER_TAG<<DOCKER_JSON
           ${{ toJson(fromJson(inputs.data).docker_data.images) }}
           DOCKER_JSON
+          ROBOT_CLICKHOUSE_SSH_KEY<<RCSK
+          ${{secrets.robot_git_token}}
+          RCSK
+          CI_DB_URL<<CIDBU
+          ${{ secrets.ci_db_url }}
+          CIDBU
+          CI_DB_PASSWORD<<CIDBP
+          ${{ secrets.ci_db_password }}
+          CIDBP
           EOF
       - name: Common setup
         uses: ./.github/actions/common_setup

.github/workflows/reusable_test_stage.yml

@@ -15,8 +15,11 @@ name: StageWF
         type: string
         required: true
     secrets:
-      secret_envs:
-        description: if given, it's passed to the environments
+      robot_git_token:
+        required: false
+      ci_db_url:
+        required: false
+      ci_db_password:
         required: false
 
 jobs:
@@ -32,4 +35,6 @@ jobs:
       runner_type: ${{ matrix.job_name_and_runner_type.runner_type }}
       data: ${{ inputs.data }}
     secrets:
-      secret_envs: ${{ secrets.secret_envs }}
+      robot_git_token: ${{ secrets.robot_git_token }}
+      ci_db_url: ${{ secrets.ci_db_url }}
+      ci_db_password: ${{ secrets.ci_db_password }}