From 608aae85cfdd97856025b7b4a0502c1f968d7d72 Mon Sep 17 00:00:00 2001 From: Max Kainov Date: Mon, 18 Nov 2024 14:02:57 +0100 Subject: [PATCH] CI: Remove unsafe secret_envs input from yml workflows --- .github/workflows/merge_queue.yml | 7 +------ .github/workflows/pull_request.yml | 5 +---- .github/workflows/reusable_build.yml | 17 ++++++++++++++--- .github/workflows/reusable_build_stage.yml | 11 ++++++++--- .github/workflows/reusable_simple_job.yml | 17 ++++++++++++++--- .github/workflows/reusable_test.yml | 17 ++++++++++++++--- .github/workflows/reusable_test_stage.yml | 11 ++++++++--- 7 files changed, 60 insertions(+), 25 deletions(-) diff --git a/.github/workflows/merge_queue.yml b/.github/workflows/merge_queue.yml index 45ce81c2caf..70e1997a82e 100644 --- a/.github/workflows/merge_queue.yml +++ b/.github/workflows/merge_queue.yml @@ -58,13 +58,8 @@ jobs: test_name: Style check runner_type: style-checker-aarch64 run_command: | - python3 style_check.py + python3 style_check.py --no-push data: ${{ needs.RunConfig.outputs.data }} - secrets: - secret_envs: | - ROBOT_CLICKHOUSE_SSH_KEY<> "$GITHUB_ENV" << 'EOF' ${{inputs.additional_envs}} - ${{secrets.secret_envs}} DOCKER_TAG<> "$GITHUB_ENV" - name: Apply sparse checkout for contrib # in order to check that it doesn't break build diff --git a/.github/workflows/reusable_build_stage.yml b/.github/workflows/reusable_build_stage.yml index fbb6f8cbae9..77b63ccc283 100644 --- a/.github/workflows/reusable_build_stage.yml +++ b/.github/workflows/reusable_build_stage.yml @@ -18,8 +18,11 @@ name: BuildStageWF type: string required: true secrets: - secret_envs: - description: if given, it's passed to the environments + robot_git_token: + required: false + ci_db_url: + required: false + ci_db_password: required: false jobs: 
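Review bot: The three secrets declared in place of `secret_envs` in reusable_build_stage.yml (`robot_git_token`, `ci_db_url`, `ci_db_password`) carry no `description`, and all are `required: false`, so a caller that omits one passes an empty value with no error at call time. I would give each a one-line description, for example `description: CI database password, used only by the reporting steps` (wording for the author to confirm, since the usage is not visible in this hunk). Any secret the job cannot run without should be `required: true`. If `required: false` is deliberate so that runs without access to secrets still start, a short comment above the block saying so would keep the next editor from tightening it by accident. The same declaration is repeated in reusable_simple_job.yml and, judging by the diffstat, in the other reusable_* workflows.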
@@ -39,4 +42,6 @@ jobs: checkout_depth: 0 data: ${{ inputs.data }} secrets: - secret_envs: ${{ secrets.secret_envs }} + robot_git_token: ${{ secrets.robot_git_token }} + ci_db_url: ${{ secrets.ci_db_url }} + ci_db_password: ${{ secrets.ci_db_password }} diff --git a/.github/workflows/reusable_simple_job.yml b/.github/workflows/reusable_simple_job.yml index 7df98d96f79..247569c4f52 100644 --- a/.github/workflows/reusable_simple_job.yml +++ b/.github/workflows/reusable_simple_job.yml @@ -45,8 +45,11 @@ name: Simple job type: boolean default: false secrets: - secret_envs: - description: if given, it's passed to the environments + robot_git_token: + required: false + ci_db_url: + required: false + ci_db_password: required: false @@ -77,7 +80,15 @@ jobs: cat >> "$GITHUB_ENV" << 'EOF' CHECK_NAME=${{ inputs.test_name }} ${{inputs.additional_envs}} - ${{secrets.secret_envs}} + ROBOT_CLICKHOUSE_SSH_KEY<> "$GITHUB_ENV" << 'EOF' CHECK_NAME=${{ inputs.test_name }} ${{inputs.additional_envs}} - ${{secrets.secret_envs}} DOCKER_TAG<
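Review bot: In the `@@ -39,4 +42,6 @@` hunk of reusable_build_stage.yml, all three secrets are forwarded to the build job unconditionally, so the CI database credentials reach every build even if only the reporting steps need them. If the called workflow still appends these values to `$GITHUB_ENV`, as the reusable_simple_job.yml hunk appears to (its text is damaged and cut off in this view), they become visible to every later step of the job, including third-party actions. Scoping them with a step-level `env:` on the steps that use them, such as `CI_DB_PASSWORD: ${{ secrets.ci_db_password }}` (variable name to be matched to what the scripts read), would narrow that exposure. At minimum, a comment such as `# forwarded by name; keep in sync with the secrets block of reusable_build.yml` would document the coupling between the two files.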