Skip to content

feat: explicitly pass secrets in charm-release.yaml #355

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: v0
Choose a base branch
from
Open

feat: explicitly pass secrets in charm-release.yaml #355

wants to merge 1 commit into from

Conversation

Guillaumebeuzeboc
Copy link

@Guillaumebeuzeboc Guillaumebeuzeboc commented Jun 27, 2025
edited
Loading

This PR replaces some automatic inheritance of all secrets in github workflow by explicitly
passing the one secret that's required.

Beside security consideration, secrets: inherit,
does not work when the workflow is called from another organization.
This seriously limits the reusability of the workflow.
Github doc: (link)

Workflows that call reusable workflows in the same organization or enterprise can use the inherit keyword to implicitly pass the secrets.

For instance, in our project: foxglove-k8s-operator, the workflow was evaluating the CHARMCRAFT_TOKEN to an empty string due to this limitation of secrets: inherit in the charm-release.yaml workflow.

This patch has been tested here: https://github.com/ubuntu-robotics/foxglove-k8s-operator/actions/runs/15927819021/job/44929252521

Mind that the patch doesn't break any existing workflow,
but it may require in the future to maintain the list of secrets that are supposed to be passed.

@Guillaumebeuzeboc
Explicitly pass secrets in charm-release.yaml
9cd20de 
`secrets: inherit`, does not work when the workflow is called
from an outside organization.

Signed-off-by: Guillaume Beuzeboc <guillaume.beuzeboc@gmail.com>
@Guillaumebeuzeboc Guillaumebeuzeboc requested a review from a team as a code owner June 27, 2025 13:49
@Guillaumebeuzeboc Guillaumebeuzeboc mentioned this pull request Jun 27, 2025
Merged
@lucabello lucabello changed the title Explicitly pass secrets in charm-release.yaml feat: explicitly pass secrets in charm-release.yaml Jul 3, 2025
@lucabello
Copy link
Contributor

Hey Guillaume, thanks for the PR :) I want to run a few tests with the o11y-tester charm before merging, but this looks good!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Guillaumebeuzeboc @lucabello