From 622f681377a4774a040e34bffed890478f5833a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=85=8E=E9=A5=BC=E6=9E=9C=E5=AD=90=E5=8D=B7=E9=B2=A8?= =?UTF-8?q?=E9=B1=BC=E8=BE=A3=E6=A4=92?=
Date: Mon, 30 Dec 2024 18:31:37 +0800
Subject: [PATCH] chore: update GitHub Actions workflows to enforce required secrets for release process

- Explicitly defined RELEASE_TOKEN, GPG_PRIVATE_KEY, and PASSPHRASE as required secrets in both auto-tag.yml and release.yml to enhance security.
- Updated the release.yml to require a tag input for the release process, ensuring clarity in workflow execution.
- Adjusted the GPG key import step to utilize the defined secrets, improving the reliability of the signing process.
---
 .github/workflows/auto-tag.yml | 7 +++++--
 .github/workflows/release.yml | 13 ++++++-------
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index 07a1d01..ba33cf2 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -51,6 +51,9 @@ jobs:
 needs: auto-tag
 if: success()
 uses: ./.github/workflows/release.yml
- secrets: inherit
 with:
- gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+ tag: ${{ needs.auto-tag.outputs.new_tag }}
+ secrets:
+ RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+ GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+ PASSPHRASE: ${{ secrets.PASSPHRASE }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1d916b7..af5d89c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,17 +3,17 @@ name: Release
 on:
 workflow_call:
 inputs:
- gpg_private_key:
- description: "GPG private key to sign releases"
- required: false
+ tag:
+ description: "The tag to release"
+ required: true
 type: string
 secrets:
 RELEASE_TOKEN:
 required: true
 GPG_PRIVATE_KEY:
- required: false
+ required: true
 PASSPHRASE:
- required: false
+ required: true
 push:
 tags:
 - "v*"
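Review bot: `required: true` on the callee's `tag` input only checks that the caller supplies the key, not that `needs.auto-tag.outputs.new_tag` is non-empty, so a run in which auto-tag produced no tag (or in which `new_tag` is not declared under that job's `outputs:`, which lies outside this hunk) would still start the release job with an empty tag. Tighten the job condition to `if: success() && needs.auto-tag.outputs.new_tag != ''` so the release is skipped rather than run against nothing. Replacing `secrets: inherit` with the three named secrets is the right direction: the reusable workflow now receives only what it needs to sign and publish.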
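Review bot: The `required: true` markings under `workflow_call` are enforced only when this workflow is invoked through `uses:`; the `push: tags: "v*"` trigger kept at the end of the hunk bypasses them, so a direct tag push runs the job with `inputs.tag` empty and with no check that `GPG_PRIVATE_KEY` and `PASSPHRASE` actually exist in the repository. If the auto-tag workflow is the only intended entry point, drop the `push` trigger; otherwise resolve the tag as `${{ inputs.tag || github.ref_name }}` wherever it is consumed (outside this hunk) and add a fail-fast step that exits non-zero when the signing secrets are empty. A `description` on each secret would also help operators wire them up correctly, e.g. `description: "ASCII-armored GPG private key used to sign release artifacts"` under `GPG_PRIVATE_KEY`.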
@@ -40,9 +40,8 @@ jobs:
 - name: Import GPG key
 id: import_gpg
 uses: crazy-max/ghaction-import-gpg@v5
- if: inputs.gpg_private_key != ''
 with:
- gpg_private_key: ${{ inputs.gpg_private_key }}
+ gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
 passphrase: ${{ secrets.PASSPHRASE }}
 - name: Run GoReleaser
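Review bot: The step now hands the repository's signing key and passphrase to `crazy-max/ghaction-import-gpg@v5` unconditionally, yet that third-party action is pinned only by a mutable major-version tag, so a compromised or force-pushed `v5` tag would receive the private key. Pin it to the full 40-character commit SHA of the intended release and keep the version in a trailing comment, `uses: crazy-max/ghaction-import-gpg@<full-commit-sha> # v5` (take the SHA from the action's release page, not from memory). Dropping the `if: inputs.gpg_private_key != ''` guard also means a missing secret now surfaces as an opaque failure inside the action; because the `secrets` context is not available in a step-level `if`, expose it through job-level `env` (`HAS_GPG_KEY: ${{ secrets.GPG_PRIVATE_KEY != '' }}`) and add a short step that fails with a clear message when it is `'false'`. The `Run GoReleaser` step and the rest of the job continue outside this hunk.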