chore: update GitHub Actions workflows to enforce required secrets for release process

- Explicitly defined RELEASE_TOKEN, GPG_PRIVATE_KEY, and PASSPHRASE as required secrets in both auto-tag.yml and release.yml to enhance security. - Updated the release.yml to require a tag input for the release process, ensuring clarity in workflow execution. - Adjusted the GPG key import step to utilize the defined secrets, improving the reliability of the signing process.
5 months ago · 622f681377
2 changed files with 11 additions and 9 deletions
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@ -51,6 +51,9 @@ jobs:
    needs: auto-tag
    if: success()
    uses: ./.github/workflows/release.yml
-    secrets: inherit
    with:
-      gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+      tag: ${{ needs.auto-tag.outputs.new_tag }}
+    secrets:
+      RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+      PASSPHRASE: ${{ secrets.PASSPHRASE }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -3,17 +3,17 @@ name: Release
 on:
  workflow_call:
    inputs:
-      gpg_private_key:
-        description: "GPG private key to sign releases"
-        required: false
+      tag:
+        description: "The tag to release"
+        required: true
        type: string
    secrets:
      RELEASE_TOKEN:
        required: true
      GPG_PRIVATE_KEY:
-        required: false
+        required: true
      PASSPHRASE:
-        required: false
+        required: true
  push:
    tags:
      - "v*"
@ -40,9 +40,8 @@ jobs:
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v5
-        if: inputs.gpg_private_key != ''
        with:
-          gpg_private_key: ${{ inputs.gpg_private_key }}
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}

      - name: Run GoReleaser