Skip to content

👷 Explicitly define secrets instead of inheriting them#132

Merged
Friedinger merged 4 commits into
mainfrom
ci/define-secrets
Mar 20, 2026
Merged

👷 Explicitly define secrets instead of inheriting them#132
Friedinger merged 4 commits into
mainfrom
ci/define-secrets

Conversation

@Friedinger

Copy link
Copy Markdown
Member

This pull request updates several GitHub Actions workflow files to improve secret handling, standardize input names, and enhance authentication for reusable workflows. The main changes focus on switching from inherited secrets to explicit inputs and secrets, renaming secret variables for consistency, and adding required authentication tokens for external integrations.

Secret and authentication improvements:

  • Changed secret handling in reusable workflows (action-add-project.yml, action-sync-webhook.yml, action-docs.yml) to require explicit secrets and inputs, rather than inheriting secrets. This makes authentication requirements clearer and more secure. [1] [2] [3]
  • Renamed secret variables from RUBBERDUCKCREW_BOT_APP_PRIVATE_KEY to BOT_APP_PRIVATE_KEY for consistency across workflows and updated references accordingly. [1] [2] [3] [4]

Workflow input and output standardization:

  • Updated workflows to use inputs.bot-app-id instead of vars.RUBBERDUCKCREW_BOT_APP_ID for GitHub App authentication, ensuring that the app ID is provided as an explicit input. [1] [2] [3] [4]
  • Added required secrets for Cloudflare integration (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID) in documentation workflows to support deployment to Cloudflare Pages. [1] [2]

Trigger and path improvements:

  • Simplified and deduplicated the path triggers for the docs workflow (docs.yml), making it easier to maintain and ensuring consistent triggering for relevant files.

These updates make the workflows more robust, secure, and maintainable by clarifying authentication requirements and standardizing variable usage.

@coderabbitai

coderabbitai Bot commented Mar 19, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e1992ea6-b570-4b17-9668-d0f1b48db6f4

📥 Commits

Reviewing files that changed from the base of the PR and between 0b88cd5 and 8dfb68c.

📒 Files selected for processing (5)
  • .github/workflows/action-close-actions.yml
  • .github/workflows/action-docs.yml
  • .github/workflows/add-project.yml
  • .github/workflows/close-actions.yml
  • .github/workflows/sync-webhook.yml
🚧 Files skipped from review as they are similar to previous changes (5)
  • .github/workflows/add-project.yml
  • .github/workflows/sync-webhook.yml
  • .github/workflows/close-actions.yml
  • .github/workflows/action-close-actions.yml
  • .github/workflows/action-docs.yml

Walkthrough

Reformatted GitHub Actions YAML files to standard two-space indentation and updated several reusable workflows to explicitly accept bot-app-id and BOT_APP_PRIVATE_KEY (and other required secrets), replacing prior reliance on vars/secrets inheritance for authentication.

Changes

Cohort / File(s) Summary
YAML formatting (many workflows)
/.github/workflows/action-actionlint.yml, /.github/workflows/action-conventions.yml, /.github/workflows/action-sync-labels.yml, /.github/workflows/actionlint.yml, /.github/workflows/actionlint.yml, /.github/workflows/action-conventions.yml, /.github/workflows/action-sync-labels.yml, /.github/workflows/actionlint.yml, /.github/workflows/close-actions.yml, /.github/workflows/conventions.yml, /.github/workflows/sync-labels.yml
Normalized indentation/structure to 2-space YAML. No functional logic changes in jobs, triggers, or action inputs.
Reusable workflows — bot app auth / secrets added
/.github/workflows/action-add-project.yml, /.github/workflows/action-sync-webhook.yml, /.github/workflows/action-docs.yml
Added workflow_call input bot-app-id and/or required secrets (BOT_APP_PRIVATE_KEY, CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID) and updated secret names/checks to gate token creation; replaced older vars/secret usage.
Caller workflows — pass new inputs / remap secrets
/.github/workflows/add-project.yml, /.github/workflows/sync-webhook.yml, /.github/workflows/docs.yml
Updated calls to reusable workflows to pass bot-app-id (from vars.RUBBERDUCKCREW_BOT_APP_ID) and remapped secrets.BOT_APP_PRIVATE_KEY (renamed from previous secret). Replaced secrets: inherit with explicit secret mappings where applicable.
Close-actions auth token change
/.github/workflows/action-close-actions.yml, /.github/workflows/close-actions.yml
YAML reformat and switched action auth usages to reference github.token/${{ github.token }} in job steps (indentation changes only otherwise).
Label sync interface unchanged (formatting only)
/.github/workflows/action-sync-labels.yml, /.github/workflows/sync-labels.yml
Indentation normalization; workflow_call inputs and label-sync step unchanged functionally.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Caller as Caller Workflow
participant Reusable as Reusable Workflow
participant TokenAction as Token Creation Step
participant GitHubAPI as GitHub (App API)
participant Action as Consumer Action
Note right of Caller: passes bot-app-id & secrets
Caller->>Reusable: invoke with bot-app-id, BOT_APP_PRIVATE_KEY, other secrets
Reusable->>TokenAction: run create-github-app-token using inputs/secrets
TokenAction->>GitHubAPI: authenticate (JWT) -> request installation token
GitHubAPI-->>TokenAction: return installation token
TokenAction-->>Reusable: provide GITHUB_TOKEN
Reusable->>Action: run step (e.g., add-to-project) with generated token

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested reviewers

  • IamPekka058

Poem

🐰
I hopped through YAML, spaces aligned,
Secrets declared, no guessing blind,
Bot ID carried, token made true,
Workflows neat with skies of blue,
A rabbit cheers: CI's refined! 🎉

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main purpose of the PR: making secrets explicit rather than inherited across GitHub Actions workflows.
Description check ✅ Passed The description is directly related to the changeset, detailing secret handling improvements, input standardization, and workflow authentication changes reflected in the file modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/define-secrets
📝 Coding Plan
  • Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@Friedinger Friedinger added the 👷 CI/CD Changes related to continuous integration/deployment label Mar 19, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (5)
.github/workflows/docs.yml (1)

16-17: Clarify intent: commented-out remote reference vs. local path.

Line 16 shows the remote workflow reference commented out, while line 17 uses a local path. If the local path is temporary for testing, consider removing or updating the comment before merging. If it's intentional documentation, adding a note explaining why the local path is used would improve clarity.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docs.yml around lines 16 - 17, The commented remote
workflow reference ("uses:
RubberDuckCrew/.github/.github/workflows/action-docs.yml@main") and the active
local path ("uses: ./.github/workflows/action-docs.yml") are ambiguous; either
remove the commented remote line if the local path is the intended permanent
source, or keep the remote and revert to it, but if the local path is
intentionally used for testing add a brief explanatory comment above the active
uses line stating that the local workflow is used temporarily for testing and
should be switched back to the remote reference before merge—update the same
lines so the intent is explicit.
.github/workflows/sync-webhook.yml (1)

16-16: Minor: Inconsistent brace spacing.

Same formatting issue as in add-project.yml — missing space before the closing }}.

-      bot-app-id: ${{ vars.RUBBERDUCKCREW_BOT_APP_ID}}
+      bot-app-id: ${{ vars.RUBBERDUCKCREW_BOT_APP_ID }}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sync-webhook.yml at line 16, The workflow line for the bot
app id has inconsistent brace spacing: change the value usage in bot-app-id
(currently using ${{ vars.RUBBERDUCKCREW_BOT_APP_ID}}) to include a space before
the closing braces so it reads ${{ vars.RUBBERDUCKCREW_BOT_APP_ID }} to match
the formatting used in add-project.yml and other workflow files.
.github/workflows/close-actions.yml (1)

13-13: Inconsistent with PR objective: Still using secrets: inherit.

This workflow continues to use secrets: inherit while other workflows in this PR (e.g., add-project.yml, sync-webhook.yml) were updated to explicitly pass secrets. Given that the PR objective is to "explicitly define secrets instead of inheriting them," consider updating this workflow to explicitly pass GITHUB_TOKEN for consistency:

-    secrets: inherit
+    secrets:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This would align with the changes made to the callee (action-close-actions.yml), which now explicitly declares GITHUB_TOKEN as a required secret.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/close-actions.yml at line 13, Replace the generic
"secrets: inherit" in the close-actions workflow with an explicit secret mapping
for GITHUB_TOKEN to match the PR's intent and the callee
action-close-actions.yml; locate the "secrets: inherit" entry in
.github/workflows/close-actions.yml and change it to explicitly pass
GITHUB_TOKEN (i.e., set the secrets map so GITHUB_TOKEN is provided from
secrets.GITHUB_TOKEN) so the workflow and the action-close-actions.yml
declaration are consistent.
.github/workflows/add-project.yml (1)

12-12: Minor: Inconsistent brace spacing.

There's a missing space before the closing }} in the expression. This doesn't affect functionality but is inconsistent with typical GitHub Actions formatting conventions.

-      bot-app-id: ${{ vars.RUBBERDUCKCREW_BOT_APP_ID}}
+      bot-app-id: ${{ vars.RUBBERDUCKCREW_BOT_APP_ID }}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/add-project.yml at line 12, Fix the inconsistent brace
spacing in the GitHub Actions expression by updating the value for bot-app-id
(the expression currently shown as ${{ vars.RUBBERDUCKCREW_BOT_APP_ID}}) to
include a space before the closing braces so it reads ${{
vars.RUBBERDUCKCREW_BOT_APP_ID }} to match project formatting conventions.
.github/workflows/action-docs.yml (1)

93-93: Use github.token instead of secrets.GITHUB_TOKEN for action authentication inputs.

While secrets.GITHUB_TOKEN is automatically available in reusable workflows, github.token is the recommended context for passing tokens to action inputs for authentication. Update lines 93, 100, and 110 to use github.token.

Suggested diff
-          gitHubToken: ${{ secrets.GITHUB_TOKEN }}
+          gitHubToken: ${{ github.token }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ github.token }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ github.token }}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/action-docs.yml at line 93, Replace all uses of the
secrets.GITHUB_TOKEN context in action input values with the recommended
github.token context (e.g., change gitHubToken: ${{ secrets.GITHUB_TOKEN }} to
gitHubToken: ${{ github.token }}), updating the three occurrences in the
workflow that currently reference secrets.GITHUB_TOKEN so action inputs use ${{
github.token }} instead.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/action-docs.yml:
- Line 93: Replace all uses of the secrets.GITHUB_TOKEN context in action input
values with the recommended github.token context (e.g., change gitHubToken: ${{
secrets.GITHUB_TOKEN }} to gitHubToken: ${{ github.token }}), updating the three
occurrences in the workflow that currently reference secrets.GITHUB_TOKEN so
action inputs use ${{ github.token }} instead.

In @.github/workflows/add-project.yml:
- Line 12: Fix the inconsistent brace spacing in the GitHub Actions expression
by updating the value for bot-app-id (the expression currently shown as ${{
vars.RUBBERDUCKCREW_BOT_APP_ID}}) to include a space before the closing braces
so it reads ${{ vars.RUBBERDUCKCREW_BOT_APP_ID }} to match project formatting
conventions.

In @.github/workflows/close-actions.yml:
- Line 13: Replace the generic "secrets: inherit" in the close-actions workflow
with an explicit secret mapping for GITHUB_TOKEN to match the PR's intent and
the callee action-close-actions.yml; locate the "secrets: inherit" entry in
.github/workflows/close-actions.yml and change it to explicitly pass
GITHUB_TOKEN (i.e., set the secrets map so GITHUB_TOKEN is provided from
secrets.GITHUB_TOKEN) so the workflow and the action-close-actions.yml
declaration are consistent.

In @.github/workflows/docs.yml:
- Around line 16-17: The commented remote workflow reference ("uses:
RubberDuckCrew/.github/.github/workflows/action-docs.yml@main") and the active
local path ("uses: ./.github/workflows/action-docs.yml") are ambiguous; either
remove the commented remote line if the local path is the intended permanent
source, or keep the remote and revert to it, but if the local path is
intentionally used for testing add a brief explanatory comment above the active
uses line stating that the local workflow is used temporarily for testing and
should be switched back to the remote reference before merge—update the same
lines so the intent is explicit.

In @.github/workflows/sync-webhook.yml:
- Line 16: The workflow line for the bot app id has inconsistent brace spacing:
change the value usage in bot-app-id (currently using ${{
vars.RUBBERDUCKCREW_BOT_APP_ID}}) to include a space before the closing braces
so it reads ${{ vars.RUBBERDUCKCREW_BOT_APP_ID }} to match the formatting used
in add-project.yml and other workflow files.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: df778d30-6611-4c49-9a9f-5b60d90cab77

📥 Commits

Reviewing files that changed from the base of the PR and between 0fc4354 and 0b88cd5.

📒 Files selected for processing (14)
  • .github/workflows/action-actionlint.yml
  • .github/workflows/action-add-project.yml
  • .github/workflows/action-close-actions.yml
  • .github/workflows/action-conventions.yml
  • .github/workflows/action-docs.yml
  • .github/workflows/action-sync-labels.yml
  • .github/workflows/action-sync-webhook.yml
  • .github/workflows/actionlint.yml
  • .github/workflows/add-project.yml
  • .github/workflows/close-actions.yml
  • .github/workflows/conventions.yml
  • .github/workflows/docs.yml
  • .github/workflows/sync-labels.yml
  • .github/workflows/sync-webhook.yml

@IamPekka058 IamPekka058 requested a review from a team March 20, 2026 05:05
@Friedinger Friedinger merged commit c1f657a into main Mar 20, 2026
6 checks passed
@Friedinger Friedinger deleted the ci/define-secrets branch March 20, 2026 09:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

👷 CI/CD Changes related to continuous integration/deployment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants