From 59ab2e4103bbaaaeaf61434c709345442cf4611d Mon Sep 17 00:00:00 2001 From: Mrugesh Mohapatra <1884376+raisedadead@users.noreply.github.com> Date: Sun, 1 Mar 2026 09:47:18 +0530 Subject: [PATCH] fix(GHA): harden deploy workflows with env vars and explicit secrets (#66138) --- .github/workflows/deploy-api.yml | 15 ++++++++++----- .github/workflows/deploy-client.yml | 6 ++++-- .github/workflows/docker-docr.yml | 7 +++++++ 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/.github/workflows/deploy-api.yml b/.github/workflows/deploy-api.yml index 7e6c2926e52..93831f570fa 100644 --- a/.github/workflows/deploy-api.yml +++ b/.github/workflows/deploy-api.yml @@ -33,12 +33,15 @@ jobs: steps: - name: Setup id: setup + env: + BRANCH: ${{ github.ref_name }} + SHOW_UPCOMING_CHANGES: ${{ inputs.show_upcoming_changes }} + API_LOG_LVL: ${{ inputs.api_log_lvl || 'info' }} run: | - BRANCH="${{ github.ref_name }}" echo "Current branch: $BRANCH" # Convert boolean input to string 'true' or 'false' - if [[ "${{ inputs.show_upcoming_changes }}" == "true" ]]; then + if [[ "$SHOW_UPCOMING_CHANGES" == "true" ]]; then echo "show_upcoming_changes=true" >> $GITHUB_OUTPUT else echo "show_upcoming_changes=false" >> $GITHUB_OUTPUT @@ -49,13 +52,13 @@ jobs: echo "site_tld=org" >> $GITHUB_OUTPUT echo "tgt_env_short=prd" >> $GITHUB_OUTPUT echo "tgt_env_long=production" >> $GITHUB_OUTPUT - echo "api_log_lvl=${{ inputs.api_log_lvl || 'info' }}" >> $GITHUB_OUTPUT + echo "api_log_lvl=$API_LOG_LVL" >> $GITHUB_OUTPUT ;; *) echo "site_tld=dev" >> $GITHUB_OUTPUT echo "tgt_env_short=stg" >> $GITHUB_OUTPUT echo "tgt_env_long=staging" >> $GITHUB_OUTPUT - echo "api_log_lvl=${{ inputs.api_log_lvl || 'info' }}" >> $GITHUB_OUTPUT + echo "api_log_lvl=$API_LOG_LVL" >> $GITHUB_OUTPUT ;; esac 
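Review bot: The redirect target in the setup script is still an unquoted `$GITHUB_OUTPUT` on every output line of this hunk (e.g. `echo "show_upcoming_changes=true" >> $GITHUB_OUTPUT`), which is inconsistent with the commit's move toward quoted shell variables; write it as `>> "$GITHUB_OUTPUT"` throughout. The same applies to the identical setup step in the deploy-client.yml hunk. Moving `github.ref_name` and `inputs.show_upcoming_changes` into `env:` is the right shape for this step; the `env:` block could carry a one-line comment such as `# expression values go through env, never inline into run:, so branch names and inputs cannot alter the shell` so the next author keeps the pattern. The run script continues past the end of the hunk (the closing `fi` and the `case` block are outside it).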
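Review bot: `API_LOG_LVL` is written verbatim into the outputs file on both `echo "api_log_lvl=$API_LOG_LVL" >> $GITHUB_OUTPUT` lines, and although the env-var indirection removes the shell-injection path, the value is still caller-supplied: `$GITHUB_OUTPUT` is parsed as one `key=value` per line, so a value containing a newline would add further output keys, and any unexpected level is forwarded to the deploy as-is. A small allowlist before the `case` on the branch would close both, e.g. `case "$API_LOG_LVL" in info|<other accepted levels>) ;; *) echo "unsupported api_log_lvl: $API_LOG_LVL" >&2; exit 1 ;; esac`. The declaration of `inputs.api_log_lvl` is outside this hunk, so whether it is already constrained (for instance a `choice` type on the dispatch trigger) cannot be confirmed here; for the `workflow_call` path such a constraint would not apply anyway.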
@@ -67,7 +70,9 @@ jobs: site_tld: ${{ needs.setup-jobs.outputs.site_tld }} app: api show_upcoming_changes: ${{ needs.setup-jobs.outputs.show_upcoming_changes }} - secrets: inherit + secrets: + DIGITALOCEAN_ACCESS_TOKEN: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }} + DOCR_NAME: ${{ secrets.DOCR_NAME }} deploy: name: Deploy to Docker Swarm -- ${{ needs.setup-jobs.outputs.tgt_env_short }} diff --git a/.github/workflows/deploy-client.yml b/.github/workflows/deploy-client.yml index f5f927e454f..b617186e313 100644 --- a/.github/workflows/deploy-client.yml +++ b/.github/workflows/deploy-client.yml @@ -41,12 +41,14 @@ jobs: steps: - name: Setup id: setup + env: + BRANCH: ${{ github.ref_name }} + SHOW_UPCOMING_CHANGES: ${{ inputs.show_upcoming_changes }} run: | - BRANCH="${{ github.ref_name }}" echo "Current branch: $BRANCH" # Convert boolean input to string 'true' or 'false' - if [[ "${{ inputs.show_upcoming_changes }}" == "true" ]]; then + if [[ "$SHOW_UPCOMING_CHANGES" == "true" ]]; then echo "show_upcoming_changes=true" >> $GITHUB_OUTPUT else echo "show_upcoming_changes=false" >> $GITHUB_OUTPUT diff --git a/.github/workflows/docker-docr.yml b/.github/workflows/docker-docr.yml index a305ed09689..c655fe983f4 100644 --- a/.github/workflows/docker-docr.yml +++ b/.github/workflows/docker-docr.yml @@ -36,6 +36,13 @@ on: type: string description: 'Input: Show upcoming changes flag (true/false)' default: 'false' + secrets: + DIGITALOCEAN_ACCESS_TOKEN: + required: true + description: 'DigitalOcean API token for registry authentication' + DOCR_NAME: + required: true + description: 'DigitalOcean Container Registry name' outputs: tagname: description: 'Output: The tagname for the image built'
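Review bot: The replacement of `secrets: inherit` with the two explicit entries carries no explanation, and a future contributor adding a secret to docker-docr.yml is likely to reach for `inherit` again; a comment above `secrets:` such as `# Pass only the secrets docker-docr.yml declares; 'inherit' would expose every repository and organization secret to the reusable workflow` records the intent. The two names match the `required: true` declarations added to docker-docr.yml in this commit, so the caller and callee agree. Whether the `deploy` job that starts at the end of this hunk still uses `secrets: inherit` is outside the visible lines and worth checking in the same pass.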
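Review bot: The two new secret descriptions in docker-docr.yml do not follow the prefix convention the surrounding declarations use (`description: 'Input: Show upcoming changes flag (true/false)'`, `description: 'Output: The tagname for the image built'`); for consistency write `description: 'Secret: DigitalOcean API token for registry authentication'` and `description: 'Secret: DigitalOcean Container Registry name'`. The hunk header shows only `on:`, so which trigger the `secrets:` block is nested under is not visible; it is only honoured beneath `workflow_call`, and if the file also has a `workflow_dispatch` trigger that path still reads the repository's own secrets directly.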