ci: Only give build-steps the secrets it needs

lgritz · lgritz · commit 37b9360301bc · 2024-12-27T21:34:05.000-08:00
Signed-off-by: Larry Gritz &lt;lg@larrygritz.com&gt;
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -51,8 +51,10 @@ jobs:
     # account credentials.
     if: github.repository == 'AcademySoftwareFoundation/OpenImageIO'
     uses: ./.github/workflows/build-steps.yml
-    # Must let the called steps workflow inherit our secrets
-    secrets: inherit
+    # Must let the called steps workflow inherit necessary secrets
+    secrets:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
     with:
       nametag: ${{ matrix.nametag || 'unnamed!' }}
       runner: ${{ matrix.runner || 'ubuntu-latest' }}
diff --git a/.github/workflows/build-steps.yml b/.github/workflows/build-steps.yml
@@ -64,6 +64,11 @@ on:
         type: string
       nametag:
         type: string
+    secrets:
+        GITHUB_TOKEN:
+          required: true
+        SONAR_TOKEN:
+          required: true
 
 permissions: read-all
 
