From da1201609dcaf9994f460cbfcbf6a7ada2fd4359 Mon Sep 17 00:00:00 2001
From: Swopnil Dangol
Date: Thu, 21 Aug 2025 10:26:32 +0100
Subject: [PATCH 1/4] Removed the secret inheritance and replaced with the needed secrets
---
 .github/workflows/make-release.yml | 5 ++++-
 .github/workflows/on_doc_merge.yml | 4 +++-
 .github/workflows/publish_layer.yml | 7 +++++++
 .github/workflows/rebuild_latest_docs.yml | 4 +++-
 4 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index be173d78f1..8d0b3fffc4 100644
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -91,7 +91,10 @@ jobs:
 # publish_layer -> reusable_deploy_layer_stack -> reusable_update_layer_arn_docs
 publish_layer:
 needs: publish-npm
- secrets: inherit
+ secrets:
+ AWS_LAYERS_BETA_ROLE_ARN: ${{ secrets.AWS_LAYERS_BETA_ROLE_ARN }}
+ AWS_LAYERS_PROD_ROLE_ARN: ${{ secrets.AWS_LAYERS_PROD_ROLE_ARN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 permissions:
 id-token: write
 contents: write
diff --git a/.github/workflows/on_doc_merge.yml b/.github/workflows/on_doc_merge.yml
index c977e64624..0dc75fc226 100644
--- a/.github/workflows/on_doc_merge.yml
+++ b/.github/workflows/on_doc_merge.yml
@@ -16,7 +16,9 @@ jobs:
 permissions:
 id-token: write # trade JWT token for AWS credentials in AWS Docs account
 contents: read # read from this repo to publish docs
- secrets: inherit
+ secrets:
+ AWS_DOCS_ROLE_ARN: ${{ secrets.AWS_DOCS_ROLE_ARN }}
+ AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
 uses: ./.github/workflows/reusable_publish_docs.yml
 with:
 version: main
diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml
index 5187e16f72..45ce402892 100644
--- a/.github/workflows/publish_layer.yml
+++ b/.github/workflows/publish_layer.yml
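Review bot: The caller now passes exactly AWS_DOCS_ROLE_ARN and AWS_DOCS_BUCKET to reusable_publish_docs.yml, and that call only validates if the called workflow declares both under `on.workflow_call.secrets`; this series does not touch that file, so presumably the declarations already exist. If they do, marking them `required: true` there would make a missing secret fail at workflow validation instead of surfacing as an empty role ARN when the credentials step runs. The rebuild_latest_docs.yml hunk in this patch passes the same pair and has the same dependency. The job these lines belong to starts above the hunk.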
@@ -13,6 +13,13 @@ on:
 required: true
 
 workflow_call:
+ secrets:
+ AWS_LAYERS_BETA_ROLE_ARN:
+ description: "Role ARN for deploying the Layer to Beta"
+ AWS_LAYERS_PROD_ROLE_ARN:
+ description: "Role ARN for deploying the Layer to Prod"
+ GITHUB_TOKEN:
+ description: "Github Token to interact with Github"
 inputs:
 latest_published_version:
 type: string
diff --git a/.github/workflows/rebuild_latest_docs.yml b/.github/workflows/rebuild_latest_docs.yml
index 717e6b0af2..bb4f8996e2 100644
--- a/.github/workflows/rebuild_latest_docs.yml
+++ b/.github/workflows/rebuild_latest_docs.yml
@@ -30,7 +30,9 @@ jobs:
 permissions:
 id-token: write # trade JWT token for AWS credentials in AWS Docs account
 contents: read # read from this repo to publish docs
- secrets: inherit
+ secrets:
+ AWS_DOCS_ROLE_ARN: ${{ secrets.AWS_DOCS_ROLE_ARN }}
+ AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
 uses: ./.github/workflows/reusable_publish_docs.yml
 with:
 version: ${{ inputs.latest_published_version }}
From 7fdfedf5d617ad459100c081580f7754616614cc Mon Sep 17 00:00:00 2001
From: Swopnil Dangol
Date: Thu, 21 Aug 2025 16:30:07 +0100
Subject: [PATCH 2/4] Removed passing GITHUB_TOKEN as it would be available by default in the workflow
---
 .github/workflows/make-release.yml | 1 -
 .github/workflows/publish_layer.yml | 2 --
 2 files changed, 3 deletions(-)
diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index 8d0b3fffc4..322bfec313 100644
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -94,7 +94,6 @@ jobs:
 secrets:
 AWS_LAYERS_BETA_ROLE_ARN: ${{ secrets.AWS_LAYERS_BETA_ROLE_ARN }}
 AWS_LAYERS_PROD_ROLE_ARN: ${{ secrets.AWS_LAYERS_PROD_ROLE_ARN }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 permissions:
 id-token: write
 contents: write
diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml
index 45ce402892..ad81c7fae2 100644
--- a/.github/workflows/publish_layer.yml
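Review bot: None of the three secrets added under `workflow_call.secrets` carries `required: true`, so a caller that forgets one still passes validation and the deploy jobs run with an empty role ARN rather than failing before anything executes. Add it to each declaration, e.g. `AWS_LAYERS_BETA_ROLE_ARN:` / `  description: "Role ARN for deploying the Layer to Beta"` / `  required: true`, and likewise for the PROD ARN and the token. The TOKEN and TOKEN_GITHUB declarations added in patches 3 and 4 of this series have the same gap. The `on:` block continues on both sides of the hunk.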
+++ b/.github/workflows/publish_layer.yml
@@ -18,8 +18,6 @@ on:
 description: "Role ARN for deploying the Layer to Beta"
 AWS_LAYERS_PROD_ROLE_ARN:
 description: "Role ARN for deploying the Layer to Prod"
- GITHUB_TOKEN:
- description: "Github Token to interact with Github"
 inputs:
 latest_published_version:
 type: string
From 2fb1d5ebd6c7d55ce9f232b5b9599c405cef7301 Mon Sep 17 00:00:00 2001
From: Swopnil Dangol
Date: Fri, 22 Aug 2025 09:51:18 +0100
Subject: [PATCH 3/4] Restored the Github token secret but using a different secret name
---
 .github/workflows/make-release.yml | 1 +
 .github/workflows/publish_layer.yml | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index 322bfec313..a25a5bd4f8 100644
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -94,6 +94,7 @@ jobs:
 secrets:
 AWS_LAYERS_BETA_ROLE_ARN: ${{ secrets.AWS_LAYERS_BETA_ROLE_ARN }}
 AWS_LAYERS_PROD_ROLE_ARN: ${{ secrets.AWS_LAYERS_PROD_ROLE_ARN }}
+ TOKEN: ${{ secrets.GITHUB_TOKEN }}
 permissions:
 id-token: write
 contents: write
diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml
index ad81c7fae2..6ba9124f13 100644
--- a/.github/workflows/publish_layer.yml
+++ b/.github/workflows/publish_layer.yml
@@ -18,6 +18,8 @@ on:
 description: "Role ARN for deploying the Layer to Beta"
 AWS_LAYERS_PROD_ROLE_ARN:
 description: "Role ARN for deploying the Layer to Prod"
+ TOKEN:
+ description: "GitHub Token to interact with GitHub"
 inputs:
 latest_published_version:
 type: string
@@ -122,4 +124,4 @@ jobs:
 with:
 temp_branch_prefix: 'ci-layer-docs'
 pull_request_title: 'chore(ci): update layer ARN on documentation'
- github_token: ${{ secrets.GITHUB_TOKEN }}
+ github_token: ${{ secrets.TOKEN }}
From 40342ffa2057ab2ac624ad643e215dd3ce3b5cfd Mon Sep 17 00:00:00 2001
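Review bot: `description: "GitHub Token to interact with GitHub"` says nothing about what the secret is used for or what the caller is expected to supply; the second hunk of this patch shows it feeding the `github_token` input of the job that also takes `temp_branch_prefix` and `pull_request_title`, and make-release.yml passes `secrets.GITHUB_TOKEN` into it. A description along the lines of `description: "Token forwarded as github_token to the layer-ARN docs update job; callers pass their GITHUB_TOKEN"` would tell a future caller which token, and therefore which permissions, this workflow expects. The `on:` block continues outside the hunk.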
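Review bot: `github_token: ${{ secrets.TOKEN }}` only resolves when publish_layer.yml is entered through `workflow_call` with that secret supplied; the `on:` block shown in patch 1 also has a trigger with its own `required: true` inputs (presumably `workflow_dispatch`), and on that path `secrets.TOKEN` is undefined unless a repository secret of that name exists, so the docs-update step would receive an empty token where the removed line used the always-available `secrets.GITHUB_TOKEN`. A fallback keeps both entry points working: `github_token: ${{ secrets.TOKEN || secrets.GITHUB_TOKEN }}`. Patch 4 renames the secret and needs the same treatment (`secrets.TOKEN_GITHUB || secrets.GITHUB_TOKEN`). The enclosing job starts above the hunk.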
From: Swopnil Dangol
Date: Fri, 22 Aug 2025 10:00:05 +0100
Subject: [PATCH 4/4] Renamed the TOKEN secret to TOKEN_GITHUB
---
 .github/workflows/make-release.yml | 2 +-
 .github/workflows/publish_layer.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index a25a5bd4f8..eecc6b793f 100644
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -94,7 +94,7 @@ jobs:
 secrets:
 AWS_LAYERS_BETA_ROLE_ARN: ${{ secrets.AWS_LAYERS_BETA_ROLE_ARN }}
 AWS_LAYERS_PROD_ROLE_ARN: ${{ secrets.AWS_LAYERS_PROD_ROLE_ARN }}
- TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ TOKEN_GITHUB: ${{ secrets.GITHUB_TOKEN }}
 permissions:
 id-token: write
 contents: write
diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml
index 6ba9124f13..1f0934809e 100644
--- a/.github/workflows/publish_layer.yml
+++ b/.github/workflows/publish_layer.yml
@@ -18,7 +18,7 @@ on:
 description: "Role ARN for deploying the Layer to Beta"
 AWS_LAYERS_PROD_ROLE_ARN:
 description: "Role ARN for deploying the Layer to Prod"
- TOKEN:
+ TOKEN_GITHUB:
 description: "GitHub Token to interact with GitHub"
 inputs:
 latest_published_version:
@@ -124,4 +124,4 @@ jobs:
 with:
 temp_branch_prefix: 'ci-layer-docs'
 pull_request_title: 'chore(ci): update layer ARN on documentation'
- github_token: ${{ secrets.TOKEN }}
+ github_token: ${{ secrets.TOKEN_GITHUB }}