From fb6bb4bb70f44a6e70464b9f45d7d1d557cc67a9 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Fri, 20 Jun 2025 19:45:27 +0000
Subject: [PATCH 1/3] ci: fix release build job permissions

The release build jobs need 'contents: write' permissions to be able to update the release.
---
 .github/workflows/release-build.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index 75d15d2e..3f627976 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -28,6 +28,8 @@ jobs:
     pull-requests: write
   apply-release-notes-template:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
         with:
@@ -46,7 +48,9 @@ jobs:
       matrix:
         flavor: [cpp, rust]
     runs-on: ubuntu-latest
-    needs: build-push-test
+    permissions:
+      contents: write
+    needs: [build-push-test, apply-release-notes-template]
     env:
       REGISTRY: ghcr.io
     steps:

From daf43f3b1926ff49ea1f24322a58945dab9ed8d3 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Fri, 20 Jun 2025 19:55:07 +0000
Subject: [PATCH 2/3] ci: get rid of all 'secrets: inherit'

While convenient it does not follow the rule of minimal privileges
---
 .github/workflows/continuous-integration.yml | 6 +++++-
 .github/workflows/release-build.yml | 6 +++++-
 .github/workflows/wc-build-push-test.yml | 8 +++++---
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 5f9f7f84..24e4c6d6 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
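Review bot: `contents: write` on apply-release-notes-template, and again on the matrix job in the second hunk, is the broadest repository write scope the GITHUB_TOKEN can get here (branches and tags as well as releases), yet nothing next to the grant says why it is needed; the reason from the commit message belongs on the line itself, `permissions:` / `  contents: write  # needed to update the GitHub release`, in both hunks. The workflow's top-level `permissions: {}` (visible as context in the next patch) is kept, so the grant stays job-scoped, which is the right shape. The steps of the matrix job in the second hunk lie outside the hunk, so I cannot confirm from here that every action running with this write-capable token is pinned to a commit SHA the way harden-runner is in the first hunk; that is worth checking, since any step in the job can use the token.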
@@ -16,7 +16,11 @@ permissions: {}
 jobs:
   build-push-test:
     uses: ./.github/workflows/wc-build-push-test.yml
-    secrets: inherit
+    secrets:
+      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
     permissions:
       actions: read
       attestations: write
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index 3f627976..1ff06a32 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -17,7 +17,11 @@ permissions: {}
 jobs:
   build-push-test:
     uses: ./.github/workflows/wc-build-push-test.yml
-    secrets: inherit
+    secrets:
+      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
     permissions:
       actions: read
       attestations: write
diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml
index b13e56ad..a8aec6fa 100644
--- a/.github/workflows/wc-build-push-test.yml
+++ b/.github/workflows/wc-build-push-test.yml
@@ -13,7 +13,6 @@ jobs:
       matrix:
         flavor: [cpp, rust]
     uses: ./.github/workflows/wc-build-push.yml
-    secrets: inherit
     permissions:
       actions: read
       attestations: write
@@ -50,7 +49,6 @@ jobs:
         runner: ["ubuntu-latest", "ubuntu-24.04-arm"]
       needs: build-push
       uses: ./.github/workflows/wc-integration-test.yml
-      secrets: inherit
       with:
         flavor: ${{ matrix.flavor }}
         runner: ${{ matrix.runner }}
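Review bot: The four secrets are forwarded explicitly to wc-build-push-test.yml here, but that workflow only declares them in patch 3/3 of this series; I believe GitHub rejects a call that passes a secret the called workflow does not define, so this commit on its own likely leaves continuous-integration.yml, and release-build.yml in the next hunk (same change), failing until 3/3 lands — squashing 2/3 and 3/3, or reordering them, avoids the broken intermediate state. A one-line comment above `secrets:` would also keep the intent from regressing the next time someone adds a secret: `# Forward only the secrets the acceptance test needs; do not reintroduce 'secrets: inherit'`. The job's `permissions:` block continues outside the hunk.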
@@ -61,7 +59,11 @@ jobs:
         flavor: [cpp]
       needs: build-push
       uses: ./.github/workflows/wc-acceptance-test.yml
-      secrets: inherit
+      secrets:
+        TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+        TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+        TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+        TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
       with:
         flavor: ${{ matrix.flavor }}

From 7c10b636bebd4e63c30d8f5cf7a94fbb70eebe28 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Fri, 20 Jun 2025 20:04:36 +0000
Subject: [PATCH 3/3] ci: specify secrets in reusable workflows

---
 .github/workflows/wc-acceptance-test.yml | 9 +++++++++
 .github/workflows/wc-build-push-test.yml | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml
index 4907e221..8c5125f3 100644
--- a/.github/workflows/wc-acceptance-test.yml
+++ b/.github/workflows/wc-acceptance-test.yml
@@ -7,6 +7,15 @@ on:
       flavor:
         required: true
         type: string
+    secrets:
+      TEST_GITHUB_TOKEN:
+        required: true
+      TEST_GITHUB_USER:
+        required: true
+      TEST_GITHUB_PASSWORD:
+        required: true
+      TEST_GITHUB_TOTP_SECRET:
+        required: true
 concurrency:
   group: ${{ github.workflow }}
diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml
index d715fca0..ea6c9ab5 100644
--- a/.github/workflows/wc-build-push-test.yml
+++ b/.github/workflows/wc-build-push-test.yml
@@ -8,6 +8,15 @@ on:
         required: false
         type: boolean
         default: true
+    secrets:
+      TEST_GITHUB_TOKEN:
+        required: true
+      TEST_GITHUB_USER:
+        required: true
+      TEST_GITHUB_PASSWORD:
+        required: true
+      TEST_GITHUB_TOTP_SECRET:
+        required: true
 permissions:
   contents: read
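Review bot: The new `secrets:` declarations in wc-acceptance-test.yml, and the identical block added to wc-build-push-test.yml in the following hunk, say nothing about what each credential is or which steps consume it; `on.workflow_call.secrets.<id>` accepts a `description:` field, so each entry should carry one, e.g. `TEST_GITHUB_TOKEN:` / `  description: <what this token is used for and by which step>` / `  required: true`. In wc-build-push-test.yml the descriptions can state that the secrets are only forwarded to the wc-acceptance-test.yml call, which also documents that build-push and integration-test intentionally receive no secrets after the earlier patch in this series removed their `secrets: inherit`. The `workflow_call` block continues outside both hunks.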