Improve verify workflow's handling of secrets

wilkinsona · wilkinsona · commit b48cf9b5a81d · 2024-04-18T12:06:31.000+01:00
diff --git a/.github/workflows/build-and-deploy-snapshot.yml b/.github/workflows/build-and-deploy-snapshot.yml
@@ -48,6 +48,10 @@ jobs:
     name: Verify
     needs: build-and-deploy-snapshot
     uses: ./.github/workflows/verify.yml
-    secrets: inherit
+    secrets:
+      google-chat-webhook-url: ${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }}
+      repository-password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+      repository-username: ${{ secrets.ARTIFACTORY_USERNAME }}
+      token: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
     with:
       version: ${{ needs.build-and-deploy-snapshot.outputs.version }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -41,8 +41,10 @@ jobs:
       staging: true
       version: ${{ needs.build-and-stage-release.outputs.version }}
     secrets:
-      repository-username: ${{ secrets.ARTIFACTORY_USERNAME }}
+      google-chat-webhook-url: ${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }}
       repository-password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+      repository-username: ${{ secrets.ARTIFACTORY_USERNAME }}
+      token: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
   sync-to-maven-central:
     name: Sync to Maven Central
     needs:
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -14,22 +14,26 @@ on:
         required: false
       repository-password:
         required: false
+      google-chat-webhook-url:
+        required: true
+      token:
+        required: true
 jobs:
   verify:
     name: Verify
     runs-on: ubuntu-latest
     steps:
-      - name: Check Out Release Verification Tests
-        uses: actions/checkout@v4
-        with:
-          repository: spring-projects/spring-boot-release-verification
-          ref: 'v0.0.2'
-          token: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
       - name: Check Out Send Notification Action
         uses: actions/checkout@v4
         with:
           path: spring-boot
           sparse-checkout: .github/actions/send-notification
+      - name: Check Out Release Verification Tests
+        uses: actions/checkout@v4
+        with:
+          repository: spring-projects/spring-boot-release-verification
+          ref: 'v0.0.2'
+          token: ${{ secrets.token }}
       - name: Set Up Java
         uses: actions/setup-java@v4
         with:
@@ -64,6 +68,6 @@ jobs:
         uses: ./spring-boot/.github/actions/send-notification
         if: always()
         with:
-          webhook-url: ${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }}
+          webhook-url: ${{ secrets.google-chat-webhook-url }}
           status: ${{ job.status }}
           run-name: ${{ format('{0} | Verification | {1}', github.ref_name, inputs.version) }}
