fix(pipeline): resolve secret inheritance issues in GA

Signed-off-by: Ramiz Polic <[email protected]>

Author: ramizpolic

.github/workflows/ci.yaml

@@ -116,6 +116,7 @@ jobs:
     with:
       image_repo: ghcr.io/agntcy
       image_tag: ${{ github.sha }}
+    secrets: inherit
 
   test:
     name: Test
@@ -125,6 +126,7 @@ jobs:
     with:
       image_repo: ghcr.io/agntcy
       image_tag: ${{ github.sha }}
+    secrets: inherit
 
   release:
     name: Release
@@ -135,6 +137,7 @@ jobs:
     with:
       image_repo: ghcr.io/agntcy
       release_tag: ${{ github.ref_name }}
+    secrets: inherit
 
   integration:
     name: Run integration tests

.github/workflows/lint-pr-title.yaml

@@ -2,6 +2,10 @@ name: Lint and comment PR Title
 
 on:
   workflow_call:
+    secrets:
+      GITHUB_TOKEN:
+        description: "GitHub token for PR operations"
+        required: true
 
 permissions:
   contents: read

.github/workflows/pr.yaml

@@ -19,6 +19,7 @@ jobs:
   validate_pr_title:
     name: Validate PR Title
     uses: ./.github/workflows/lint-pr-title.yaml
+    secrets: inherit
 
   label:
     name: Label

.github/workflows/reusable-brew-update.yaml

@@ -3,9 +3,8 @@
 
 name: Brew formula update
 
-description: |
-  This workflow automatize the brew formula file update process with replacing the version number to the latest,
-  recalculate all hash for the binaries and create a new PR with the changes.
+# This workflow automatize the brew formula file update process with replacing the version number to the latest,
+# recalculate all hash for the binaries and create a new PR with the changes.
 
 on:
   workflow_call:
@@ -18,6 +17,10 @@ on:
         type: boolean
         default: false
         description: Run even if there are no changes.
+    secrets:
+      GITHUB_TOKEN:
+        description: "GitHub token for repository operations and PR creation"
+        required: true
   workflow_dispatch:
     inputs:
       create-pr:

.github/workflows/reusable-build.yaml

@@ -19,6 +19,10 @@ on:
         type: boolean
         default: false
         description: "Whether to push the image to the registry."
+    secrets:
+      GITHUB_TOKEN:
+        description: "GitHub token for accessing the container registry"
+        required: true
 
 jobs:
   prepare:

.github/workflows/reusable-release-sdk.yaml

@@ -28,6 +28,13 @@ on:
         type: boolean
         description: "Make a python SDK release."
         default: false
+    secrets:
+      PYPI_API_TOKEN:
+        description: "PyPI API token for publishing Python SDK"
+        required: false
+      NPMJS_TOKEN:
+        description: "NPM.js token for publishing JavaScript SDK" 
+        required: false
 
 permissions:
   contents: read
@@ -37,8 +44,6 @@ jobs:
     name: Python
     if: ${{ inputs.python-release == true || inputs.python-release == 'true' }}
     runs-on: ubuntu-latest
-    env:
-      UV_PUBLISH_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -59,15 +64,15 @@ jobs:
           task sdk:build:python
 
       - name: Publish the Python SDK
+        env:
+          UV_PUBLISH_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
         run: |
           task sdk:release:python
 
   javascript:
     name: JavaScript
     if: ${{ inputs.javascript-release == true || inputs.javascript-release == 'true' }}
     runs-on: ubuntu-latest
-    env:
-      NODE_AUTH_TOKEN: ${{ secrets.NPMJS_TOKEN }}
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -96,5 +101,7 @@ jobs:
           task sdk:build:javascript
 
       - name: Publish the Javascript SDK
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPMJS_TOKEN }}
         run: |
           task sdk:release:javascript

.github/workflows/reusable-release.yaml

@@ -14,6 +14,16 @@ on:
         required: true
         type: string
         description: "Release tag for all components."
+    secrets:
+      GITHUB_TOKEN:
+        description: "GitHub token for repository operations and releases"
+        required: true
+      PYPI_API_TOKEN:
+        description: "PyPI API token for publishing Python SDK"
+        required: false
+      NPMJS_TOKEN:
+        description: "NPM.js token for publishing JavaScript SDK"
+        required: false
 
 jobs:
   image:
@@ -23,6 +33,7 @@ jobs:
       image_repo: ${{ inputs.image_repo }}
       image_tag: ${{ inputs.release_tag }}
       push: true
+    secrets: inherit
 
   chart:
     name: Helm chart
@@ -104,6 +115,7 @@ jobs:
     with:
       javascript-release: true
       python-release: true
+    secrets: inherit
 
   release:
     name: Release
@@ -176,3 +188,4 @@ jobs:
     with:
       create-pr: true
       run-without-diff: false
+    secrets: inherit

.github/workflows/reusable-test-e2e.yaml

@@ -14,6 +14,10 @@ on:
         required: true
         type: string
         description: 'Image tag to use.'
+    secrets:
+      GITHUB_TOKEN:
+        description: "GitHub token for accessing the container registry"
+        required: true
 
 jobs:
   e2e:

.github/workflows/reusable-test-sdk.yaml

@@ -14,6 +14,10 @@ on:
         required: true
         type: string
         description: 'Image tag to use.'
+    secrets:
+      GITHUB_TOKEN:
+        description: "GitHub token for accessing the container registry"
+        required: true
 
 permissions:
   id-token: write

.github/workflows/reusable-test-spire.yaml

@@ -14,6 +14,10 @@ on:
         required: true
         type: string
         description: 'Image tag to use.'
+    secrets:
+      GITHUB_TOKEN:
+        description: "GitHub token for accessing the container registry"
+        required: true
 
 permissions:
   id-token: write