fix: resolve composite actions secrets access errors

schamane · schamane · commit a1f5d2279aa4 · 2025-11-11T23:58:27.000+01:00
- Remove direct secrets.GITHUB_TOKEN and secrets.NPM_TOKEN references from composite action defaults
- Pass secrets explicitly as required parameters from workflow level
- Fix docker-build-setup, create-release, and publish-npm actions
- Update ci.yml to pass secrets to all composite action calls
diff --git a/.github/actions/create-release/action.yml b/.github/actions/create-release/action.yml
@@ -15,8 +15,7 @@ inputs:
     default: 'false'
   token:
     description: 'GitHub token'
-    required: false
-    default: ${{ secrets.GITHUB_TOKEN }}
+    required: true
 runs:
   using: 'composite'
   steps:
diff --git a/.github/actions/docker-build-setup/action.yml b/.github/actions/docker-build-setup/action.yml
@@ -47,8 +47,7 @@ inputs:
     default: ${{ github.actor }}
   password:
     description: 'Registry password'
-    required: false
-    default: ${{ secrets.GITHUB_TOKEN }}
+    required: true
   login-enabled:
     description: 'Enable registry login'
     required: false
diff --git a/.github/actions/publish-npm/action.yml b/.github/actions/publish-npm/action.yml
@@ -11,8 +11,7 @@ inputs:
     default: 'https://registry.npmjs.org'
   token:
     description: 'NPM auth token'
-    required: false
-    default: ${{ secrets.NPM_TOKEN }}
+    required: true
   publish-command:
     description: 'Publish command to run'
     required: false
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -35,6 +35,7 @@ jobs:
           cache-to: type=local,dest=/tmp/.buildx-cache,mode=max
           platforms: linux/amd64
           is-pr: ${{ github.event_name == 'pull_request' }}
+          password: ${{ secrets.GITHUB_TOKEN }}
           
       - name: Run containerized tests
         run: |
@@ -156,6 +157,7 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
           login-enabled: false
+          password: ${{ secrets.GITHUB_TOKEN }}
           
       - name: Build native binaries
         uses: ./.github/actions/build-native-binaries
@@ -186,6 +188,7 @@ jobs:
           tags: security-scan:latest
           cache-from: type=gha
           login-enabled: false
+          password: ${{ secrets.GITHUB_TOKEN }}
           
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
@@ -225,13 +228,15 @@ jobs:
           platforms: linux/amd64,linux/arm64
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          password: ${{ secrets.GITHUB_TOKEN }}
           
       - name: Create GitHub Release
         uses: ./.github/actions/create-release
         with:
           generate-notes: true
           draft: false
           prerelease: false
+          token: ${{ secrets.GITHUB_TOKEN }}
 
   # NPM publish job (only on tags)
   publish:
@@ -247,4 +252,6 @@ jobs:
         uses: actions/checkout@v4
         
       - name: Publish to NPM
-        uses: ./.github/actions/publish-npm
+        uses: ./.github/actions/publish-npm
+        with:
+          token: ${{ secrets.NPM_TOKEN }}
