You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
refactor: remove secrets contract from called workflows, add validation step
Called workflows now access secrets via their environment declaration
instead of requiring the caller to pass them. Each called workflow
includes a 'Validate Required Secrets' step that fails fast with a
clear error if any secret is missing from the environment.
This eliminates the need for repo-level secret duplication.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copy file name to clipboardExpand all lines: .github/skills/integration-test-prerequisites/SKILL.md
+4-22Lines changed: 4 additions & 22 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -21,7 +21,7 @@ These workflows expect:
21
21
- GitHub environment `integration-test` (shared by all integration workflows)
22
22
- Azure identity with enough permissions to deploy resources and create role assignments in test resource groups
23
23
24
-
The `release-tests.yml` orchestrator calls `ci.yml` (no Azure prereqs), then `integration-test.yml` and `integration-redact-secrets.yml` (both use the `integration-test` environment). Secrets are passed through from the orchestrator's repo-level secrets to the called workflows' environment.
24
+
The `release-tests.yml` orchestrator calls `ci.yml` (no Azure prereqs), then `integration-test.yml` and `integration-redact-secrets.yml`. The called workflows access secrets directly from the `integration-test` environment — no secret pass-through from the orchestrator is needed.
@@ -146,29 +146,11 @@ gh secret set APIM_PUBLISHER_EMAIL \
146
146
--body "${APIM_PUBLISHER_EMAIL}"
147
147
```
148
148
149
-
### 6) Set Repo-Level Secrets (for release-tests orchestrator)
149
+
### 6) Verify Called Workflows Can Access Environment Secrets
150
150
151
-
The `release-tests.yml` orchestrator passes secrets to called workflows via explicit `secrets:` mapping. Since the orchestrator itself does not declare an `environment:`, it reads from **repo-level** secrets. Set the same values at the repo level:
151
+
The `release-tests.yml` orchestrator does **not** pass secrets to called workflows. Instead, the called workflows (`integration-test.yml`, `integration-redact-secrets.yml`) access secrets directly via their `environment: integration-test` declaration. Each called workflow includes a "Validate Required Secrets" step that fails fast with a clear error if any secret is missing.
152
152
153
-
```bash
154
-
gh secret set AZURE_CLIENT_ID \
155
-
--repo "${GITHUB_OWNER}/${GITHUB_REPO}" \
156
-
--body "${IDENTITY_CLIENT_ID}"
157
-
158
-
gh secret set AZURE_TENANT_ID \
159
-
--repo "${GITHUB_OWNER}/${GITHUB_REPO}" \
160
-
--body "${TENANT_ID}"
161
-
162
-
gh secret set AZURE_SUBSCRIPTION_ID \
163
-
--repo "${GITHUB_OWNER}/${GITHUB_REPO}" \
164
-
--body "${SUBSCRIPTION_ID}"
165
-
166
-
gh secret set APIM_PUBLISHER_EMAIL \
167
-
--repo "${GITHUB_OWNER}/${GITHUB_REPO}" \
168
-
--body "${APIM_PUBLISHER_EMAIL}"
169
-
```
170
-
171
-
> **Note:** If you only have environment-level secrets without matching repo-level secrets, the `release-tests.yml` workflow will fail because `${{ secrets.* }}` in the orchestrator resolves from repo scope. The called workflows still use the `integration-test` environment for OIDC token issuance.
153
+
No repo-level secrets are required — all secrets are scoped to the `integration-test` environment.
0 commit comments