From 1900f43203455cae673143e6bd603b301d081274 Mon Sep 17 00:00:00 2001
From: Erik Uggeldahl
Date: Fri, 22 Nov 2024 12:12:27 -0800
Subject: [PATCH] fix: Move secrets to inputs

Composite actions can't access secrets, so we pass them as inputs.
---
 .github/actions/deploy/action.yml | 36 +++++++++++++++++++------
 .github/actions/prepare/action.yml | 19 ++++++++++---
 .github/actions/version-bump/action.yml | 9 ++++---
 .github/workflows/re-release.yml | 12 +++++++++
 4 files changed, 61 insertions(+), 15 deletions(-)

diff --git a/.github/actions/deploy/action.yml b/.github/actions/deploy/action.yml
index 3f79e3c5..1e1fdf95 100644
--- a/.github/actions/deploy/action.yml
+++ b/.github/actions/deploy/action.yml
@@ -3,6 +3,26 @@
 name: Deploy
 description: Deploy the Android library artifacts to Maven Central
 
+inputs:
+ OSSRH-username:
+ description: "The OSS Repository Hosting username"
+ required: true
+ OSSRH-password:
+ description: "The OSS Repository Hosting password"
+ required: true
+ UAT-OSSRH-username:
+ description: "The UAT OSS Repository Hosting username"
+ required: true
+ UAT-OSSRH-password:
+ description: "The UAT OSS Repository Hosting password"
+ required: true
+ signing-secret-key-ring-file:
+ description: "The path to the secret key ring file"
+ required: true
+ Sonatype-staging-profile-id:
+ description: "The Sonatype staging profile ID"
+ required: true
+
 runs:
 using: "composite"
 steps:
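Review bot: `required: true` on the six new inputs will not stop a caller from omitting one — in my experience the runner does not enforce `required` for composite actions, and an input that is not passed simply expands to an empty string, so the Gradle publish step below would run with blank credentials rather than fail early. Since every one of these inputs is a credential or a path to one, add a fail-fast step at the top of `steps:` that rejects empty values instead of relying on the declaration. The inputs should reach the shell through `env:` rather than being interpolated straight into `run:`; the check below is written that way.
```yaml
    - name: Check required inputs
      shell: bash
      env:
        OSSRH_USERNAME: ${{ inputs.OSSRH-username }}
        OSSRH_PASSWORD: ${{ inputs.OSSRH-password }}
        UAT_OSSRH_USERNAME: ${{ inputs.UAT-OSSRH-username }}
        UAT_OSSRH_PASSWORD: ${{ inputs.UAT-OSSRH-password }}
        SIGNING_SECRET_KEY_RING_FILE: ${{ inputs.signing-secret-key-ring-file }}
        SONATYPE_STAGING_PROFILE_ID: ${{ inputs.Sonatype-staging-profile-id }}
      run: |
        for v in OSSRH_USERNAME OSSRH_PASSWORD UAT_OSSRH_USERNAME UAT_OSSRH_PASSWORD SIGNING_SECRET_KEY_RING_FILE SONATYPE_STAGING_PROFILE_ID; do
          [ -n "${!v}" ] || { echo "::error::deploy action: input for $v is empty"; exit 1; }
        done
    # … unchanged: publish step …
```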
@@ -10,13 +30,13 @@ runs:
 shell: bash
 run: ./gradlew publishAllPublicationsToSonatypeRepository --max-workers 1 closeAndReleaseSonatypeStagingRepository
 env:
- UAT_OSSRH_USERNAME: ${{ secrets.UAT_OSSRH_USERNAME }}
- UAT_OSSRH_PASSWORD: ${{ secrets.UAT_OSSRH_PASSWORD }}
+ UAT_OSSRH_USERNAME: ${{ inputs.UAT-OSSRH-username }}
+ UAT_OSSRH_PASSWORD: ${{ inputs.UAT-OSSRH-password }}
 # TODO: remove these after UAT is confirmed working
- OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
- OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+ OSSRH_USERNAME: ${{ inputs.OSSRH-username }}
+ OSSRH_PASSWORD: ${{ inputs.OSSRH-password }}
 # ====
- SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
- SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
- SIGNING_SECRET_KEY_RING_FILE: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }}
- SONATYPE_STAGING_PROFILE_ID: ${{ secrets.SONATYPE_STAGING_PROFILE_ID }}
+ SIGNING_KEY_ID: ${{ inputs.SIGNING_KEY_ID }}
+ SIGNING_PASSWORD: ${{ inputs.SIGNING_PASSWORD }}
+ SIGNING_SECRET_KEY_RING_FILE: ${{ inputs.signing-secret-key-ring-file }}
+ SONATYPE_STAGING_PROFILE_ID: ${{ inputs.Sonatype-staging-profile-id }}
diff --git a/.github/actions/prepare/action.yml b/.github/actions/prepare/action.yml
index caacabe2..24f44dd7 100644
--- a/.github/actions/prepare/action.yml
+++ b/.github/actions/prepare/action.yml
@@ -11,6 +11,17 @@
 name: Prepare
 description: Prepare the Android environment for the build
 
+inputs:
+ actions-role:
+ description: "The role to assume for AWS actions"
+ required: true
+ GPG-key-contents:
+ description: "The GPG key contents"
+ required: true
+ signing-secret-key-ring-file:
+ description: "The path to the secret key ring file"
+ required: true
+
 runs:
 using: "composite"
 steps:
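Review bot: `SIGNING_KEY_ID: ${{ inputs.SIGNING_KEY_ID }}` and `SIGNING_PASSWORD: ${{ inputs.SIGNING_PASSWORD }}` reference inputs this action never declares — the new `inputs:` block earlier in the file ends at `Sonatype-staging-profile-id`, and the Deploy step in re-release.yml passes neither — so both env vars will be empty at publish time and, depending on how the Gradle signing config reads them, the artifacts go out unsigned or the publish fails. Declare `signing-key-id` and `signing-password` under `inputs:`, reference them here as `SIGNING_KEY_ID: ${{ inputs.signing-key-id }}` and `SIGNING_PASSWORD: ${{ inputs.signing-password }}`, and pass `secrets.SIGNING_KEY_ID` / `secrets.SIGNING_PASSWORD` in the Deploy step's `with:` block of re-release.yml. The two neighbouring lines already use the kebab-case input names, so the uppercase references look like the ones a search-and-replace missed.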
@@ -18,9 +29,9 @@ runs:
 uses: aws-actions/configure-aws-credentials@v2
 with:
 aws-region: us-west-2
- role-to-assume: ${{ secrets.ACTIONS_ROLE }}
+ role-to-assume: ${{ inputs.actions-role }}
 
- - name: Update Java
+ - name: Install Java
 uses: actions/setup-java@v4
 with:
 distribution: "zulu"
@@ -62,8 +73,8 @@ runs:
 - name: Prepare environment
 shell: bash
 env:
- GPG_KEY_CONTENTS: ${{ secrets.GPG_KEY_CONTENTS }}
- SIGNING_SECRET_KEY_RING_FILE: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }}
+ GPG_KEY_CONTENTS: ${{ inputs.GPG-key-contents }}
+ SIGNING_SECRET_KEY_RING_FILE: ${{ inputs.signing-secret-key-ring-file }}
 run: |
 git fetch --unshallow
 sudo bash -c "echo '$GPG_KEY_CONTENTS' | base64 -d > '$SIGNING_SECRET_KEY_RING_FILE'"
diff --git a/.github/actions/version-bump/action.yml b/.github/actions/version-bump/action.yml
index cab32388..c21546b3 100644
--- a/.github/actions/version-bump/action.yml
+++ b/.github/actions/version-bump/action.yml
@@ -17,6 +17,9 @@ inputs:
 description: "Minor"
 type: boolean
 default: false
+ Rive-repo-PAT:
+ description: "The GitHub Personal Access Token for the Rive repository"
+ required: true
 
 runs:
 using: "composite"
@@ -37,18 +40,18 @@ runs:
 run: npm run release -- major --ci
 working-directory: ./.github/scripts/release
 env:
- GITHUB_TOKEN: ${{ secrets.RIVE_REPO_PAT }}
+ GITHUB_TOKEN: ${{ inputs.Rive-repo-PAT }}
 - if: ${{inputs.major == false && inputs.minor == true}}
 name: Minor release - Bump version number, update changelog, push and tag
 shell: bash
 run: npm run release -- minor --ci
 working-directory: ./.github/scripts/release
 env:
- GITHUB_TOKEN: ${{ secrets.RIVE_REPO_PAT }}
+ GITHUB_TOKEN: ${{ inputs.Rive-repo-PAT }}
 - if: ${{inputs.major == false && inputs.minor == false}}
 name: Build release - Bump version number, update changelog, push and tag
 shell: bash
 run: npm run release -- --ci
 working-directory: ./.github/scripts/release
 env:
- GITHUB_TOKEN: ${{ secrets.RIVE_REPO_PAT }}
+ GITHUB_TOKEN: ${{ inputs.Rive-repo-PAT }}
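Review bot: The key material that now arrives via `GPG_KEY_CONTENTS` is still spliced into the command line of `sudo bash -c "echo '$GPG_KEY_CONTENTS' | base64 -d > '$SIGNING_SECRET_KEY_RING_FILE'"` — the outer shell expands the variable inside the double quotes, so the base64 private key becomes an argv element of both sudo and the inner bash, visible in the process table and, on a stock Ubuntu runner, written to sudo's command log. Feed it through stdin instead: `printf '%s' "$GPG_KEY_CONTENTS" | base64 -d | sudo tee "$SIGNING_SECRET_KEY_RING_FILE" >/dev/null` followed by `sudo chmod 600 "$SIGNING_SECRET_KEY_RING_FILE"`. Whether sudo is needed at all depends on where `SIGNING_SECRET_KEY_RING_FILE` points, which is not visible here; if it is under the workspace or `$HOME`, drop sudo and write the file directly.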
diff --git a/.github/workflows/re-release.yml b/.github/workflows/re-release.yml
index 5a148c09..2e2ed848 100644
--- a/.github/workflows/re-release.yml
+++ b/.github/workflows/re-release.yml
@@ -4,6 +4,7 @@
 # Note: We may want to consider GitHub Reusable Workflows instead of Composite Actions in the future.
 # See https://docs.github.com/en/actions/sharing-automations/avoiding-duplication for the differences.
 # Notably the logging visibility may improve by switching.
+# Reusable workflows can also view secrets rather than requiring them as inputs.
 
 name: Re-Release
 
@@ -25,7 +26,18 @@ jobs:
 token: ${{ secrets.PAT_GITHUB }}
 - name: Prepare
 uses: ./.github/actions/prepare
+ with:
+ actions-role: ${{ secrets.ACTIONS_ROLE }}
+ GPG-key-contents: ${{ secrets.GPG_KEY_CONTENTS }}
+ signing-secret-key-ring-file: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }}
 - name: Build
 uses: ./.github/actions/build
 - name: Deploy
 uses: ./.github/actions/deploy
+ with:
+ OSSRH-username: ${{ secrets.OSSRH_USERNAME }}
+ OSSRH-password: ${{ secrets.OSSRH_PASSWORD }}
+ UAT-OSSRH-username: ${{ secrets.UAT_OSSRH_USERNAME }}
+ UAT-OSSRH-password: ${{ secrets.UAT_OSSRH_PASSWORD }}
+ signing-secret-key-ring-file: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }}
+ Sonatype-staging-profile-id: ${{ secrets.SONATYPE_STAGING_PROFILE_ID }}
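Review bot: The added comment `# Reusable workflows can also view secrets rather than requiring them as inputs.` overstates what a reusable workflow gets — a called workflow does not see the caller's secrets by default; the caller has to hand them over with `secrets: inherit` or an explicit `secrets:` map, and the callee has to declare them under `workflow_call`. Suggest rewording to `# Reusable workflows can be handed the caller's secrets with secrets: inherit (or an explicit secrets: map) instead of plumbing each one through with:.` so whoever picks up the migration does not expect free access and budgets for the declaration work.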