ci: pass secrets explicitly to reusable workflow

Using `secrets: inherit` forwards all secrets to the workflow and makes it harder to determine which secrets the workflow was actually executed with. See: https://docs.zizmor.sh/audits/#secrets-inherit Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2026-02-05 06:45:31 +01:00 · 2025-12-01 07:50:53 -05:00
parent 64ddbfea12
commit b9736e8d11
1 changed files with 2 additions and 1 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -389,6 +389,7 @@ jobs:
      contents: write # to push to a branch
      pull-requests: write # to read and create PRs
    if: needs.check.outputs.buildonly == 'false'
-    secrets: inherit
+    secrets:
+      PODMANBOT_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
    with:
      version: ${{ needs.check.outputs.version }}