pathogen-repo-build: remove hard-coded secrets

Allow callers to just pass secrets via `secrets: inherit` so that we don't have to maintain a list of allowed secrets. The only required/predefined secrets for setting up the aws-batch runtime are added to the input description. All other secrets for builds can have arbitrary names and can be passed to the build runtime via the `--env` option.
nextstrain · Jul 12, 2023 · b79ec64 · b79ec64
1 parent 0654078
commit b79ec64
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 23 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -59,11 +59,7 @@ jobs:
       artifact-name: build-output-${{ matrix.runtime }}
       env: |
         BOGUS_ENVVAR: BOGUS_ENVVAR
-    secrets:
-      AWS_ACCESS_KEY_ID: BOGUS_ACCESS_KEY_ID
-      AWS_SECRET_ACCESS_KEY: BOGUS_SECRET_ACCESS_KEY
-      GITHUB_PAT: BOGUS_GITHUB_TOKEN
-      SLACK_TOKEN: BOGUS_SLACK_TOKEN
+    secrets: inherit
 
   lint:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/pathogen-repo-build.yaml b/.github/workflows/pathogen-repo-build.yaml
@@ -28,6 +28,14 @@ on:
           Nextstrain runtime under which to run the build.
           Currently only supports docker, conda, and aws-batch.
           Defaults to "docker".
+
+          The aws-batch runtime requires the secrets:
+
+          - AWS_ACCESS_KEY_ID
+          - AWS_SECRET_ACCESS_KEY
+
+          They must be defined in the repo's Actions secrets and passed to this
+          workflow with `secrets: inherit`.
         type: string
         default: docker
         required: false
@@ -48,7 +56,8 @@ on:
           consider using the `--detach` flag for the aws-batch runtime.
 
           All environment variables provided via the env input and all secrets
-          provided can be passed to the build runtime via the `--env` option.
+          provided via `secrets: inherit` can be passed to the build runtime
+          via the `--env` option.
         type: string
         default: nextstrain build .
         required: false
@@ -128,23 +137,6 @@ on:
         type: string
         required: false
 
-    secrets:
-      AWS_ACCESS_KEY_ID:
-        description: AWS access key ID, required for aws-batch runtime only
-        required: false
-
-      AWS_SECRET_ACCESS_KEY:
-        description: AWS secret access key, required for aws-batch runtime only
-        required: false
-
-      GITHUB_PAT:
-        description: GitHub personal access token, required for additional permissions such as dispatching cross repo workflows
-        required: false
-
-      SLACK_TOKEN:
-        description: Slack Bot User OAuth Token, required for Slack notifications only
-        required: false
-
 env:
   NEXTSTRAIN_GITHUB_DIR: .git/nextstrain/.github
   ENV_DIR: env.d