From 7614329c20c2572fe499c87d3881bcd60d9fcb42 Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Wed, 27 May 2026 11:04:49 -0400
Subject: [PATCH] chore(ci): use explicit secrets where possible

---
 .github/workflows/build.yaml | 22 +++++++++++--------
 .github/workflows/pr.yaml | 4 ----
 .github/workflows/test.yaml | 4 ----
 .../trigger-breaking-change-alert.yaml | 5 ++---
 4 files changed, 15 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index e1215fb924..54b39135f6 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,5 +1,4 @@
 name: build
-
 on:
 push:
 branches:
@@ -27,13 +26,10 @@ on:
 description: "build_type: one of [branch, nightly, pull-request]"
 type: string
 default: nightly
-
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
 cancel-in-progress: true
-
 permissions: {}
-
 jobs:
 cpp-build:
 permissions:
@@ -77,7 +73,9 @@ jobs:
 id-token: write
 packages: read
 pull-requests: read
- secrets: inherit # zizmor: ignore[secrets-inherit]
+ secrets:
+ CONDA_RAPIDSAI_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_NIGHTLY_TOKEN }}
+ CONDA_RAPIDSAI_TOKEN: ${{ secrets.CONDA_RAPIDSAI_TOKEN }}
 uses: rapidsai/shared-workflows/.github/workflows/conda-upload-packages.yaml@main
 with:
 build_type: ${{ inputs.build_type || 'branch' }}
@@ -132,7 +130,9 @@ jobs:
 id-token: write
 packages: read
 pull-requests: read
- secrets: inherit # zizmor: ignore[secrets-inherit]
+ secrets:
+ CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN }}
+ RAPIDSAI_PYPI_TOKEN: ${{ secrets.RAPIDSAI_PYPI_TOKEN }}
 uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main
 with:
 build_type: ${{ inputs.build_type || 'branch' }}
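Review bot: The new explicit `secrets:` mapping in the -77 hunk forwards `CONDA_RAPIDSAI_NIGHTLY_TOKEN` and `CONDA_RAPIDSAI_TOKEN` to a callee referenced as `conda-upload-packages.yaml@main`, so the set of secrets is now explicit but the code receiving them is still whatever that mutable branch resolves to at run time; pinning the `uses:` ref to a tag or commit SHA would complete the hardening this commit starts. The same applies to the wheels-publish callers in the -132 hunk here and the -170/-209 hunks below, which forward `CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN` and `RAPIDSAI_PYPI_TOKEN`. A short comment above each mapping, e.g. `# Pass only the secrets the callee declares; do not revert to inherit`, would keep the next editor from re-adding `secrets: inherit`. The enclosing job definitions start outside these hunks.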
@@ -170,7 +170,9 @@ jobs:
 id-token: write
 packages: read
 pull-requests: read
- secrets: inherit # zizmor: ignore[secrets-inherit]
+ secrets:
+ CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN }}
+ RAPIDSAI_PYPI_TOKEN: ${{ secrets.RAPIDSAI_PYPI_TOKEN }}
 uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main
 with:
 build_type: ${{ inputs.build_type || 'branch' }}
@@ -209,7 +211,9 @@ jobs:
 id-token: write
 packages: read
 pull-requests: read
- secrets: inherit # zizmor: ignore[secrets-inherit]
+ secrets:
+ CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN }}
+ RAPIDSAI_PYPI_TOKEN: ${{ secrets.RAPIDSAI_PYPI_TOKEN }}
 uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main
 with:
 build_type: ${{ inputs.build_type || 'branch' }}
@@ -221,7 +225,7 @@ jobs:
 publish-wheel-search-key: raft_dask_wheel_python_abi3
 devcontainers:
 name: Build devcontainers
- secrets: inherit # zizmor: ignore[secrets-inherit]
+ secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: rapidsai/shared-workflows/.github/workflows/build-devcontainers.yaml@main
 permissions:
 packages: write
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 816f110823..e61e244315 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -32,7 +32,6 @@ jobs:
 id-token: write
 packages: read
 pull-requests: read
- secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: rapidsai/shared-workflows/.github/workflows/pr-builder.yaml@main
 if: always()
 with:
@@ -76,7 +75,6 @@ jobs:
 id-token: write
 packages: read
 pull-requests: read
- secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: rapidsai/shared-workflows/.github/workflows/changed-files.yaml@main
 with:
 files_yaml: |
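Review bot: Dropping `secrets: inherit` outright from the pr-builder and changed-files callers in the pr.yaml -32 and -76 hunks (and from the checks, conda-cpp-post-build-checks and test.yaml callers on the next line) is only safe if none of those reusable workflows declares a `secrets:` input; a declared required secret that is not provided fails at workflow validation rather than silently, so it would surface on the first run after merge, but confirming against the callee definitions before merge is cheaper. Since the commit message says "where possible", a one-line comment on the first such caller, `# no secrets block: the callee declares none`, would record that this was checked rather than overlooked. The devcontainers job in the -221 hunk is the one caller that keeps `inherit` with the zizmor suppression; a comment naming which secrets the devcontainer build actually needs would be the counterpart, since the suppression alone does not say why it is exempt. Each of these job definitions starts outside its hunk.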
@@ -189,7 +187,6 @@ jobs:
 id-token: write
 packages: read
 pull-requests: read
- secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: rapidsai/shared-workflows/.github/workflows/checks.yaml@main
 with:
 enable_check_generated_files: false
@@ -230,7 +227,6 @@ jobs:
 id-token: write
 packages: read
 pull-requests: read
- secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: rapidsai/shared-workflows/.github/workflows/conda-cpp-post-build-checks.yaml@main
 with:
 build_type: pull-request
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 11be568379..145610ad85 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -1,5 +1,4 @@
 name: test
-
 on:
 workflow_dispatch:
 inputs:
@@ -21,9 +20,7 @@ on:
 description: "build_type: one of [branch, nightly, pull-request]"
 type: string
 default: nightly
-
 permissions: {}
-
 jobs:
 conda-cpp-checks:
 permissions:
@@ -32,7 +29,6 @@ jobs:
 id-token: write
 packages: read
 pull-requests: read
- secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: rapidsai/shared-workflows/.github/workflows/conda-cpp-post-build-checks.yaml@main
 with:
 build_type: ${{ inputs.build_type }}
diff --git a/.github/workflows/trigger-breaking-change-alert.yaml b/.github/workflows/trigger-breaking-change-alert.yaml
index 8e5564816e..cf1b352f91 100644
--- a/.github/workflows/trigger-breaking-change-alert.yaml
+++ b/.github/workflows/trigger-breaking-change-alert.yaml
@@ -1,5 +1,4 @@
 name: Trigger Breaking Change Notifications
-
 # `zizmor` always flags these triggers because they are easy to use
 # incorrectly. These usages are ok and don't execute any PR-specific
 # code (and so aren't susceptible to exploits from forked PRs)
@@ -10,7 +9,6 @@ on: # zizmor: ignore[dangerous-triggers]
 - reopened
 - labeled
 - unlabeled
-
 jobs:
 trigger-notifier:
 if: contains(github.event.pull_request.labels.*.name, 'breaking')
@@ -20,7 +18,8 @@ jobs:
 id-token: write
 packages: read
 pull-requests: read
- secrets: inherit # zizmor: ignore[secrets-inherit]
+ secrets:
+ NV_SLACK_BREAKING_CHANGE_ALERT: ${{ secrets.NV_SLACK_BREAKING_CHANGE_ALERT }}
 uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main
 with:
 sender_login: ${{ github.event.sender.login }}
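Review bot: The explicit `NV_SLACK_BREAKING_CHANGE_ALERT` mapping is the most important one in this patch, because the file-level comment in the earlier hunk says this workflow runs on triggers zizmor flags as dangerous, yet nothing next to the mapping records that it must stay explicit. A comment above `secrets:` such as `# Privileged trigger: forward only the Slack alert secret, never inherit` would make that intent survive future edits. The callee is still `breaking-change-alert.yaml@main`, a mutable ref, so the forwarded secret goes to whatever that branch resolves to at run time; pinning it to a tag or commit SHA is the natural follow-up given the trigger. The job definition, including its label-gated `if:`, starts outside the hunk.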