improv(ci): removed the secret inheritance and replaced with the needed secrets (#4364)

sdangol · web-flow · commit 402f4ce16ef8 · 2025-08-22T13:36:26.000+02:00
diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
@@ -91,7 +91,10 @@ jobs:
   # publish_layer -> reusable_deploy_layer_stack -> reusable_update_layer_arn_docs
   publish_layer:
     needs: publish-npm
-    secrets: inherit
+    secrets:
+      AWS_LAYERS_BETA_ROLE_ARN: ${{ secrets.AWS_LAYERS_BETA_ROLE_ARN }}
+      AWS_LAYERS_PROD_ROLE_ARN: ${{ secrets.AWS_LAYERS_PROD_ROLE_ARN }}
+      TOKEN_GITHUB: ${{ secrets.GITHUB_TOKEN }}
     permissions:
       id-token: write
       contents: write
diff --git a/.github/workflows/on_doc_merge.yml b/.github/workflows/on_doc_merge.yml
@@ -16,7 +16,9 @@ jobs:
     permissions:
       id-token: write  # trade JWT token for AWS credentials in AWS Docs account
       contents: read  # read from this repo to publish docs
-    secrets: inherit
+    secrets:
+      AWS_DOCS_ROLE_ARN: ${{ secrets.AWS_DOCS_ROLE_ARN }}
+      AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
     uses: ./.github/workflows/reusable_publish_docs.yml
     with:
       version: main
diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml
@@ -13,6 +13,13 @@ on:
         required: true
 
   workflow_call:
+    secrets:
+      AWS_LAYERS_BETA_ROLE_ARN:
+        description: "Role ARN for deploying the Layer to Beta"
+      AWS_LAYERS_PROD_ROLE_ARN:
+        description: "Role ARN for deploying the Layer to Prod"
+      TOKEN_GITHUB:
+        description: "GitHub Token to interact with GitHub"
     inputs:
       latest_published_version:
         type: string
@@ -117,4 +124,4 @@ jobs:
         with: 
           temp_branch_prefix: 'ci-layer-docs'
           pull_request_title: 'chore(ci): update layer ARN on documentation'
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ secrets.TOKEN_GITHUB }}
diff --git a/.github/workflows/rebuild_latest_docs.yml b/.github/workflows/rebuild_latest_docs.yml
@@ -30,7 +30,9 @@ jobs:
     permissions:
       id-token: write  # trade JWT token for AWS credentials in AWS Docs account
       contents: read  # read from this repo to publish docs
-    secrets: inherit
+    secrets:
+      AWS_DOCS_ROLE_ARN: ${{ secrets.AWS_DOCS_ROLE_ARN }}
+      AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
     uses: ./.github/workflows/reusable_publish_docs.yml
     with:
       version: ${{ inputs.latest_published_version }}
