fix: Update GitHub Actions workflows to use read-only credentials for package access

Author: AmanRiat1

.github/workflows/release.yml

@@ -53,8 +53,8 @@ jobs:
           jwtGithubAudience: https://github.com/${{ github.repository_owner }}
           exportToken: true
           secrets:
-            secret/data/tools/githubactions RE_BOT_PACKAGES_READ_WRITE_CLASSIC_USER | GITHUB_USER ;
-            secret/data/tools/githubactions RE_BOT_PACKAGES_READ_WRITE_CLASSIC_TOKEN | GITHUB_TOKEN ;
+            secret/data/tools/githubactions RE_BOT_PACKAGES_READ_ONLY_CLASSIC_USER | PACKAGES_READ_USER ;
+            secret/data/tools/githubactions RE_BOT_PACKAGES_READ_ONLY_CLASSIC_TOKEN | PACKAGES_READ_TOKEN ;
             secret/data/tools/githubactions MAVEN_GPG_KEY_PASSPHRASE | MAVEN_GPG_KEY_PASSPHRASE ;
             secret/data/tools/githubactions MAVEN_GPG_KEY | MAVEN_GPG_KEY ;
             secret/data/tools/githubactions MAVEN_USERNAME | MAVEN_USERNAME ;
@@ -91,7 +91,7 @@ jobs:
 
       - name: Pre-Release Check - Version
         env:
-          GITHUB_TOKEN: ${{ steps.secrets.outputs.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           gh api --method GET /repos/${{github.repository}}/releases -f sort=updated -f direction=asc > releases.json
           release_version_exists=$(jq -r --arg RELEASE_VERSION ${{ inputs.release_version }} '.[].name|select(.|test($RELEASE_VERSION))'  releases.json)
@@ -128,13 +128,17 @@ jobs:
 
       - name: Deploy Artifacts (GH Packages)
         env:
-          GITHUB_TOKEN: ${{ steps.secrets.outputs.GITHUB_TOKEN }}
+          PACKAGES_READ_USER: ${{ steps.secrets.outputs.PACKAGES_READ_USER }}
+          PACKAGES_READ_TOKEN: ${{ steps.secrets.outputs.PACKAGES_READ_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: >-
           mvn deploy -B -DreleaseTarget=github  -s maven/settings.xml $SKIP_FLAGS_ALL_TESTS
 
       - name: Deploy Artifacts (Maven Central)
         env:
-          GITHUB_TOKEN: ${{ steps.secrets.outputs.GITHUB_TOKEN }}
+          PACKAGES_READ_USER: ${{ steps.secrets.outputs.PACKAGES_READ_USER }}
+          PACKAGES_READ_TOKEN: ${{ steps.secrets.outputs.PACKAGES_READ_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: >-
           mvn deploy -B -DreleaseTarget=central -s maven/settings.xml $SKIP_FLAGS_ALL_TESTS
 

.github/workflows/test-release-auth.yml

@@ -26,8 +26,8 @@ jobs:
           jwtGithubAudience: https://github.com/${{ github.repository_owner }}
           exportToken: true
           secrets: |
-            secret/data/tools/githubactions RE_BOT_PACKAGES_READ_WRITE_CLASSIC_USER | GITHUB_USER ;
-            secret/data/tools/githubactions RE_BOT_PACKAGES_READ_WRITE_CLASSIC_TOKEN | GITHUB_TOKEN
+            secret/data/tools/githubactions RE_BOT_PACKAGES_READ_ONLY_CLASSIC_USER | PACKAGES_READ_USER ;
+            secret/data/tools/githubactions RE_BOT_PACKAGES_READ_ONLY_CLASSIC_TOKEN | PACKAGES_READ_TOKEN
 
       - name: Warn of Vault Login Failure
         if: steps.secrets.outcome != 'success'
@@ -42,13 +42,15 @@ jobs:
 
       - name: Test Dependency Resolution
         env:
-          GITHUB_TOKEN: ${{ steps.secrets.outputs.GITHUB_TOKEN }}
+          PACKAGES_READ_USER: ${{ steps.secrets.outputs.PACKAGES_READ_USER }}
+          PACKAGES_READ_TOKEN: ${{ steps.secrets.outputs.PACKAGES_READ_TOKEN }}
         run: |
-          echo "Testing if we can download dependencies from SolaceDev..."
+          echo "Testing if we can download dependencies from SolaceDev using read-only token..."
           mvn dependency:resolve -B -s maven/settings.xml
 
       - name: Test Build (Verify - No Deploy)
         env:
-          GITHUB_TOKEN: ${{ steps.secrets.outputs.GITHUB_TOKEN }}
+          PACKAGES_READ_USER: ${{ steps.secrets.outputs.PACKAGES_READ_USER }}
+          PACKAGES_READ_TOKEN: ${{ steps.secrets.outputs.PACKAGES_READ_TOKEN }}
         run: >-
           mvn verify -B -s maven/settings.xml -Dcheckstyle.skip -Dpmd.skip -Dcpd.skip -Dfindbugs.skip -Dspotbugs.skip -DskipTests=true

maven/settings.xml

@@ -36,8 +36,8 @@
 	<servers>
 		<server>
 			<id>github-solacedev</id>
-			<username>${env.GITHUB_USER}</username>
-			<password>${env.GITHUB_TOKEN}</password>
+			<username>${env.PACKAGES_READ_USER}</username>
+			<password>${env.PACKAGES_READ_TOKEN}</password>
 		</server>
 		<server>
 			<id>github</id>