ci: different strategy to use environment secrets

Author: rjaegers

.github/workflows/continuous-integration.yml

@@ -32,10 +32,16 @@ jobs:
   build-push-flavors:
     name: Build → Push → Test (🍨 ${{ matrix.flavor }})
     needs: build-push-base
+    environment: acceptance-testing
     strategy:
       matrix:
         flavor: [cpp, rust]
     uses: ./.github/workflows/wc-build-push-test.yml
+    secrets:
+      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
     permissions:
       actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
       attestations: write # is needed by actions/attest-build-provenance to push attestations

.github/workflows/release-build.yml

@@ -31,6 +31,7 @@ jobs:
   build-push-flavors:
     name: Build → Push → Test (🍨 ${{ matrix.flavor }})
     needs: build-push-base
+    environment: acceptance-testing
     strategy:
       matrix:
         flavor: [cpp, rust]

.github/workflows/wc-acceptance-test.yml

@@ -13,6 +13,15 @@ on:
       acceptance-test-path:
         required: true
         type: string
+    secrets:
+      TEST_GITHUB_TOKEN:
+        required: true
+      TEST_GITHUB_USER:
+        required: true
+      TEST_GITHUB_PASSWORD:
+        required: true
+      TEST_GITHUB_TOTP_SECRET:
+        required: true
 
 concurrency:
   group: ${{ github.workflow }}
@@ -25,7 +34,6 @@ jobs:
   test:
     name: Acceptance Test
     runs-on: ubuntu-latest
-    environment: acceptance-testing
     steps:
       - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:

.github/workflows/wc-build-push-test.yml

@@ -93,6 +93,14 @@ on:
       DOCKER_REGISTRY_USERNAME:
         description: User name for Docker login, if not provided the GitHub actor will be used
         required: false
+      TEST_GITHUB_PASSWORD:
+        required: false
+      TEST_GITHUB_TOKEN:
+        required: false
+      TEST_GITHUB_TOTP_SECRET:
+        required: false
+      TEST_GITHUB_USER:
+        required: false
 
 permissions: {}
 
@@ -145,6 +153,11 @@ jobs:
     uses: ./.github/workflows/wc-acceptance-test.yml
     permissions:
       contents: read
+    secrets:
+      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
     with:
       image-basename: ${{ needs.build-push.outputs.image-basename }}
       devcontainer-file: ${{ inputs.test-devcontainer-file }}