Conversation

@fredbi (Member) commented Dec 11, 2025

Change type

Please select: 🆕 New feature or enhancement | 🔧 Bug fix | 📃 Documentation update

Short description

Fixes

Full description

Checklist

  • I have signed all my commits with my name and email (see DCO; this does not require a PGP-signed commit).
  • I have rebased and squashed my work, so only one commit remains
  • I have added tests to cover my changes.
  • I have properly enriched go doc comments in code.
  • I have properly documented any breaking change.

codecov bot commented Dec 11, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (5be3035) to head (43e4515).
⚠️ Report is 3 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff            @@
##            master       #43   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            2         2           
  Lines            8         8           
=========================================
  Hits             8         8           


@fredbi fredbi marked this pull request as draft December 11, 2025 20:08
@fredbi (Member, Author) commented Dec 11, 2025

This remains in draft status because we see obvious security recommendations not to use secrets this way.

Copilot AI left a comment

Pull request overview

This PR enhances the reusability of GitHub Actions workflows by allowing other organizations to use them without hardcoding secret names. The changes make the workflows configurable through inputs, with sensible defaults for the current organization.

  • Adds configurable input parameters for secret names (app ID, private keys, GPG keys, passphrases, fingerprints)
  • Introduces feature flags to enable/disable commit signing, tag signing, and organization bot auto-merge
  • Replaces hardcoded secret references with dynamic lookups using the new input parameters

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.

File / Description:
  • .github/workflows/contributors.yml: Adds inputs for configurable secret names and a commit signing flag; updates secret references to use dynamic lookups
  • .github/workflows/bump-release.yml: Adds inputs for tag signing configuration and GPG-related secret names; updates secret references and adds conditional tag signing logic
  • .github/workflows/auto-merge.yml: Adds inputs to configure the organization bot name and enable/disable auto-merge functionality


@fredbi fredbi force-pushed the feat/allow-other-orgs branch from 3cff92d to 5d8b74f on December 12, 2025 10:03
Problem statement
=================
When using workflows such as:
  * contributors
  * bump-release
  * auto-merge

the retrieval of secrets for commit or tag PGP-signature and
token switch with a github app is currently specific to go-openapi.

Proposed solution
=================
The names of the secrets (not the secrets themselves) can be injected
via optional input parameters into these shared workflows.

To avoid excessive secret exposure in workflows, usage of the injected secrets
is handed over to a dedicated action, that configures GPG (for signing
secrets) or switches token (for github app token exchange).

Signed-off-by: Frederic BIDON <fredbi@yahoo.com>
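The pattern the commit message and the Copilot overview describe, as an added illustration that is not the go-openapi workflow file itself: a reusable workflow whose secret names (not the secrets) are optional inputs with defaults for the current organization, consumed only by dedicated actions. Input names, defaults and the action references are assumptions of this example.

```yaml
# Added example, not the go-openapi workflow itself: a reusable workflow whose
# secret *names* are inputs. Input names, defaults and action references
# are assumptions; the caller must still pass the secrets (`secrets: inherit`).
name: contributors (reusable)

on:
  workflow_call:
    inputs:
      app-id-secret-name:
        type: string
        default: APP_ID             # assumed default for the current org
      app-private-key-secret-name:
        type: string
        default: APP_PRIVATE_KEY    # assumed default
      sign-commits:                 # feature flag for GPG commit signing
        type: boolean
        default: true
      gpg-private-key-secret-name:
        type: string
        default: GPG_PRIVATE_KEY    # assumed default
      gpg-passphrase-secret-name:
        type: string
        default: GPG_PASSPHRASE     # assumed default

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      # Before: ${{ secrets.APP_ID }} hardcodes one organization's secret name.
      # After: the secret is selected by the name given as input. Passing the
      # value straight to an action's `with:` keeps it out of shell steps,
      # where it could leak through logs or process arguments.
      - name: Exchange for a GitHub App installation token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets[inputs.app-id-secret-name] }}
          private-key: ${{ secrets[inputs.app-private-key-secret-name] }}

      - name: Configure GPG for commit signing
        if: ${{ inputs.sign-commits }}
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets[inputs.gpg-private-key-secret-name] }}
          passphrase: ${{ secrets[inputs.gpg-passphrase-secret-name] }}
          git_user_signingkey: true
          git_commit_gpgsign: true
```

A caller in another organization invokes it with `uses: <org>/<repo>/.github/workflows/contributors.yml@<ref>`, `secrets: inherit`, and overrides such as `with: { app-id-secret-name: MY_APP_ID }`. Note that `secrets: inherit` makes every caller secret readable by the reusable workflow, which is why the commit message confines secret usage to dedicated actions rather than spreading `${{ secrets[...] }}` across steps.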
@fredbi fredbi force-pushed the feat/allow-other-orgs branch from 5d8b74f to 43e4515 on December 12, 2025 16:37
@fredbi fredbi marked this pull request as ready for review December 12, 2025 16:45
@fredbi fredbi merged commit caaed65 into go-openapi:master Dec 12, 2025
19 checks passed
@fredbi fredbi deleted the feat/allow-other-orgs branch December 12, 2025 16:45