feat(workflows)!: add required environment input to enforce environment-scoped secrets #60
Draft
kryota-dev wants to merge 6 commits into main from
Conversation
…ment-scoped secrets
Add `environment` input (required, string) to all Reusable Workflows
that access `secrets.*`, and apply `environment: ${{ inputs.environment }}`
to every secret-using job.
This addresses the zizmor `secrets-outside-env` audit (v1.23.0) by
ensuring secrets are only accessible to jobs with GitHub Environment
protection rules.
Affected workflows:
- deploy-web-hosting.yml (deploy job)
- tagpr-release.yml (tagpr + bump_major_tag jobs)
- undeploy-web-hosting.yml (delete job)
BREAKING CHANGE: Callers must create a GitHub Environment and pass the
`environment` input. Omitting it will cause a workflow call error.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update internal callers to pass `environment: release` to tagpr-release.yml, matching the new required input.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add `environment` to Usage, Inputs table, Examples, and Prerequisites sections in all affected workflow docs (both English and Japanese).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
This PR introduces a breaking change to the repo’s reusable GitHub Actions workflows to require a GitHub Environment name, aiming to ensure secret access is scoped to GitHub Environments (addressing zizmor’s secrets-outside-env audit).
Changes:
- Add a required `environment` input to multiple reusable workflows and apply `environment: ${{ inputs.environment }}` to secret-using jobs.
- Update internal wrapper workflows to pass `environment: release` into the reusable release workflow.
- Update EN/JA workflow documentation and the changelog to describe the new required input and prerequisites.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 11 comments.
Summary per file
| File | Description |
|---|---|
| CHANGELOG.md | Documents the breaking change and caller migration requirement. |
| .github/workflows/deploy-web-hosting.yml | Adds required environment input and sets job environment for secret access. |
| .github/workflows/undeploy-web-hosting.yml | Adds required environment input and sets job environment for secret access. |
| .github/workflows/tagpr-release.yml | Adds required environment input and sets job environment(s) for secret access. |
| .github/workflows/my-release.yml | Passes environment: release into the reusable workflow. |
| .github/workflows/my-update-release-pr.yml | Passes environment: release into the reusable workflow. |
| .github/workflows/docs/deploy-web-hosting.md | Updates docs/examples with the new environment input. |
| .github/workflows/docs/deploy-web-hosting.ja.md | Same as above (JA). |
| .github/workflows/docs/undeploy-web-hosting.md | Updates docs/examples with the new environment input. |
| .github/workflows/docs/undeploy-web-hosting.ja.md | Same as above (JA). |
| .github/workflows/docs/tagpr-release.md | Updates docs/examples with the new environment input and prerequisites. |
| .github/workflows/docs/tagpr-release.ja.md | Same as above (JA). |
…t-direct secret access
- Remove workflow_call.secrets sections from all Reusable Workflows
- Change secret references from kebab-case to UPPER_SNAKE_CASE
- Remove secrets: blocks from callers (secrets accessed via environment)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Replace Secrets section with Environment Secrets section
- Remove secrets: blocks from Usage/Examples
- Update secret names to UPPER_SNAKE_CASE in Behavior/Prerequisites
- Add breaking change entry to CHANGELOG
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
af0ff2f to a54dc3c
Pull request overview
This PR introduces an environment input to several reusable workflows to scope secret access via GitHub Environments, and updates internal callers plus docs to match the new contract.
Changes:
- Add required `environment` input and set `environment: ${{ inputs.environment }}` on secret-consuming jobs.
- Switch secret references to environment-style `UPPER_SNAKE_CASE` names (e.g., `APP_TOKEN`, `SERVER_HOST`).
- Update internal wrapper workflows and EN/JA docs/examples to pass the new `environment` input and document environment secrets.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.
Summary per file
| File | Description |
|---|---|
| CHANGELOG.md | Documents the breaking change and new environment-scoped secret approach. |
| .github/workflows/deploy-web-hosting.yml | Adds environment input and scopes the deploy job; updates secret names. |
| .github/workflows/undeploy-web-hosting.yml | Adds environment input and scopes the undeploy job; updates secret names. |
| .github/workflows/tagpr-release.yml | Adds environment input and scopes jobs; updates token secret name to APP_TOKEN. |
| .github/workflows/my-release.yml | Updates internal caller to pass environment: release. |
| .github/workflows/my-update-release-pr.yml | Updates internal caller to pass environment: release. |
| .github/workflows/docs/deploy-web-hosting.md | Updates examples and documents environment secrets + prerequisite environment. |
| .github/workflows/docs/deploy-web-hosting.ja.md | Japanese doc updates for the new environment input and env secrets. |
| .github/workflows/docs/undeploy-web-hosting.md | Updates examples and documents environment secrets + prerequisite environment. |
| .github/workflows/docs/undeploy-web-hosting.ja.md | Japanese doc updates for the new environment input and env secrets. |
| .github/workflows/docs/tagpr-release.md | Updates examples and documents environment + APP_TOKEN as an environment secret. |
| .github/workflows/docs/tagpr-release.ja.md | Japanese doc updates for the new environment input and env secrets. |
| @@ -15,5 +15,5 @@ jobs: | |||
| contents: write | |||
| pull-requests: write | |||
| uses: ./.github/workflows/tagpr-release.yml | |||
| secrets: | ||
| app-token: ${{ secrets.APP_TOKEN }} | ||
| with: | ||
| environment: release |
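Review bot: dropping the `secrets:` block (`app-token: ${{ secrets.APP_TOKEN }}`) in favour of `with: environment: release` means the caller no longer passes the token explicitly; the reusable workflow now depends entirely on an Environment named `release` in this repository having `APP_TOKEN` defined on it, and a missing or misnamed environment secret will not fail the `uses: ./.github/workflows/tagpr-release.yml` call itself. Since the test plan already lists creating the `release` environment and moving `APP_TOKEN` to environment level, do that before this merges and put the same step in the CHANGELOG migration notes so downstream callers do not hit an empty token at run time.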
Comment on lines 70 to +74
| id: check-slack | ||
| env: | ||
| SLACK_CHANNEL_ID: ${{ secrets.slack-channel-id }} | ||
| SLACK_BOT_OAUTH_TOKEN: ${{ secrets.slack-bot-oauth-token }} | ||
| SLACK_WEBHOOK_URL: ${{ secrets.slack-webhook-url }} | ||
| SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} | ||
| SLACK_BOT_OAUTH_TOKEN: ${{ secrets.SLACK_BOT_OAUTH_TOKEN }} | ||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |
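Review bot: the rename from `secrets.slack-channel-id` to `secrets.SLACK_CHANNEL_ID` (and likewise for the bot token and webhook URL) is required rather than cosmetic: GitHub secret names may contain only alphanumerics and underscores, so the kebab-case names that worked as `workflow_call` secret parameters cannot be created as environment secrets at all. Because these values are read into `env:` on the `id: check-slack` step, an environment that defines none of them simply yields empty strings and the check takes the not-configured path with no error, so the docs' Environment Secrets section should list all three names exactly as spelled here and state whether they are optional.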
Comment on lines 60 to +64
| uses: kryota-dev/actions/.github/actions/undeploy-web-hosting-ftp@568519d2e5e2722d8d2340f594f6af3e1564852e # v0.0.7 | ||
| with: | ||
| ftp-server: ${{ secrets.server-host }} | ||
| ftp-username: ${{ secrets.server-user }} | ||
| ftp-password: ${{ secrets.server-password }} | ||
| target-path: ${{ secrets.server-path }}${{ steps.compute-path.outputs.deploy-path }} | ||
| ftp-server: ${{ secrets.SERVER_HOST }} | ||
| ftp-username: ${{ secrets.SERVER_USER }} | ||
| ftp-password: ${{ secrets.SERVER_PASSWORD }} |
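Review bot: the quoted range ends at `ftp-password`, so the `target-path:` input that previously read `${{ secrets.server-path }}` is not visible on the new side; confirm it was renamed alongside `SERVER_HOST`, `SERVER_USER` and `SERVER_PASSWORD` (a kebab-case name cannot exist as an environment secret) and that all four names appear in the `undeploy-web-hosting.md` Environment Secrets section. Passing the credentials as `with:` inputs to the SHA-pinned local action is fine; the pin plus version comment should stay as-is.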
Comment on lines 33 to 36
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | ||
| with: | ||
| token: ${{ secrets.app-token }} | ||
| token: ${{ secrets.APP_TOKEN }} | ||
| persist-credentials: false |
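Review bot: `token: ${{ secrets.APP_TOKEN }}` together with `persist-credentials: false` is the right pairing (the app token is used for the fetch and not written into the checkout's git config), but `APP_TOKEN` is now an environment secret rather than a declared `workflow_call` secret, so a caller whose environment lacks it only finds out when this checkout step runs with an empty token, not when the workflow is called. Consider a short preceding step that fails with a clear message when `secrets.APP_TOKEN` is empty, and state in `tagpr-release.md` that `APP_TOKEN` must be defined on the environment named by `inputs.environment`.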
Summary
- Add required `environment` input to `deploy-web-hosting.yml`, `tagpr-release.yml`, and `undeploy-web-hosting.yml` to enforce GitHub Environment-scoped secret access
- Apply `environment: ${{ inputs.environment }}` to all jobs that reference `secrets.*`
- Update internal callers (`my-release.yml`, `my-update-release-pr.yml`) to pass `environment: release`
Motivation
zizmor v1.23.0 introduced the `secrets-outside-env` audit, which flags jobs accessing secrets without a dedicated GitHub Environment. GitHub Environments provide protection rules (reviewer approval, wait timers, branch restrictions) that add a security layer for secret access.
Rather than suppressing the audit, this PR addresses the root cause by requiring all secret-accessing jobs to be scoped to a GitHub Environment.
Breaking Changes
All callers of the affected Reusable Workflows must:
1. Create a GitHub Environment (e.g., `production`, `staging`, `release`)
2. Pass the `environment` input in the `with:` block when calling the workflow
Test plan
- [ ] `secrets-outside-env` audit resolved after merging (with PR "chore(deps): update dependency zizmorcore/zizmor to v1.24.1" #57)
- [ ] Create `release` GitHub Environment in this repository and configure `APP_TOKEN` secret at environment level
- [ ] `my-release.yml` and `my-update-release-pr.yml` work correctly with the new environment
Related
Important
This is a breaking change. All downstream callers must update their workflows.
Generated with Claude Code
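The contract this PR sets up (a required `environment` input, `environment: ${{ inputs.environment }}` on every job that touches `secrets.*`, secrets renamed so they can live on the Environment) is easiest to see by running a check in the spirit of the `secrets-outside-env` audit over a "before" and an "after" workflow. The block below is an added example, not zizmor's implementation and not code from the kryota-dev/actions repository. It walks the workflow by indentation instead of using a YAML library, so it only understands the plain block style of the constructed samples; the sample workflows, the helper names and the exemption for `GITHUB_TOKEN` are all this example's assumptions.

```python
import re

# Matches ${{ ... secrets.NAME ... }} and captures NAME.
SECRET_REF = re.compile(r"\$\{\{[^}]*\bsecrets\.([A-Za-z0-9_-]+)")

# GITHUB_TOKEN is available to every job anyway, so scoping it to an
# environment buys nothing. Exempting it is this example's choice.
EXEMPT = {"GITHUB_TOKEN"}


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def split_jobs(workflow_text: str) -> dict[str, list[str]]:
    """Return {job_id: [body lines]} for every job under the top-level jobs: key.

    Assumes block-style YAML with top-level keys at column 0 (no YAML library).
    """
    jobs: dict[str, list[str]] = {}
    in_jobs, job_indent, current = False, None, None
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ind = _indent(line)
        if ind == 0:                       # a new top-level key
            in_jobs = line.startswith("jobs:")
            current = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = ind               # indent of the first job id
        if ind == job_indent and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            jobs[current] = []
        elif current is not None:
            jobs[current].append(line)
    return jobs


def audit_secrets_outside_env(workflow_text: str) -> dict[str, list[str]]:
    """Report jobs that read non-exempt secrets without declaring environment:.

    Returns {job_id: sorted secret names}; an empty dict means the audit passes.
    """
    findings: dict[str, list[str]] = {}
    for job_id, body in split_jobs(workflow_text).items():
        if not body:
            continue
        key_indent = min(_indent(l) for l in body)       # job-level keys
        has_env = any(
            _indent(l) == key_indent and l.strip().startswith("environment:")
            for l in body
        )
        used = {m.group(1) for l in body for m in SECRET_REF.finditer(l)} - EXEMPT
        if used and not has_env:
            findings[job_id] = sorted(used)
    return findings


# Constructed "before" shape: the secret arrives as a workflow_call parameter
# and the job declares no environment, so the audit should flag it.
BEFORE = """\
on:
  workflow_call:
    secrets:
      server-host:
        required: true
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh
        env:
          FTP_SERVER: ${{ secrets.server-host }}
"""

# Constructed "after" shape matching this PR: required environment input,
# environment: on the job, UPPER_SNAKE_CASE environment secret.
AFTER = """\
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    steps:
      - run: ./deploy.sh
        env:
          FTP_SERVER: ${{ secrets.SERVER_HOST }}
"""

# Only the always-available token: nothing to scope, so no finding.
TOKEN_ONLY = """\
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: gh pr edit --add-label ready
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("token-only", TOKEN_ONLY)):
        print(name, audit_secrets_outside_env(text) or "ok")
```

Running it flags `deploy` in the "before" workflow for `server-host` and passes the "after" workflow; the same check applied to the three workflows in this PR is what the real audit does more robustly, and the kebab-case name in the finding is also a reminder that such a name cannot be created as an environment secret, which is why the PR renames them.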