coherent-oss / system


Implement automated releases #14

Closed jaraco closed 3 months ago

jaraco commented 3 months ago

The skeleton project has support for automated releases.

I'd like to implement something similar for coherent projects. Tagging a commit with a version number and pushing it should generate a release to PyPI.

Unfortunately, the technique used by skeleton is not viable because GitHub doesn't support secrets in reusable workflows and it's not even actively worked on.

Better would be to implement something using Trusted Publishing, but unfortunately, that doesn't support reusable workflows either. Thankfully, at least that issue is seeing some traction.

In the meantime, only manual releases are possible, unless...

Could it be possible to copy/paste the release job into each project, so it doesn't require the reusable workflow? But can that be done and still be dependent on the reusable workflow?

jaraco commented 3 months ago

According to this document it may be possible to set secrets at the org level and reference them using the vars context.

webknjaz commented 3 months ago

> But can that be done and still be dependent on the reusable workflow?

Yes.

jaraco commented 3 months ago

I've found this doc on passing secrets in reusable workflows.

bswck commented 3 months ago

My idea is to set the secrets on the org level, pass them to the reusable workflow in every front-end workflow (every calling workflow), and inherit the secrets only in the release job (in the reusable workflow, ofc). Someone outside the org could use our reusable workflows and we will just slightly increase the boilerplate in our front-end workflows.
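The arrangement described in the comment above, sketched as an added example that is not part of the original thread or the project's own workflows: a reusable workflow that declares one optional secret read only by its release job, and a calling workflow that passes that secret explicitly. The secret name `PYPI_TOKEN`, the `example-org/shared-workflows` repository, the file paths, the `v*` tag pattern and the placeholder steps are all assumptions.

```yaml
# File 1 (hypothetical): example-org/shared-workflows/.github/workflows/main.yml
# Reusable workflow: declares the secret it accepts from callers.
on:
  workflow_call:
    secrets:
      PYPI_TOKEN:            # assumed secret name
        required: false      # callers outside the org can omit it and still run tests

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "run the test suite here"   # placeholder; never references the secret

  release:
    needs: test
    # github.* reflects the calling workflow's event, so only tag pushes release
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "build and upload here"     # placeholder for the publish step
        env:
          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}   # the only place the secret is read
---
# File 2 (hypothetical): .github/workflows/main.yml in each project
# Calling ("front-end") workflow: the per-project boilerplate.
on:
  push:
    branches: [main]
    tags: ['v*']             # assumed tag pattern for version tags
  pull_request:

jobs:
  main:
    uses: example-org/shared-workflows/.github/workflows/main.yml@main
    secrets:
      # Resolved from the org-level (or repo-level) secret of the same name
      PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
```

Writing `secrets: inherit` in the calling job instead would hand the reusable workflow every secret the caller can read; the explicit mapping passes only the one named.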

bswck commented 3 months ago

https://github.com/coherent-oss/coherent.build/actions/runs/10550001633/job/29225689404 @jaraco great job! 🚀

jaraco commented 3 months ago

> My idea is to set the secrets on the org level, pass them to the reusable workflow in every front-end workflow (every calling workflow), and inherit the secrets only in the release job (in the reusable workflow, ofc). Someone outside the org could use our reusable workflows and we will just slightly increase the boilerplate in our front-end workflows.

Oh, I like that idea. I'd like to store a secret in as few places as possible. On the other hand, it would be nice to have a uniform "recipe" for projects without requiring them to be in the org.

I'm sort-of leaning toward just having a uniform process for now and awaiting support for trusted publishing. Let me know if you feel strongly otherwise.

jaraco commented 3 months ago

I note also that the latest jaraco.develop facilitates the add-github-secrets for coherent projects.