`secrets: inherit` should not be used.
❌

```yaml
jobs:
  release:
    uses: suzuki-shunsuke/go-release-workflow/.github/workflows/[email protected]
    secrets: inherit # `inherit` should not be used
```
⭕

```yaml
jobs:
  release:
    uses: suzuki-shunsuke/go-release-workflow/.github/workflows/[email protected]
    secrets: # Only required secrets should be passed
      gh_app_id: ${{ secrets.APP_ID }}
      gh_app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
```
Secrets should be exposed to only required jobs.
We don't recommend it, but if you want to ignore a violation of this policy, configure an exclusion in the configuration file.
e.g. ghalint.yaml

```yaml
excludes:
  - policy_name: deny_inherit_secrets
    workflow_file_path: .github/workflows/actionlint.yaml
    job_name: actionlint
```
`policy_name`, `workflow_file_path`, and `job_name` are required.
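The policy and its exclusion rule, sketched as an added example (not ghalint's own code): a line-based scan that reports jobs whose `secrets` key is the scalar `inherit`, then drops jobs matched by an `excludes` entry. It assumes block-style YAML with a top-level `jobs:` key; the function names, the sample workflow and its `example-org` references are constructed for illustration.

```python
import re

# Constructed sample workflow; the example-org references are placeholders.
SAMPLE = """\
name: release
jobs:
  release:
    uses: example-org/example-workflow/.github/workflows/release.yaml@v1
    secrets: inherit  # flagged
  test:
    uses: example-org/example-workflow/.github/workflows/test.yaml@v1
    secrets:
      gh_app_id: ${{ secrets.APP_ID }}
  actionlint:
    uses: example-org/example-workflow/.github/workflows/actionlint.yaml@v1
    secrets: "inherit"
"""

KEY = re.compile(r"^(\s*)([A-Za-z_][\w-]*):\s*(.*)$")

def jobs_inheriting_secrets(text):
    """Return job names whose direct `secrets` key is the scalar `inherit`."""
    found, in_jobs, job, job_indent, key_indent = [], False, None, None, None
    for line in text.splitlines():
        m = KEY.match(line)
        if not m:  # blank lines, comments, list items
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:  # top-level key: are we entering `jobs:`?
            in_jobs, job, job_indent = key == "jobs", None, None
        elif not in_jobs:
            continue
        elif job_indent is None or indent <= job_indent:  # a new job id
            job, job_indent, key_indent = key, indent, None
        else:  # a key inside the current job
            key_indent = indent if key_indent is None else key_indent
            scalar = value.split(" #")[0].strip().strip("'\"")
            if indent == key_indent and key == "secrets" and scalar == "inherit":
                found.append(job)
    return found

def violations(text, workflow_path, excludes=()):
    """Apply `excludes` entries; all three keys must match to skip a job."""
    skip = {e.get("job_name") for e in excludes
            if e.get("policy_name") == "deny_inherit_secrets"
            and e.get("workflow_file_path") == workflow_path}
    return [j for j in jobs_inheriting_secrets(text) if j not in skip]
```
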