ci: add DH inputs/secrets

Signed-off-by: Patrick Stephens <pat@fluent.do>

Author: patrick-stephens

.github/workflows/build.yaml

@@ -118,9 +118,12 @@ jobs:
       version: ${{ needs.get-meta.outputs.version }}
       ref: ${{ github.ref }}
       image-base: ${{ matrix.image-base }}
-
       # Pick the Dockerfile to use for each image
       definition: ${{ (contains(matrix.image-base, 'debian') && 'Dockerfile.debian') || 'Dockerfile.ubi' }}
+      dockerhub-username: ${{ vars.DOCKERHUB_USERNAME }}
+    secrets:
+      dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
+
 
   # We want to copy the UBI image to ghcr.io/fluentdo/agent:version and
   # the distroless image to ghcr.io/fluentdo/agent:version-slim
@@ -214,6 +217,9 @@ jobs:
       ref: ${{ github.ref }}
       target-matrix: ${{ needs.get-meta.outputs.linux-targets }}
       nightly-build-info: ${{ needs.get-meta.outputs.date }}
+      dockerhub-username: ${{ vars.DOCKERHUB_USERNAME }}
+    secrets:
+      dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
 
   build-windows:
     # Only build Windows packages if we are not a pull request or have a label set

.github/workflows/call-build-containers.yaml

@@ -22,13 +22,21 @@ on:
         required: false
         type: string
         default: "Dockerfile.ubi"
+      dockerhub-username:
+        description: The Dockerhub username to use for authenticated pulls.
+        required: false
+        type: string
+        default: "fluentdo"
     secrets:
       cosign_private_key:
         description: The optional Cosign key to use for signing the images.
         required: false
       cosign_private_key_password:
         description: If the Cosign key requires a password then specify here, otherwise not required.
         required: false
+      dockerhub-token:
+        description: The Dockerhub token to use for authenticated pulls (not pushes).
+        required: true
     outputs:
       tag:
         description: The full image name and tag.
@@ -72,8 +80,8 @@ jobs:
       - name: Log in to docker.io for authorised pulls
         uses: docker/login-action@v3
         with:
-          username: ${{ vars.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          username: ${{ inputs.dockerhub-username }}
+          password: ${{ secrets.dockerhub-token }}
 
       - name: Log in to the Container registry
         uses: docker/login-action@v3

.github/workflows/call-build-linux-packages.yaml

@@ -17,6 +17,22 @@ on:
         required: false
         type: string
         default: ""
+      dockerhub-username:
+        description: The Dockerhub username to use for authenticated pulls.
+        required: false
+        type: string
+        default: "fluentdo"
+
+    secrets:
+      gpg_private_key:
+        description: The optional GPG key to use for signing the packages.
+        required: false
+      gpg_private_key_password:
+        description: If the GPG key requires a password then specify here, otherwise not required.
+        required: false
+      dockerhub-token:
+        description: The Dockerhub token to use for authenticated pulls (not pushes).
+        required: true
 jobs:
   build-packages:
     name: agent - ${{ matrix.distro }} package build and upload
@@ -54,8 +70,8 @@ jobs:
       - name: Log in to docker.io for authorised pulls
         uses: docker/login-action@v3
         with:
-          username: ${{ vars.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          username: ${{ inputs.dockerhub-username }}
+          password: ${{ secrets.dockerhub-token }}
 
       - name: Log in to the GHCR registry
         uses: docker/login-action@v3