Pass encryption key as input to composite actions

Because composite actions can't access secrets directly
junit-team · Nov 6, 2024 · 6ba1f2b · 6ba1f2b
1 parent 216377b
commit 6ba1f2b
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 2 deletions.
diff --git a/.github/actions/main-build/action.yml b/.github/actions/main-build/action.yml
@@ -5,10 +5,14 @@ inputs:
     required: true
     description: Gradle arguments
     default: :platform-tooling-support-tests:test build --configuration-cache
+  encryptionKey:
+    required: true
+    description: Gradle cache encryption key
 runs:
   using: "composite"
   steps:
     - uses: ./.github/actions/setup-test-jdk
     - uses: ./.github/actions/run-gradle
       with:
         arguments: ${{ inputs.arguments }}
+        encryptionKey: ${{ inputs.encryptionKey }}
diff --git a/.github/actions/run-gradle/action.yml b/.github/actions/run-gradle/action.yml
@@ -5,6 +5,9 @@ inputs:
     required: true
     description: Gradle arguments
     default: build
+  encryptionKey:
+    required: true
+    description: Gradle cache encryption key
 runs:
   using: "composite"
   steps:
@@ -16,7 +19,7 @@ runs:
         check-latest: true
     - uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4
       with:
-        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
+        cache-encryption-key: ${{ inputs.encryptionKey }}
     - shell: bash
       env:
         JAVA_HOME: ${{ steps.setup-gradle-jdk.outputs.path }}

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -41,6 +41,7 @@ jobs:
     - name: Build
       uses: ./.github/actions/run-gradle
       with:
+        encryptionKey: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
         arguments: |
           --no-build-cache \
           -Dscan.tag.CodeQL \

diff --git a/.github/workflows/cross-version.yml b/.github/workflows/cross-version.yml
@@ -60,6 +60,7 @@ jobs:
       - name: Build
         uses: ./.github/actions/run-gradle
         with:
+          encryptionKey: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
           arguments: |
             -PjavaToolchain.version=${{ matrix.jdk.version }} \
             -Dscan.tag.JDK_${{ matrix.jdk.version }} \
@@ -93,6 +94,7 @@ jobs:
       - name: Build
         uses: ./.github/actions/run-gradle
         with:
+          encryptionKey: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
           arguments: |
             -PjavaToolchain.version=${{ matrix.jdk }} \
             -PjavaToolchain.implementation=j9 \

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -32,6 +32,7 @@ jobs:
     - name: Build
       uses: ./.github/actions/main-build
       with:
+        encryptionKey: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
         arguments: |
           -Ptesting.enableJaCoCo \
           :platform-tooling-support-tests:test \
@@ -52,6 +53,8 @@ jobs:
         fetch-depth: 1
     - name: Build
       uses: ./.github/actions/main-build
+      with:
+        encryptionKey: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 
   macOS:
     runs-on: macos-latest
@@ -62,10 +65,12 @@ jobs:
         fetch-depth: 1
     - name: Build
       uses: ./.github/actions/main-build
+      with:
+        encryptionKey: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 
   publish_artifacts:
     name: Publish Snapshot Artifacts
-    needs: linux
+    needs: Linux
     runs-on: ubuntu-latest
     permissions:
       attestations: write # required for build provenance attestation
@@ -82,6 +87,7 @@ jobs:
         ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.SONATYPE_USERNAME }}
         ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_PASSWORD }}
       with:
+        encryptionKey: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
         arguments: |
           publish -x check \
           prepareGitHubAttestation
@@ -109,6 +115,7 @@ jobs:
     - name: Build Documentation
       uses: ./.github/actions/run-gradle
       with:
+        encryptionKey: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
         arguments: |
           prepareDocsForUploadToGhPages \
           -Dscan.tag.Documentation
@@ -118,6 +125,7 @@ jobs:
       permissions:
         contents: write
       with:
+        encryptionKey: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
         arguments: |
           gitPublishPush \
           -Dscan.tag.Documentation

diff --git a/.github/workflows/reproducible-build.yml b/.github/workflows/reproducible-build.yml
@@ -26,6 +26,7 @@ jobs:
     - name: Restore Gradle cache and display toolchains
       uses: ./.github/actions/run-gradle
       with:
+        encryptionKey: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
         arguments: |
           --quiet \
           --configuration-cache