Skip to content

ci: replace secrets: inherit with explicit secrets in chatops_retest #9669

New issue
New issue
Open
Task
Open
ci: replace secrets: inherit with explicit secrets in chatops_retest#9669
Task
Labels
area/plumbingIssues or PRs related to the plumbing infrastructure but needing attention in a non-plumbing repo.kind/cleanupCategorizes issue or PR as related to cleaning up code, process, or technical debt.
@vdemeester

Description

@vdemeester
vdemeester
opened on Mar 26, 2026

Problem

zizmor reports secrets-inherit in chatops_retest.yaml. The workflow uses secrets: inherit which passes all parent secrets to the reusable workflow tektoncd/plumbing/.github/workflows/_chatops_retest.yml, when it only needs CHATOPS_TOKEN.

Current

# .github/workflows/chatops_retest.yaml
jobs:
  retest:
    uses: tektoncd/plumbing/.github/workflows/_chatops_retest.yml@48c53b4e...  # main
    secrets: inherit

Proposed fix

jobs:
  retest:
    uses: tektoncd/plumbing/.github/workflows/_chatops_retest.yml@48c53b4e...  # main
    secrets:
      CHATOPS_TOKEN: ${{ secrets.CHATOPS_TOKEN }}

Note: This also requires a change in tektoncd/plumbing to declare secrets: inputs in _chatops_retest.yml:

on:
  workflow_call:
    secrets:
      CHATOPS_TOKEN:
        required: true

Context

Identified by zizmor v1.23.1. Related to #9667.

/kind cleanup

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/plumbingIssues or PRs related to the plumbing infrastructure but needing attention in a non-plumbing repo.kind/cleanupCategorizes issue or PR as related to cleaning up code, process, or technical debt.

    Type

    Task

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions