From 9dea92d1a1aaad63890f64a1c1c63af0c74629ac Mon Sep 17 00:00:00 2001 From: kryota-dev <50436249+kryota-dev@users.noreply.github.com> Date: Fri, 13 Mar 2026 09:17:54 +0900 Subject: [PATCH 1/6] feat(workflows)!: add required `environment` input to enforce environment-scoped secrets Add `environment` input (required, string) to all Reusable Workflows that access `secrets.*`, and apply `environment: ${{ inputs.environment }}` to every secret-using job. This addresses the zizmor `secrets-outside-env` audit (v1.23.0) by ensuring secrets are only accessible to jobs with GitHub Environment protection rules. Affected workflows: - deploy-web-hosting.yml (deploy job) - tagpr-release.yml (tagpr + bump_major_tag jobs) - undeploy-web-hosting.yml (delete job) BREAKING CHANGE: Callers must create a GitHub Environment and pass the `environment` input. Omitting it will cause a workflow call error. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/deploy-web-hosting.yml | 5 +++++ .github/workflows/tagpr-release.yml | 7 +++++++ .github/workflows/undeploy-web-hosting.yml | 5 +++++ 3 files changed, 17 insertions(+) diff --git a/.github/workflows/deploy-web-hosting.yml b/.github/workflows/deploy-web-hosting.yml index 95d7b33..3b7390d 100644 --- a/.github/workflows/deploy-web-hosting.yml +++ b/.github/workflows/deploy-web-hosting.yml @@ -4,6 +4,10 @@ name: Deploy to Web Hosting on: workflow_call: inputs: + environment: + description: "GitHub Environment name for secret access" + type: string + required: true deploy-type: description: "Deploy method ('ftp' or 'rsync')" type: string @@ -68,6 +72,7 @@ jobs: name: Deploy to Web Hosting runs-on: ubuntu-24.04 timeout-minutes: 15 + environment: ${{ inputs.environment }} permissions: pull-requests: write diff --git a/.github/workflows/tagpr-release.yml b/.github/workflows/tagpr-release.yml index 0d38633..a7d0f8c 100644 --- a/.github/workflows/tagpr-release.yml +++ b/.github/workflows/tagpr-release.yml 
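Review bot: The new `environment` input's description, `GitHub Environment name for secret access`, documents only the secret-scoping side; the commit message's claim that secrets become reachable only under protection rules holds only if the caller actually configures rules on that Environment, since an Environment with no required reviewers or deployment-branch restriction still hands its secrets to any workflow in the repository that names it. Suggest widening the description in this hunk and in the identical input blocks added to tagpr-release.yml and undeploy-web-hosting.yml, e.g. `description: "GitHub Environment whose secrets this job uses; configure required reviewers / deployment-branch rules on it, since an unprotected Environment gates nothing"`. The `on.workflow_call.inputs` block continues past the hunk.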
@@ -3,6 +3,11 @@ name: tagpr Release on: workflow_call: + inputs: + environment: + description: "GitHub Environment name for secret access" + type: string + required: true secrets: app-token: description: "Personal Access Token for tagpr (requires 'repo' and 'workflow' scopes)" @@ -22,6 +27,7 @@ jobs: tagpr: runs-on: ubuntu-latest timeout-minutes: 10 + environment: ${{ inputs.environment }} permissions: contents: write pull-requests: write @@ -43,6 +49,7 @@ jobs: if: needs.tagpr.outputs.tag != '' runs-on: ubuntu-latest timeout-minutes: 5 + environment: ${{ inputs.environment }} permissions: contents: write steps: diff --git a/.github/workflows/undeploy-web-hosting.yml b/.github/workflows/undeploy-web-hosting.yml index ad6bdc4..895476a 100644 --- a/.github/workflows/undeploy-web-hosting.yml +++ b/.github/workflows/undeploy-web-hosting.yml @@ -4,6 +4,10 @@ name: Undeploy from Web Hosting on: workflow_call: inputs: + environment: + description: "GitHub Environment name for secret access" + type: string + required: true deploy-type: description: "Deploy method ('ftp' or 'rsync')" type: string @@ -47,6 +51,7 @@ jobs: name: Undeploy from Web Hosting runs-on: ubuntu-24.04 timeout-minutes: 10 + environment: ${{ inputs.environment }} permissions: contents: read pull-requests: write From 665e929420b7bd5e8d88b977d77cd8eefb666ba6 Mon Sep 17 00:00:00 2001 From: kryota-dev <50436249+kryota-dev@users.noreply.github.com> Date: Fri, 13 Mar 2026 09:18:00 +0900 Subject: [PATCH 2/6] fix(ci): pass `environment` input to tagpr-release workflow calls Update internal callers to pass `environment: release` to tagpr-release.yml, matching the new required input. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/my-release.yml | 2 ++ .github/workflows/my-update-release-pr.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/my-release.yml b/.github/workflows/my-release.yml index bb1a0d5..6cac68a 100644 --- a/.github/workflows/my-release.yml 
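Review bot: Both `tagpr` and `bump_major_tag` now carry `environment: ${{ inputs.environment }}`, so if the caller's Environment has required reviewers a single release will presumably pause for approval twice, once per job, with `bump_major_tag` additionally gated by `if: needs.tagpr.outputs.tag != ''`. That is the right scoping, since later hunks in this series show both jobs reading the token, but it is worth a comment above the second `environment:` line so the double gate is not later "fixed" by dropping it, e.g. `# same Environment as the tagpr job: this job also reads the release token, so required reviewers will prompt again`. The `bump_major_tag` job body continues past the hunk.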
+++ b/.github/workflows/my-release.yml @@ -15,5 +15,7 @@ jobs: contents: write pull-requests: write uses: ./.github/workflows/tagpr-release.yml + with: + environment: release secrets: app-token: ${{ secrets.APP_TOKEN }} diff --git a/.github/workflows/my-update-release-pr.yml b/.github/workflows/my-update-release-pr.yml index 9a32fe9..ca505b8 100644 --- a/.github/workflows/my-update-release-pr.yml +++ b/.github/workflows/my-update-release-pr.yml @@ -18,5 +18,7 @@ jobs: contents: write pull-requests: write uses: ./.github/workflows/tagpr-release.yml + with: + environment: release secrets: app-token: ${{ secrets.APP_TOKEN }} From 0f0d2513ca4934b504435026a6f00248f1790be8 Mon Sep 17 00:00:00 2001 From: kryota-dev <50436249+kryota-dev@users.noreply.github.com> Date: Fri, 13 Mar 2026 09:18:05 +0900 Subject: [PATCH 3/6] docs: update workflow documentation for `environment` input (EN/JA) Add `environment` to Usage, Inputs table, Examples, and Prerequisites sections in all affected workflow docs (both English and Japanese). Co-Authored-By: Claude Opus 4.6 --- .github/workflows/docs/deploy-web-hosting.ja.md | 9 +++++++++ .github/workflows/docs/deploy-web-hosting.md | 9 +++++++++ .github/workflows/docs/tagpr-release.ja.md | 13 ++++++++++++- .github/workflows/docs/tagpr-release.md | 13 ++++++++++++- .github/workflows/docs/undeploy-web-hosting.ja.md | 9 +++++++++ .github/workflows/docs/undeploy-web-hosting.md | 9 +++++++++ 6 files changed, 60 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docs/deploy-web-hosting.ja.md b/.github/workflows/docs/deploy-web-hosting.ja.md index d0da7e1..3b0320e 100644 --- a/.github/workflows/docs/deploy-web-hosting.ja.md +++ b/.github/workflows/docs/deploy-web-hosting.ja.md 
@@ -15,6 +15,10 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/deploy-web-hosting.yml@v0 with: + # environment - シークレットアクセス用の GitHub Environment 名 + # Required + environment: 'production' + # deploy-type - デプロイ方法('ftp' または 'rsync') # Required deploy-type: 'ftp' @@ -88,6 +92,7 @@ jobs: | Name | Description | Required | Default | |------|-------------|----------|---------| +| `environment` | シークレットアクセス用の GitHub Environment 名 | Yes | - | | `deploy-type` | デプロイ方法(`'ftp'` または `'rsync'`) | Yes | - | | `artifact-name` | ダウンロードするビルドアーティファクトの名前 | Yes | - | | `output-dir` | ビルド出力ディレクトリ名 | Yes | - | @@ -128,6 +133,7 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/deploy-web-hosting.yml@v0 with: + environment: 'production' deploy-type: 'ftp' artifact-name: 'build-output' output-dir: 'dist' @@ -147,6 +153,7 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/deploy-web-hosting.yml@v0 with: + environment: 'production' deploy-type: 'rsync' artifact-name: 'build-output' output-dir: 'dist' @@ -172,6 +179,7 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/deploy-web-hosting.yml@v0 with: + environment: 'staging' deploy-type: 'rsync' artifact-name: 'build-output' output-dir: 'dist' @@ -199,6 +207,7 @@ jobs: ## Prerequisites +- 呼び出し元リポジトリに `environment` input に対応する GitHub Environment が存在し、必要なシークレットが Environment レベルで設定されていること - 呼び出し元ワークフローで `actions/upload-artifact` によるビルド成果物のアップロードが完了していること - `deploy-type` が `'ftp'` の場合: `server-password` が必要 - `deploy-type` が `'rsync'` の場合: `ssh-private-key` が必要 diff --git a/.github/workflows/docs/deploy-web-hosting.md b/.github/workflows/docs/deploy-web-hosting.md index 39103de..3fc6f5c 100644 --- a/.github/workflows/docs/deploy-web-hosting.md +++ b/.github/workflows/docs/deploy-web-hosting.md 
@@ -15,6 +15,10 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/deploy-web-hosting.yml@v0 with: + # environment - GitHub Environment name for secret access + # Required + environment: 'production' + # deploy-type - Deployment method ('ftp' or 'rsync') # Required deploy-type: 'ftp' @@ -88,6 +92,7 @@ jobs: | Name | Description | Required | Default | |------|-------------|----------|---------| +| `environment` | GitHub Environment name for secret access | Yes | - | | `deploy-type` | Deployment method (`'ftp'` or `'rsync'`) | Yes | - | | `artifact-name` | Name of the build artifact to download | Yes | - | | `output-dir` | Build output directory name | Yes | - | @@ -128,6 +133,7 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/deploy-web-hosting.yml@v0 with: + environment: 'production' deploy-type: 'ftp' artifact-name: 'build-output' output-dir: 'dist' @@ -147,6 +153,7 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/deploy-web-hosting.yml@v0 with: + environment: 'production' deploy-type: 'rsync' artifact-name: 'build-output' output-dir: 'dist' @@ -172,6 +179,7 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/deploy-web-hosting.yml@v0 with: + environment: 'staging' deploy-type: 'rsync' artifact-name: 'build-output' output-dir: 'dist' @@ -199,6 +207,7 @@ This workflow consists of a `deploy` job and executes in the following order: ## Prerequisites +- A GitHub Environment matching the `environment` input must exist in the caller's repository, with the required secrets configured at the environment level - Build artifacts must have been uploaded via `actions/upload-artifact` in the calling workflow - For `deploy-type` `'ftp'`: `server-password` is required - For `deploy-type` `'rsync'`: `ssh-private-key` is required diff --git a/.github/workflows/docs/tagpr-release.ja.md b/.github/workflows/docs/tagpr-release.ja.md index 8b76d89..a5d01db 100644 
--- a/.github/workflows/docs/tagpr-release.ja.md +++ b/.github/workflows/docs/tagpr-release.ja.md @@ -15,6 +15,10 @@ jobs: contents: write pull-requests: write uses: kryota-dev/actions/.github/workflows/tagpr-release.yml@v0 + with: + # environment - シークレットアクセス用の GitHub Environment 名 + # Required + environment: 'release' secrets: # app-token - tagpr 用の Personal Access Token('repo' と 'workflow' スコープが必要) # Required @@ -23,7 +27,9 @@ jobs: ## Inputs -None +| Name | Description | Required | Default | +|------|-------------|----------|---------| +| `environment` | シークレットアクセス用の GitHub Environment 名 | Yes | - | ## Secrets @@ -55,6 +61,8 @@ jobs: contents: write pull-requests: write uses: kryota-dev/actions/.github/workflows/tagpr-release.yml@v0 + with: + environment: 'release' secrets: app-token: ${{ secrets.APP_TOKEN }} ``` @@ -68,6 +76,8 @@ jobs: contents: write pull-requests: write uses: kryota-dev/actions/.github/workflows/tagpr-release.yml@v0 + with: + environment: 'release' secrets: app-token: ${{ secrets.APP_TOKEN }} @@ -101,5 +111,6 @@ jobs: ## Prerequisites +- 呼び出し元リポジトリに `environment` input に対応する GitHub Environment が存在し、`app-token` シークレットが Environment レベルで設定されていること - GitHub App Token または Personal Access Token(`repo` + `workflow` スコープ)が必要 - `.tagpr` 設定ファイルがリポジトリに存在すること diff --git a/.github/workflows/docs/tagpr-release.md b/.github/workflows/docs/tagpr-release.md index 377fcac..f441883 100644 --- a/.github/workflows/docs/tagpr-release.md +++ b/.github/workflows/docs/tagpr-release.md @@ -15,6 +15,10 @@ jobs: contents: write pull-requests: write uses: kryota-dev/actions/.github/workflows/tagpr-release.yml@v0 + with: + # environment - GitHub Environment name for secret access + # Required + environment: 'release' secrets: # app-token - Personal Access Token for tagpr (requires 'repo' and 'workflow' scopes) # Required 
@@ -23,7 +27,9 @@ jobs: ## Inputs -None +| Name | Description | Required | Default | +|------|-------------|----------|---------| +| `environment` | GitHub Environment name for secret access | Yes | - | ## Secrets @@ -55,6 +61,8 @@ jobs: contents: write pull-requests: write uses: kryota-dev/actions/.github/workflows/tagpr-release.yml@v0 + with: + environment: 'release' secrets: app-token: ${{ secrets.APP_TOKEN }} ``` @@ -68,6 +76,8 @@ jobs: contents: write pull-requests: write uses: kryota-dev/actions/.github/workflows/tagpr-release.yml@v0 + with: + environment: 'release' secrets: app-token: ${{ secrets.APP_TOKEN }} @@ -101,5 +111,6 @@ Runs only after the `tagpr` job completes and a tag was created (`tag != ''`). ## Prerequisites +- A GitHub Environment matching the `environment` input must exist in the caller's repository, with the `app-token` secret configured at the environment level - GitHub App Token or Personal Access Token (requires `repo` + `workflow` scopes) - `.tagpr` configuration file must exist in the repository diff --git a/.github/workflows/docs/undeploy-web-hosting.ja.md b/.github/workflows/docs/undeploy-web-hosting.ja.md index 7893c5f..9d454d7 100644 --- a/.github/workflows/docs/undeploy-web-hosting.ja.md +++ b/.github/workflows/docs/undeploy-web-hosting.ja.md @@ -16,6 +16,10 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/undeploy-web-hosting.yml@v0 with: + # environment - シークレットアクセス用の GitHub Environment 名 + # Required + environment: 'production' + # deploy-type - デプロイ方法('ftp' または 'rsync') # Required deploy-type: 'ftp' @@ -61,6 +65,7 @@ jobs: | Name | Description | Required | Default | |------|-------------|----------|---------| +| `environment` | シークレットアクセス用の GitHub Environment 名 | Yes | - | | `deploy-type` | デプロイ方法(`'ftp'` または `'rsync'`) | Yes | - | | `base-path-prefix` | プロジェクト固有のパスプレフィックス(例: `'/'`) | No | `''` | | `production-branch` | 本番ブランチ名 | No | `'main'` | 
@@ -96,6 +101,7 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/undeploy-web-hosting.yml@v0 with: + environment: 'production' deploy-type: 'ftp' secrets: server-host: ${{ secrets.SERVER_HOST }} @@ -114,6 +120,7 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/undeploy-web-hosting.yml@v0 with: + environment: 'production' deploy-type: 'rsync' base-path-prefix: '/my-project' secrets: @@ -133,6 +140,7 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/undeploy-web-hosting.yml@v0 with: + environment: 'staging' deploy-type: 'rsync' dry-run: 'true' secrets: @@ -155,5 +163,6 @@ jobs: ## Prerequisites +- 呼び出し元リポジトリに `environment` input に対応する GitHub Environment が存在し、必要なシークレットが Environment レベルで設定されていること - `deploy-type` が `'ftp'` の場合: `server-password` が必要 - `deploy-type` が `'rsync'` の場合: `ssh-private-key` が必要 diff --git a/.github/workflows/docs/undeploy-web-hosting.md b/.github/workflows/docs/undeploy-web-hosting.md index 23a071e..e7298eb 100644 --- a/.github/workflows/docs/undeploy-web-hosting.md +++ b/.github/workflows/docs/undeploy-web-hosting.md @@ -16,6 +16,10 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/undeploy-web-hosting.yml@v0 with: + # environment - GitHub Environment name for secret access + # Required + environment: 'production' + # deploy-type - Deployment method ('ftp' or 'rsync') # Required deploy-type: 'ftp' @@ -61,6 +65,7 @@ jobs: | Name | Description | Required | Default | |------|-------------|----------|---------| +| `environment` | GitHub Environment name for secret access | Yes | - | | `deploy-type` | Deployment method (`'ftp'` or `'rsync'`) | Yes | - | | `base-path-prefix` | Project-specific path prefix (e.g., `'/'`) | No | `''` | | `production-branch` | Production branch name | No | `'main'` | 
@@ -96,6 +101,7 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/undeploy-web-hosting.yml@v0 with: + environment: 'production' deploy-type: 'ftp' secrets: server-host: ${{ secrets.SERVER_HOST }} @@ -114,6 +120,7 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/undeploy-web-hosting.yml@v0 with: + environment: 'production' deploy-type: 'rsync' base-path-prefix: '/my-project' secrets: @@ -133,6 +140,7 @@ jobs: pull-requests: write uses: kryota-dev/actions/.github/workflows/undeploy-web-hosting.yml@v0 with: + environment: 'staging' deploy-type: 'rsync' dry-run: 'true' secrets: @@ -155,5 +163,6 @@ This workflow consists of a `delete` job and executes in the following order: ## Prerequisites +- A GitHub Environment matching the `environment` input must exist in the caller's repository, with the required secrets configured at the environment level - For `deploy-type` `'ftp'`: `server-password` is required - For `deploy-type` `'rsync'`: `ssh-private-key` is required From 094da060d1a009d977234c413992ded1afe82e0e Mon Sep 17 00:00:00 2001 From: kryota-dev <50436249+kryota-dev@users.noreply.github.com> Date: Fri, 13 Mar 2026 09:18:10 +0900 Subject: [PATCH 4/6] docs: add breaking change entry to CHANGELOG Co-Authored-By: Claude Opus 4.6 --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 56259ce..0e0157c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,9 @@ # Changelog +## [Unreleased] +### Breaking Changes +- Add required `environment` input to `deploy-web-hosting.yml`, `tagpr-release.yml`, and `undeploy-web-hosting.yml` to enforce GitHub Environment-scoped secret access (zizmor `secrets-outside-env` audit). Existing callers must create a GitHub Environment and pass the `environment` input. + ## [v0.1.0](https://github.com/kryota-dev/actions/compare/v0.0.9...v0.1.0) - 2026-03-06 ### Other Changes - docs(copilot): add custom instructions for Copilot agents by @kryota-dev in https://github.com/kryota-dev/actions/pull/46 From ff1e78da6779556a4627800557f80b0b7eabf310 Mon Sep 17 00:00:00 2001 From: kryota-dev <50436249+kryota-dev@users.noreply.github.com> Date: Fri, 13 Mar 2026 10:24:11 +0900 Subject: [PATCH 5/6] feat(workflows)!: remove workflow_call.secrets in favor of environment-direct secret access - Remove workflow_call.secrets sections from all Reusable Workflows - Change secret references from kebab-case to UPPER_SNAKE_CASE - Remove secrets: blocks from callers (secrets accessed via environment) Co-Authored-By: Claude Opus 4.6 --- .github/workflows/deploy-web-hosting.yml | 49 +++++++--------------- .github/workflows/my-release.yml | 2 - .github/workflows/my-update-release-pr.yml | 2 - .github/workflows/tagpr-release.yml | 12 ++---- .github/workflows/undeploy-web-hosting.yml | 27 ++++-------- 5 files changed, 27 insertions(+), 65 deletions(-) diff --git a/.github/workflows/deploy-web-hosting.yml b/.github/workflows/deploy-web-hosting.yml index 3b7390d..924057a 100644 --- a/.github/workflows/deploy-web-hosting.yml +++ b/.github/workflows/deploy-web-hosting.yml 
@@ -45,25 +45,6 @@ on: type: string required: false default: '' - secrets: - server-host: - required: true - server-user: - required: true - server-path: - required: true - server-password: - required: false - ssh-private-key: - required: false - slack-channel-id: - required: false - slack-bot-oauth-token: - required: false - slack-webhook-url: - required: false - slack-mention-user: - required: false permissions: {} @@ -88,9 +69,9 @@ jobs: - name: Check Slack configuration id: check-slack env: - SLACK_CHANNEL_ID: ${{ secrets.slack-channel-id }} - SLACK_BOT_OAUTH_TOKEN: ${{ secrets.slack-bot-oauth-token }} - SLACK_WEBHOOK_URL: ${{ secrets.slack-webhook-url }} + SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} + SLACK_BOT_OAUTH_TOKEN: ${{ secrets.SLACK_BOT_OAUTH_TOKEN }} + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} run: | if [ -n "$SLACK_CHANNEL_ID" ] && [ -n "$SLACK_BOT_OAUTH_TOKEN" ]; then echo "success-enabled=true" >> "$GITHUB_OUTPUT" @@ -112,10 +93,10 @@ jobs: with: base-path: ${{ steps.compute-path.outputs.deploy-path }} output-dir: ${{ inputs.output-dir }} - ftp-server: ${{ secrets.server-host }} - ftp-username: ${{ secrets.server-user }} - ftp-password: ${{ secrets.server-password }} - ftp-path: ${{ secrets.server-path }}${{ steps.compute-path.outputs.deploy-path }} + ftp-server: ${{ secrets.SERVER_HOST }} + ftp-username: ${{ secrets.SERVER_USER }} + ftp-password: ${{ secrets.SERVER_PASSWORD }} + ftp-path: ${{ secrets.SERVER_PATH }}${{ steps.compute-path.outputs.deploy-path }} dry-run: ${{ inputs.dry-run }} is-production: ${{ steps.compute-path.outputs.is-production }} 
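Review bot: With the `workflow_call.secrets` block and its `required: true` entries deleted in the first hunk of this file, nothing checks that `SERVER_HOST`, `SERVER_USER` and `SERVER_PATH` exist in the selected Environment before the FTP step in this hunk reads them; an unset secret evaluates to an empty string, so `ftp-path: ${{ secrets.SERVER_PATH }}${{ steps.compute-path.outputs.deploy-path }}` silently becomes the computed path relative to the server root instead of failing at call time as before. The same applies to the rsync hunk below, to both `target-path` lines in undeploy-web-hosting.yml (where an empty prefix changes which directory the delete hits), and to `APP_TOKEN` in tagpr-release.yml, which would reach `git remote set-url` as an empty credential. A fail-fast step before the first secret-consuming step restores the early check; the Environment name is passed through `env:` rather than interpolated into `run:` so the input cannot alter the shell command. The `deploy` job's steps begin before this hunk.
```yaml
      # … unchanged: compute-path / check-slack / download-artifact steps …
      - name: Verify required environment secrets
        shell: bash
        env:
          ENVIRONMENT_NAME: ${{ inputs.environment }}
          SERVER_HOST: ${{ secrets.SERVER_HOST }}
          SERVER_USER: ${{ secrets.SERVER_USER }}
          SERVER_PATH: ${{ secrets.SERVER_PATH }}
        run: |
          for name in SERVER_HOST SERVER_USER SERVER_PATH; do
            if [ -z "${!name}" ]; then
              echo "::error::secret ${name} is not set in environment '${ENVIRONMENT_NAME}'"
              exit 1
            fi
          done
      # … unchanged: FTP deploy step …
```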
@@ -126,10 +107,10 @@ jobs: with: base-path: ${{ steps.compute-path.outputs.deploy-path }} output-dir: ${{ inputs.output-dir }} - ssh-host: ${{ secrets.server-host }} - ssh-user: ${{ secrets.server-user }} - ssh-private-key: ${{ secrets.ssh-private-key }} - ssh-path: ${{ secrets.server-path }}${{ steps.compute-path.outputs.deploy-path }} + ssh-host: ${{ secrets.SERVER_HOST }} + ssh-user: ${{ secrets.SERVER_USER }} + ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} + ssh-path: ${{ secrets.SERVER_PATH }}${{ steps.compute-path.outputs.deploy-path }} dry-run: ${{ inputs.dry-run }} is-production: ${{ steps.compute-path.outputs.is-production }} @@ -167,8 +148,8 @@ jobs: if: ${{ success() && github.event_name != 'pull_request' && steps.check-slack.outputs.success-enabled == 'true' }} uses: kryota-dev/actions/.github/actions/slack-notify-success@568519d2e5e2722d8d2340f594f6af3e1564852e # v0.0.7 with: - channel-id: ${{ secrets.slack-channel-id }} - bot-oauth-token: ${{ secrets.slack-bot-oauth-token }} + channel-id: ${{ secrets.SLACK_CHANNEL_ID }} + bot-oauth-token: ${{ secrets.SLACK_BOT_OAUTH_TOKEN }} title: 'Web Hosting deploy succeeded' message: '${{ inputs.home-url }}${{ steps.compute-path.outputs.deploy-path }}/' @@ -176,8 +157,8 @@ jobs: if: ${{ failure() && github.event_name != 'pull_request' && steps.check-slack.outputs.failure-enabled == 'true' }} uses: kryota-dev/actions/.github/actions/slack-notify-failure@568519d2e5e2722d8d2340f594f6af3e1564852e # v0.0.7 with: - webhook-url: ${{ secrets.slack-webhook-url }} - mention-user: ${{ secrets.slack-mention-user }} + webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} + mention-user: ${{ secrets.SLACK_MENTION_USER }} title: 'Web Hosting deploy failed' # --- Hide Previous Failed Comments --- diff --git a/.github/workflows/my-release.yml b/.github/workflows/my-release.yml index 6cac68a..89e0764 100644 --- a/.github/workflows/my-release.yml +++ b/.github/workflows/my-release.yml 
@@ -17,5 +17,3 @@ jobs: uses: ./.github/workflows/tagpr-release.yml with: environment: release - secrets: - app-token: ${{ secrets.APP_TOKEN }} diff --git a/.github/workflows/my-update-release-pr.yml b/.github/workflows/my-update-release-pr.yml index ca505b8..211d476 100644 --- a/.github/workflows/my-update-release-pr.yml +++ b/.github/workflows/my-update-release-pr.yml @@ -20,5 +20,3 @@ jobs: uses: ./.github/workflows/tagpr-release.yml with: environment: release - secrets: - app-token: ${{ secrets.APP_TOKEN }} diff --git a/.github/workflows/tagpr-release.yml b/.github/workflows/tagpr-release.yml index a7d0f8c..1555c3c 100644 --- a/.github/workflows/tagpr-release.yml +++ b/.github/workflows/tagpr-release.yml @@ -8,10 +8,6 @@ on: description: "GitHub Environment name for secret access" type: string required: true - secrets: - app-token: - description: "Personal Access Token for tagpr (requires 'repo' and 'workflow' scopes)" - required: true outputs: tag: description: "The version tag created by tagpr (empty if no release)" @@ -36,13 +32,13 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - token: ${{ secrets.app-token }} + token: ${{ secrets.APP_TOKEN }} persist-credentials: false - uses: Songmu/tagpr@b3fb89424646b06c8aa460f50307c60b6a541425 # v1.17.1 id: tagpr env: - GITHUB_TOKEN: ${{ secrets.app-token }} + GITHUB_TOKEN: ${{ secrets.APP_TOKEN }} bump_major_tag: needs: tagpr @@ -55,13 +51,13 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - token: ${{ secrets.app-token }} + token: ${{ secrets.APP_TOKEN }} persist-credentials: false - name: Update major tag env: TAG: ${{ needs.tagpr.outputs.tag }} - GITHUB_TOKEN: ${{ secrets.app-token }} + GITHUB_TOKEN: ${{ secrets.APP_TOKEN }} REPO: ${{ github.repository }} run: | git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${REPO}.git" 
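Review bot: Deleting `workflow_call.secrets.app-token` in the first tagpr-release.yml hunk also deletes the only in-file statement of what the token must be (`Personal Access Token for tagpr (requires 'repo' and 'workflow' scopes)`); the `token: ${{ secrets.APP_TOKEN }}` lines in the two later hunks now name a secret whose origin and required scopes a reader has to reconstruct from the docs directory. Suggest carrying that text forward as a comment above the first `token:` line in the `tagpr` job, e.g. `# APP_TOKEN: Environment secret - Personal Access Token for tagpr (requires 'repo' and 'workflow' scopes)`, and a one-line pointer to it above the `bump_major_tag` checkout. The `bump_major_tag` job's `run:` script continues past the hunk.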
diff --git a/.github/workflows/undeploy-web-hosting.yml b/.github/workflows/undeploy-web-hosting.yml index 895476a..93877e2 100644 --- a/.github/workflows/undeploy-web-hosting.yml +++ b/.github/workflows/undeploy-web-hosting.yml @@ -32,17 +32,6 @@ on: type: string required: false default: 'false' - secrets: - server-host: - required: true - server-user: - required: true - server-path: - required: true - server-password: - required: false - ssh-private-key: - required: false permissions: {} @@ -70,10 +59,10 @@ jobs: if: ${{ inputs.deploy-type == 'ftp' }} uses: kryota-dev/actions/.github/actions/undeploy-web-hosting-ftp@568519d2e5e2722d8d2340f594f6af3e1564852e # v0.0.7 with: - ftp-server: ${{ secrets.server-host }} - ftp-username: ${{ secrets.server-user }} - ftp-password: ${{ secrets.server-password }} - target-path: ${{ secrets.server-path }}${{ steps.compute-path.outputs.deploy-path }} + ftp-server: ${{ secrets.SERVER_HOST }} + ftp-username: ${{ secrets.SERVER_USER }} + ftp-password: ${{ secrets.SERVER_PASSWORD }} + target-path: ${{ secrets.SERVER_PATH }}${{ steps.compute-path.outputs.deploy-path }} dry-run: ${{ inputs.dry-run }} # --- rsync Delete --- @@ -81,10 +70,10 @@ jobs: if: ${{ inputs.deploy-type == 'rsync' }} uses: kryota-dev/actions/.github/actions/undeploy-web-hosting-rsync@568519d2e5e2722d8d2340f594f6af3e1564852e # v0.0.7 with: - ssh-host: ${{ secrets.server-host }} - ssh-user: ${{ secrets.server-user }} - ssh-private-key: ${{ secrets.ssh-private-key }} - target-path: ${{ secrets.server-path }}${{ steps.compute-path.outputs.deploy-path }} + ssh-host: ${{ secrets.SERVER_HOST }} + ssh-user: ${{ secrets.SERVER_USER }} + ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} + target-path: ${{ secrets.SERVER_PATH }}${{ steps.compute-path.outputs.deploy-path }} dry-run: ${{ inputs.dry-run }} # --- PR Comments --- From a54dc3c7df1fff340b120fab62618050ba3745c4 Mon Sep 17 00:00:00 2001 
From: kryota-dev <50436249+kryota-dev@users.noreply.github.com> Date: Fri, 13 Mar 2026 10:24:18 +0900 Subject: [PATCH 6/6] docs: update documentation for environment-direct secrets architecture - Replace Secrets section with Environment Secrets section - Remove secrets: blocks from Usage/Examples - Update secret names to UPPER_SNAKE_CASE in Behavior/Prerequisites - Add breaking change entry to CHANGELOG Co-Authored-By: Claude Opus 4.6 --- .../workflows/docs/deploy-web-hosting.ja.md | 83 ++++--------------- .github/workflows/docs/deploy-web-hosting.md | 83 ++++--------------- .github/workflows/docs/tagpr-release.ja.md | 22 ++--- .github/workflows/docs/tagpr-release.md | 22 ++--- .../workflows/docs/undeploy-web-hosting.ja.md | 53 +++--------- .../workflows/docs/undeploy-web-hosting.md | 53 +++--------- CHANGELOG.md | 1 + 7 files changed, 67 insertions(+), 250 deletions(-) diff --git a/.github/workflows/docs/deploy-web-hosting.ja.md b/.github/workflows/docs/deploy-web-hosting.ja.md index 3b0320e..d6c20c9 100644 --- a/.github/workflows/docs/deploy-web-hosting.ja.md +++ b/.github/workflows/docs/deploy-web-hosting.ja.md 
@@ -50,42 +50,6 @@ jobs: # ref-name - ブランチ名の上書き(空の場合は github context から自動取得) # Optional (default: '') ref-name: '' - secrets: - # server-host - デプロイ先サーバーのホスト名 - # Required - server-host: ${{ secrets.SERVER_HOST }} - - # server-user - デプロイ先サーバーのユーザー名 - # Required - server-user: ${{ secrets.SERVER_USER }} - - # server-path - デプロイ先サーバーのパス - # Required - server-path: ${{ secrets.SERVER_PATH }} - - # server-password - デプロイ先サーバーのパスワード(FTP 使用時に必要) - # Optional - server-password: ${{ secrets.SERVER_PASSWORD }} - - # ssh-private-key - SSH 秘密鍵(rsync 使用時に必要) - # Optional - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} - - # slack-channel-id - Slack 通知先チャンネル ID - # Optional - slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }} - - # slack-bot-oauth-token - Slack Bot の OAuth トークン - # Optional - slack-bot-oauth-token: ${{ secrets.SLACK_BOT_OAUTH_TOKEN }} - - # slack-webhook-url - Slack Incoming Webhook URL - # Optional - slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} - - # slack-mention-user - Slack で失敗時にメンションするユーザー - # Optional - slack-mention-user: ${{ secrets.SLACK_MENTION_USER }} ``` ## Inputs 
@@ -102,19 +66,21 @@ jobs: | `production-branch` | 本番ブランチ名 | No | `'main'` | | `ref-name` | ブランチ名の上書き(空の場合は github context から自動取得) | No | `''` | -## Secrets +## Environment Secrets + +`environment` input で指定した GitHub Environment に以下のシークレットを設定する必要があります: | Name | Description | Required | |------|-------------|----------| -| `server-host` | デプロイ先サーバーのホスト名 | Yes | -| `server-user` | デプロイ先サーバーのユーザー名 | Yes | -| `server-path` | デプロイ先サーバーのパス | Yes | -| `server-password` | デプロイ先サーバーのパスワード(FTP 使用時に必要) | No | -| `ssh-private-key` | SSH 秘密鍵(rsync 使用時に必要) | No | -| `slack-channel-id` | Slack 通知先チャンネル ID | No | -| `slack-bot-oauth-token` | Slack Bot の OAuth トークン | No | -| `slack-webhook-url` | Slack Incoming Webhook URL | No | -| `slack-mention-user` | Slack で失敗時にメンションするユーザー | No | +| `SERVER_HOST` | デプロイ先サーバーのホスト名 | Yes | +| `SERVER_USER` | デプロイ先サーバーのユーザー名 | Yes | +| `SERVER_PATH` | デプロイ先サーバーのパス | Yes | +| `SERVER_PASSWORD` | デプロイ先サーバーのパスワード(FTP 使用時に必要) | Conditional | +| `SSH_PRIVATE_KEY` | SSH 秘密鍵(rsync 使用時に必要) | Conditional | +| `SLACK_CHANNEL_ID` | Slack 通知先チャンネル ID | No | +| `SLACK_BOT_OAUTH_TOKEN` | Slack Bot の OAuth トークン | No | +| `SLACK_WEBHOOK_URL` | Slack Incoming Webhook URL | No | +| `SLACK_MENTION_USER` | Slack で失敗時にメンションするユーザー | No | ## Permissions @@ -137,11 +103,6 @@ jobs: deploy-type: 'ftp' artifact-name: 'build-output' output-dir: 'dist' - secrets: - server-host: ${{ secrets.SERVER_HOST }} - server-user: ${{ secrets.SERVER_USER }} - server-path: ${{ secrets.SERVER_PATH }} - server-password: ${{ secrets.SERVER_PASSWORD }} ``` ### rsync でデプロイする(Slack 通知付き) 
@@ -159,15 +120,6 @@ jobs: output-dir: 'dist' base-path-prefix: '/my-project' home-url: 'https://example.com' - secrets: - server-host: ${{ secrets.SERVER_HOST }} - server-user: ${{ secrets.SERVER_USER }} - server-path: ${{ secrets.SERVER_PATH }} - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} - slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }} - slack-bot-oauth-token: ${{ secrets.SLACK_BOT_OAUTH_TOKEN }} - slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} - slack-mention-user: ${{ secrets.SLACK_MENTION_USER }} ``` ### ドライランで確認する @@ -184,11 +136,6 @@ jobs: artifact-name: 'build-output' output-dir: 'dist' dry-run: 'true' - secrets: - server-host: ${{ secrets.SERVER_HOST }} - server-user: ${{ secrets.SERVER_USER }} - server-path: ${{ secrets.SERVER_PATH }} - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} ``` ## Behavior @@ -196,7 +143,7 @@ jobs: このワークフローは `deploy` ジョブで構成され、以下の順序で実行されます。 1. `compute-web-hosting-deploy-path` Composite Action でデプロイ先パスを計算 -2. Slack 設定チェック(`slack-channel-id` + `slack-bot-oauth-token` があれば成功通知可能、`slack-webhook-url` があれば失敗通知可能) +2. Slack 設定チェック(`SLACK_CHANNEL_ID` + `SLACK_BOT_OAUTH_TOKEN` があれば成功通知可能、`SLACK_WEBHOOK_URL` があれば失敗通知可能) 3. `actions/download-artifact@v4.3.0` でビルドアーティファクトをダウンロード 4. `deploy-type` の値に応じてデプロイを実行 - `'ftp'`: `deploy-web-hosting-ftp` Composite Action を使用 @@ -209,5 +156,5 @@ jobs: - 呼び出し元リポジトリに `environment` input に対応する GitHub Environment が存在し、必要なシークレットが Environment レベルで設定されていること - 呼び出し元ワークフローで `actions/upload-artifact` によるビルド成果物のアップロードが完了していること -- `deploy-type` が `'ftp'` の場合: `server-password` が必要 -- `deploy-type` が `'rsync'` の場合: `ssh-private-key` が必要 +- `deploy-type` が `'ftp'` の場合: `SERVER_PASSWORD` が必要 +- `deploy-type` が `'rsync'` の場合: `SSH_PRIVATE_KEY` が必要 diff --git a/.github/workflows/docs/deploy-web-hosting.md b/.github/workflows/docs/deploy-web-hosting.md index 3fc6f5c..6b19575 100644 --- a/.github/workflows/docs/deploy-web-hosting.md +++ b/.github/workflows/docs/deploy-web-hosting.md 
@@ -50,42 +50,6 @@ jobs: # ref-name - Branch name override (auto-detected from github context if empty) # Optional (default: '') ref-name: '' - secrets: - # server-host - Deployment server hostname - # Required - server-host: ${{ secrets.SERVER_HOST }} - - # server-user - Deployment server username - # Required - server-user: ${{ secrets.SERVER_USER }} - - # server-path - Deployment server path - # Required - server-path: ${{ secrets.SERVER_PATH }} - - # server-password - Deployment server password (required for FTP) - # Optional - server-password: ${{ secrets.SERVER_PASSWORD }} - - # ssh-private-key - SSH private key (required for rsync) - # Optional - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} - - # slack-channel-id - Slack notification channel ID - # Optional - slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }} - - # slack-bot-oauth-token - Slack Bot OAuth token - # Optional - slack-bot-oauth-token: ${{ secrets.SLACK_BOT_OAUTH_TOKEN }} - - # slack-webhook-url - Slack Incoming Webhook URL - # Optional - slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} - - # slack-mention-user - Slack user to mention on failure - # Optional - slack-mention-user: ${{ secrets.SLACK_MENTION_USER }} ``` ## Inputs 
@@ -102,19 +66,21 @@ jobs: | `production-branch` | Production branch name | No | `'main'` | | `ref-name` | Branch name override (auto-detected from github context if empty) | No | `''` | -## Secrets +## Environment Secrets + +The following secrets must be configured in the GitHub Environment specified by the `environment` input: | Name | Description | Required | |------|-------------|----------| -| `server-host` | Deployment server hostname | Yes | -| `server-user` | Deployment server username | Yes | -| `server-path` | Deployment server path | Yes | -| `server-password` | Deployment server password (required for FTP) | No | -| `ssh-private-key` | SSH private key (required for rsync) | No | -| `slack-channel-id` | Slack notification channel ID | No | -| `slack-bot-oauth-token` | Slack Bot OAuth token | No | -| `slack-webhook-url` | Slack Incoming Webhook URL | No | -| `slack-mention-user` | Slack user to mention on failure | No | +| `SERVER_HOST` | Deployment server hostname | Yes | +| `SERVER_USER` | Deployment server username | Yes | +| `SERVER_PATH` | Deployment server path | Yes | +| `SERVER_PASSWORD` | Deployment server password (required for FTP) | Conditional | +| `SSH_PRIVATE_KEY` | SSH private key (required for rsync) | Conditional | +| `SLACK_CHANNEL_ID` | Slack notification channel ID | No | +| `SLACK_BOT_OAUTH_TOKEN` | Slack Bot OAuth token | No | +| `SLACK_WEBHOOK_URL` | Slack Incoming Webhook URL | No | +| `SLACK_MENTION_USER` | Slack user to mention on failure | No | ## Permissions @@ -137,11 +103,6 @@ jobs: deploy-type: 'ftp' artifact-name: 'build-output' output-dir: 'dist' - secrets: - server-host: ${{ secrets.SERVER_HOST }} - server-user: ${{ secrets.SERVER_USER }} - server-path: ${{ secrets.SERVER_PATH }} - server-password: ${{ secrets.SERVER_PASSWORD }} ``` ### Deploy via rsync (with Slack notifications) 
@@ -159,15 +120,6 @@ jobs: output-dir: 'dist' base-path-prefix: '/my-project' home-url: 'https://example.com' - secrets: - server-host: ${{ secrets.SERVER_HOST }} - server-user: ${{ secrets.SERVER_USER }} - server-path: ${{ secrets.SERVER_PATH }} - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} - slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }} - slack-bot-oauth-token: ${{ secrets.SLACK_BOT_OAUTH_TOKEN }} - slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} - slack-mention-user: ${{ secrets.SLACK_MENTION_USER }} ``` ### Verify with dry-run @@ -184,11 +136,6 @@ jobs: artifact-name: 'build-output' output-dir: 'dist' dry-run: 'true' - secrets: - server-host: ${{ secrets.SERVER_HOST }} - server-user: ${{ secrets.SERVER_USER }} - server-path: ${{ secrets.SERVER_PATH }} - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} ``` ## Behavior @@ -196,7 +143,7 @@ jobs: This workflow consists of a `deploy` job and executes in the following order: 1. Compute the deployment path using the `compute-web-hosting-deploy-path` Composite Action -2. Check Slack configuration (`slack-channel-id` + `slack-bot-oauth-token` enables success notifications, `slack-webhook-url` enables failure notifications) +2. Check Slack configuration (`SLACK_CHANNEL_ID` + `SLACK_BOT_OAUTH_TOKEN` enables success notifications, `SLACK_WEBHOOK_URL` enables failure notifications) 3. Download build artifacts with `actions/download-artifact@v4.3.0` 4. Execute deployment based on the `deploy-type` value - `'ftp'`: Uses the `deploy-web-hosting-ftp` Composite Action 
@@ -209,5 +156,5 @@ This workflow consists of a `deploy` job and executes in the following order: - A GitHub Environment matching the `environment` input must exist in the caller's repository, with the required secrets configured at the environment level - Build artifacts must have been uploaded via `actions/upload-artifact` in the calling workflow -- For `deploy-type` `'ftp'`: `server-password` is required -- For `deploy-type` `'rsync'`: `ssh-private-key` is required +- For `deploy-type` `'ftp'`: `SERVER_PASSWORD` is required +- For `deploy-type` `'rsync'`: `SSH_PRIVATE_KEY` is required diff --git a/.github/workflows/docs/tagpr-release.ja.md b/.github/workflows/docs/tagpr-release.ja.md index a5d01db..d4cb7e5 100644 --- a/.github/workflows/docs/tagpr-release.ja.md +++ b/.github/workflows/docs/tagpr-release.ja.md @@ -19,10 +19,6 @@ jobs: # environment - シークレットアクセス用の GitHub Environment 名 # Required environment: 'release' - secrets: - # app-token - tagpr 用の Personal Access Token('repo' と 'workflow' スコープが必要) - # Required - app-token: ${{ secrets.APP_TOKEN }} ``` ## Inputs @@ -31,11 +27,13 @@ jobs: |------|-------------|----------|---------| | `environment` | シークレットアクセス用の GitHub Environment 名 | Yes | - | -## Secrets +## Environment Secrets + +`environment` input で指定した GitHub Environment に以下のシークレットを設定する必要があります: | Name | Description | Required | |------|-------------|----------| -| `app-token` | tagpr 用の Personal Access Token(`repo` と `workflow` スコープが必要) | Yes | +| `APP_TOKEN` | tagpr 用の Personal Access Token(`repo` と `workflow` スコープが必要) | Yes | ## Outputs @@ -63,8 +61,6 @@ jobs: uses: kryota-dev/actions/.github/workflows/tagpr-release.yml@v0 with: environment: 'release' - secrets: - app-token: ${{ secrets.APP_TOKEN }} ``` ### リリース後に後続ジョブを実行する @@ -78,8 +74,6 @@ jobs: uses: kryota-dev/actions/.github/workflows/tagpr-release.yml@v0 with: environment: 'release' - secrets: - app-token: ${{ secrets.APP_TOKEN }} post-release: needs: release 
@@ -97,20 +91,20 @@ jobs: ### tagpr ジョブ -1. `actions/checkout@v6` でリポジトリをチェックアウト(token: `app-token`、`persist-credentials: false`) -2. `Songmu/tagpr@v1.17.1` を実行してリリース PR の作成・マージ・タグ付けを行う(`GITHUB_TOKEN: app-token`) +1. `actions/checkout@v6` でリポジトリをチェックアウト(token: `APP_TOKEN`、`persist-credentials: false`) +2. `Songmu/tagpr@v1.17.1` を実行してリリース PR の作成・マージ・タグ付けを行う(`GITHUB_TOKEN: APP_TOKEN`) 3. リリースされた場合はバージョンタグを `tag` output として出力(リリースがなければ空) ### bump_major_tag ジョブ `tagpr` ジョブの完了後、タグが作成された場合(`tag != ''`)のみ実行されます。 -1. `actions/checkout@v6` でリポジトリをチェックアウト(token: `app-token`、`persist-credentials: false`) +1. `actions/checkout@v6` でリポジトリをチェックアウト(token: `APP_TOKEN`、`persist-credentials: false`) 2. タグからメジャーバージョンを抽出(例: `v1.2.3` → `v1`) 3. `git tag -f` でメジャータグを更新し、`git push --force` でリモートに反映 ## Prerequisites -- 呼び出し元リポジトリに `environment` input に対応する GitHub Environment が存在し、`app-token` シークレットが Environment レベルで設定されていること +- 呼び出し元リポジトリに `environment` input に対応する GitHub Environment が存在し、`APP_TOKEN` シークレットが Environment レベルで設定されていること - GitHub App Token または Personal Access Token(`repo` + `workflow` スコープ)が必要 - `.tagpr` 設定ファイルがリポジトリに存在すること diff --git a/.github/workflows/docs/tagpr-release.md b/.github/workflows/docs/tagpr-release.md index f441883..2719e66 100644 --- a/.github/workflows/docs/tagpr-release.md +++ b/.github/workflows/docs/tagpr-release.md @@ -19,10 +19,6 @@ jobs: # environment - GitHub Environment name for secret access # Required environment: 'release' - secrets: - # app-token - Personal Access Token for tagpr (requires 'repo' and 'workflow' scopes) - # Required - app-token: ${{ secrets.APP_TOKEN }} ``` ## Inputs 
@@ -31,11 +27,13 @@ jobs: |------|-------------|----------|---------| | `environment` | GitHub Environment name for secret access | Yes | - | -## Secrets +## Environment Secrets + +The following secrets must be configured in the GitHub Environment specified by the `environment` input: | Name | Description | Required | |------|-------------|----------| -| `app-token` | Personal Access Token for tagpr (requires `repo` and `workflow` scopes) | Yes | +| `APP_TOKEN` | Personal Access Token for tagpr (requires `repo` and `workflow` scopes) | Yes | ## Outputs @@ -63,8 +61,6 @@ jobs: uses: kryota-dev/actions/.github/workflows/tagpr-release.yml@v0 with: environment: 'release' - secrets: - app-token: ${{ secrets.APP_TOKEN }} ``` ### Running follow-up jobs after release @@ -78,8 +74,6 @@ jobs: uses: kryota-dev/actions/.github/workflows/tagpr-release.yml@v0 with: environment: 'release' - secrets: - app-token: ${{ secrets.APP_TOKEN }} post-release: needs: release 
@@ -97,20 +91,20 @@ This workflow consists of two jobs: `tagpr` and `bump_major_tag`. ### tagpr Job -1. Check out the repository with `actions/checkout@v6` (token: `app-token`, `persist-credentials: false`) -2. Run `Songmu/tagpr@v1.17.1` to create/merge release PRs and tag releases (`GITHUB_TOKEN: app-token`) +1. Check out the repository with `actions/checkout@v6` (token: `APP_TOKEN`, `persist-credentials: false`) +2. Run `Songmu/tagpr@v1.17.1` to create/merge release PRs and tag releases (`GITHUB_TOKEN: APP_TOKEN`) 3. If a release is made, output the version tag as the `tag` output (empty if no release) ### bump_major_tag Job Runs only after the `tagpr` job completes and a tag was created (`tag != ''`). -1. Check out the repository with `actions/checkout@v6` (token: `app-token`, `persist-credentials: false`) +1. Check out the repository with `actions/checkout@v6` (token: `APP_TOKEN`, `persist-credentials: false`) 2. Extract the major version from the tag (e.g., `v1.2.3` → `v1`) 3. Update the major tag with `git tag -f` and push to remote with `git push --force` ## Prerequisites -- A GitHub Environment matching the `environment` input must exist in the caller's repository, with the `app-token` secret configured at the environment level +- A GitHub Environment matching the `environment` input must exist in the caller's repository, with `APP_TOKEN` configured as an environment secret - GitHub App Token or Personal Access Token (requires `repo` + `workflow` scopes) - `.tagpr` configuration file must exist in the repository diff --git a/.github/workflows/docs/undeploy-web-hosting.ja.md b/.github/workflows/docs/undeploy-web-hosting.ja.md index 9d454d7..f942b36 100644 --- a/.github/workflows/docs/undeploy-web-hosting.ja.md +++ b/.github/workflows/docs/undeploy-web-hosting.ja.md 
@@ -39,26 +39,6 @@ jobs: # dry-run - ドライランモード # Optional (default: 'false') dry-run: 'false' - secrets: - # server-host - デプロイ先サーバーのホスト名 - # Required - server-host: ${{ secrets.SERVER_HOST }} - - # server-user - デプロイ先サーバーのユーザー名 - # Required - server-user: ${{ secrets.SERVER_USER }} - - # server-path - デプロイ先サーバーのパス - # Required - server-path: ${{ secrets.SERVER_PATH }} - - # server-password - デプロイ先サーバーのパスワード(FTP 使用時に必要) - # Optional - server-password: ${{ secrets.SERVER_PASSWORD }} - - # ssh-private-key - SSH 秘密鍵(rsync 使用時に必要) - # Optional - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} ``` ## Inputs @@ -72,15 +52,17 @@ jobs: | `ref-name` | ブランチ名の上書き(空の場合は github context から自動取得) | No | `''` | | `dry-run` | ドライランモード | No | `'false'` | -## Secrets +## Environment Secrets + +`environment` input で指定した GitHub Environment に以下のシークレットを設定する必要があります: | Name | Description | Required | |------|-------------|----------| -| `server-host` | デプロイ先サーバーのホスト名 | Yes | -| `server-user` | デプロイ先サーバーのユーザー名 | Yes | -| `server-path` | デプロイ先サーバーのパス | Yes | -| `server-password` | デプロイ先サーバーのパスワード(FTP 使用時に必要) | No | -| `ssh-private-key` | SSH 秘密鍵(rsync 使用時に必要) | No | +| `SERVER_HOST` | デプロイ先サーバーのホスト名 | Yes | +| `SERVER_USER` | デプロイ先サーバーのユーザー名 | Yes | +| `SERVER_PATH` | デプロイ先サーバーのパス | Yes | +| `SERVER_PASSWORD` | デプロイ先サーバーのパスワード(FTP 使用時に必要) | Conditional | +| `SSH_PRIVATE_KEY` | SSH 秘密鍵(rsync 使用時に必要) | Conditional | ## Permissions @@ -103,11 +85,6 @@ jobs: with: environment: 'production' deploy-type: 'ftp' - secrets: - server-host: ${{ secrets.SERVER_HOST }} - server-user: ${{ secrets.SERVER_USER }} - server-path: ${{ secrets.SERVER_PATH }} - server-password: ${{ secrets.SERVER_PASSWORD }} ``` ### rsync でフィーチャー環境を削除する(パスプレフィックス付き) 
@@ -123,11 +100,6 @@ jobs: environment: 'production' deploy-type: 'rsync' base-path-prefix: '/my-project' - secrets: - server-host: ${{ secrets.SERVER_HOST }} - server-user: ${{ secrets.SERVER_USER }} - server-path: ${{ secrets.SERVER_PATH }} - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} ``` ### ドライランで確認する @@ -143,11 +115,6 @@ jobs: environment: 'staging' deploy-type: 'rsync' dry-run: 'true' - secrets: - server-host: ${{ secrets.SERVER_HOST }} - server-user: ${{ secrets.SERVER_USER }} - server-path: ${{ secrets.SERVER_PATH }} - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} ``` ## Behavior @@ -164,5 +131,5 @@ jobs: ## Prerequisites - 呼び出し元リポジトリに `environment` input に対応する GitHub Environment が存在し、必要なシークレットが Environment レベルで設定されていること -- `deploy-type` が `'ftp'` の場合: `server-password` が必要 -- `deploy-type` が `'rsync'` の場合: `ssh-private-key` が必要 +- `deploy-type` が `'ftp'` の場合: `SERVER_PASSWORD` が必要 +- `deploy-type` が `'rsync'` の場合: `SSH_PRIVATE_KEY` が必要 diff --git a/.github/workflows/docs/undeploy-web-hosting.md b/.github/workflows/docs/undeploy-web-hosting.md index e7298eb..31b9607 100644 --- a/.github/workflows/docs/undeploy-web-hosting.md +++ b/.github/workflows/docs/undeploy-web-hosting.md @@ -39,26 +39,6 @@ jobs: # dry-run - Dry-run mode # Optional (default: 'false') dry-run: 'false' - secrets: - # server-host - Deployment server hostname - # Required - server-host: ${{ secrets.SERVER_HOST }} - - # server-user - Deployment server username - # Required - server-user: ${{ secrets.SERVER_USER }} - - # server-path - Deployment server path - # Required - server-path: ${{ secrets.SERVER_PATH }} - - # server-password - Deployment server password (required for FTP) - # Optional - server-password: ${{ secrets.SERVER_PASSWORD }} - - # ssh-private-key - SSH private key (required for rsync) - # Optional - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} ``` ## Inputs 
@@ -72,15 +52,17 @@ jobs: | `ref-name` | Branch name override (auto-detected from github context if empty) | No | `''` | | `dry-run` | Dry-run mode | No | `'false'` | -## Secrets +## Environment Secrets + +The following secrets must be configured in the GitHub Environment specified by the `environment` input: | Name | Description | Required | |------|-------------|----------| -| `server-host` | Deployment server hostname | Yes | -| `server-user` | Deployment server username | Yes | -| `server-path` | Deployment server path | Yes | -| `server-password` | Deployment server password (required for FTP) | No | -| `ssh-private-key` | SSH private key (required for rsync) | No | +| `SERVER_HOST` | Deployment server hostname | Yes | +| `SERVER_USER` | Deployment server username | Yes | +| `SERVER_PATH` | Deployment server path | Yes | +| `SERVER_PASSWORD` | Deployment server password (required for FTP) | Conditional | +| `SSH_PRIVATE_KEY` | SSH private key (required for rsync) | Conditional | ## Permissions @@ -103,11 +85,6 @@ jobs: with: environment: 'production' deploy-type: 'ftp' - secrets: - server-host: ${{ secrets.SERVER_HOST }} - server-user: ${{ secrets.SERVER_USER }} - server-path: ${{ secrets.SERVER_PATH }} - server-password: ${{ secrets.SERVER_PASSWORD }} ``` ### Remove feature environment via rsync (with path prefix) @@ -123,11 +100,6 @@ jobs: environment: 'production' deploy-type: 'rsync' base-path-prefix: '/my-project' - secrets: - server-host: ${{ secrets.SERVER_HOST }} - server-user: ${{ secrets.SERVER_USER }} - server-path: ${{ secrets.SERVER_PATH }} - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} ``` ### Verify with dry-run @@ -143,11 +115,6 @@ jobs: environment: 'staging' deploy-type: 'rsync' dry-run: 'true' - secrets: - server-host: ${{ secrets.SERVER_HOST }} - server-user: ${{ secrets.SERVER_USER }} - server-path: ${{ secrets.SERVER_PATH }} - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} ``` ## Behavior 
@@ -164,5 +131,5 @@ This workflow consists of a `delete` job and executes in the following order: ## Prerequisites - A GitHub Environment matching the `environment` input must exist in the caller's repository, with the required secrets configured at the environment level -- For `deploy-type` `'ftp'`: `server-password` is required -- For `deploy-type` `'rsync'`: `ssh-private-key` is required +- For `deploy-type` `'ftp'`: `SERVER_PASSWORD` is required +- For `deploy-type` `'rsync'`: `SSH_PRIVATE_KEY` is required diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e0157c..cac54ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## [Unreleased] ### Breaking Changes - Add required `environment` input to `deploy-web-hosting.yml`, `tagpr-release.yml`, and `undeploy-web-hosting.yml` to enforce GitHub Environment-scoped secret access (zizmor `secrets-outside-env` audit). Existing callers must create a GitHub Environment and pass the `environment` input. +- Remove `workflow_call.secrets` from all Reusable Workflows. Secrets are now read directly from the GitHub Environment via `environment:` on each job. Callers no longer pass `secrets:` blocks; instead, configure secrets at the environment level (UPPER_SNAKE_CASE naming: `APP_TOKEN`, `SERVER_HOST`, etc.). ## [v0.1.0](https://github.com/kryota-dev/actions/compare/v0.0.9...v0.1.0) - 2026-03-06 ### Other Changes