[MOSIP-44447] Secure Docker tokens using dynamic GitHub secrets instead of user input

.github/workflows/image-transfer.yml

@@ -8,8 +8,20 @@ on:
         required: true
         default: ''
         type: string
-      TOKEN:
-        description: 'provide docker hub token'
+      SECRET_NAME:
+        description: 'Select the GitHub secret name for Docker registry token'
+        required: true
+        default: 'MOSIPDEV2_DOCKER_TOKEN'
+        type: choice
+        options:
+          - MOSIPDEV2_DOCKER_TOKEN
+          - MOSIPQA_DOCKER_TOKEN
+          - MOSIPID_DOCKER_TOKEN
+          - MOSIPINT_DOCKER_TOKEN
+          - INJISTACK_DOCKER_TOKEN
+          - custom
+      CUSTOM_SECRET_NAME:
+        description: 'If SECRET_NAME is "custom", enter the GitHub secret name here'
         required: false
         default: ''
         type: string
@@ -43,27 +55,61 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       TOKEN: ${{ steps.ORG_TOKEN.outputs.TOKEN }}
-      USERNAME: ${{ steps.ORG_TOKEN.outputs.USERNAME }}
     steps:
-      - name: Check if input TOKEN is empty
-        if: ${{  inputs.TOKEN == ''  }}
+      - name: Resolve secret name
         id: ORG_TOKEN
+        env:
+          SELECTED_SECRET: ${{ inputs.SECRET_NAME }}
+          CUSTOM_SECRET: ${{ inputs.CUSTOM_SECRET_NAME }}
         run: |
-          if [[ ${{ inputs.DESTINATION_ORGANIZATION }} == mosipqa ]]; then
-            echo "TOKEN=QA_NAMESPACE_DOCKER_HUB" >> $GITHUB_OUTPUT
-            echo "USERNAME=DOCKER_USERNAME" >> $GITHUB_OUTPUT
+          if [ "$SELECTED_SECRET" = "custom" ]; then
+            # User selected custom — CUSTOM_SECRET_NAME is required
+            if [ -z "$CUSTOM_SECRET" ]; then
+              printf '❌ ERROR: CUSTOM_SECRET_NAME is required when SECRET_NAME is set to "custom"\n' >&2
+              printf 'Please provide the GitHub secret name in the CUSTOM_SECRET_NAME field\n' >&2
+              exit 1
+            fi
+
+            # Validate custom secret name format (GitHub only allows [A-Z0-9_], must start with [A-Z_])
+            if ! printf '%s' "$CUSTOM_SECRET" | grep -qE '^[A-Za-z_][A-Za-z0-9_]*$'; then
+              printf '❌ ERROR: Invalid secret name: "%s"\n' "$CUSTOM_SECRET" >&2
+              printf 'GitHub secret names must:\n' >&2
+              printf '  - Start with a letter or underscore\n' >&2
+              printf '  - Contain only letters, numbers, and underscores\n' >&2
+              printf '  - No spaces, hyphens, or special characters\n' >&2
+              printf 'Example: MY_ORG_DOCKER_TOKEN\n' >&2
+              exit 1
+            fi
+
+            TOKEN_SECRET="$CUSTOM_SECRET"
+            printf 'Using custom secret name: %s\n' "$TOKEN_SECRET"
+          else
+            TOKEN_SECRET="$SELECTED_SECRET"
+            printf 'Using predefined secret name: %s\n' "$TOKEN_SECRET"
           fi
-          if [[ ${{ inputs.DESTINATION_ORGANIZATION }} == mosipint ]]; then
-            echo "TOKEN=INT_NAMESPACE_DOCKER_HUB" >> $GITHUB_OUTPUT
-            echo "USERNAME=DOCKER_USERNAME" >> $GITHUB_OUTPUT
-          fi
-      - name: Print Secret Name
+
+          printf 'TOKEN=%s\n' "$TOKEN_SECRET" >> "$GITHUB_OUTPUT"
+
+      - name: Validate secret configuration
+        env:
+          TOKEN_EXISTS: ${{ secrets[steps.ORG_TOKEN.outputs.TOKEN] != '' }}
+          SECRET_NAME: ${{ steps.ORG_TOKEN.outputs.TOKEN }}
+          DESTINATION_ORGANIZATION: ${{ inputs.DESTINATION_ORGANIZATION }}
         run: |
-          echo "ORGANIZATION NAME :  ${{ inputs.DESTINATION_ORGANIZATION }} "
-          echo "SECRET NAME : ${{ steps.ORG_TOKEN.outputs.TOKEN }}"
-          echo "USERNAME : ${{ steps.ORG_TOKEN.outputs.USERNAME }}"
-          echo "REGISTRY URL : ${{ inputs.REGISTRY_URL }}"
-
+          if [ "$TOKEN_EXISTS" != "true" ]; then
+            printf '❌ ERROR: Secret '\''%s'\'' is not configured or is empty\n' "$SECRET_NAME"
+            printf '\n'
+            printf 'Please configure the following secret in GitHub repository settings:\n'
+            printf '  Secret name: %s\n' "$SECRET_NAME"
+            printf '  Path: Settings → Secrets and variables → Actions → New repository secret\n'
+            printf '\n'
+            printf 'For organization '\''%s'\'', you need:\n' "$DESTINATION_ORGANIZATION"
+            printf '  - Secret: %s\n' "$SECRET_NAME"
+            printf '  - Value: Your Docker registry token/password\n'
+            exit 1
+          fi
+
+          printf '✅ Secret '\''%s'\'' is configured\n' "$SECRET_NAME"
   Image-transfer:
     needs: chk_token
     uses: mosip/kattu/.github/workflows/image-transfer.yml@master
@@ -74,6 +120,6 @@ jobs:
       ENABLE_WIREGUARD: ${{ inputs.ENABLE_WIREGUARD }}
       USERNAME: ${{ inputs.USERNAME }}
     secrets:
-      TOKEN: "${{ secrets[needs.chk_token.outputs.TOKEN] || inputs.TOKEN }}"
+      TOKEN: "${{ secrets[needs.chk_token.outputs.TOKEN] }}"
       SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_DEVOPS }}
       WIREGUARD_CONFIG: ${{ secrets.WIREGUARD_CONFIG }}

release/vidivi/README.md

@@ -192,19 +192,68 @@ Execute the [Manual workflow to transfer images](https://github.com/mosip/releas
 | Input | Description | Required | Default | Example |
 |-------|-------------|----------|---------|---------|
 | `USERNAME` | Registry username | Yes | - | `robot$mosipdev+release-bot` (Harbor)<br>`myusername` (Docker Hub) |
-| `TOKEN` | Registry token/password | Yes (secret) | - | Robot account token or personal access token |
-| `DESTINATION_ORGANIZATION` | Destination org/project | Yes | - | `mosipid`, `library`, `myproject` |
+| `SECRET_NAME` | Select the GitHub secret name for Docker registry token (dropdown) | Yes | `MOSIPDEV2_DOCKER_TOKEN` | `MOSIPID_DOCKER_TOKEN`, `custom` |
+| `CUSTOM_SECRET_NAME` | Custom secret name (only required if `SECRET_NAME` is set to `custom`) | No | - | `MY_ORG_DOCKER_TOKEN` |
+| `DESTINATION_ORGANIZATION` | Destination org/project | Yes | - | `mosipid`, `mosipqa`, `myproject` |
 | `REGISTRY_URL` | Destination registry URL | Yes | `https://index.docker.io/v1/` | `https://harbor.example.com` |
 | `REGISTRY_TYPE` | Registry type | Yes | `dockerhub` | `dockerhub`, `harbor`, `other` |
 | `ENABLE_WIREGUARD` | Enable VPN for private networks | No | `false` | `true` or `false` |
 
+**`SECRET_NAME` Options:**
+
+| Option | Description |
+|---|---|
+| `MOSIPDEV2_DOCKER_TOKEN` | Token for `mosipdev2` organization |
+| `MOSIPQA_DOCKER_TOKEN` | Token for `mosipqa` organization |
+| `MOSIPID_DOCKER_TOKEN` | Token for `mosipid` organization |
+| `MOSIPINT_DOCKER_TOKEN` | Token for `mosipint` organization |
+| `INJISTACK_DOCKER_TOKEN` | Token for `injistack` organization |
+| `custom` | Enter your own secret name in `CUSTOM_SECRET_NAME` field |
+
 ### Workflow Secrets
 
-Configure these in GitHub repository settings → Secrets:
+**Required Secrets:**
+1. **`<SECRET_NAME>`**: Registry authentication token — select from predefined options or provide a custom name
+   - Docker Hub: Personal Access Token or Account Password
+   - Harbor: Robot account token
+   - Other registries: Appropriate authentication token
+
+2. **`SLACK_WEBHOOK_DEVOPS`**: Slack notification webhook (shared across all workflows)
+
+3. **`WIREGUARD_CONFIG`**: (Optional) WireGuard VPN configuration for private registries
+
+**Custom SECRET_NAME Validation:**
+
+When `SECRET_NAME` is set to `custom`, the `CUSTOM_SECRET_NAME` field is **required** and validated:
+- Must start with a letter or underscore
+- Can only contain letters, numbers, and underscores (`[A-Za-z0-9_]`)
+- No spaces, hyphens, or special characters
+
+| `CUSTOM_SECRET_NAME` | Valid? |
+|---|---|
+| `MY_ORG_DOCKER_TOKEN` | ✅ |
+| `_PRIVATE_TOKEN` | ✅ |
+| `my-org-token` | ❌ Hyphens not allowed |
+| `MY SECRET` | ❌ Spaces not allowed |
+| *(empty)* | ❌ Required when `custom` is selected |
 
-- `TOKEN`: Registry authentication token
-- `SLACK_WEBHOOK_URL`: Slack notification webhook
-- `WIREGUARD_CONFIG`: (Optional) WireGuard VPN configuration for private registries
+**How to Add Secrets:**
+1. Go to GitHub repository → Settings → Secrets and variables → Actions
+2. Click "New repository secret"
+3. Create the secret with the exact name you will provide as `SECRET_NAME` input
+4. Set the value to your Docker registry token/password
+
+**Protected Organizations:**
+
+Certain destination organizations (e.g., `mosipid`) are protected in the `mosip/kattu` reusable workflow. Transfers to protected organizations require **admin** access on the calling repository. This prevents accidental overwrites of production images by non-admin users.
+
+> **Note:** This protection is enforced in the `mosip/kattu` reusable workflow, so it cannot be bypassed by modifying the caller workflow.
+
+**Security Benefits:**
+- Tokens are never exposed in workflow logs
+- Each organization has isolated credentials
+- No hardcoded credentials in workflow files
+- Protected organizations require admin access for transfers
 
 ### Running the Workflow
 
@@ -214,12 +263,20 @@ Configure these in GitHub repository settings → Secrets:
 4. Fill in the required inputs:
    ```
    USERNAME: robot$mosipdev+release-bot
+   SECRET_NAME: MOSIPID_DOCKER_TOKEN    (select from dropdown)
+   CUSTOM_SECRET_NAME:                  (leave empty unless SECRET_NAME is "custom")
    DESTINATION_ORGANIZATION: mosipid
    REGISTRY_URL: https://harbor.mosip.net
    REGISTRY_TYPE: harbor
    ENABLE_WIREGUARD: true (if registry is on private network)
    ```
-5. Click "Run workflow"
+5. If using `custom` for `SECRET_NAME`, enter the secret name in `CUSTOM_SECRET_NAME`:
+   ```
+   SECRET_NAME: custom
+   CUSTOM_SECRET_NAME: MY_ORG_DOCKER_TOKEN
+   ```
+6. Ensure the selected/custom secret is configured under **Settings → Secrets and variables → Actions**
+7. Click "Run workflow"
 
 ### Workflow Features