package workflow: read AWS config from secrets, not variables

On a public repo, Actions variables are not masked in workflow logs.
The AWS role ARN and artifact bucket name embed the AWS account ID —
not catastrophic, but norm-preserving to keep them out of public logs.

Switch all four values (region, role, project, bucket) from
`${{ vars.* }}` to `${{ secrets.* }}`. When secrets are passed via
`with:` to a reusable workflow, GitHub's masking still applies because
the value is added to the run's mask list as soon as the secret
reference is resolved.

Follow-up to #33 — should have landed as secrets from the start.
andrew 2026-04-18 21:43:12 +03:00
parent aa260cc2b9
commit 8086a0099c


@ -5,8 +5,10 @@ name: Package
# main pushes today.
#
# Prerequisites:
# - Repo vars AWS_REGION, AWS_ROLE_TO_ASSUME, AWS_CODEBUILD_PACKAGE_PROJECT,
# AWS_ARTIFACT_BUCKET are set.
# - Repo secrets AWS_REGION, AWS_ROLE_TO_ASSUME, AWS_CODEBUILD_PACKAGE_PROJECT,
# AWS_ARTIFACT_BUCKET are set. Stored as secrets (not variables) so the
# AWS account ID embedded in the role ARN and bucket name stays masked in
# public workflow logs.
# - The shared workflow at ModernRelay/.github supports the `features` and
# `image_tag_suffix` inputs (ModernRelay/.github PR #2 or later).
#
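Review bot: the rewritten prerequisites comment (the `Repo secrets ... are set` lines) presents masking as the reason all four values are secrets, but only the role ARN and bucket name embed the account ID; `AWS_REGION` and the CodeBuild project name carry nothing sensitive, and registering a region string as a secret makes the runner redact that string everywhere it appears in the logs, which hurts debugging. Suggest the comment name which values are actually sensitive and state that masking is log hygiene only, so a later reader does not mistake it for the access control (which remains the IAM role's trust policy).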
@ -34,10 +36,10 @@ jobs:
with:
repository: ${{ github.repository }}
source_ref: ${{ inputs.source_ref != '' && inputs.source_ref || github.sha }}
aws_region: ${{ vars.AWS_REGION }}
aws_role_to_assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
aws_codebuild_package_project: ${{ vars.AWS_CODEBUILD_PACKAGE_PROJECT }}
aws_artifact_bucket: ${{ vars.AWS_ARTIFACT_BUCKET }}
aws_region: ${{ secrets.AWS_REGION }}
aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
aws_codebuild_package_project: ${{ secrets.AWS_CODEBUILD_PACKAGE_PROJECT }}
aws_artifact_bucket: ${{ secrets.AWS_ARTIFACT_BUCKET }}
package_aws:
name: Package aws-feature build
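Review bot: the four `secrets.*` references are still handed to the reusable workflow through `with:`, so on the called side they arrive as ordinary `inputs` and nothing marks them as sensitive to whoever maintains ModernRelay/.github. GitHub's reusable-workflow interface has a dedicated `secrets:` key on the caller's job (declared under `on.workflow_call.secrets` in the called workflow) for exactly this; moving the four values there, e.g. `secrets:` / `aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}`, would make the masking expectation explicit rather than relying on the caller-side mask-list behaviour the commit message describes.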
@ -49,9 +51,9 @@ jobs:
with:
repository: ${{ github.repository }}
source_ref: ${{ inputs.source_ref != '' && inputs.source_ref || github.sha }}
aws_region: ${{ vars.AWS_REGION }}
aws_role_to_assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
aws_codebuild_package_project: ${{ vars.AWS_CODEBUILD_PACKAGE_PROJECT }}
aws_artifact_bucket: ${{ vars.AWS_ARTIFACT_BUCKET }}
aws_region: ${{ secrets.AWS_REGION }}
aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
aws_codebuild_package_project: ${{ secrets.AWS_CODEBUILD_PACKAGE_PROJECT }}
aws_artifact_bucket: ${{ secrets.AWS_ARTIFACT_BUCKET }}
features: aws
image_tag_suffix: "-aws"
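Review bot: this block repeats the same four `secrets.*` lines from the job above verbatim, and a future rename or removal of one secret will only be noticed if both copies are updated; an expression referencing an undefined secret resolves to an empty string rather than failing, so a stale copy would silently call the reusable workflow with empty `aws_role_to_assume` or `aws_artifact_bucket`. Suggest either noting the coupling in the prerequisites comment or having the called workflow reject empty values for these inputs so drift fails loudly.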