From 8086a0099c62bc6fbf7440203ebeb5555c802355 Mon Sep 17 00:00:00 2001
From: andrew
Date: Sat, 18 Apr 2026 21:43:12 +0300
Subject: [PATCH] package workflow: read AWS config from secrets, not variables
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On a public repo, Actions variables are not masked in workflow logs. The AWS role ARN and artifact bucket name embed the AWS account ID — not catastrophic, but norm-preserving to keep them out of public logs. Switch all four values (region, role, project, bucket) from `${{ vars.* }}` to `${{ secrets.* }}`. When secrets are passed via `with:` to a reusable workflow, GitHub's masking still applies because the value is added to the run's mask list as soon as the secret reference is resolved. Followup to #33 — should have landed as secrets from the start.
---
 .github/workflows/package.yml | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 7324e23..b75c13d 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -5,8 +5,10 @@ name: Package
 # main pushes today.
 #
 # Prerequisites:
-# - Repo vars AWS_REGION, AWS_ROLE_TO_ASSUME, AWS_CODEBUILD_PACKAGE_PROJECT,
-# AWS_ARTIFACT_BUCKET are set.
+# - Repo secrets AWS_REGION, AWS_ROLE_TO_ASSUME, AWS_CODEBUILD_PACKAGE_PROJECT,
+# AWS_ARTIFACT_BUCKET are set. Stored as secrets (not variables) so the
+# AWS account ID embedded in the role ARN and bucket name stays masked in
+# public workflow logs.
 # - The shared workflow at ModernRelay/.github supports the `features` and
 # `image_tag_suffix` inputs (ModernRelay/.github PR #2 or later).
 #
@@ -34,10 +36,10 @@ jobs:
 with:
 repository: ${{ github.repository }}
 source_ref: ${{ inputs.source_ref != '' && inputs.source_ref || github.sha }}
- aws_region: ${{ vars.AWS_REGION }}
- aws_role_to_assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
- aws_codebuild_package_project: ${{ vars.AWS_CODEBUILD_PACKAGE_PROJECT }}
- aws_artifact_bucket: ${{ vars.AWS_ARTIFACT_BUCKET }}
+ aws_region: ${{ secrets.AWS_REGION }}
+ aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+ aws_codebuild_package_project: ${{ secrets.AWS_CODEBUILD_PACKAGE_PROJECT }}
+ aws_artifact_bucket: ${{ secrets.AWS_ARTIFACT_BUCKET }}
 
 package_aws:
 name: Package aws-feature build
@@ -49,9 +51,9 @@ jobs:
 with:
 repository: ${{ github.repository }}
 source_ref: ${{ inputs.source_ref != '' && inputs.source_ref || github.sha }}
- aws_region: ${{ vars.AWS_REGION }}
- aws_role_to_assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
- aws_codebuild_package_project: ${{ vars.AWS_CODEBUILD_PACKAGE_PROJECT }}
- aws_artifact_bucket: ${{ vars.AWS_ARTIFACT_BUCKET }}
+ aws_region: ${{ secrets.AWS_REGION }}
+ aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+ aws_codebuild_package_project: ${{ secrets.AWS_CODEBUILD_PACKAGE_PROJECT }}
+ aws_artifact_bucket: ${{ secrets.AWS_ARTIFACT_BUCKET }}
 features: aws
 image_tag_suffix: "-aws"
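Review bot: The masking this change relies on is not something the workflow itself guarantees: the four `aws_*` lines in this hunk (and the identical four in the `package_aws` hunk that follows) now hand secret-backed values to the reusable workflow as plain `with:` inputs rather than through the `secrets:` key, so whether the called job masks them depends on GitHub propagating the caller's mask into the called run, which the description asserts but nothing here verifies. If ModernRelay/.github can be changed, declaring the role ARN and bucket name under `on.workflow_call.secrets` in the shared workflow and passing them here as `secrets:` entries is the documented mechanism and makes the masking independent of that behaviour; if it cannot, the comment block in the first hunk should say that masking of `with:` inputs is relied upon and should be re-checked in a run log. Separately, moving `AWS_REGION` and `AWS_CODEBUILD_PACKAGE_PROJECT` into secrets masks those strings wherever they appear in the run's logs, which turns every unrelated mention of the region or project name into `***` and makes build output harder to read; since neither embeds the account ID per the description, keeping those two as variables, or adding a comment explaining why they moved, would be cleaner.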