fix(deploy-to-aws-uv): simplify legacy-api-key plumbing — read inherited secrets

chrisbc · chrisbc · commit a6199072debb · 2026-06-10T14:37:50.000+12:00
After review feedback (would have required all callers to switch from
`secrets: inherit` to an explicit secret block — a big breaking change),
revise the design so that the shared workflow reads inherited secrets
directly. Caller workflows keep `secrets: inherit` and need no changes.

The smoketest step's `legacy-api-key` input now picks up the first
non-empty value from a fallback chain of standard GNS-Science API-key
secrets:

    LEGACY_API_KEY
    NZSHM22_TOSHI_API_KEY
    NZSHM22_KORORAA_API_KEY
    NZSHM22_NSHM_MODEL_API_KEY
    NZSHM22_SOLVIS_API_KEY
    NZSHM22_HAZARD_API_KEY

Each consumer's serverless.yml wires its own named secret into the
Lambda authorizer's LEGACY_API_KEY env var; the same value flows
through to the smoketest with no extra plumbing.

The `secrets:` block on the workflow_call is dropped — no new caller-
facing API surface.
diff --git a/.github/workflows/deploy-to-aws-uv.yml b/.github/workflows/deploy-to-aws-uv.yml
@@ -94,16 +94,6 @@ on:
         type: string
         default: "data.*about.*Hello"
 
-    secrets:
-      smoketest-legacy-api-key:
-        description: |
-          Optional fallback API key used by the Smoke Test step when serverless
-          deploy output doesn't include a `TempApiKey-…` line (e.g. stacks that
-          have moved past `apiGateway.apiKeys` to a Lambda authorizer with
-          x-api-key compatibility). Passed to `apiSmokeTest`'s `legacy-api-key`
-          input and auto-masked.
-        required: false
-
 jobs:
 
   deploy:
@@ -191,4 +181,16 @@ jobs:
             expected-regex: ${{ inputs.smoketest-expected }}
             working-directory: ${{ inputs.working-directory}}
             url: ${{ (github.ref == 'refs/heads/main') && inputs.smoketest-url-prod || inputs.smoketest-url-test }}
-            legacy-api-key: ${{ secrets.smoketest-legacy-api-key }}
+            # Fallback x-api-key for stacks that have moved past `apiGateway.apiKeys`
+            # to a Lambda authorizer (so no TempApiKey-* line in deploy.out).
+            # Picks up any of the standard GNS-Science API-key secrets inherited via
+            # `secrets: inherit`. Each consumer's serverless.yml wires its own
+            # named secret into the Lambda authorizer's LEGACY_API_KEY env var.
+            legacy-api-key: >-
+              ${{ secrets.LEGACY_API_KEY
+                  || secrets.NZSHM22_TOSHI_API_KEY
+                  || secrets.NZSHM22_KORORAA_API_KEY
+                  || secrets.NZSHM22_NSHM_MODEL_API_KEY
+                  || secrets.NZSHM22_SOLVIS_API_KEY
+                  || secrets.NZSHM22_HAZARD_API_KEY
+                  || '' }}
