feat: allow reuse of workflows by other organizations

fredbi · fredbi · commit 4ae00ba4387e · 2025-12-11T19:15:13.000+01:00
Problem statement
=================
When using workflows such as:
  * contributors
  * bump-release
  * auto-merge

the retrieval of secrets for commit or tag PGP-signature and
token switch with a github app is currently specific to go-openapi.

Proposed solution
=================
The names of the secrets (not the secrets themselves) can be injected
via optional input parameters into these shared workflows.

Signed-off-by: Frederic BIDON &lt;fredbi@yahoo.com&gt;
diff --git a/.github/workflows/bump-release.yml b/.github/workflows/bump-release.yml
@@ -42,31 +42,42 @@ on:
           (use "|" to replace end of line).
         required: false
         type: string
-      env_gpg_private_key:
+      enable-tag-signing:
+        description: |
+          Enable PGP tag-signing by a bot user.
+
+          You must specify the GPG related inputs if they differ from the default names for secrets.
+        required: false
+        type: boolean
+        default: true
+      env-gpg-private-key:
         description: |
           PGP tag-signing by a bot user.
 
           This is the name of the secret to sign tags.
           It contains an armored GPG private key.
-          Tags are not signed if not provided.
+
+          This input does not contain the secret, but the name of the secret.
         required: false
         type: string
         default: CI_BOT_GPG_PRIVATE_KEY
-      env_passphrase:
+      env-passphrase:
         description: |
           PGP tag-signing by a bot user.
 
           This is the name of the secret that containts the passphrase to unlock the GPG key.
-          Tags are not signed if not provided.
+
+          This input does not contain the secret, but the name of the secret.
         required: false
         type: string
         default: CI_BOT_GPG_PASSPHRASE
-      env_fingerprint:
+      env-fingerprint:
         description: |
           PGP tag-signing by a bot user.
 
           This is the name of the secret that contains the fingerprint of the GPG key.
-          Tags are not signed if not provided.
+
+          This input does not contain the secret, but the name of the secret.
         required: false
         type: string
         default: CI_BOT_SIGNING_KEY
@@ -113,6 +124,7 @@ jobs:
           echo "::notice title=next-tag:${NEXT_TAG}"
       -
         name: Import GPG key
+        if: ${{ enable-tag-signing == 'true' }}
         uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
         # This is using the GPG signature of bot-go-openapi.
         #
@@ -121,9 +133,9 @@ jobs:
         # CI_BOT_SIGNING_KEY: the fingerprint of the subkey used (space removed)
         # NOTE(fredbi): extracted w/ gpg -K --homedir gnupg --keyid-format LONG --with-keygrip --fingerprint --with-subkey-fingerprint
         with:
-          gpg_private_key: ${{ secrets.CI_BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.CI_BOT_GPG_PASSPHRASE }}
-          fingerprint: ${{ secrets.CI_BOT_SIGNING_KEY }}
+          gpg_private_key: ${{ secrets[inputs.env-gpg-private-key] }}
+          passphrase: ${{ secrets[inputs.env-passphrase] }}
+          fingerprint: ${{ secrets[inputs.env-fingerprint] }}
           git_user_signingkey: true
           git_commit_gpgsign: true
           git_tag_gpgsign: true
@@ -143,8 +155,15 @@ jobs:
           fi
           echo "::notice title=tag-message:${MESSAGE}"
 
-          git tag -s -m "${MESSAGE}" "${NEXT_TAG}"
-          git tag -v "${NEXT_TAG}"
+          SIGNED=""
+          if [[ '${{ enable-tag-signing }}' == 'true' ]] ; then
+             SIGNED="-s"
+          fi
+
+          git tag "${SIGNED}" -m "${MESSAGE}" "${NEXT_TAG}"
+          if [[ -n "${SIGNED}" ]] ; then
+            git tag -v "${NEXT_TAG}"
+          fi
           git push origin "${NEXT_TAG}"
 
   gh-release:
diff --git a/.github/workflows/contributors.yml b/.github/workflows/contributors.yml
@@ -1,10 +1,71 @@
 name: Contributors
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
+    inputs:
+      env-app-id:
+        description: |
+          The name of the secret that contains the app ID of the user that creates the PR.
 
-permissions:
-  contents: read
+          This workflow exchanges the token to impersonate the app user, so we
+          don't have issues with the gihub-actions user approving or merging the PR.
+
+          This input does not contain the secret, but the name of the secret.
+        type: string
+        required: false
+        default: CI_BOT_APP_ID
+      env-app-private-key:
+        description: |
+          The name of the secret that contains the app secret key of the user that creates the PR.
+
+          This workflow exchanges the token to impersonate the app user, so we
+          don't have issues with the gihub-actions user approving or merging the PR.
+
+          This input does not contain the secret, but the name of the secret.
+        type: string
+        required: false
+        default: CI_BOT_APP_PRIVATE_KEY
+      enable-commit-signing:
+        required: false
+        type: boolean
+        default: true
+      env-gpg-private-key:
+        description: |
+          PGP tag-signing by a bot user.
+
+          This is the name of the secret to sign tags.
+          It contains an armored GPG private key.
+          Tags are not signed if not provided.
+
+          This input does not contain the secret, but the name of the secret.
+        required: false
+        type: string
+        default: CI_BOT_GPG_PRIVATE_KEY
+      env-passphrase:
+        description: |
+          PGP tag-signing by a bot user.
+
+          This is the name of the secret that containts the passphrase to unlock the GPG key.
+          Tags are not signed if not provided.
+
+          This input does not contain the secret, but the name of the secret.
+        required: false
+        type: string
+        default: CI_BOT_GPG_PASSPHRASE
+      env-fingerprint:
+        description: |
+          PGP tag-signing by a bot user.
+
+          This is the name of the secret that contains the fingerprint of the GPG key.
+          Tags are not signed if not provided.
+
+          This input does not contain the secret, but the name of the secret.
+        required: false
+        type: string
+        default: CI_BOT_SIGNING_KEY
 
 jobs:
   update-contributors:
@@ -36,15 +97,16 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
-          app-id: ${{ secrets.CI_BOT_APP_ID }}
-          private-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets[inputs.env-app-id] }}
+          private-key: ${{ secrets[inputs.env-app-private-key] }}
       -
         name: Import GPG key
         uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        if: ${{ inputs.enable-commit-signing == 'true' }}
         with:
-          gpg_private_key: ${{ secrets.CI_BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.CI_BOT_GPG_PASSPHRASE }}
-          fingerprint: ${{ secrets.CI_BOT_SIGNING_KEY }}
+          gpg_private_key: ${{ secrets[inputs.env-gpg-private-key] }}
+          passphrase: ${{ secrets[inputs.env-passphrase] }}
+          fingerprint: ${{ secrets[inputs.env-fingerprint] }}
           git_user_signingkey: true
           git_commit_gpgsign: true
           git_tag_gpgsign: true
@@ -62,7 +124,7 @@ jobs:
           draft: false
           assignees: fredbi
           reviewers: fredbi
-          sign-commits: true
+          sign-commits: ${{ inputs.enable-commit-signing }}
           signoff: true # DCO
 
   auto-merge:
