feat: allow reuse of workflows by other organizations

Problem statement
=================
When using workflows such as:
  * contributors
  * bump-release
  * auto-merge

the retrieval of secrets for commit or tag PGP-signature and
token switch with a github app is currently specific to go-openapi.

Proposed solution
=================
The names of the secrets (not the secrets themselves) can be injected
via optional input parameters into these shared workflows.

To avoid excessive secret exposure in workflows, usage of the injected secrets
is handed over to a dedicated action, that configures GPG (for signing
secrets) or switches token (for github app token exchange).

Signed-off-by: Frederic BIDON <fredbi@yahoo.com>

Author: fredbi

.github/workflows/auto-merge.yml

@@ -2,6 +2,24 @@ name: Dependabot auto-merge
 
 on:
   workflow_call:
+    inputs:
+      enable-organization-bot:
+        description: |
+          Enable automatic approval and merge of PRs initiated by a bot.
+
+        type: boolean
+        required: false
+        default: true
+      organization-bot:
+        description: |
+          The bot name for your organization,
+          for which you wish to enable auto-merge.
+
+          Example: bot-go-openapi[bot]
+
+        type: string
+        required: false
+        default: 'bot-go-openapi[bot]'
 
 permissions:
   contents: read
@@ -50,7 +68,7 @@ jobs:
       contents: write
       pull-requests: write
     runs-on: ubuntu-latest
-    if: ${{ github.event.pull_request.user.login == 'bot-go-openapi[bot]' }}
+    if: ${{ inputs.enable-organization-bot == 'true' && github.event.pull_request.user.login == inputs.organization-bot }}
     env:
       PR_URL: ${{github.event.pull_request.html_url}}
       GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/bump-release.yml

@@ -42,6 +42,14 @@ on:
           (use "|" to replace end of line).
         required: false
         type: string
+      enable-tag-signing:
+        description: |
+          Enable PGP tag-signing by a bot user.
+
+          When enabled, you must pass the GPG secrets to this workflow.
+        required: false
+        type: boolean
+        default: true
       cliff-config:
         type: string
         required: false
@@ -52,6 +60,31 @@ on:
         required: false
         default: 'https://raw.githubusercontent.com/go-openapi/ci-workflows/refs/heads/master/.cliff.toml'
         description: 'URL to the remote git-cliff config file (used if local config does not exist)'
+    secrets:
+      gpg-private-key:
+        description: |
+          GPG private key in armored format for signing tags.
+
+          Default for go-openapi: CI_BOT_GPG_PRIVATE_KEY
+
+          Required when enable-tag-signing is true.
+        required: false
+      gpg-passphrase:
+        description: |
+          Passphrase to unlock the GPG private key.
+
+          Default for go-openapi: CI_BOT_GPG_PASSPHRASE
+
+          Required when enable-tag-signing is true.
+        required: false
+      gpg-fingerprint:
+        description: |
+          Fingerprint of the GPG signing key (spaces removed).
+
+          Default for go-openapi: CI_BOT_SIGNING_KEY
+
+          Required when enable-tag-signing is true.
+        required: false
 
 jobs:
   tag-release:
@@ -94,21 +127,23 @@ jobs:
           echo "next-tag=${NEXT_TAG}" >> "$GITHUB_OUTPUT"
           echo "::notice title=next-tag:${NEXT_TAG}"
       -
-        name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        name: Configure bot credentials
+        if: ${{ inputs.enable-tag-signing == 'true' }}
+        uses: go-openapi/gh-actions/ci-jobs/bot-credentials@6c7952706aa7afa9141262485767d9270ef5b00b # master
         # This is using the GPG signature of bot-go-openapi.
         #
-        # CI_BOT_GPG_PRIVATE_KEY: the bot gpg key, armored
-        # CI_BOT_GPG_PASSPHRASE: the bot gpg passphrase
-        # CI_BOT_SIGNING_KEY: the fingerprint of the subkey used (space removed)
+        # For go-openapi repos (using secrets: inherit):
+        #   Falls back to: CI_BOT_GPG_PRIVATE_KEY, CI_BOT_GPG_PASSPHRASE, CI_BOT_SIGNING_KEY
+        #
+        # For other orgs: explicitly pass secrets with your custom names
         # NOTE(fredbi): extracted w/ gpg -K --homedir gnupg --keyid-format LONG --with-keygrip --fingerprint --with-subkey-fingerprint
         with:
-          gpg_private_key: ${{ secrets.CI_BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.CI_BOT_GPG_PASSPHRASE }}
-          fingerprint: ${{ secrets.CI_BOT_SIGNING_KEY }}
-          git_user_signingkey: true
-          git_commit_gpgsign: true
-          git_tag_gpgsign: true
+          enable-gpg-signing: 'true'
+          gpg-private-key: ${{ secrets.gpg-private-key || secrets.CI_BOT_GPG_PRIVATE_KEY }}
+          gpg-passphrase: ${{ secrets.gpg-passphrase || secrets.CI_BOT_GPG_PASSPHRASE }}
+          gpg-fingerprint: ${{ secrets.gpg-fingerprint || secrets.CI_BOT_SIGNING_KEY }}
+          enable-tag-signing: 'true'
+          enable-commit-signing: 'false'
       -
         name: Create and sign tag
         env:
@@ -125,8 +160,15 @@ jobs:
           fi
           echo "::notice title=tag-message:${MESSAGE}"
 
-          git tag -s -m "${MESSAGE}" "${NEXT_TAG}"
-          git tag -v "${NEXT_TAG}"
+          SIGNED=""
+          if [[ '${{ inputs.enable-tag-signing }}' == 'true' ]] ; then
+             SIGNED="-s"
+          fi
+
+          git tag "${SIGNED}" -m "${MESSAGE}" "${NEXT_TAG}"
+          if [[ -n "${SIGNED}" ]] ; then
+            git tag -v "${NEXT_TAG}"
+          fi
           git push origin "${NEXT_TAG}"
 
   gh-release:

.github/workflows/contributors.yml

@@ -1,10 +1,60 @@
 name: Contributors
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
+    inputs:
+      enable-commit-signing:
+        description: |
+          Enable GPG commit signing by a bot user.
 
-permissions:
-  contents: read
+          When enabled, commits in the pull request will be signed with the bot's GPG key.
+        required: false
+        type: boolean
+        default: true
+    secrets:
+      github-app-id:
+        description: |
+          GitHub App ID for bot user authentication.
+
+          Default for go-openapi: CI_BOT_APP_ID
+
+          Required to create pull requests as the bot user.
+        required: false
+      github-app-private-key:
+        description: |
+          GitHub App private key in PEM format.
+
+          Default for go-openapi: CI_BOT_APP_PRIVATE_KEY
+
+          Required to create pull requests as the bot user.
+        required: false
+      gpg-private-key:
+        description: |
+          GPG private key in armored format for signing commits.
+
+          Default for go-openapi: CI_BOT_GPG_PRIVATE_KEY
+
+          Required when enable-commit-signing is true.
+        required: false
+      gpg-passphrase:
+        description: |
+          Passphrase to unlock the GPG private key.
+
+          Default for go-openapi: CI_BOT_GPG_PASSPHRASE
+
+          Required when enable-commit-signing is true.
+        required: false
+      gpg-fingerprint:
+        description: |
+          Fingerprint of the GPG signing key (spaces removed).
+
+          Default for go-openapi: CI_BOT_SIGNING_KEY
+
+          Required when enable-commit-signing is true.
+        required: false
 
 jobs:
   update-contributors:
@@ -32,22 +82,23 @@ jobs:
           rm -rf contributors.json
           mv contributors.md CONTRIBUTORS.md
       -
-        name: Switch to go-openapi bot user
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-        id: app-token
-        with:
-          app-id: ${{ secrets.CI_BOT_APP_ID }}
-          private-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
-      -
-        name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        name: Configure bot credentials
+        uses: go-openapi/gh-actions/ci-jobs/bot-credentials@6c7952706aa7afa9141262485767d9270ef5b00b # master
+        id: bot-credentials
+        # For go-openapi repos (using secrets: inherit):
+        #   Falls back to: CI_BOT_APP_ID, CI_BOT_APP_PRIVATE_KEY, CI_BOT_GPG_PRIVATE_KEY, etc.
+        #
+        # For other orgs: explicitly pass secrets with your custom names
         with:
-          gpg_private_key: ${{ secrets.CI_BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.CI_BOT_GPG_PASSPHRASE }}
-          fingerprint: ${{ secrets.CI_BOT_SIGNING_KEY }}
-          git_user_signingkey: true
-          git_commit_gpgsign: true
-          git_tag_gpgsign: true
+          enable-github-app: 'true'
+          github-app-id: ${{ secrets.github-app-id || secrets.CI_BOT_APP_ID }}
+          github-app-private-key: ${{ secrets.github-app-private-key || secrets.CI_BOT_APP_PRIVATE_KEY }}
+          enable-gpg-signing: ${{ inputs.enable-commit-signing }}
+          gpg-private-key: ${{ secrets.gpg-private-key || secrets.CI_BOT_GPG_PRIVATE_KEY }}
+          gpg-passphrase: ${{ secrets.gpg-passphrase || secrets.CI_BOT_GPG_PASSPHRASE }}
+          gpg-fingerprint: ${{ secrets.gpg-fingerprint || secrets.CI_BOT_SIGNING_KEY }}
+          enable-commit-signing: 'true'
+          enable-tag-signing: 'false'
       -
         name: Create a PR
         id: create-pull-request
@@ -57,12 +108,12 @@ jobs:
           branch: doc/contributors-bot
           delete-branch: true
           title: "doc: updated contributors file"
-          token: ${{ steps.app-token.outputs.token }}
+          token: ${{ steps.bot-credentials.outputs.app-token }}
           labels: "bot"
           draft: false
           assignees: fredbi
           reviewers: fredbi
-          sign-commits: true
+          sign-commits: ${{ inputs.enable-commit-signing }}
           signoff: true # DCO
 
   auto-merge: