fix: add secret fallback in intermediate workflow forwarding

fredbi · claude · fredbi · commit d576d75a9a54 · 2026-02-09T14:01:03.000+01:00
When callers use `secrets: inherit`, the declared secret inputs
(e.g., gpg-private-key) are empty — only org-level secrets
(e.g., CI_BOT_GPG_PRIVATE_KEY) are available. Without fallbacks
in the intermediate forwarding, nested workflows receive empty
secrets and the leaf-level fallbacks never trigger.

Adds `|| secrets.CI_BOT_*` fallback to both nested workflow calls
in bump-release-monorepo.yml, matching the pattern already used in
bump-release.yml and prepare-release-monorepo.yml.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/bump-release-monorepo.yml b/.github/workflows/bump-release-monorepo.yml
@@ -153,9 +153,9 @@ jobs:
       cliff-config: ${{ inputs.cliff-config }}
       cliff-config-url: ${{ inputs.cliff-config-url }}
     secrets:
-      gpg-private-key: ${{ secrets.gpg-private-key }}
-      gpg-passphrase: ${{ secrets.gpg-passphrase }}
-      gpg-fingerprint: ${{ secrets.gpg-fingerprint }}
+      gpg-private-key: ${{ secrets.gpg-private-key || secrets.CI_BOT_GPG_PRIVATE_KEY }}
+      gpg-passphrase: ${{ secrets.gpg-passphrase || secrets.CI_BOT_GPG_PASSPHRASE }}
+      gpg-fingerprint: ${{ secrets.gpg-fingerprint || secrets.CI_BOT_SIGNING_KEY }}
 
   determine-next-tag:
     name: Determine next tag [monorepo]
@@ -213,11 +213,11 @@ jobs:
       target-tag: ${{ needs.determine-next-tag.outputs.next-tag }}
       enable-commit-signing: ${{ inputs.enable-commit-signing }}
     secrets:
-      github-app-id: ${{ secrets.github-app-id }}
-      github-app-private-key: ${{ secrets.github-app-private-key }}
-      gpg-private-key: ${{ secrets.gpg-private-key }}
-      gpg-passphrase: ${{ secrets.gpg-passphrase }}
-      gpg-fingerprint: ${{ secrets.gpg-fingerprint }}
+      github-app-id: ${{ secrets.github-app-id || secrets.CI_BOT_APP_ID }}
+      github-app-private-key: ${{ secrets.github-app-private-key || secrets.CI_BOT_APP_PRIVATE_KEY }}
+      gpg-private-key: ${{ secrets.gpg-private-key || secrets.CI_BOT_GPG_PRIVATE_KEY }}
+      gpg-passphrase: ${{ secrets.gpg-passphrase || secrets.CI_BOT_GPG_PASSPHRASE }}
+      gpg-fingerprint: ${{ secrets.gpg-fingerprint || secrets.CI_BOT_SIGNING_KEY }}
 
   wait-for-merge:
     name: Wait for PR merge [monorepo]
