From c1200bee8c9122fab8430028e05ec8cbdb2ca082 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Thu, 5 Feb 2026 19:09:30 +0100
Subject: [PATCH 1/5] ci: reduce the scope of acceptance test secrets
---
 .github/workflows/continuous-integration.yml | 5 -----
 .github/workflows/wc-acceptance-test.yml | 10 +---------
 .github/workflows/wc-build-push-test.yml | 13 -------------
 3 files changed, 1 insertion(+), 27 deletions(-)
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 479028fc..349829b7 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -36,11 +36,6 @@ jobs:
 matrix:
 flavor: [cpp, rust]
 uses: ./.github/workflows/wc-build-push-test.yml
- secrets:
- TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
- TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
- TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
- TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
 permissions:
 actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
 attestations: write # is needed by actions/attest-build-provenance to push attestations
diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml
index cef9db1c..facbafd7 100644
--- a/.github/workflows/wc-acceptance-test.yml
+++ b/.github/workflows/wc-acceptance-test.yml
@@ -13,15 +13,6 @@ on:
 acceptance-test-path:
 required: true
 type: string
- secrets:
- TEST_GITHUB_TOKEN:
- required: true
- TEST_GITHUB_USER:
- required: true
- TEST_GITHUB_PASSWORD:
- required: true
- TEST_GITHUB_TOTP_SECRET:
- required: true
 concurrency:
 group: ${{ github.workflow }}
@@ -34,6 +25,7 @@ jobs:
 test:
 name: Acceptance Test
 runs-on: ubuntu-latest
+ environment: acceptance-testing
 steps:
 - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with:
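Review bot: After this commit the `test` job carries `environment: acceptance-testing`, but the earlier hunk of the same file drops the `secrets:` declarations and the caller hunks stop forwarding them, so nothing visible still places `TEST_GITHUB_*` into this called workflow's `secrets` context. As far as I know a called workflow can only read the secrets its caller passes (by name or via `secrets: inherit`); `environment:` on the job applies that environment's protection rules and does not on its own make the environment's secrets resolvable here, so a `secrets.TEST_GITHUB_TOKEN` reference in the steps, which continue outside the hunk, would expand to an empty string. If environment-scoped secrets are the intent, state the contract on the new line, e.g. `environment: acceptance-testing # holds TEST_GITHUB_*; callers must use 'secrets: inherit' for them to resolve in this job`.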
diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml
index 28a1a3e9..09180724 100644
--- a/.github/workflows/wc-build-push-test.yml
+++ b/.github/workflows/wc-build-push-test.yml
@@ -93,14 +93,6 @@ on:
 DOCKER_REGISTRY_USERNAME:
 description: User name for Docker login, if not provided the GitHub actor will be used
 required: false
- TEST_GITHUB_PASSWORD:
- required: false
- TEST_GITHUB_TOKEN:
- required: false
- TEST_GITHUB_TOTP_SECRET:
- required: false
- TEST_GITHUB_USER:
- required: false
 permissions: {}
@@ -153,11 +145,6 @@ jobs:
 uses: ./.github/workflows/wc-acceptance-test.yml
 permissions:
 contents: read
- secrets:
- TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
- TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
- TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
- TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
 with:
 image-basename: ${{ needs.build-push.outputs.image-basename }}
 devcontainer-file: ${{ inputs.test-devcontainer-file }}
From 2bbcc8e1175cb66b6fda464d112149c66860d0fc Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Tue, 24 Feb 2026 10:50:15 +0100
Subject: [PATCH 2/5] ci: different strategy to use environment secrets
---
 .github/workflows/continuous-integration.yml | 6 ++++++
 .github/workflows/release-build.yml | 1 +
 .github/workflows/wc-acceptance-test.yml | 10 +++++++++-
 .github/workflows/wc-build-push-test.yml | 13 +++++++++++++
 4 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 349829b7..f9697e72 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -32,10 +32,16 @@ jobs:
 build-push-flavors:
 name: Build → Push → Test (🍨 ${{ matrix.flavor }})
 needs: build-push-base
+ environment: acceptance-testing
 strategy:
 matrix:
 flavor: [cpp, rust]
 uses: ./.github/workflows/wc-build-push-test.yml
+ secrets:
+ TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+ TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+ TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+ TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
 permissions:
 actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
 attestations: write # is needed by actions/attest-build-provenance to push attestations
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index f68dae43..3f70e85a 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -31,6 +31,7 @@ jobs:
 build-push-flavors:
 name: Build → Push → Test (🍨 ${{ matrix.flavor }})
 needs: build-push-base
+ environment: acceptance-testing
 strategy:
 matrix:
 flavor: [cpp, rust]
diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml
index facbafd7..cef9db1c 100644
--- a/.github/workflows/wc-acceptance-test.yml
+++ b/.github/workflows/wc-acceptance-test.yml
@@ -13,6 +13,15 @@ on:
 acceptance-test-path:
 required: true
 type: string
+ secrets:
+ TEST_GITHUB_TOKEN:
+ required: true
+ TEST_GITHUB_USER:
+ required: true
+ TEST_GITHUB_PASSWORD:
+ required: true
+ TEST_GITHUB_TOTP_SECRET:
+ required: true
 concurrency:
 group: ${{ github.workflow }}
@@ -25,7 +34,6 @@ jobs:
 test:
 name: Acceptance Test
 runs-on: ubuntu-latest
- environment: acceptance-testing
 steps:
 - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with:
diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml
index 09180724..28a1a3e9 100644
--- a/.github/workflows/wc-build-push-test.yml
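Review bot: `environment: acceptance-testing` is added to `build-push-flavors`, a job that invokes a reusable workflow through `uses:`, and such jobs only accept `name`, `needs`, `if`, `permissions`, `uses`, `with`, `secrets`, `strategy` and `concurrency`; as far as I know the workflow parser rejects `environment` on them, so this commit leaves continuous-integration.yml unloadable until PATCH 3 of this series removes the line again. The release-build.yml hunk below adds the same line and has the same problem. If the environment is meant to scope the four `TEST_GITHUB_*` secrets forwarded in this hunk, it has to sit on the job inside the called workflow, and the values would then need to come from that environment rather than from the repository-level `secrets` context this caller job reads.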
+++ b/.github/workflows/wc-build-push-test.yml
@@ -93,6 +93,14 @@ on:
 DOCKER_REGISTRY_USERNAME:
 description: User name for Docker login, if not provided the GitHub actor will be used
 required: false
+ TEST_GITHUB_PASSWORD:
+ required: false
+ TEST_GITHUB_TOKEN:
+ required: false
+ TEST_GITHUB_TOTP_SECRET:
+ required: false
+ TEST_GITHUB_USER:
+ required: false
 permissions: {}
@@ -145,6 +153,11 @@ jobs:
 uses: ./.github/workflows/wc-acceptance-test.yml
 permissions:
 contents: read
+ secrets:
+ TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+ TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+ TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+ TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
 with:
 image-basename: ${{ needs.build-push.outputs.image-basename }}
 devcontainer-file: ${{ inputs.test-devcontainer-file }}
From 399c1fe74ae5264d0f6d2b3d0456a3fa35a68494 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Tue, 24 Feb 2026 10:59:20 +0100
Subject: [PATCH 3/5] ci: try to get environment at the correct place
---
 .github/workflows/continuous-integration.yml | 1 -
 .github/workflows/release-build.yml | 1 -
 .github/workflows/wc-acceptance-test.yml | 1 +
 3 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index c5ce2cb9..6810ea56 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -33,7 +33,6 @@ jobs:
 build-push-flavors:
 name: Build → Push → Test (🍨 ${{ matrix.flavor }})
 needs: build-push-base
- environment: acceptance-testing
 strategy:
 matrix:
 flavor: [cpp, rust]
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index acc0a4db..48600189 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
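Review bot: The four new `TEST_GITHUB_*` entries are the only `workflow_call` secrets in the visible block without a `description:`, unlike `DOCKER_REGISTRY_USERNAME` directly above them, and they are listed alphabetically here but forwarded in the order TOKEN, USER, PASSWORD, TOTP_SECRET in the second hunk of this file. Because the same names are `required: true` in wc-acceptance-test.yml, a caller needs to know when leaving them out is safe; add a one-line description to each, e.g. `description: Forwarded unchanged to wc-acceptance-test.yml; presumably only needed when acceptance-test-path is non-empty (confirm against the acceptance job's condition)`, and use a single order in both places.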
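Review bot: The `secrets:` block forwards `${{ secrets.TEST_GITHUB_* }}` to wc-acceptance-test.yml unconditionally, where the same four names are `required: true` (its hunk appears earlier in this patch), while this workflow declares them `required: false` in its first hunk; as far as I know the downstream check only verifies that a key is supplied, so a caller that omits them satisfies it with empty values instead of failing at parse time. Either declare them `required: true` here too, or restrict the call to the case where they are needed, and note the contract on the block, e.g. `# forwarded as-is: empty when the caller omits them, which wc-acceptance-test.yml cannot detect`. Any `if:` on this job lies outside the hunk.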
@@ -32,7 +32,6 @@ jobs:
 build-push-flavors:
 name: Build → Push → Test (🍨 ${{ matrix.flavor }})
 needs: build-push-base
- environment: acceptance-testing
 strategy:
 matrix:
 flavor: [cpp, rust]
diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml
index 03db817a..95ec0075 100644
--- a/.github/workflows/wc-acceptance-test.yml
+++ b/.github/workflows/wc-acceptance-test.yml
@@ -34,6 +34,7 @@ jobs:
 test:
 name: Acceptance Test
 runs-on: ubuntu-latest
+ environment: acceptance-testing
 steps:
 - uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
 with:
From 2ff00bba526f5a7fd1ea1d8ac39b498c0fc01d68 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Tue, 24 Feb 2026 12:37:49 +0000
Subject: [PATCH 4/5] ci: don't run acceptance test for dependabot
---
 .github/workflows/continuous-integration.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 6810ea56..fc9fbf5e 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -58,8 +58,8 @@ jobs:
 enable-edge-tag: ${{ github.event_name == 'merge_group' }}
 image-name: ${{ github.repository }}-${{ matrix.flavor }}
 integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats
- acceptance-test-path: ${{ matrix.flavor == 'cpp' && 'test/cpp/features' || '' }}
- test-devcontainer-file: ${{ matrix.flavor == 'cpp' && '.devcontainer/cpp-test/devcontainer.json' || '' }}
+ acceptance-test-path: ${{ (github.actor == 'dependabot[bot]' || matrix.flavor != 'cpp') && '' || 'test/cpp/features' }}
+ test-devcontainer-file: .devcontainer/${{ matrix.flavor }}-test/devcontainer.json
 dependency-review:
 name: 🔍 Dependency Review
From 4c3089b57ac5533091d414da5205519ec8c324b1 Mon Sep 17 00:00:00 2001
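Review bot: With `environment: acceptance-testing` now on the called `test` job, the `TEST_GITHUB_*` values still arrive as named secrets from caller jobs that have no environment (the `secrets:` blocks added in PATCH 2), i.e. from repository- or organization-level secrets; the new line therefore subjects this job to the environment's protection rules and deployment record, but does not by itself narrow where the credentials are stored or which jobs can reference them, which is what PATCH 1's subject set out to do. If that narrowing is the goal, the values would have to be defined as environment secrets and reach this job through `secrets: inherit`, since as far as I know a caller job without `environment:` cannot resolve them by name. Record whichever contract is chosen on the line, e.g. `environment: acceptance-testing # protection rules gate the runs that receive the TEST_GITHUB_* credentials`.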
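Review bot: `test-devcontainer-file` now resolves to `.devcontainer/${{ matrix.flavor }}-test/devcontainer.json` for every flavor, whereas it was empty for anything but cpp before; that widens the change beyond the subject "don't run acceptance test for dependabot", and whether `.devcontainer/rust-test/devcontainer.json` exists, or is only read when `acceptance-test-path` is non-empty, cannot be confirmed from this hunk. The `github.actor == 'dependabot[bot]'` test also encodes a reason that is written nowhere; a comment above the two lines would help, e.g. `# Acceptance tests are cpp-only and skipped for Dependabot-initiated runs, which presumably cannot read the TEST_GITHUB_* secrets`. Separately, `cond && '' || 'test/cpp/features'` yields `'test/cpp/features'` whatever `cond` is, because `''` is falsy in GitHub expressions and falls through to `||`; PATCH 5 of this series rewrites the expression, so that part is already addressed there.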
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Tue, 24 Feb 2026 13:00:26 +0000
Subject: [PATCH 5/5] ci: update condition
---
 .github/workflows/continuous-integration.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index fc9fbf5e..184fab9e 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -58,7 +58,7 @@ jobs:
 enable-edge-tag: ${{ github.event_name == 'merge_group' }}
 image-name: ${{ github.repository }}-${{ matrix.flavor }}
 integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats
- acceptance-test-path: ${{ (github.actor == 'dependabot[bot]' || matrix.flavor != 'cpp') && '' || 'test/cpp/features' }}
+ acceptance-test-path: ${{ (github.actor != 'dependabot[bot]' && matrix.flavor == 'cpp') && 'test/cpp/features' || '' }}
 test-devcontainer-file: .devcontainer/${{ matrix.flavor }}-test/devcontainer.json
 dependency-review:
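Review bot: The rewritten `acceptance-test-path` expression works only because the non-empty value now sits in the `&&` branch: GitHub expressions have no ternary, and the previous form `cond && '' || 'test/cpp/features'` evaluated to `'test/cpp/features'` on every run, since `''` is falsy and falls through to `||`. Neither the expression nor the subject `ci: update condition` records that constraint, so a later tidy-up could reintroduce the bug; add a comment above the line, e.g. `# expression "ternary": the value after && must be non-empty, an empty string there is falsy and falls through to ||`.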