From 515a900a96504d36abd71929b13d9c0b34c9a966 Mon Sep 17 00:00:00 2001
From: Thomas Sibley
Date: Wed, 10 May 2023 14:20:49 -0700
Subject: [PATCH 1/2] pathogen-repo-ci: Avoid the secret-check step before docker.io login
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@victorlin pointed out¹ that we could launder access to the secrets context thru the step env context without the need for an extra step. I avoid putting the secret itself into the environment (which only increases its potential visibility) and put only its presence/absence instead. ¹
---
 .github/workflows/pathogen-repo-ci.yaml | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/pathogen-repo-ci.yaml b/.github/workflows/pathogen-repo-ci.yaml
index ef38e70..2246dfd 100644
--- a/.github/workflows/pathogen-repo-ci.yaml
+++ b/.github/workflows/pathogen-repo-ci.yaml
@@ -66,14 +66,12 @@ jobs:
 # repos on GitHub but only available here to this reusable workflow when
 # called with "secrets: inherit". On Docker Hub, the token is granted
 # "public read-only" access.
- - id: DOCKER_TOKEN_PUBLIC_READ_ONLY
- name: Check if DOCKER_TOKEN_PUBLIC_READ_ONLY secret is available
+ #
+ # The secrets context is not allowed in "if:" conditions, so we must
+ # launder it thru env.
+ - if: env.token-available == 'true'
 env:
- DOCKER_TOKEN_PUBLIC_READ_ONLY: ${{ secrets.DOCKER_TOKEN_PUBLIC_READ_ONLY }}
- run: |
- tee -a "$GITHUB_OUTPUT" <<
Date: Wed, 10 May 2023 14:53:25 -0700
Subject: [PATCH 2/2] ci: Test "secrets: inherit" for pathogen-repo-ci
So we can see that the optional docker.io login step continues to work (or not). Only added to one invocation of the workflow so we can compare it disabled in the other invocations.
---
 .github/workflows/ci.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index f5bc540..04d0691 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -17,6 +17,7 @@ jobs:
 uses: ./.github/workflows/pathogen-repo-ci.yaml
 with:
 repo: nextstrain/zika
+ secrets: inherit
 test-pathogen-repo-ci-no-example-data:
 uses: ./.github/workflows/pathogen-repo-ci.yaml
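Review bot: `secrets: inherit` on the added line forwards every secret of the calling repository to the reusable workflow, although the first patch's message names `DOCKER_TOKEN_PUBLIC_READ_ONLY` as the only one it uses; since the callee is the local `./.github/workflows/pathogen-repo-ci.yaml` this is a reasonable way to mirror how pathogen repos call it, but that intent is recorded only in the commit message. A comment above the line, e.g. `# Mirrors how pathogen repos call this workflow and exercises the optional docker.io login; the other invocations below deliberately omit it.`, would stop a later reader from narrowing it to the single secret without knowing why it was left broad. As far as I can tell GitHub does not expose repository secrets to runs triggered from fork pull requests, so on those runs the inherited secret is absent and the login step is skipped — the enabled/disabled comparison described in the message only holds for same-repo runs. The job mapping that owns this `with:` block begins before the hunk.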