improv(ci): Moved the secrets expanded in the run block to env variables (#4370)

sdangol · web-flow · commit 4942af64e84b · 2025-08-22T16:09:39.000+02:00
diff --git a/.github/workflows/bootstrap_region.yml b/.github/workflows/bootstrap_region.yml
@@ -99,4 +99,6 @@ jobs:
         run: go install github.com/aws-powertools/actions/layer-balancer/cmd/balance@29979bc5339bf54f76a11ac36ff67701986bb0f0
       - id: run-balance
         name: Run Balance
-        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        env:
+          BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
+        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
diff --git a/.github/workflows/dispatch_analytics.yml b/.github/workflows/dispatch_analytics.yml
diff --git a/.github/workflows/layer_balance.yml b/.github/workflows/layer_balance.yml
@@ -40,6 +40,8 @@ jobs:
       contents: read
       id-token: write
     environment: layer-${{ inputs.environment }}
+    env:
+      BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
     steps:
       - id: credentials
         name: AWS Credentials
@@ -62,8 +64,8 @@ jobs:
       - id: run-balance-new-region
         name: Run Balance
         if: ${{ inputs.start_at == '' }}
-        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
       - id: run-balance-existing
         name: Run Balance (Existing Region)
         if: ${{ inputs.start_at != '' }}
-        run: balance -read-region us-east-1 -start-at ${{ inputs.start_at }} -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        run: balance -read-region us-east-1 -start-at ${{ inputs.start_at }} -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
@@ -53,8 +53,10 @@ jobs:
           node-version: "22"
           cache: "npm"
       - name: Setup auth tokens
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
-          npm set "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}"
+          npm set "//registry.npmjs.org/:_authToken=$NPM_TOKEN"
       - name: Setup dependencies
         uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
       - name: Publish to npm
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
@@ -44,8 +44,10 @@ jobs:
           node-version: "22"
           cache: "npm"
       - name: Setup auth tokens
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
-          npm set "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}"
+          npm set "//registry.npmjs.org/:_authToken=$NPM_TOKEN"
       - name: Setup dependencies
         uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
       - name: Publish to npm
diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml
@@ -97,22 +97,25 @@ jobs:
         env:
           VERSION: ${{ inputs.version }}
           ALIAS: ${{ inputs.alias }}
+          AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
         run: |
           aws s3 sync \
             site/ \
-            s3://${{ secrets.AWS_DOCS_BUCKET }}/lambda-typescript/${{ env.VERSION }}/
+            s3://$AWS_DOCS_BUCKET/lambda-typescript/$VERSION/
       - name: Deploy Docs (Alias)
         env:
           VERSION: ${{ inputs.version }}
           ALIAS: ${{ inputs.alias }}
+          AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
         run: |
           aws s3 sync \
             site/ \
-            s3://${{ secrets.AWS_DOCS_BUCKET }}/lambda-typescript/${{ env.ALIAS }}/
+            s3://$AWS_DOCS_BUCKET/lambda-typescript/$ALIAS/
       - name: Deploy Docs (Version JSON)
         env:
           VERSION: ${{ inputs.version }}
           ALIAS: ${{ inputs.alias }}
+          AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
         # We originally used "mike" from PyPi to manage versions for us, but since we moved to S3, we can't use it to manage versions any more.
         # Instead, we're using some shell script that manages the versions.
         #
@@ -127,10 +130,10 @@ jobs:
         #   4. Once done, we'll upload it back to S3.
         run: |
           aws s3 cp \
-            s3://${{ secrets.AWS_DOCS_BUCKET }}/lambda-typescript/versions.json \
+            s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json \
             versions_old.json
-          jq 'del(.[].aliases[] | select(. == "${{ env.ALIAS }}"))' < versions_old.json > versions_proc.json
-          jq '. as $o | [{"title": "${{ env.VERSION }}", "version": "${{ env.VERSION }}", "aliases": ["${{ env.ALIAS }}"] }] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json
+          jq 'del(.[].aliases[] | select(. == "$ALIAS"))' < versions_old.json > versions_proc.json
+          jq '. as $o | [{"title": "$VERSION", "version": "$VERSION", "aliases": ["$ALIAS"] }] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json
           aws s3 cp \
             versions.json \
-            s3://${{ secrets.AWS_DOCS_BUCKET }}/lambda-typescript/versions.json
+            s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json
