scipp · jokasimr · Jul 11, 2024 · Jul 11, 2024 · Jul 11, 2024
diff --git a/template/.github/workflows/docs.yml b/template/.github/workflows/docs.yml
@@ -42,6 +42,10 @@ jobs:
   docs:
     name: Build documentation
     runs-on: 'ubuntu-22.04'
+    env:
+        ESS_PROTECTED_FILESTORE_USERNAME: ${{ secrets.ESS_PROTECTED_FILESTORE_USERNAME }}
+        ESS_PROTECTED_FILESTORE_PASSWORD: ${{ secrets.ESS_PROTECTED_FILESTORE_PASSWORD }}
+
     steps:
       - run: sudo apt install --yes graphviz pandoc
       - uses: actions/checkout@v4

diff --git a/template/.github/workflows/nightly_at_main.yml b/template/.github/workflows/nightly_at_main.yml
@@ -20,10 +20,6 @@ jobs:
   tests:
     name: Tests
     needs: setup
-    env:
-        # Security note! The secrets are only added to workflows that run on trusted branches (main). If secrets are accessible in workflows that run on untrusted branches they can be extracted, see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#exfiltrating-data-from-a-runner.
-        ESS_PROTECTED_FILESTORE_USERNAME: ${{ secrets.ESS_PROTECTED_FILESTORE_USERNAME }}
-        ESS_PROTECTED_FILESTORE_PASSWORD: ${{ secrets.ESS_PROTECTED_FILESTORE_PASSWORD }}
     strategy:
       matrix:
         os: ['ubuntu-22.04']

diff --git a/template/.github/workflows/nightly_at_release.yml b/template/.github/workflows/nightly_at_release.yml
@@ -26,10 +26,6 @@ jobs:
   tests:
     name: Tests
     needs: setup
-    env:
-        # Security note! The secrets are only added to workflows that run on trusted branches (main). If secrets are accessible in workflows that run on untrusted branches they can be extracted, see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#exfiltrating-data-from-a-runner.
-        ESS_PROTECTED_FILESTORE_USERNAME: ${{ secrets.ESS_PROTECTED_FILESTORE_USERNAME }}
-        ESS_PROTECTED_FILESTORE_PASSWORD: ${{ secrets.ESS_PROTECTED_FILESTORE_PASSWORD }}
     strategy:
       matrix:
         os: ['ubuntu-22.04']

diff --git a/template/.github/workflows/test.yml b/template/.github/workflows/test.yml
@@ -43,6 +43,9 @@ on:
 jobs:
   test:
     runs-on: ${{ inputs.os-variant }}
+    env:
+        ESS_PROTECTED_FILESTORE_USERNAME: ${{ secrets.ESS_PROTECTED_FILESTORE_USERNAME }}
+        ESS_PROTECTED_FILESTORE_PASSWORD: ${{ secrets.ESS_PROTECTED_FILESTORE_PASSWORD }}
 
     steps:
       - uses: actions/checkout@v4

diff --git a/template/.github/workflows/unpinned.yml b/template/.github/workflows/unpinned.yml
@@ -26,10 +26,6 @@ jobs:
   tests:
     name: Tests
     needs: setup
-    env:
-        # Security note! The secrets are only added to workflows that run on trusted branches (main). If secrets are accessible in workflows that run on untrusted branches they can be extracted, see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#exfiltrating-data-from-a-runner.
-        ESS_PROTECTED_FILESTORE_USERNAME: ${{ secrets.ESS_PROTECTED_FILESTORE_USERNAME }}
-        ESS_PROTECTED_FILESTORE_PASSWORD: ${{ secrets.ESS_PROTECTED_FILESTORE_PASSWORD }}
     strategy:
       matrix:
         os: ['ubuntu-22.04']

diff --git a/template/.github/workflows/{% if orgname == 'scipp' %}release.yml{% endif %} b/template/.github/workflows/{% if orgname == 'scipp' %}release.yml{% endif %}
@@ -8,11 +8,6 @@ on:
 defaults:
   run:
     shell: bash -l {0}  # required for conda env
-  env:
-    # Security note! The secrets are only added to workflows that run on trusted branches (main). If secrets are accessible in workflows that run on untrusted branches they can be extracted, see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#exfiltrating-data-from-a-runner.
-    ESS_PROTECTED_FILESTORE_USERNAME: ${{ secrets.ESS_PROTECTED_FILESTORE_USERNAME }}
-    ESS_PROTECTED_FILESTORE_PASSWORD: ${{ secrets.ESS_PROTECTED_FILESTORE_PASSWORD }}
-
 
 jobs:
   build_conda: