Refactor secret passing

.github/workflows/build/action.yml

@@ -3,9 +3,6 @@ name: 'Build'
 description: 'Build the app'
 
 inputs:
-  secrets:
-    required: true
-
   prod: # id of input
     description: 'Production build flag'
     required: false
@@ -23,29 +20,29 @@ runs:
       env:
         NEXT_PUBLIC_IS_PRODUCTION: ${{ inputs.prod }}
         NEXT_PUBLIC_CYPRESS_MNEMONIC: ${{ inputs.e2e_mnemonic }}
-        NEXT_PUBLIC_GATEWAY_URL_PRODUCTION: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_GATEWAY_URL_PRODUCTION }}
-        NEXT_PUBLIC_GATEWAY_URL_STAGING: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_GATEWAY_URL_STAGING }}
-        NEXT_PUBLIC_SAFE_VERSION: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_SAFE_VERSION }}
-        NEXT_PUBLIC_BEAMER_ID: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_BEAMER_ID }}
-        NEXT_PUBLIC_GOOGLE_TAG_MANAGER_DEVELOPMENT_AUTH: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_GOOGLE_TAG_MANAGER_DEVELOPMENT_AUTH }}
-        NEXT_PUBLIC_GOOGLE_TAG_MANAGER_ID: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_GOOGLE_TAG_MANAGER_ID }}
-        NEXT_PUBLIC_GOOGLE_TAG_MANAGER_LATEST_AUTH: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_GOOGLE_TAG_MANAGER_LATEST_AUTH }}
-        NEXT_PUBLIC_GOOGLE_TAG_MANAGER_LIVE_AUTH: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_GOOGLE_TAG_MANAGER_LIVE_AUTH }}
-        NEXT_PUBLIC_INFURA_TOKEN: ${{ inputs.prod && fromJSON(inputs.secrets).NEXT_PUBLIC_INFURA_TOKEN || fromJSON(inputs.secrets).NEXT_PUBLIC_INFURA_TOKEN_DEVSTAGING }}
-        NEXT_PUBLIC_SAFE_APPS_INFURA_TOKEN: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_SAFE_APPS_INFURA_TOKEN || fromJSON(inputs.secrets).NEXT_PUBLIC_SAFE_APPS_INFURA_TOKEN_DEVSTAGING }}
-        NEXT_PUBLIC_SENTRY_DSN: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_SENTRY_DSN }}
-        NEXT_PUBLIC_TENDERLY_ORG_NAME: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_TENDERLY_ORG_NAME }}
-        NEXT_PUBLIC_TENDERLY_PROJECT_NAME: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_TENDERLY_PROJECT_NAME }}
-        NEXT_PUBLIC_TENDERLY_SIMULATE_ENDPOINT_URL: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_TENDERLY_SIMULATE_ENDPOINT_URL }}
-        NEXT_PUBLIC_WC_PROJECT_ID: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_WC_PROJECT_ID }}
-        NEXT_PUBLIC_SAFE_RELAY_SERVICE_URL_PRODUCTION: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_SAFE_GELATO_RELAY_SERVICE_URL_PRODUCTION }}
-        NEXT_PUBLIC_SAFE_RELAY_SERVICE_URL_STAGING: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_SAFE_GELATO_RELAY_SERVICE_URL_STAGING }}
-        NEXT_PUBLIC_IS_OFFICIAL_HOST: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_IS_OFFICIAL_HOST }}
-        NEXT_PUBLIC_REDEFINE_API: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_REDEFINE_API }}
-        NEXT_PUBLIC_SOCIAL_WALLET_OPTIONS_STAGING: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_SOCIAL_WALLET_OPTIONS_STAGING }}
-        NEXT_PUBLIC_SOCIAL_WALLET_OPTIONS_PRODUCTION: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_SOCIAL_WALLET_OPTIONS_PRODUCTION }}
-        NEXT_PUBLIC_FIREBASE_OPTIONS_PRODUCTION: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_FIREBASE_OPTIONS_PRODUCTION }}
-        NEXT_PUBLIC_FIREBASE_OPTIONS_STAGING: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_FIREBASE_OPTIONS_STAGING }}
-        NEXT_PUBLIC_FIREBASE_VAPID_KEY_PRODUCTION: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_FIREBASE_VAPID_KEY_PRODUCTION }}
-        NEXT_PUBLIC_FIREBASE_VAPID_KEY_STAGING: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_FIREBASE_VAPID_KEY_STAGING }}
-        NEXT_PUBLIC_SPINDL_SDK_KEY: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_SPINDL_SDK_KEY }}
+        NEXT_PUBLIC_GATEWAY_URL_PRODUCTION: ${{ secrets.NEXT_PUBLIC_GATEWAY_URL_PRODUCTION }}
+        NEXT_PUBLIC_GATEWAY_URL_STAGING: ${{ secrets.NEXT_PUBLIC_GATEWAY_URL_STAGING }}
+        NEXT_PUBLIC_SAFE_VERSION: ${{ secrets.NEXT_PUBLIC_SAFE_VERSION }}
+        NEXT_PUBLIC_BEAMER_ID: ${{ secrets.NEXT_PUBLIC_BEAMER_ID }}
+        NEXT_PUBLIC_GOOGLE_TAG_MANAGER_DEVELOPMENT_AUTH: ${{ secrets.NEXT_PUBLIC_GOOGLE_TAG_MANAGER_DEVELOPMENT_AUTH }}
+        NEXT_PUBLIC_GOOGLE_TAG_MANAGER_ID: ${{ secrets.NEXT_PUBLIC_GOOGLE_TAG_MANAGER_ID }}
+        NEXT_PUBLIC_GOOGLE_TAG_MANAGER_LATEST_AUTH: ${{ secrets.NEXT_PUBLIC_GOOGLE_TAG_MANAGER_LATEST_AUTH }}
+        NEXT_PUBLIC_GOOGLE_TAG_MANAGER_LIVE_AUTH: ${{ secrets.NEXT_PUBLIC_GOOGLE_TAG_MANAGER_LIVE_AUTH }}
+        NEXT_PUBLIC_INFURA_TOKEN: ${{ inputs.prod && secrets.NEXT_PUBLIC_INFURA_TOKEN || secrets.NEXT_PUBLIC_INFURA_TOKEN_DEVSTAGING }}
+        NEXT_PUBLIC_SAFE_APPS_INFURA_TOKEN: ${{ secrets.NEXT_PUBLIC_SAFE_APPS_INFURA_TOKEN || secrets.NEXT_PUBLIC_SAFE_APPS_INFURA_TOKEN_DEVSTAGING }}
+        NEXT_PUBLIC_SENTRY_DSN: ${{ secrets.NEXT_PUBLIC_SENTRY_DSN }}
+        NEXT_PUBLIC_TENDERLY_ORG_NAME: ${{ secrets.NEXT_PUBLIC_TENDERLY_ORG_NAME }}
+        NEXT_PUBLIC_TENDERLY_PROJECT_NAME: ${{ secrets.NEXT_PUBLIC_TENDERLY_PROJECT_NAME }}
+        NEXT_PUBLIC_TENDERLY_SIMULATE_ENDPOINT_URL: ${{ secrets.NEXT_PUBLIC_TENDERLY_SIMULATE_ENDPOINT_URL }}
+        NEXT_PUBLIC_WC_PROJECT_ID: ${{ secrets.NEXT_PUBLIC_WC_PROJECT_ID }}
+        NEXT_PUBLIC_SAFE_RELAY_SERVICE_URL_PRODUCTION: ${{ secrets.NEXT_PUBLIC_SAFE_GELATO_RELAY_SERVICE_URL_PRODUCTION }}
+        NEXT_PUBLIC_SAFE_RELAY_SERVICE_URL_STAGING: ${{ secrets.NEXT_PUBLIC_SAFE_GELATO_RELAY_SERVICE_URL_STAGING }}
+        NEXT_PUBLIC_IS_OFFICIAL_HOST: ${{ secrets.NEXT_PUBLIC_IS_OFFICIAL_HOST }}
+        NEXT_PUBLIC_REDEFINE_API: ${{ secrets.NEXT_PUBLIC_REDEFINE_API }}
+        NEXT_PUBLIC_SOCIAL_WALLET_OPTIONS_STAGING: ${{ secrets.NEXT_PUBLIC_SOCIAL_WALLET_OPTIONS_STAGING }}
+        NEXT_PUBLIC_SOCIAL_WALLET_OPTIONS_PRODUCTION: ${{ secrets.NEXT_PUBLIC_SOCIAL_WALLET_OPTIONS_PRODUCTION }}
+        NEXT_PUBLIC_FIREBASE_OPTIONS_PRODUCTION: ${{ secrets.NEXT_PUBLIC_FIREBASE_OPTIONS_PRODUCTION }}
+        NEXT_PUBLIC_FIREBASE_OPTIONS_STAGING: ${{ secrets.NEXT_PUBLIC_FIREBASE_OPTIONS_STAGING }}
+        NEXT_PUBLIC_FIREBASE_VAPID_KEY_PRODUCTION: ${{ secrets.NEXT_PUBLIC_FIREBASE_VAPID_KEY_PRODUCTION }}
+        NEXT_PUBLIC_FIREBASE_VAPID_KEY_STAGING: ${{ secrets.NEXT_PUBLIC_FIREBASE_VAPID_KEY_STAGING }}
+        NEXT_PUBLIC_SPINDL_SDK_KEY: ${{ secrets.NEXT_PUBLIC_SPINDL_SDK_KEY }}

.github/workflows/cypress/action.yml

@@ -3,10 +3,6 @@ name: 'Cypress'
 description: 'Run Cypress'
 
 inputs:
-  secrets:
-    description: 'GitHub secrets as JSON'
-    required: true
-
   spec:
     description: 'A glob pattern for which tests to run'
     required: true
@@ -35,9 +31,9 @@ runs:
         sudo apt-get install ./google-chrome-stable_current_amd64.deb
 
     - uses: ./.github/workflows/build
+      secrets: inherit
       with:
-        secrets: ${{ inputs.secrets }}
-        e2e_mnemonic: ${{ fromJSON(inputs.secrets).NEXT_PUBLIC_CYPRESS_MNEMONIC }}
+        e2e_mnemonic: ${{ secrets.NEXT_PUBLIC_CYPRESS_MNEMONIC }}
 
     - name: Serve
       shell: bash
@@ -52,7 +48,7 @@ runs:
         record: true
         config: baseUrl=http://localhost:8080
       env:
-        CYPRESS_RECORD_KEY: ${{ inputs.record_key || fromJSON(inputs.secrets).CYPRESS_RECORD_KEY }}
-        GITHUB_TOKEN: ${{ fromJSON(inputs.secrets).GITHUB_TOKEN }}
+        CYPRESS_RECORD_KEY: ${{ inputs.record_key || secrets.CYPRESS_RECORD_KEY }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         CYPRESS_PROJECT_ID: ${{ inputs.project_id }}
-        CYPRESS_WALLET_CREDENTIALS: ${{ fromJSON(inputs.secrets).CYPRESS_WALLET_CREDENTIALS }}
+        CYPRESS_WALLET_CREDENTIALS: ${{ secrets.CYPRESS_WALLET_CREDENTIALS }}

.github/workflows/deploy-dev.yml

@@ -39,8 +39,8 @@ jobs:
       - uses: ./.github/workflows/yarn
 
       - uses: ./.github/workflows/build
+        secrets: inherit
         with:
-          secrets: ${{ toJSON(secrets) }}
           prod: ${{ github.ref == 'refs/heads/main' }}
 
       - uses: ./.github/workflows/build-storybook

.github/workflows/deploy-production.yml

@@ -19,8 +19,8 @@ jobs:
       - uses: ./.github/workflows/yarn
 
       - uses: ./.github/workflows/build
+        secrets: inherit
         with:
-          secrets: ${{ toJSON(secrets) }}
           prod: ${{ true }}
 
       - name: Create archive

.github/workflows/e2e-hp-ondemand.yml

@@ -21,8 +21,8 @@ jobs:
       - uses: actions/checkout@v4
 
       - uses: ./.github/workflows/cypress
+        secrets: inherit
         with:
-          secrets: ${{ toJSON(secrets) }}
           spec: |
             cypress/e2e/happypath/*.cy.js
           group: 'Happy path on demand tests'

.github/workflows/e2e-ondemand.yml

@@ -21,8 +21,8 @@ jobs:
       - uses: actions/checkout@v4
 
       - uses: ./.github/workflows/cypress
+        secrets: inherit
         with:
-          secrets: ${{ toJSON(secrets) }}
           spec: |
             cypress/e2e/regression/*.cy.js
             cypress/e2e/safe-apps/*.cy.js

.github/workflows/e2e-regression.yml

@@ -22,7 +22,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - uses: ./.github/workflows/cypress
+        secrets: inherit
         with:
-          secrets: ${{ toJSON(secrets) }}
           spec: cypress/e2e/**/*.cy.js
           group: 'Regression tests'

.github/workflows/e2e-safe-apps.yml

@@ -20,10 +20,9 @@ jobs:
       - uses: actions/checkout@v4
 
       - uses: ./.github/workflows/cypress
+        secrets: inherit
         with:
-          secrets: ${{ toJSON(secrets) }}
           spec: cypress/e2e/safe-apps/*.cy.js
           group: 'Safe Apps tests'
           project_id: okn21k
           record_key: ${{ secrets.CYPRESS_SAFE_APPS_RECORD_KEY }}
-

.github/workflows/e2e-smoke.yml

@@ -21,7 +21,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - uses: ./.github/workflows/cypress
+        secrets: inherit
         with:
-          secrets: ${{ toJSON(secrets) }}
           spec: cypress/e2e/smoke/*.cy.js
           group: 'Smoke tests'

.github/workflows/nextjs-bundle-analysis.yml

@@ -25,8 +25,7 @@ jobs:
 
       - name: Build next.js app
         uses: ./.github/workflows/build
-        with:
-          secrets: ${{ toJSON(secrets) }}
+        secrets: inherit
 
       - name: Analyze bundle
         run: npx -p nextjs-bundle-analysis report