improv(ci): set secrets as inherited for update ssm workflow (#4388)

sdangol · web-flow · commit 50da0e632eca · 2025-08-26T16:17:02.000+02:00
diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
@@ -94,9 +94,8 @@ jobs:
   publish_layer:
     needs: publish-npm
     secrets:
-      AWS_LAYERS_BETA_ROLE_ARN: ${{ secrets.AWS_LAYERS_BETA_ROLE_ARN }}
-      AWS_LAYERS_PROD_ROLE_ARN: ${{ secrets.AWS_LAYERS_PROD_ROLE_ARN }}
-      TOKEN_GITHUB: ${{ secrets.GITHUB_TOKEN }}
+      # We use "inherit" because need to propagate the secrets to the reusable workflow, secrets are already scoped by using GitHub's deployment environments to mitigate the risk of secret exposure.
+      inherit
     permissions:
       id-token: write
       contents: write
diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml
@@ -97,6 +97,9 @@ jobs:
       environment: prod
       package_version: ${{ inputs.latest_published_version }}
       layer-version: ${{ needs.deploy-prod.outputs.layer-version }}
+    secrets:
+      # We use "inherit" because need to propagate the secrets to the reusable workflow, secrets are already scoped by using GitHub's deployment environments to mitigate the risk of secret exposure.
+      inherit
 
   update_layer_arn_docs:
     needs: [deploy-prod]
