Clean up unnecessary secrets #3199

Author: padms

.github/workflows/PREPROD-studios.yaml

@@ -105,7 +105,6 @@ jobs:
           datasetName: ${{ matrix.dataset }}
           githubToken: ${{ secrets.GITHUB_TOKEN }}
           sanityApiToken: ${{ secrets.SANITY_API_TOKEN }}
-          sanityHistoryApiToken: ${{ secrets.SANITY_STUDIO_HISTORY_API_TOKEN }}
           sanityPreviewToken: ${{ secrets.SANITY_STUDIO_PREVIEW_SECRET }}
           brandmasterUrl: ${{ secrets.SANITY_STUDIO_BRANDMASTER_URL }}
           brandmasterPluginSource: ${{ secrets.SANITY_STUDIO_BRANDMASTER_PLUGIN_SOURCE }}

.github/workflows/UPGRADE-DEV-studio.yaml

@@ -35,7 +35,6 @@ jobs:
           datasetName: ${{ matrix.dataset }}
           githubToken: ${{ secrets.GITHUB_TOKEN }}
           sanityApiToken: ${{ secrets.SANITY_API_TOKEN }}
-          sanityHistoryApiToken: ${{ secrets.SANITY_STUDIO_HISTORY_API_TOKEN }}
           sanityPreviewToken: ${{ secrets.SANITY_STUDIO_PREVIEW_SECRET }}
           brandmasterUrl: ${{ secrets.SANITY_STUDIO_BRANDMASTER_URL }}
           brandmasterPluginSource: ${{ secrets.SANITY_STUDIO_BRANDMASTER_PLUGIN_SOURCE }}

.github/workflows/deploy-studio/action.yaml

@@ -96,23 +96,27 @@ runs:
     - name: Build sanity container ⚙️
       id: build
       shell: bash
+      env:
+        SANITY_API_TOKEN: ${{ inputs.sanityApiToken }}
+        FOTOWARE_AF_EXPORT_KEY: ${{ inputs.fotowareAfExportKey }}
+        SCREEN9_TOKEN: ${{ inputs.screen9token }}
+        SANITY_STUDIO_PREVIEW_SECRET: ${{ inputs.sanityPreviewToken }}
       run: |
         docker build . \
           --cache-from ${{ inputs.imageName }}:${{ env.IMAGE_TAG }} \
           --build-arg ARG_SANITY_DATASET=${{ inputs.datasetName }} \
-          --build-arg ARG_SANITY_PREVIEW=${{ inputs.sanityPreviewToken }} \
-          --build-arg ARG_SANITY_API_TOKEN=${{ inputs.sanityApiToken }} \
-          --build-arg ARG_SANITY_HISTORY_API_TOKEN=${{ inputs.sanityHistoryApiToken }} \
+          --secret id=SANITY_STUDIO_PREVIEW_SECRET \
+          --secret id=SANITY_API_TOKEN \
           --build-arg ARG_BRANDMASTER_URL=${{ inputs.brandmasterUrl }} \
           --build-arg ARG_BRANDMASTER_PLUGIN="${{ inputs.brandmasterPluginSource }}" \
           --build-arg ARG_FOTOWARE_CLIENT_ID="${{ inputs.fotowareClientId }}" \
           --build-arg ARG_FOTOWARE_TENANT_URL="${{ inputs.fotowareTenantUrl }}" \
           --build-arg ARG_FOTOWARE_REDIRECT_ORIGIN="${{ inputs.fotowareRedirectOrigin }}" \
           --build-arg ARG_FOTOWARE_REDIRECT_URI="${{ inputs.fotowareRedirectUri }}" \
           --build-arg ARG_FOTOWARE_AF_EXPORT_URL="${{ inputs.fotowareAfExportUrl }}" \
-          --build-arg ARG_FOTOWARE_AF_EXPORT_KEY="${{ inputs.fotowareAfExportKey }}" \
+          --secret id=FOTOWARE_AF_EXPORT_KEY \
           --build-arg ARG_SCREEN9_ACCOUNT_ID="${{ inputs.screen9accountId }}" \
-          --build-arg ARG_SCREEN9_TOKEN="${{ inputs.screen9token }}" \
+          --secret id=SCREEN9_TOKEN \
           --build-arg ARG_SANITY_STUDIO_PREVIEW_URL="${{ inputs.previewUrl }}" \
           --file studio/Dockerfile \
           --tag ${{ inputs.imageName }}:${{ env.IMAGE_TAG }} \

.github/workflows/deploy-web/action.yaml

@@ -86,7 +86,7 @@ runs:
           --cache-from ${{ inputs.imageName }}:${{ env.IMAGE_TAG}} \
           --build-arg ARG_SANITY_PROJECT_ID=${{ inputs.projectId }} \
           --build-arg ARG_SANITY_DATASET=${{ inputs.datasetName }} \
-          --secret id=sanity_api_token,env=SANITY_API_TOKEN \
+          --secret id=SANITY_API_TOKEN \
           --build-arg ARG_ALGOLIA_APP_ID=${{ inputs.algoliaAppId }} \
           --build-arg ARG_ALGOLIA_SEARCH_API_KEY=${{ inputs.algoliaApiKey }} \
           --build-arg ARG_ENV=${{ inputs.environment }} \

studio/Dockerfile

@@ -17,42 +17,34 @@ COPY ./pnpm-lock.yaml ./
 COPY ./tsconfig.base.json ./
 COPY ./studio ./studio
 
-ARG ARG_SANITY_API_TOKEN
-ARG ARG_SANITY_MUTATION_TOKEN
-ARG ARG_SANITY_HISTORY_API_TOKEN
 ARG ARG_SANITY_PROJECT_ID
 ARG ARG_SANITY_DATASET
-ARG ARG_SANITY_PREVIEW
 ARG ARG_BRANDMASTER_URL
 ARG ARG_BRANDMASTER_PLUGIN
 ARG ARG_FOTOWARE_CLIENT_ID
 ARG ARG_FOTOWARE_TENANT_URL
 ARG ARG_FOTOWARE_REDIRECT_ORIGIN
 ARG ARG_FOTOWARE_AF_EXPORT_URL
-ARG ARG_FOTOWARE_AF_EXPORT_KEY
 ARG ARG_SCREEN9_ACCOUNT_ID
-ARG ARG_SCREEN9_TOKEN
 ARG ARG_SANITY_STUDIO_PREVIEW_URL
 
-ENV SANITY_STUDIO_API_TOKEN=${ARG_SANITY_API_TOKEN}
-ENV SANITY_STUDIO_MUTATION_TOKEN=${ARG_SANITY_MUTATION_TOKEN}
-ENV SANITY_STUDIO_HISTORY_API_TOKEN=${ARG_SANITY_HISTORY_API_TOKEN}
 ENV SANITY_STUDIO_API_PROJECT_ID=${ARG_SANITY_PROJECT_ID}
 ENV SANITY_STUDIO_API_DATASET=${ARG_SANITY_DATASET}
-ENV SANITY_STUDIO_PREVIEW_SECRET=${ARG_SANITY_PREVIEW}
 ENV SANITY_STUDIO_BRANDMASTER_URL=${ARG_BRANDMASTER_URL}
 ENV SANITY_STUDIO_BRANDMASTER_PLUGIN_SOURCE=${ARG_BRANDMASTER_PLUGIN}
 ENV SANITY_STUDIO_FOTOWARE_CLIENT_ID=${ARG_FOTOWARE_CLIENT_ID}
 ENV SANITY_STUDIO_FOTOWARE_TENANT_URL=${ARG_FOTOWARE_TENANT_URL}
 ENV SANITY_STUDIO_FOTOWARE_REDIRECT_ORIGIN=${ARG_FOTOWARE_REDIRECT_ORIGIN}
 ENV SANITY_STUDIO_FOTOWARE_AF_EXPORT_URL=${ARG_FOTOWARE_AF_EXPORT_URL}
-ENV SANITY_STUDIO_FOTOWARE_AF_EXPORT_KEY=${ARG_FOTOWARE_AF_EXPORT_KEY}
 ENV SANITY_STUDIO_SCREEN9_ACCOUNT_ID=${ARG_SCREEN9_ACCOUNT_ID}
-ENV SANITY_STUDIO_SCREEN9_TOKEN=${ARG_SCREEN9_TOKEN}
 ENV SANITY_STUDIO_PREVIEW_URL=${ARG_SANITY_STUDIO_PREVIEW_URL}
 
 RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm studio install --frozen-lockfile 
-RUN pnpm studio build
+RUN --mount=type=secret,id=SANITY_API_TOKEN,env=SANITY_API_TOKEN \
+    --mount=type=secret,id=SANITY_STUDIO_PREVIEW_SECRET,env=SANITY_STUDIO_PREVIEW_SECRET \
+    --mount=type=secret,id=FOTOWARE_AF_EXPORT_KEY,env=FOTOWARE_AF_EXPORT_KEY \
+    --mount=type=secret,id=SCREEN9_TOKEN,env=SCREEN9_TOKEN \
+    pnpm studio build
 
 # Run
 FROM node:lts-alpine AS runner

studio/actions/ResetCrossDatasetToken.ts

@@ -38,7 +38,7 @@ ENV NEXT_PUBLIC_ARCHIVE_CONTENT_LINK=${ARG_ARCHIVE_CONTENT_LINK}
 ENV NEXT_PUBLIC_FRIENDLY_CAPTCHA_SITEKEY=${ARG_FRIENDLY_CAPTCHA_SITEKEY}
 ENV NEXT_TELEMETRY_DISABLED=1
 
-RUN --mount=type=secret,id=sanity_api_token,env=SANITY_API_TOKEN \
+RUN --mount=type=secret,id=SANITY_API_TOKEN,env=SANITY_API_TOKEN \
     pnpm web build