Context
Module test jobs need a safe way to receive caller-selected secrets and non-secret configuration without hard-coding every possible test credential name in Process-PSModule. Some modules need no test data, while others need module-specific environment variable names for API tokens, app credentials, service URLs, usernames, space keys, or similar test configuration.
Technical Decisions
Interface: Add one optional workflow-call secret named TestData to .github/workflows/workflow.yml. TestData is a single-line JSON object with optional secrets and variables maps:
{ "secrets": { "NAME": "value" }, "variables": { "NAME": "value" } }
Exposure model: Entries from both maps are exposed as environment variables in BeforeAll-ModuleLocal, Test-ModuleLocal, and AfterAll-ModuleLocal. Values under secrets are masked before they are written to GITHUB_ENV; values under variables are not masked.
Security boundary: Do not use broad secrets: inherit. The calling workflow must explicitly list the values it wants to expose in TestData, so the shared workflow only receives the caller-selected test data.
Validation: TestData must parse as a JSON object containing only optional secrets and variables maps. Map values must be scalar values. Keys must be safe environment-variable names matching ^[A-Za-z_][A-Za-z0-9_]*$ and must not override reserved variables such as PATH, CI, GITHUB_*, RUNNER_* or ACTIONS_*.
Masking and log readability: TestData must be passed as a single-line value after YAML folding. Pretty-printed JSON with nested indentation is not safe because YAML preserves more-indented lines inside a folded scalar; brace-only lines can become individual GitHub masks and pollute unrelated logs with ***.
Environment-scoped values: GitHub Environment secrets and variables are usable when the calling job sets environment: and explicitly includes those values in TestData; they are not exposed automatically.
Acceptance Criteria
Implementation Plan
Related
Context
Module test jobs need a safe way to receive caller-selected secrets and non-secret configuration without hard-coding every possible test credential name in
Process-PSModule. Some modules need no test data, while others need module-specific environment variable names for API tokens, app credentials, service URLs, usernames, space keys, or similar test configuration.Technical Decisions
Interface: Add one optional workflow-call secret named
TestDatato.github/workflows/workflow.yml.TestDatais a single-line JSON object with optionalsecretsandvariablesmaps:{ "secrets": { "NAME": "value" }, "variables": { "NAME": "value" } }Exposure model: Entries from both maps are exposed as environment variables in
BeforeAll-ModuleLocal,Test-ModuleLocal, andAfterAll-ModuleLocal. Values undersecretsare masked before they are written toGITHUB_ENV; values undervariablesare not masked.Security boundary: Do not use broad
secrets: inherit. The calling workflow must explicitly list the values it wants to expose inTestData, so the shared workflow only receives the caller-selected test data.Validation:
TestDatamust parse as a JSON object containing only optionalsecretsandvariablesmaps. Map values must be scalar values. Keys must be safe environment-variable names matching^[A-Za-z_][A-Za-z0-9_]*$and must not override reserved variables such asPATH,CI,GITHUB_*,RUNNER_*orACTIONS_*.Masking and log readability:
TestDatamust be passed as a single-line value after YAML folding. Pretty-printed JSON with nested indentation is not safe because YAML preserves more-indented lines inside a folded scalar; brace-only lines can become individual GitHub masks and pollute unrelated logs with***.Environment-scoped values: GitHub Environment secrets and variables are usable when the calling job sets
environment:and explicitly includes those values inTestData; they are not exposed automatically.Acceptance Criteria
.github/workflows/workflow.ymlor the*-ModuleLocalworkflows.GITHUB_ENV.variablesmap.TestData.environment:on the calling job plus explicit inclusion inTestData.TEST_*pass-through blocks are removed from the main reusable workflow and*-ModuleLocalworkflows.Implementation Plan
TEST_*secret inputs on.github/workflows/workflow.ymlwithTestData.TestDatatoBeforeAll-ModuleLocal,Test-ModuleLocal, andAfterAll-ModuleLocal.TestDatain the*-ModuleLocalworkflows and expose selected values throughGITHUB_ENV.GITHUB_ENV.TEST_*inputs toTestData.Related
secrets: inheritin ModuleLocal workflows #322 without adopting broadsecrets: inherit.