chore: Change secret handling to inherit in call-chatOps.yml

[hudeng-go]

Summary by Sourcery

Build:

• Adjust GitHub Actions workflow configuration to inherit secrets when invoking the shared chatOps workflow.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Updates the reusable GitHub Actions workflow call to inherit all secrets instead of explicitly passing APP_PRIVATE_KEY.

Flow diagram for secret inheritance in call-chatOps workflow

flowchart TD
    A["call-chatOps.yml triggers"] --> B["Job chatopt starts"]
    B --> C["Uses reusable workflow chatOps.yml"]
    C --> D["GitHub resolves secrets with inherit"]
    D --> E["All available repo/org secrets provided to reusable workflow"]

Loading

File-Level Changes

Change	Details	Files
Adjust secret propagation for the reusable chatOps workflow to use GitHub Actions secrets: inherit.	Replace explicit APP_PRIVATE_KEY secret mapping with secrets: inherit on the reusable workflow job Rely on the caller workflow’s configured secrets for the chatOps workflow instead of hard-coding a single secret	.github/workflows/call-chatOps.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• Switching to secrets: inherit exposes all available secrets to the reusable workflow; consider keeping an explicit secrets mapping (or limiting secrets via the called workflow) to maintain principle-of-least-privilege access.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Switching to `secrets: inherit` exposes all available secrets to the reusable workflow; consider keeping an explicit secrets mapping (or limiting secrets via the called workflow) to maintain principle-of-least-privilege access.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: BLumia, hudeng-go

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deepin-ci-robot]

deepin pr auto review

这段代码修改涉及 GitHub Actions 工作流中的 call-chatOps.yml 文件，主要是对 secrets（密钥）的传递方式进行了变更。

以下是详细的代码审查意见，包括语法逻辑、代码质量、代码性能和代码安全方面的分析：

1. 语法逻辑

• 审查结果：通过。
• 分析：
  • secrets: inherit 是 GitHub Actions 提供的标准语法，用于将当前工作流（调用者）的所有可用密钥自动传递给被调用的工作流（被调用者）。
  • 原代码 secrets: APP_PRIVATE_KEY: ... 也是合法的语法，用于显式传递特定的单个密钥。
  • 修改后的逻辑是：不再显式指定 APP_PRIVATE_KEY，而是直接继承调用者上下文中所有的 secrets。这在逻辑上是成立的，前提是调用者环境确实拥有被调用者所需的密钥。

2. 代码质量

• 审查结果：改进。
• 分析：
  • 优点：代码更简洁。如果被调用的工作流（linuxdeepin/.github/.github/workflows/chatOps.yml）需要使用多个密钥，或者未来可能增加新的密钥依赖，使用 inherit 可以避免在调用方频繁修改代码来同步新增的密钥。它减少了维护成本，符合 DRY（Don't Repeat Yourself）原则。
  • 潜在风险：显式传递（原代码）虽然繁琐，但具有"自文档化"的优点，一眼就能看出该工作流依赖 APP_PRIVATE_KEY。改为 inherit 后，依赖关系变得隐式，开发者需要查看被调用的工作流定义才能知道具体需要哪些密钥。

3. 代码性能

• 审查结果：无显著影响。
• 分析：
  • 这只是配置层面的变更，不涉及运行时代码。无论是显式指定一个密钥还是继承所有密钥，GitHub Actions 在启动 Runner 之前处理这些配置的开销差异可以忽略不计。

4. 代码安全

• 审查结果：需要警惕 / 存在风险。
• 分析：
  • 过度授权风险：这是最主要的安全隐患。原代码只传递了 APP_PRIVATE_KEY，遵循了"最小权限原则"。修改为 inherit 后，当前仓库中所有的 Secrets 都会被传递给 linuxdeepin/.github 仓库下的工作流。
  • 信任边界：这种修改意味着你完全信任 linuxdeepin/.github 仓库的维护者以及该仓库中 chatOps.yml 的代码逻辑。如果被调用的工作流被恶意修改（例如添加了 echo ${{ secrets.SOME_OTHER_SECRET }}），或者该仓库被黑客攻击，当前仓库的所有敏感信息（如数据库密码、API Token、部署密钥等）都可能泄露。
  • 建议：如果 chatOps.yml 仅仅是为了处理 ChatOps 相关的逻辑，通常只需要特定的密钥（如 APP_PRIVATE_KEY）。除非该工作流确实需要访问当前仓库的所有上下文，否则建议回退到显式传递，或者仅列出必需的密钥列表。

改进建议

方案 A：如果该工作流确实只需要 APP_PRIVATE_KEY（推荐）
为了安全起见，建议恢复显式传递，或者明确列出所需密钥，防止意外泄露其他无关的敏感信息。

jobs:
  chatopt:
    uses: linuxdeepin/.github/.github/workflows/chatOps.yml@master
    secrets:
      APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}

方案 B：如果该工作流确实需要多个密钥，且为了方便维护
如果你确定该工作流是内部可信的，并且确实需要多个密钥，可以使用 inherit，但建议在注释中说明原因，并确保被调用的仓库安全策略严格。

jobs:
  chatopt:
    uses: linuxdeepin/.github/.github/workflows/chatOps.yml@master
    # 注意：inherit 会传递当前仓库的所有 Secrets，请确保被调用的工作流来源可信
    secrets: inherit

总结：
虽然 secrets: inherit 提升了代码的简洁性和可维护性，但在安全性上引入了过度授权的风险。除非有明确的必要性，否则建议优先使用显式传递密钥的方式。