Skip to content

Support passing arbitrary secrets as environment variables to test jobs #52

Description

Context

Module test jobs need a safe way to receive caller-selected secrets and non-secret configuration without hard-coding every possible test credential name in Process-PSModule. Some modules need no test data, while others need module-specific environment variable names for API tokens, app credentials, service URLs, usernames, space keys, or similar test configuration.

Technical Decisions

Interface: Add one optional workflow-call secret named TestData to .github/workflows/workflow.yml. TestData is a single-line JSON object with optional secrets and variables maps:

{ "secrets": { "NAME": "value" }, "variables": { "NAME": "value" } }

Exposure model: Entries from both maps are exposed as environment variables in BeforeAll-ModuleLocal, Test-ModuleLocal, and AfterAll-ModuleLocal. Values under secrets are masked before they are written to GITHUB_ENV; values under variables are not masked.

Security boundary: Do not use broad secrets: inherit. The calling workflow must explicitly list the values it wants to expose in TestData, so the shared workflow only receives the caller-selected test data.

Validation: TestData must parse as a JSON object containing only optional secrets and variables maps. Map values must be scalar values. Keys must be safe environment-variable names matching ^[A-Za-z_][A-Za-z0-9_]*$ and must not override reserved variables such as PATH, CI, GITHUB_*, RUNNER_* or ACTIONS_*.

Masking and log readability: TestData must be passed as a single-line value after YAML folding. Pretty-printed JSON with nested indentation is not safe because YAML preserves more-indented lines inside a folded scalar; brace-only lines can become individual GitHub masks and pollute unrelated logs with ***.

Environment-scoped values: GitHub Environment secrets and variables are usable when the calling job sets environment: and explicitly includes those values in TestData; they are not exposed automatically.

Acceptance Criteria

  • Test jobs can read arbitrary, module-defined secret names without changing the shared workflow.
  • No module-specific secret names are hard-coded in .github/workflows/workflow.yml or the *-ModuleLocal workflows.
  • Secret values are masked in logs before being exposed through GITHUB_ENV.
  • Non-secret configuration is supported through the variables map.
  • Modules that need no test data work unchanged by omitting TestData.
  • Environment-scoped secrets and variables are documented as requiring environment: on the calling job plus explicit inclusion in TestData.
  • The duplicated fixed TEST_* pass-through blocks are removed from the main reusable workflow and *-ModuleLocal workflows.

Implementation Plan

  • Replace the fixed workflow-call TEST_* secret inputs on .github/workflows/workflow.yml with TestData.
  • Pass TestData to BeforeAll-ModuleLocal, Test-ModuleLocal, and AfterAll-ModuleLocal.
  • Parse TestData in the *-ModuleLocal workflows and expose selected values through GITHUB_ENV.
  • Mask secret values and avoid printing secret key names.
  • Validate JSON shape, environment-variable names, reserved names, and scalar values before writing to GITHUB_ENV.
  • Document the breaking migration path from fixed TEST_* inputs to TestData.
  • Document safe YAML folding, variable syntax, base64 guidance for complex secrets, and environment-scoped values.

Related

Metadata

Metadata

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions