Nova jobs couldn't get secrets from the caller's environment #5550

Open
huydhn opened this issue Aug 13, 2024 · 1 comment
Labels
Nova Tooling Tooling Related to Project Nova (CI Tooling) security

Comments

@huydhn
Contributor

huydhn commented Aug 13, 2024

GitHub secrets can be accessible from an environment (best practice) or be available repo-wide. The latter is not secure with self-hosted runners as we have learnt in the past. However, AFAICT, trying to pass secrets from the caller's environment to Nova jobs is not possible atm as there is no way to set the environment variable with Nova.

Here is what I tried to do (and failed):

  • Create an environment called test-passing-secrets with main branch protection and a dummy secret, let's say FOOBAR
  • Try to pass FOOBAR to a Linux Nova job

```yaml
jobs:
  test-passing-secrets-not-working:
    uses: ./.github/workflows/linux_job.yml
    environment: test-passing-secrets  # <--- invalid GH syntax
    secrets: inherit
    with:
      runner: linux.2xlarge
      script: |
        # Try to access SECRET_FOOBAR here
```

This limits the usefulness of Nova jobs; for example, they cannot be used to access HuggingFace or upload to PyPI or conda, where secret tokens are needed.

This is more like an issue with the way GitHub handles reusable workflows, where it currently doesn't allow an environment to be set. However, maybe there is a workaround that folks know.

cc @seemethere @ZainRizvi

Ref

https://docs.github.com/en/actions/sharing-automations/reusing-workflows#supported-keywords-for-jobs-that-call-a-reusable-workflow
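Added example (not from the issue or the Nova tooling): since the caller's job cannot carry an `environment:` key, the environment is declared inside the called workflow instead, selected by a string input, so the environment's branch protection still gates the secret and nothing needs to live repo-wide. The file layout, the `environment` input and the secret name FOOBAR are hypothetical, and this assumes the reusable workflow itself can be edited.

```yaml
# --- .github/workflows/linux_job.yml (the reusable workflow, hypothetical) ---
on:
  workflow_call:
    inputs:
      environment:
        description: "GitHub environment whose secrets this job may read"
        required: true
        type: string
      script:
        required: true
        type: string
    secrets:
      FOOBAR:
        required: false

jobs:
  job:
    runs-on: linux.2xlarge
    # Environment secrets resolve here, in the job that declares the environment,
    # so the environment's deployment-branch rule (e.g. main only) is enforced
    # before the secret ever reaches the runner.
    environment: ${{ inputs.environment }}
    steps:
      - name: Run caller script with the environment secret in an env var
        env:
          FOOBAR: ${{ secrets.FOOBAR }}
        run: ${{ inputs.script }}

---
# --- caller workflow (hypothetical) ---
jobs:
  test-passing-secrets:
    uses: ./.github/workflows/linux_job.yml
    # No `environment:` key here: it is not a supported keyword on a job that
    # calls a reusable workflow. The environment name travels as a plain input.
    secrets: inherit
    with:
      environment: test-passing-secrets
      script: |
        # Use the secret without printing it; fail loudly if it was not injected.
        test -n "$FOOBAR" || { echo "FOOBAR not available in this job"; exit 1; }
```

The two YAML documents are separated by `---` only so the snippet is valid as one file; in a repository they are two workflow files.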

@clee2000 clee2000 added Nova Tooling Tooling Related to Project Nova (CI Tooling) security labels Aug 20, 2024
@clee2000
Contributor

Notes: this isn't specific to NOVA, it's all reusable actions. We should bring this up to GH during the next meeting

Projects
Status: Cold Storage

2 participants