From 984719c7499bb84a99bcfe9ec7665817308d6eca Mon Sep 17 00:00:00 2001
From: Jonathan Hartman <208858388+cx-jonathan-hartman@users.noreply.github.com>
Date: Tue, 16 Jun 2026 17:54:01 -0700
Subject: [PATCH] fix(actions): declare secrets used by reusable workflows

Adds explicit on.workflow_call.secrets declarations for all secrets referenced in the workflow body, replacing implicit reliance on callers using secrets: inherit.
---
 .github/workflows/ai-code-review.yml | 3 +++
 .github/workflows/dispatch-workflow.yml | 3 +++
 .github/workflows/jira_close.yml | 5 +++++
 .github/workflows/jira_notify.yml | 9 +++++++++
 .github/workflows/release-notify.yml | 13 +++++++++++++
 5 files changed, 33 insertions(+)

diff --git a/.github/workflows/ai-code-review.yml b/.github/workflows/ai-code-review.yml
index 1003cd5..2d970ba 100644
--- a/.github/workflows/ai-code-review.yml
+++ b/.github/workflows/ai-code-review.yml
@@ -13,6 +13,9 @@ on:
 required: false
 default: ''
 type: string
+ secrets:
+ OPENAI_API_KEY:
+ required: true
 permissions: {}
diff --git a/.github/workflows/dispatch-workflow.yml b/.github/workflows/dispatch-workflow.yml
index b17278c..cf6ef58 100644
--- a/.github/workflows/dispatch-workflow.yml
+++ b/.github/workflows/dispatch-workflow.yml
@@ -24,6 +24,9 @@ on:
 required: false
 default: ''
 type: string
+ secrets:
+ DISPATCH_GH_TOKEN:
+ required: true
 permissions:
 contents: read
diff --git a/.github/workflows/jira_close.yml b/.github/workflows/jira_close.yml
index 370a8f4..c02cd96 100644
--- a/.github/workflows/jira_close.yml
+++ b/.github/workflows/jira_close.yml
@@ -11,6 +11,11 @@ on:
 description: 'Repository full name (owner/repo)'
 required: true
 type: string
+ secrets:
+ AST_JIRA_API_TOKEN:
+ required: true
+ AST_JIRA_USER_EMAIL:
+ required: true
 jobs:
 close_jira:
diff --git a/.github/workflows/jira_notify.yml b/.github/workflows/jira_notify.yml
index ba728ad..1166955 100644
--- a/.github/workflows/jira_notify.yml
+++ b/.github/workflows/jira_notify.yml
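Review bot: Declaring `OPENAI_API_KEY` under `on.workflow_call.secrets` in ai-code-review.yml does not by itself narrow what this workflow can read, because a caller that still uses `secrets: inherit` keeps handing over every secret it has, declared or not. No caller is touched in this patch (they may live in other repositories), so the least-privilege gain only lands once each caller switches to an explicit mapping such as `OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}` under its own `secrets:` key. The same follow-up applies to the declarations added in dispatch-workflow.yml, jira_close.yml, jira_notify.yml and release-notify.yml.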
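Review bot: `DISPATCH_GH_TOKEN` in dispatch-workflow.yml is declared without a `description`, so a caller cannot tell from the interface what kind of token is expected or how much access it needs. The name suggests a GitHub token used to trigger another workflow, so I would state the minimum it requires, for example `description: 'Token used to dispatch the target workflow; grant only the access that dispatch needs'`, with the wording checked against the job body, which is outside this hunk. The other secret declarations in this patch would benefit from a one-line `description` as well.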
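Review bot: In jira_close.yml the `on:` block is followed directly by `jobs:`, with no workflow-level `permissions:` in between, whereas ai-code-review.yml and dispatch-workflow.yml in this same patch set `permissions: {}` and `contents: read` at that position. Unless permissions are set per job or above `on:` (neither is visible in the hunk), the job that receives `AST_JIRA_API_TOKEN` also runs with whatever GITHUB_TOKEN permissions the caller grants. Consider adding `permissions: {}` at workflow level and widening per job only where needed. The hunks for jira_notify.yml and release-notify.yml show the same shape.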
@@ -20,6 +20,15 @@ on:
 description: 'Repository name'
 required: true
 type: string
+ secrets:
+ AST_JIRA_API_TOKEN:
+ required: true
+ AST_JIRA_USER_EMAIL:
+ required: true
+ JIRA_FIELDS_BUG:
+ required: true
+ JIRA_FIELDS_OTHER:
+ required: true
 jobs:
 notify_jira:
diff --git a/.github/workflows/release-notify.yml b/.github/workflows/release-notify.yml
index 35d61b4..45b8081 100644
--- a/.github/workflows/release-notify.yml
+++ b/.github/workflows/release-notify.yml
@@ -21,6 +21,19 @@ on:
 jira_product_name:
 required: true
 type: string
+ secrets:
+ JIRA_AUTOMATION_WEBHOOK_TOKEN:
+ required: true
+ JIRA_RELEASE_WEBHOOK_TOKEN:
+ required: true
+ JIRA_RELEASE_WEBHOOK_URL:
+ required: true
+ JIRA_TICKETS_WEBHOOK_URL:
+ required: true
+ MS_TEAMS_WEBHOOK_URL:
+ required: true
+ MS_TEAMS_WEBHOOK_URL_SYPHER:
+ required: true
 jobs:
 notify-teams:
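Review bot: `JIRA_FIELDS_BUG` and `JIRA_FIELDS_OTHER` in jira_notify.yml are declared as secrets, but their names read like Jira field configuration rather than credentials. The values are not visible here, so this is an inference. If they hold structured data such as JSON, GitHub's log masking works on the exact secret string and is unreliable for structured values, so fragments may appear unmasked in job logs. If nothing in them is sensitive, passing them as `inputs` or repository variables would keep the secret surface to the two Jira credentials. If they are sensitive, a `description` stating what they contain would help callers handle them correctly.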
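Review bot: All six secrets added to release-notify.yml are `required: true`, so a caller that maps secrets explicitly must supply every one of them, including `MS_TEAMS_WEBHOOK_URL_SYPHER`, whose name suggests it serves only one product or channel. The jobs that consume these values are outside the hunk, so I cannot confirm it, but any secret used only on a conditional path would be better declared `required: false`, with the consuming step guarded on the value being non-empty. Otherwise callers are pushed to provision webhook URLs and tokens they do not need, which works against the least-privilege goal of this change.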