From e7d11d46499985b57684463cb4e89ee4500df638 Mon Sep 17 00:00:00 2001 From: Francois Ferrand Date: Wed, 22 Apr 2026 18:41:49 +0200 Subject: [PATCH 1/2] do not install plugin if secret not available Issue: ZENKO-5260 --- .github/workflows/claude-code-review.yml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 2b91124..784fdd8 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -87,8 +87,20 @@ jobs: uses: actions/github-script@v7 env: PLUGIN_MARKETPLACES: ${{ inputs.plugin_marketplaces }} + PLUGINS: ${{ inputs.plugins }} + HAS_APP_KEY: ${{ secrets.ACTIONS_APP_PRIVATE_KEY != '' }} with: script: | + const hasAppKey = process.env.HAS_APP_KEY === 'true'; + if (!hasAppKey) { + core.warning('ACTIONS_APP_PRIVATE_KEY secret is not set; skipping plugin marketplaces and plugins.'); + core.setOutput('checkouts', '[]'); + core.setOutput('repositories', ''); + core.setOutput('marketplaces', ''); + core.setOutput('plugins', ''); + return; + } + // Entries using `#` syntax are not supported natively by // the claude-code plugin loader. Extract them so we can clone the // repo locally and substitute the entry with the local path. @@ -106,9 +118,11 @@ jobs: return `./${path}`; }); + core.setOutput('checkouts', JSON.stringify(checkouts)); core.setOutput('repositories', checkouts.map(c => c.repo).join('\n')); core.setOutput('marketplaces', marketplaces.join('\n')); + core.setOutput('plugins', process.env.PLUGINS || ''); - name: Get token for marketplace repositories if: steps.marketplaces.outputs.repositories != '' 
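Review bot: The `!hasAppKey` early return discards every marketplace and plugin, whereas the comment immediately below it says only the `#`-style entries need a local clone (and so, presumably, the app token); entries the claude-code loader can handle natively are dropped as well, and because `repositories` is forced to `''` the `Get token for marketplace repositories` step is skipped too. Failing closed in this direction is the right default — a missing secret (e.g. on a fork PR) removes capability rather than adding it — but the all-or-nothing choice should be stated above the check, e.g. `// Without the app key we cannot clone private marketplaces; skip all plugins rather than install a partial set.`. If marketplaces that need no credentials are expected to keep working, gate only the `#` entries and still emit the remaining `marketplaces`/`plugins` outputs. The step's `id`/`name` lines and the middle of the `script:` body lie outside this hunk.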
@@ -150,7 +164,7 @@ jobs: --allowedTools ${{ inputs.allowed-tools }} --model "${{ inputs.model }}" plugin_marketplaces: ${{ steps.marketplaces.outputs.marketplaces }} - plugins: ${{ inputs.plugins }} + plugins: ${{ steps.marketplaces.outputs.plugins }} additional_permissions: | ${{ inputs.summary-mode != 'comment' && 'checks: write' || '' }} env: From 76bc76f33964a5547a3a09adc23d1b0b1e7e235d Mon Sep 17 00:00:00 2001 From: Francois Ferrand Date: Wed, 22 Apr 2026 18:42:22 +0200 Subject: [PATCH 2/2] inherit secrets to simplify workflows Issue: ZENKO-5260 --- .github/workflows/review.yml | 14 ++------------ docs/index.md | 21 ++++++++++++++++++++- 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml index fee54d1..d735a54 100644 --- a/.github/workflows/review.yml +++ b/.github/workflows/review.yml @@ -10,19 +10,9 @@ jobs: review: if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' uses: ./.github/workflows/claude-code-review.yml - secrets: - GCP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} - GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }} - ANTHROPIC_VERTEX_PROJECT_ID: ${{ secrets.ANTHROPIC_VERTEX_PROJECT_ID }} - CLOUD_ML_REGION: ${{ secrets.CLOUD_ML_REGION }} - ACTIONS_APP_PRIVATE_KEY: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }} + secrets: inherit review-dependency-bump: if: github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]' uses: ./.github/workflows/claude-code-dependency-review.yml - secrets: - GCP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} - GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }} - ANTHROPIC_VERTEX_PROJECT_ID: ${{ secrets.ANTHROPIC_VERTEX_PROJECT_ID }} - CLOUD_ML_REGION: ${{ secrets.CLOUD_ML_REGION }} - ACTIONS_APP_PRIVATE_KEY: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }} + secrets: inherit diff --git a/docs/index.md b/docs/index.md index 39c32f7..74faf73 100644 
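Review bot: `secrets: inherit` hands the called workflow every repository and organization secret, not just the five that were mapped explicitly, and `review-dependency-bump` is gated on `github.event_name == 'pull_request_target'` for dependabot, so that job now runs with the full secret set while handling a bot-authored PR. Both callees are local (`./.github/workflows/...`), so the trust boundary stays the same repository and this is a least-privilege regression rather than a new exposure path; if the wider set is acceptable, record why next to the line, e.g. `secrets: inherit  # local callee, same trust boundary; needs GCP_*, ANTHROPIC_*, CLOUD_ML_REGION, ACTIONS_APP_PRIVATE_KEY`. The docs change in this same commit recommends the pattern for cross-repo `scality/workflows/...@v2` callers as well, where a mutable tag plus full secret inheritance is a supply-chain exposure — pin those callers to a commit SHA or keep the explicit mapping there.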
--- a/docs/index.md +++ b/docs/index.md @@ -1,3 +1,22 @@ # Workflows -This repository is used to share GitHub Actions reusable workflows across the organization. \ No newline at end of file +This repository is used to share GitHub Actions reusable workflows across the organization. + +## Calling conventions + +When calling any workflow from this repository, prefer `secrets: inherit` over listing +secrets explicitly: + +```yaml +jobs: + docker-build: + uses: scality/workflows/.github/workflows/docker-build.yaml@v2 + with: + name: my-image + secrets: inherit +``` + +This way, if a reusable workflow starts requiring a new secret, consuming repos pick it +up automatically instead of silently breaking until each caller is patched. Only fall +back to explicit `secrets:` mapping when the caller's secret name does not match the +name expected by the reusable workflow.