workflows: Replace secrets: inherit

Having secrets unconditionally being inherited is bad practice, so update the workflows to only pass through the minimal secrets that are needed Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-25 18:53:44 +00:00 · 2025-06-06 09:56:46 +01:00
parent 89d038d2b4
commit 66ef1c1198
23 changed files with 223 additions and 32 deletions
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -20,6 +20,9 @@ on:
        required: false
        type: string
        default: ""
+    secrets:
+      QUAY_DEPLOYER_PASSWORD:
+        required: false

 permissions:
  contents: read
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -20,6 +20,9 @@ on:
        required: false
        type: string
        default: ""
+    secrets:
+      QUAY_DEPLOYER_PASSWORD:
+        required: false

 permissions:
  contents: read
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@@ -20,6 +20,9 @@ on:
        required: false
        type: string
        default: ""
+    secrets:
+      QUAY_DEPLOYER_PASSWORD:
+        required: true

 permissions:
  contents: read
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml
+++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml
@@ -20,6 +20,9 @@ on:
        required: false
        type: string
        default: ""
+    secrets:
+      QUAY_DEPLOYER_PASSWORD:
+        required: true

 permissions:
  contents: read
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -20,6 +20,12 @@ on:
        required: false
        type: string
        default: ""
+    secrets:
+      CI_HKD_PATH:
+        required: true
+      QUAY_DEPLOYER_PASSWORD:
+        required: true
+

 permissions:
  contents: read
--- a/.github/workflows/ci-coco-stability.yaml
+++ b/.github/workflows/ci-coco-stability.yaml
@@ -24,4 +24,10 @@ jobs:
      pr-number: "weekly"
      tag: ${{ github.sha }}-weekly
      target-branch: ${{ github.ref_name }}
-    secrets: inherit
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      AZ_APPID: ${{ secrets.AZ_APPID }}
+      AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
+      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
+      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
--- a/.github/workflows/ci-devel.yaml
+++ b/.github/workflows/ci-devel.yaml
@@ -18,7 +18,16 @@ jobs:
      pr-number: "dev"
      tag: ${{ github.sha }}-dev
      target-branch: ${{ github.ref_name }}
-    secrets: inherit
+
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      AZ_APPID: ${{ secrets.AZ_APPID }}
+      AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
+      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
+      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
+      ITA_KEY: ${{ secrets.ITA_KEY }}
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-checks:
    uses: ./.github/workflows/build-checks.yaml
--- a/.github/workflows/ci-nightly.yaml
+++ b/.github/workflows/ci-nightly.yaml
@@ -23,4 +23,12 @@ jobs:
      pr-number: "nightly"
      tag: ${{ github.sha }}-nightly
      target-branch: ${{ github.ref_name }}
-    secrets: inherit
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      AZ_APPID: ${{ secrets.AZ_APPID }}
+      AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
+      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
+      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
+      ITA_KEY: ${{ secrets.ITA_KEY }}
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -44,4 +44,12 @@ jobs:
      tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}
      target-branch: ${{ github.event.pull_request.base.ref }}
      skip-test: ${{ needs.skipper.outputs.skip_test }}
-    secrets: inherit
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      AZ_APPID: ${{ secrets.AZ_APPID }}
+      AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
+      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
+      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
+      ITA_KEY: ${{ secrets.ITA_KEY }}
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -15,6 +15,20 @@ on:
        required: false
        type: string
        default: ""
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD:
+        required: true
+
+      AZ_APPID:
+        required: true
+      AZ_PASSWORD:
+        required: true
+      AZ_TENANT_ID:
+       required: true
+      AZ_SUBSCRIPTION_ID:
+        required: true
+      QUAY_DEPLOYER_PASSWORD:
+        required: true

 permissions:
  contents: read
@@ -47,7 +61,8 @@ jobs:
      target-branch: ${{ inputs.target-branch }}
      runner: ubuntu-22.04
      arch: amd64
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-and-publish-tee-confidential-unencrypted-image:
    permissions:
@@ -100,4 +115,9 @@ jobs:
      pr-number: ${{ inputs.pr-number }}
      target-branch: ${{ inputs.target-branch }}
      tarball-suffix: -${{ inputs.tag }}
-    secrets: inherit
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      AZ_APPID: ${{ secrets.AZ_APPID }}
+      AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
+      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
+      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -19,6 +19,24 @@ on:
        required: false
        type: string
        default: no
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD:
+        required: true
+
+      AZ_APPID:
+        required: true
+      AZ_PASSWORD:
+        required: true
+      AZ_TENANT_ID:
+       required: true
+      AZ_SUBSCRIPTION_ID:
+        required: true
+      CI_HKD_PATH:
+        required: true
+      ITA_KEY:
+        required: true
+      QUAY_DEPLOYER_PASSWORD:
+        required: true

 permissions:
  contents: read
@@ -51,7 +69,8 @@ jobs:
      target-branch: ${{ inputs.target-branch }}
      runner: ubuntu-22.04
      arch: amd64
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-kata-static-tarball-arm64:
    permissions:
@@ -80,7 +99,8 @@ jobs:
      target-branch: ${{ inputs.target-branch }}
      runner: ubuntu-22.04-arm
      arch: arm64
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-kata-static-tarball-s390x:
    permissions:
@@ -93,7 +113,9 @@ jobs:
      tarball-suffix: -${{ inputs.tag }}
      commit-hash: ${{ inputs.commit-hash }}
      target-branch: ${{ inputs.target-branch }}
-    secrets: inherit
+    secrets:
+      CI_HKD_PATH: ${{ secrets.ci_hkd_path }}
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-kata-static-tarball-ppc64le:
    permissions:
@@ -104,6 +126,8 @@ jobs:
      tarball-suffix: -${{ inputs.tag }}
      commit-hash: ${{ inputs.commit-hash }}
      target-branch: ${{ inputs.target-branch }}
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-kata-static-tarball-riscv64:
    permissions:
@@ -116,7 +140,8 @@ jobs:
      tarball-suffix: -${{ inputs.tag }}
      commit-hash: ${{ inputs.commit-hash }}
      target-branch: ${{ inputs.target-branch }}
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  publish-kata-deploy-payload-s390x:
    needs: build-kata-static-tarball-s390x
@@ -133,7 +158,8 @@ jobs:
      target-branch: ${{ inputs.target-branch }}
      runner: s390x
      arch: s390x
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  publish-kata-deploy-payload-ppc64le:
    needs: build-kata-static-tarball-ppc64le
@@ -150,7 +176,8 @@ jobs:
      target-branch: ${{ inputs.target-branch }}
      runner: ppc64le
      arch: ppc64le
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-and-publish-tee-confidential-unencrypted-image:
    permissions:
@@ -266,7 +293,11 @@ jobs:
      commit-hash: ${{ inputs.commit-hash }}
      pr-number: ${{ inputs.pr-number }}
      target-branch: ${{ inputs.target-branch }}
-    secrets: inherit
+    secrets:
+      AZ_APPID: ${{ secrets.AZ_APPID }}
+      AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
+      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
+      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}

  run-k8s-tests-on-amd64:
    if: ${{ inputs.skip-test != 'yes' }}
@@ -279,7 +310,6 @@ jobs:
      commit-hash: ${{ inputs.commit-hash }}
      pr-number: ${{ inputs.pr-number }}
      target-branch: ${{ inputs.target-branch }}
-    secrets: inherit

  run-k8s-tests-on-arm64:
    if: ${{ inputs.skip-test != 'yes' }}
@@ -308,7 +338,13 @@ jobs:
      commit-hash: ${{ inputs.commit-hash }}
      pr-number: ${{ inputs.pr-number }}
      target-branch: ${{ inputs.target-branch }}
-    secrets: inherit
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      AZ_APPID: ${{ secrets.AZ_APPID }}
+      AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
+      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
+      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      ITA_KEY: ${{ secrets.ITA_KEY }}

  run-k8s-tests-on-zvsi:
    if: ${{ inputs.skip-test != 'yes' }}
@@ -321,7 +357,8 @@ jobs:
      commit-hash: ${{ inputs.commit-hash }}
      pr-number: ${{ inputs.pr-number }}
      target-branch: ${{ inputs.target-branch }}
-    secrets: inherit
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}

  run-k8s-tests-on-ppc64le:
    if: ${{ inputs.skip-test != 'yes' }}
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@@ -23,7 +23,8 @@ jobs:
      commit-hash: ${{ github.sha }}
      push-to-registry: yes
      target-branch: ${{ github.ref_name }}
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-assets-arm64:
    permissions:
@@ -36,7 +37,8 @@ jobs:
      commit-hash: ${{ github.sha }}
      push-to-registry: yes
      target-branch: ${{ github.ref_name }}
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-assets-s390x:
    permissions:
@@ -49,7 +51,9 @@ jobs:
      commit-hash: ${{ github.sha }}
      push-to-registry: yes
      target-branch: ${{ github.ref_name }}
-    secrets: inherit
+    secrets:
+      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-assets-ppc64le:
    permissions:
@@ -60,7 +64,8 @@ jobs:
      commit-hash: ${{ github.sha }}
      push-to-registry: yes
      target-branch: ${{ github.ref_name }}
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  publish-kata-deploy-payload-amd64:
    needs: build-assets-amd64
@@ -76,7 +81,8 @@ jobs:
      target-branch: ${{ github.ref_name }}
      runner: ubuntu-22.04
      arch: amd64
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  publish-kata-deploy-payload-arm64:
    needs: build-assets-arm64
@@ -92,7 +98,8 @@ jobs:
      target-branch: ${{ github.ref_name }}
      runner: ubuntu-22.04-arm
      arch: arm64
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  publish-kata-deploy-payload-s390x:
    needs: build-assets-s390x
@@ -108,7 +115,8 @@ jobs:
      target-branch: ${{ github.ref_name }}
      runner: s390x
      arch: s390x
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  publish-kata-deploy-payload-ppc64le:
    needs: build-assets-ppc64le
@@ -124,7 +132,8 @@ jobs:
      target-branch: ${{ github.ref_name }}
      runner: ppc64le
      arch: ppc64le
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  publish-manifest:
    runs-on: ubuntu-22.04
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@@ -30,6 +30,9 @@ on:
        description: The arch of the tarball.
        required: true
        type: string
+    secrets:
+      QUAY_DEPLOYER_PASSWORD:
+        required: true

 permissions:
  contents: read
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@@ -5,6 +5,9 @@ on:
      target-arch:
        required: true
        type: string
+    secrets:
+      QUAY_DEPLOYER_PASSWORD:
+        required: true

 permissions:
  contents: read
@@ -15,7 +18,8 @@ jobs:
    with:
      push-to-registry: yes
      stage: release
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  kata-deploy:
    needs: build-kata-static-tarball-amd64
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -5,6 +5,9 @@ on:
      target-arch:
        required: true
        type: string
+    secrets:
+      QUAY_DEPLOYER_PASSWORD:
+        required: true

 permissions:
  contents: read
@@ -15,7 +18,8 @@ jobs:
    with:
      push-to-registry: yes
      stage: release
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  kata-deploy:
    needs: build-kata-static-tarball-arm64
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@@ -5,6 +5,9 @@ on:
      target-arch:
        required: true
        type: string
+    secrets:
+      QUAY_DEPLOYER_PASSWORD:
+        required: true

 permissions:
  contents: read
@@ -15,7 +18,8 @@ jobs:
    with:
      push-to-registry: yes
      stage: release
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  kata-deploy:
    needs: build-kata-static-tarball-ppc64le
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@@ -5,6 +5,11 @@ on:
      target-arch:
        required: true
        type: string
+    secrets:
+      CI_HKD_PATH:
+        required: true
+      QUAY_DEPLOYER_PASSWORD:
+        required: true

 permissions:
  contents: read
@@ -15,7 +20,10 @@ jobs:
    with:
      push-to-registry: yes
      stage: release
-    secrets: inherit
+    secrets:
+      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+

  kata-deploy:
    needs: build-kata-static-tarball-s390x
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -30,7 +30,8 @@ jobs:
    uses: ./.github/workflows/release-amd64.yaml
    with:
      target-arch: amd64
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-and-push-assets-arm64:
    needs: release
@@ -42,7 +43,8 @@ jobs:
    uses: ./.github/workflows/release-arm64.yaml
    with:
      target-arch: arm64
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-and-push-assets-s390x:
    needs: release
@@ -54,7 +56,9 @@ jobs:
    uses: ./.github/workflows/release-s390x.yaml
    with:
      target-arch: s390x
-    secrets: inherit
+    secrets:
+      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-and-push-assets-ppc64le:
    needs: release
@@ -64,7 +68,8 @@ jobs:
    uses: ./.github/workflows/release-ppc64le.yaml
    with:
      target-arch: ppc64le
-    secrets: inherit
+    secrets:
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  publish-multi-arch-images:
    runs-on: ubuntu-22.04
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -24,6 +24,17 @@ on:
        required: false
        type: string
        default: ""
+    secrets:
+
+      AZ_APPID:
+        required: true
+      AZ_PASSWORD:
+        required: true
+      AZ_TENANT_ID:
+       required: true
+      AZ_SUBSCRIPTION_ID:
+        required: true
+

 permissions:
  contents: read
--- a/.github/workflows/run-k8s-tests-on-zvsi.yaml
+++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml
@@ -21,6 +21,9 @@ on:
        required: false
        type: string
        default: ""
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD:
+        required: true

 permissions:
  contents: read
--- a/.github/workflows/run-kata-coco-stability-tests.yaml
+++ b/.github/workflows/run-kata-coco-stability-tests.yaml
@@ -24,6 +24,18 @@ on:
      tarball-suffix:
        required: false
        type: string
+    secrets:
+
+      AZ_APPID:
+        required: true
+      AZ_PASSWORD:
+        required: true
+      AZ_TENANT_ID:
+       required: true
+      AZ_SUBSCRIPTION_ID:
+        required: true
+      AUTHENTICATED_IMAGE_PASSWORD:
+        required: true

 permissions:
  contents: read
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -24,6 +24,19 @@ on:
        required: false
        type: string
        default: ""
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD:
+        required: true
+      AZ_APPID:
+        required: true
+      AZ_PASSWORD:
+        required: true
+      AZ_TENANT_ID:
+       required: true
+      AZ_SUBSCRIPTION_ID:
+        required: true
+      ITA_KEY:
+        required: true

 permissions:
  contents: read
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@@ -21,6 +21,15 @@ on:
        required: false
        type: string
        default: ""
+    secrets:
+      AZ_APPID:
+        required: true
+      AZ_PASSWORD:
+        required: true
+      AZ_TENANT_ID:
+       required: true
+      AZ_SUBSCRIPTION_ID:
+        required: true

 permissions:
  contents: read