From fbb0e7f2f21d938633a0f88a9d0423441840ac4a Mon Sep 17 00:00:00 2001
From: Zvonko Kaiser <zkaiser@nvidia.com>
Date: Wed, 30 Jul 2025 13:33:47 +0000
Subject: [PATCH] gpu: Add secrets passthrough to the workflow

We need to pass-through the secrets in all the needed workflows
ci, ci-on-push, ci-nightly, ci-devel

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
---
 .github/workflows/build-kata-static-tarball-amd64.yaml | 2 ++
 .github/workflows/ci-coco-stability.yaml               | 1 +
 .github/workflows/ci-devel.yaml                        | 1 +
 .github/workflows/ci-nightly.yaml                      | 2 ++
 .github/workflows/ci-on-push.yaml                      | 2 ++
 .github/workflows/ci-weekly.yaml                       | 4 ++++
 .github/workflows/ci.yaml                              | 5 ++++-
 .github/workflows/payload-after-push.yaml              | 1 +
 .github/workflows/release-amd64.yaml                   | 3 +++
 .github/workflows/release.yaml                         | 1 +
 10 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index f44144bd5e..bacba5068a 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -23,6 +23,8 @@ on:
     secrets:
       QUAY_DEPLOYER_PASSWORD:
         required: false
+      KBUILD_SIGN_PIN:
+        required: true
 
 permissions:
   contents: read
diff --git a/.github/workflows/ci-coco-stability.yaml b/.github/workflows/ci-coco-stability.yaml
index f6936c1603..accb9cf9d2 100644
--- a/.github/workflows/ci-coco-stability.yaml
+++ b/.github/workflows/ci-coco-stability.yaml
@@ -31,3 +31,4 @@ jobs:
       AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
       AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
diff --git a/.github/workflows/ci-devel.yaml b/.github/workflows/ci-devel.yaml
index c3b0daf2e2..96ad37d1e7 100644
--- a/.github/workflows/ci-devel.yaml
+++ b/.github/workflows/ci-devel.yaml
@@ -28,6 +28,7 @@ jobs:
       ITA_KEY: ${{ secrets.ITA_KEY }}
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
       NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   build-checks:
     uses: ./.github/workflows/build-checks.yaml
diff --git a/.github/workflows/ci-nightly.yaml b/.github/workflows/ci-nightly.yaml
index 0ea61d6eae..990d1a7c8f 100644
--- a/.github/workflows/ci-nightly.yaml
+++ b/.github/workflows/ci-nightly.yaml
@@ -31,3 +31,5 @@ jobs:
       CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
       ITA_KEY: ${{ secrets.ITA_KEY }}
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
diff --git a/.github/workflows/ci-on-push.yaml b/.github/workflows/ci-on-push.yaml
index dcbeb36167..7d58efc13c 100644
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -52,3 +52,5 @@ jobs:
       CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
       ITA_KEY: ${{ secrets.ITA_KEY }}
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
diff --git a/.github/workflows/ci-weekly.yaml b/.github/workflows/ci-weekly.yaml
index 7f8744bc36..4b14c6645f 100644
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -27,6 +27,8 @@ on:
         required: true
       QUAY_DEPLOYER_PASSWORD:
         required: true
+      KBUILD_SIGN_PIN:
+        required: true
 
 permissions:
   contents: read
@@ -43,6 +45,8 @@ jobs:
       tarball-suffix: -${{ inputs.tag }}
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
+    secrets:
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   publish-kata-deploy-payload-amd64:
     needs: build-kata-static-tarball-amd64
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 6419c6a4a3..e157f9fbd4 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -35,9 +35,10 @@ on:
         required: true
       QUAY_DEPLOYER_PASSWORD:
         required: true
-
       NGC_API_KEY:
         required: true
+      KBUILD_SIGN_PIN:
+        required: true
 
 permissions:
   contents: read
@@ -55,6 +56,8 @@ jobs:
       tarball-suffix: -${{ inputs.tag }}
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
+    secrets:
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   publish-kata-deploy-payload-amd64:
     needs: build-kata-static-tarball-amd64
diff --git a/.github/workflows/payload-after-push.yaml b/.github/workflows/payload-after-push.yaml
index 1ef9d55d54..566bcf14bd 100644
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@@ -25,6 +25,7 @@ jobs:
       target-branch: ${{ github.ref_name }}
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   build-assets-arm64:
     permissions:
diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml
index 88af72c9fc..129b8f3054 100644
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@@ -8,6 +8,8 @@ on:
     secrets:
       QUAY_DEPLOYER_PASSWORD:
         required: true
+      KBUILD_SIGN_PIN:
+        required: true
 
 permissions:
   contents: read
@@ -20,6 +22,7 @@ jobs:
       stage: release
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
     permissions:
       contents: read
       packages: write
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c0723c8196..48171cac7b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -35,6 +35,7 @@ jobs:
       target-arch: amd64
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   build-and-push-assets-arm64:
     needs: release