From bfd2d7196577b3d92b423fb072880fb8ca1d4eab Mon Sep 17 00:00:00 2001
From: Daniel Kastl
Date: Thu, 20 Nov 2025 10:20:59 +0900
Subject: [PATCH] Refactor publish-techdocs workflows to inherit secrets and remove unused parameters
Signed-off-by: Daniel Kastl
---
 .github/workflows/publish-techdocs.yml | 8 +-------
 .github/workflows/reusable-backstage-techdocs.yml | 5 ++++-
 workflow-templates/publish-techdocs.yml | 4 +++-
 3 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/publish-techdocs.yml b/.github/workflows/publish-techdocs.yml
index 7ebce9c..d20ad24 100644
--- a/.github/workflows/publish-techdocs.yml
+++ b/.github/workflows/publish-techdocs.yml
@@ -11,10 +11,4 @@ on:
 jobs:
 publish:
 uses: geolonia/.github/.github/workflows/reusable-backstage-techdocs.yml@v1
- # with:
- # environment: production
- # aws_region: ap-northeast-1
- # techdocs_bucket: ${{ vars.TECHDOCS_BUCKET }}
- # techdocs_entity: ${{ vars.TECHDOCS_ENTITY }}
- # secrets:
- # AWS_ACCOUNT_ID: ${{ secrets.TECHDOCS_AWS_ACCOUNT_ID }}
+ secrets: inherit
diff --git a/.github/workflows/reusable-backstage-techdocs.yml b/.github/workflows/reusable-backstage-techdocs.yml
index 1dc1b0f..232615e 100644
--- a/.github/workflows/reusable-backstage-techdocs.yml
+++ b/.github/workflows/reusable-backstage-techdocs.yml
@@ -57,6 +57,9 @@ on:
 AWS_ACCOUNT_ID:
 description: "Account ID (used to build default role ARN)"
 required: false
+ TECHDOCS_AWS_ACCOUNT_ID:
+ description: "Org-level fallback Account ID (if AWS_ACCOUNT_ID not provided)"
+ required: false
 env:
 # ---- Cascading defaults: inputs -> vars -> opinionated constant ----
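Review bot: In `.github/workflows/publish-techdocs.yml`, `secrets: inherit` hands every secret the `publish` job can read to the called workflow, while the reusable workflow's `workflow_call` block in this same patch declares only `AWS_ACCOUNT_ID` and `TECHDOCS_AWS_ACCOUNT_ID`. Passing only what is consumed keeps the grant narrow and reviewable: a `secrets:` mapping with the single entry `TECHDOCS_AWS_ACCOUNT_ID: ${{ secrets.TECHDOCS_AWS_ACCOUNT_ID }}`. This matters more because the callee is referenced by the movable tag `@v1`, so whatever that tag points to later receives the whole inherited set.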
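Review bot: In the `@@ -57,6 +57,9 @@` hunk of `reusable-backstage-techdocs.yml`, both account-ID secrets are now `required: false`, and nothing visible in this patch rejects a run where neither is set. In that case the default `format(...)` in the `role-to-assume` expression would presumably render `arn:aws:iam:::role/GitHubActionsTechDocsPublisher`, and the error would only surface inside the AWS credentials action. A guard step placed before it that exits non-zero when the resolved account ID is empty would make the misconfiguration obvious, and a comment on the two secrets such as `# AWS_ACCOUNT_ID wins; TECHDOCS_AWS_ACCOUNT_ID is the org-level fallback` would pin down the precedence. The `workflow_call` block starts outside this hunk.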
@@ -110,7 +113,7 @@ jobs:
 - name: Configure AWS credentials (OIDC)
 uses: aws-actions/configure-aws-credentials@v4
 with:
- role-to-assume: ${{ inputs.aws_role_arn != '' && inputs.aws_role_arn || format('arn:aws:iam::{0}:role/GitHubActionsTechDocsPublisher', secrets.TECHDOCS_AWS_ACCOUNT_ID) }}
+ role-to-assume: ${{ inputs.aws_role_arn != '' && inputs.aws_role_arn || format('arn:aws:iam::{0}:role/GitHubActionsTechDocsPublisher', env.AWS_ACCOUNT_ID) }}
 aws-region: ${{ env.AWS_REGION }}
 - name: Generate TechDocs (no Docker)
diff --git a/workflow-templates/publish-techdocs.yml b/workflow-templates/publish-techdocs.yml
index 2e2dd2c..1386be1 100644
--- a/workflow-templates/publish-techdocs.yml
+++ b/workflow-templates/publish-techdocs.yml
@@ -33,5 +33,7 @@ jobs:
 # AWS role override (rare):
 # aws_role_arn: arn:aws:iam::123456789012:role/CustomTechDocsRole
+ # Inherit org/repo secrets; override by defining AWS_ACCOUNT_ID in the calling repo if needed.
 secrets:
- AWS_ACCOUNT_ID: ${{ secrets.TECHDOCS_AWS_ACCOUNT_ID }}
+ inherit: true
+ # AWS_ACCOUNT_ID: ${{ secrets.TECHDOCS_AWS_ACCOUNT_ID }}
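Review bot: The new `role-to-assume` expression in the `@@ -110,7 +113,7 @@` hunk reads `env.AWS_ACCOUNT_ID`, but no line in this patch defines that variable; the diffstat shows four additions in this file and none of them is in the `env:` block. If the unchanged `env:` section does not already resolve it, the ARN would be built with an empty account ID and the OIDC role assumption would fail. Resolving the fallback at the point of use removes that dependency and keeps the value out of the workflow-wide environment that every step and third-party action can read: `format('arn:aws:iam::{0}:role/GitHubActionsTechDocsPublisher', secrets.AWS_ACCOUNT_ID || secrets.TECHDOCS_AWS_ACCOUNT_ID)`. The job containing this step starts and ends outside the hunk.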
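Review bot: In `workflow-templates/publish-techdocs.yml` the added `inherit: true` under `secrets:` is a mapping entry, not the `inherit` keyword; GitHub Actions inherits only when the value of `secrets` is the scalar `inherit`, as the first file of this commit writes it. As a mapping it would be read as a secret named `inherit` with the value `true`, so the callee would either reject the undeclared name or receive neither account-ID secret. Because this is the template other repositories copy, the mistake propagates to every adopter. Write it on one line as `secrets: inherit` and keep the explicit `AWS_ACCOUNT_ID` mapping as a commented-out alternative `secrets:` block rather than as a child of it.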