Pass secret directly, not as env var (#1750)

sensei100 · web-flow · commit fce98cab3d31 · 2025-07-23T15:52:22.000-04:00
diff --git a/.github/workflows/prod-deploy.yml b/.github/workflows/prod-deploy.yml
@@ -14,7 +14,6 @@ concurrency:
 
 env:
   COB_DATAPIPELINE_BRANCH: ${{ github.ref_name }}
-  ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
 
 jobs:
   prod-deploy:
@@ -51,4 +50,4 @@ jobs:
         working-directory: ansible-playbook-airflow
         run: |
           pipenv run ansible-galaxy install -r requirements.yml
-          pipenv run ansible-playbook -i inventory/prod playbook.yml --tags "jumphost,role::airflow::dags" --vault-id @env:ANSIBLE_VAULT_PASSWORD -e 'ansible_ssh_port=9229' -e cob_datapipeline_branch=$COB_DATAPIPELINE_BRANCH
+          pipenv run ansible-playbook -i inventory/prod playbook.yml --tags "jumphost,role::airflow::dags" --vault-id ${{ secrets.ANSIBLE_VAULT_PASSWORD }} -e 'ansible_ssh_port=9229' -e cob_datapipeline_branch=$COB_DATAPIPELINE_BRANCH
diff --git a/.github/workflows/qa-deploy.yml b/.github/workflows/qa-deploy.yml
@@ -15,9 +15,6 @@ concurrency:
 jobs:
   qa-deploy:
     runs-on: ubuntu-latest
-    env:
-      ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-
     timeout-minutes: 30
     strategy:
       matrix:
@@ -50,4 +47,4 @@ jobs:
         working-directory: ansible-playbook-airflow
         run: |
           pipenv run ansible-galaxy install -r requirements.yml
-          pipenv run ansible-playbook -i inventory/qa playbook.yml --tags "jumphost,role::airflow::dags" --vault-id @env:ANSIBLE_VAULT_PASSWORD -e 'ansible_ssh_port=9229'
+          pipenv run ansible-playbook -i inventory/qa playbook.yml --tags "jumphost,role::airflow::dags" --vault-id ${{ secrets.ANSIBLE_VAULT_PASSWORD }} -e 'ansible_ssh_port=9229'
