ci: replace secrets: inherit with explicit secret forwarding#584

Open
cjroth wants to merge 2 commits intomainfrom
fix/explicit-release-secrets
Conversation

@cjroth
Member

@cjroth cjroth commented Apr 14, 2026

Summary

  • Replace secrets: inherit in release.yml with explicit per-platform secret declarations
  • Each downstream workflow (desktop, iOS, Android) now declares exactly which secrets it needs in its on.workflow_call.secrets block
  • The parent release.yml passes only the secrets each platform actually uses
  • Reduces blast radius — a compromised Android build can no longer access Apple signing keys, and vice versa
  • version-bump.yml only uses GITHUB_TOKEN (automatic), so no secrets are forwarded to it

Test plan

  • Verify the next release workflow run succeeds (explicit secret names must exactly match repo secret names)
  • Confirm each platform workflow only receives its own secrets by reviewing the secrets: blocks

Note

Medium Risk
Changes release pipeline secret scoping; main risk is misnamed/missing secrets causing release workflows to fail at runtime, but logic is otherwise straightforward.

Overview
Tightens secret exposure in the release pipeline by removing secrets: inherit from release.yml and explicitly forwarding only the per-platform secrets needed by desktop-release.yml, ios-release.yml, and android-release.yml.

Each called workflow now declares its required secrets under on.workflow_call.secrets, so GitHub validates secret presence and prevents other platform jobs from accessing unrelated signing/upload credentials.

Reviewed by Cursor Bugbot for commit 795b6d0. Bugbot is set up for automated code reviews on this repo. Configure here.
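The pattern the PR describes, shown as an added example (not the repository's own workflow files): the caller first with the broad `secrets: inherit`, then with explicit forwarding, and a callee that declares the secrets it needs under `on.workflow_call.secrets`. The secret names (`APPLE_CERTIFICATE_P12`, `APPLE_CERTIFICATE_PASSWORD`, `ANDROID_KEYSTORE_B64`, `ANDROID_KEYSTORE_PASSWORD`) and the workflow file paths are placeholders assumed for illustration; the page only names `GITHUB_TOKEN`.

```yaml
# --- release.yml, BEFORE (hypothetical): every job inherits every repo secret ---
# Any step in the Android job can read ${{ secrets.APPLE_CERTIFICATE_P12 }} and vice versa.
on:
  push:
    tags: ["v*"]
jobs:
  ios:
    uses: ./.github/workflows/ios-release.yml      # placeholder path
    secrets: inherit
  android:
    uses: ./.github/workflows/android-release.yml  # placeholder path
    secrets: inherit

---
# --- release.yml, AFTER (hypothetical): each callee gets only its own secrets ---
on:
  push:
    tags: ["v*"]
jobs:
  ios:
    uses: ./.github/workflows/ios-release.yml
    secrets:
      # Only Apple signing material is forwarded to the iOS build.
      APPLE_CERTIFICATE_P12: ${{ secrets.APPLE_CERTIFICATE_P12 }}
      APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
  android:
    uses: ./.github/workflows/android-release.yml
    secrets:
      # Only the Android keystore is forwarded to the Android build.
      ANDROID_KEYSTORE_B64: ${{ secrets.ANDROID_KEYSTORE_B64 }}
      ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
  version_bump:
    uses: ./.github/workflows/version-bump.yml
    # No secrets block: GITHUB_TOKEN is provided to the called workflow
    # automatically, so nothing needs to be forwarded.

---
# --- android-release.yml (hypothetical callee) ---
# `required: true` makes the run fail early if the caller forgets to pass a
# secret, which is the "misnamed/missing secret" failure mode the PR notes.
on:
  workflow_call:
    secrets:
      ANDROID_KEYSTORE_B64:
        required: true
      ANDROID_KEYSTORE_PASSWORD:
        required: true
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Restore keystore
        # Only the declared secrets exist in this job's `secrets` context;
        # Apple signing keys are not reachable here even if the build is compromised.
        run: echo "$KEYSTORE_B64" | base64 -d > release.keystore
        env:
          KEYSTORE_B64: ${{ secrets.ANDROID_KEYSTORE_B64 }}
```

A quick check that mirrors the PR's test plan: grep the caller's `secrets:` blocks and the callee's `on.workflow_call.secrets` keys and confirm the two name sets are identical and match the repository's configured secret names; a typo in either place surfaces only as a runtime failure of the release job.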

Each downstream release workflow now declares exactly which secrets
it needs, and the parent release.yml passes only those. This reduces
the blast radius if any single platform build is compromised — it
can no longer access secrets belonging to other platforms.
@github-actions

Semgrep Security Scan

No security issues found.


@greptile-apps greptile-apps bot left a comment

cjroth has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.

@cjroth cjroth temporarily deployed to fix/explicit-release-secrets - thunderbolt PR #584 April 14, 2026 21:39 — with Render Destroyed
@github-actions

PR Metrics

Metric Value
Lines changed (prod code) +69 / -4
JS bundle size (gzipped) 🟢 1.00 MB → 1023.1 KB (-5.1 KB, -0.5%)
Test coverage 🟢 70.27% → 70.27% (+0.0%)
Load time (preview) 🟡 50/100 · First Contentful Paint 5.1 s · Largest Contentful Paint 5.9 s · Total Blocking Time 500 ms

Updated Tue, 14 Apr 2026 21:40:59 GMT · run #807

@claude

claude bot commented Apr 14, 2026

Clean security improvement. Replacing secrets: inherit with explicit secret declarations follows least-privilege — each reusable workflow now receives only the secrets it needs. The callee declarations and caller passing are fully consistent across all three platform workflows. Removing secrets: inherit from version_bump is safe because version-bump.yml only uses GITHUB_TOKEN, which GitHub provides automatically to reusable workflows without explicit passing.

@claude

claude bot commented Apr 14, 2026

LGTM — no issues found.

@cjroth cjroth changed the title fix(ci): replace secrets: inherit with explicit secret forwarding ci: replace secrets: inherit with explicit secret forwarding Apr 15, 2026