chore: update GitHub Actions workflows to enforce required secrets for release process

- Explicitly defined RELEASE_TOKEN, GPG_PRIVATE_KEY, and PASSPHRASE as required secrets in both auto-tag.yml and release.yml to enhance security.
- Updated the release.yml to require a tag input for the release process, ensuring clarity in workflow execution.
- Adjusted the GPG key import step to utilize the defined secrets, improving the reliability of the signing process.

.github/workflows/auto-tag.yml

@@ -51,6 +51,9 @@ jobs:
     needs: auto-tag
     if: success()
     uses: ./.github/workflows/release.yml
-    secrets: inherit
     with:
-      gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+      tag: ${{ needs.auto-tag.outputs.new_tag }}
+    secrets:
+      RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+      PASSPHRASE: ${{ secrets.PASSPHRASE }}

.github/workflows/release.yml

@@ -3,17 +3,17 @@ name: Release
 on:
   workflow_call:
     inputs:
-      gpg_private_key:
-        description: "GPG private key to sign releases"
-        required: false
+      tag:
+        description: "The tag to release"
+        required: true
         type: string
     secrets:
       RELEASE_TOKEN:
         required: true
       GPG_PRIVATE_KEY:
-        required: false
+        required: true
       PASSPHRASE:
-        required: false
+        required: true
   push:
     tags:
       - "v*"
@@ -40,9 +40,8 @@ jobs:
       - name: Import GPG key
         id: import_gpg
         uses: crazy-max/ghaction-import-gpg@v5
-        if: inputs.gpg_private_key != ''
         with:
-          gpg_private_key: ${{ inputs.gpg_private_key }}
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
 
       - name: Run GoReleaser