diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 88b0342cd..0cd2f8b9c 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -21,6 +21,11 @@ on:
 plan:
 required: true
 type: string
+ secrets:
+ DOCKERHUB_TOKEN_RW:
+ required: false
+ DOCKERHUB_TOKEN_RO:
+ required: false
 pull_request:
 paths:
 # We want to ensure that the maturin builds still work when we change
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index c4e8b3c0e..293c384e3 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -16,6 +16,11 @@ on:
 plan:
 required: true
 type: string
+ secrets:
+ ASTRAL_DOCS_PAT:
+ required: true
+ MKDOCS_INSIDERS_SSH_KEY:
+ required: false
 permissions: {}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1fae60ff3..09aa2fd31 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,8 +15,7 @@
 # title/body based on your changelogs.
 name: Release
-permissions:
- "contents": "write"
+permissions: {}
 # This task will run whenever you workflow_dispatch with a tag that looks like a version
 # like "1.0.0", "v0.1.0-prerelease.1", "my-app/0.1.0", "releases/v1.0.0", etc.
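Review bot: Both DOCKERHUB_TOKEN_RW and DOCKERHUB_TOKEN_RO are declared `required: false`, so any caller that omits them (and `pull_request` runs, where caller-supplied secrets do not apply) will run this workflow with empty token values; the login/push steps that consume them are outside this hunk, so please confirm they skip or fail clearly on an empty value instead of attempting a push. A short comment on the new block would tell future readers why the secrets are optional, for example `# Optional: callers that only build (no push) may omit these`, adjusted to whatever the consuming steps actually do.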
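Review bot: With the top-level block now `permissions: {}`, every job that writes to the repository must grant its own scopes, and the job that runs `gh release create` (hunk @@ -254 further down) needs `contents: write` at job level; that job's `permissions:` key is not inside any visible hunk, so please confirm it declares `contents: write` and nothing broader. The callers visible in this diff already carry job-level blocks (`attestations: write`/`contents: read` for the docker build at @@ -108, `id-token: write` for the PyPI publisher at @@ -217), so the empty default only changes what an undeclared job receives. That is the safer failure mode: a job added later without its own block gets no token scopes rather than inheriting `contents: write`.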
@@ -82,10 +81,12 @@ jobs:
 # but also really annoying to build CI around when it needs secrets to work right.)
 - id: plan
 run: |
- dist ${{ (inputs.tag && inputs.tag != 'dry-run' && format('host --steps=create --tag={0}', inputs.tag)) || 'plan' }} --output-format=json > plan-dist-manifest.json
+ dist ${PLAN_FLAGS} --output-format=json > plan-dist-manifest.json
 echo "dist ran successfully"
 cat plan-dist-manifest.json
 echo "manifest=$(jq -c "." plan-dist-manifest.json)" >> "$GITHUB_OUTPUT"
+ env:
+ PLAN_FLAGS: ${{ (inputs.tag && inputs.tag != 'dry-run' && format('host --steps=create --tag={0}', inputs.tag)) || 'plan' }}
 - name: "Upload dist-manifest.json"
 uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
 with:
@@ -99,7 +100,6 @@ jobs:
 uses: ./.github/workflows/build-binaries.yml
 with:
 plan: ${{ needs.plan.outputs.val }}
- secrets: inherit
 custom-build-docker:
 needs:
@@ -108,7 +108,9 @@ jobs:
 uses: ./.github/workflows/build-docker.yml
 with:
 plan: ${{ needs.plan.outputs.val }}
- secrets: inherit
+ secrets:
+ DOCKERHUB_TOKEN_RW: ${{ secrets.DOCKERHUB_TOKEN_RW }}
+ DOCKERHUB_TOKEN_RO: ${{ secrets.DOCKERHUB_TOKEN_RO }}
 permissions:
 "attestations": "write"
 "contents": "read"
@@ -146,7 +148,7 @@ jobs:
 - id: cargo-dist
 shell: bash
 run: |
- dist build ${{ needs.plan.outputs.tag-flag }} --output-format=json "--artifacts=global" > dist-manifest.json
+ dist build "${PLAN_TAG_FLAG}" --output-format=json "--artifacts=global" > dist-manifest.json
 echo "dist ran successfully"
 # Parse out what we just built and upload it to scratch storage
@@ -155,6 +157,8 @@ jobs:
 echo "EOF" >> "$GITHUB_OUTPUT"
 cp dist-manifest.json "$BUILD_MANIFEST_NAME"
+ env:
+ PLAN_TAG_FLAG: ${{ needs.plan.outputs.tag-flag }}
 - name: "Upload artifacts"
 uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
 with:
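Review bot: `dist ${PLAN_FLAGS}` on the new line depends on word splitting, since PLAN_FLAGS expands to either `plan` or `host --steps=create --tag=<tag>`; that is correct but looks exactly like the usual unquoted-variable mistake (ShellCheck SC2086), so a comment above it would stop a later "fix": `# PLAN_FLAGS is intentionally unquoted: it expands to several words`. Moving the `${{ }}` expression out of the script into `env:` is the right fix for expression injection into the shell; what remains is that the tag value is still split and globbed by the shell, which is tolerable only because it originates from a `workflow_dispatch` input (per the comment at @@ -15) rather than from pull-request data. The enclosing `plan` job starts before this hunk.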
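Review bot: `secrets: inherit` is removed here and at @@ -217 (publish-pypi.yml) with nothing passed in its place, which is only valid if neither build-binaries.yml nor publish-pypi.yml declares a `secrets:` entry under `workflow_call`; a called workflow with a `required: true` secret fails the run at workflow validation, and an optional one silently receives an empty value. Neither called workflow is part of this diff, so please confirm (the PyPI publisher presumably relies on the `id-token: write` visible in the @@ -217 context for trusted publishing). Explicit per-secret passing, as this commit does for build-docker.yml and publish-docs.yml, is the right pattern: each reusable workflow sees only the secrets it needs.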
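Review bot: `dist build "${PLAN_TAG_FLAG}"` passes an empty string as a positional argument whenever `needs.plan.outputs.tag-flag` is empty, whereas the removed `${{ … }}` form expanded to nothing; the same applies to `dist host "${PLAN_TAG_FLAG}"` at @@ -198. If tag-flag can be empty (it appears to derive from the optional dispatch tag, but the plan job's output definition is outside the diff), dist will receive `''` as an argument and is likely to reject it. `${PLAN_TAG_FLAG:+"$PLAN_TAG_FLAG"}` keeps the quoting while expanding to nothing for an empty value: `dist build ${PLAN_TAG_FLAG:+"$PLAN_TAG_FLAG"} --output-format=json "--artifacts=global" > dist-manifest.json`. The `env:` that defines PLAN_TAG_FLAG for this step is added in the next hunk at @@ -155, so the two hunks only work together.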
@@ -198,10 +202,12 @@ jobs:
 - id: host
 shell: bash
 run: |
- dist host ${{ needs.plan.outputs.tag-flag }} --steps=upload --steps=release --output-format=json > dist-manifest.json
+ dist host "${PLAN_TAG_FLAG}" --steps=upload --steps=release --output-format=json > dist-manifest.json
 echo "artifacts uploaded and released successfully"
 cat dist-manifest.json
 echo "manifest=$(jq -c "." dist-manifest.json)" >> "$GITHUB_OUTPUT"
+ env:
+ PLAN_TAG_FLAG: ${{ needs.plan.outputs.tag-flag }}
 - name: "Upload dist-manifest.json"
 uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
 with:
@@ -217,7 +223,6 @@ jobs:
 uses: ./.github/workflows/publish-pypi.yml
 with:
 plan: ${{ needs.plan.outputs.val }}
- secrets: inherit
 # publish jobs get escalated permissions
 permissions:
 "id-token": "write"
@@ -254,15 +259,16 @@ jobs:
 rm -f artifacts/*-dist-manifest.json
 - name: Create GitHub Release
 env:
- PRERELEASE_FLAG: "${{ fromJson(needs.host.outputs.val).announcement_is_prerelease && '--prerelease' || '' }}"
- ANNOUNCEMENT_TITLE: "${{ fromJson(needs.host.outputs.val).announcement_title }}"
- ANNOUNCEMENT_BODY: "${{ fromJson(needs.host.outputs.val).announcement_github_body }}"
- RELEASE_COMMIT: "${{ github.sha }}"
+ PRERELEASE_FLAG: ${{ fromJson(needs.host.outputs.val).announcement_is_prerelease && '--prerelease' || '' }}
+ ANNOUNCEMENT_TITLE: ${{ fromJson(needs.host.outputs.val).announcement_title }}
+ ANNOUNCEMENT_BODY: ${{ fromJson(needs.host.outputs.val).announcement_github_body }}
+ RELEASE_COMMIT: ${{ github.sha }}
+ PLAN_TAG: ${{ needs.plan.outputs.tag }}
 run: |
 # Write and read notes from a file to avoid quoting breaking things
 echo "$ANNOUNCEMENT_BODY" > $RUNNER_TEMP/notes.txt
- gh release create "${{ needs.plan.outputs.tag }}" --target "$RELEASE_COMMIT" $PRERELEASE_FLAG --title "$ANNOUNCEMENT_TITLE" --notes-file "$RUNNER_TEMP/notes.txt" artifacts/*
+ gh release create "${PLAN_TAG}" --target "$RELEASE_COMMIT" $PRERELEASE_FLAG --title "$ANNOUNCEMENT_TITLE" --notes-file "$RUNNER_TEMP/notes.txt" artifacts/*
 custom-publish-docs:
 needs:
@@ -271,4 +277,6 @@ jobs:
 uses: ./.github/workflows/publish-docs.yml
 with:
 plan: ${{ needs.plan.outputs.val }}
- secrets: inherit
+ secrets:
+ ASTRAL_DOCS_PAT: ${{ secrets.ASTRAL_DOCS_PAT }}
+ MKDOCS_INSIDERS_SSH_KEY: ${{ secrets.MKDOCS_INSIDERS_SSH_KEY }}
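Review bot: The context line `echo "$ANNOUNCEMENT_BODY" > $RUNNER_TEMP/notes.txt` leaves `$RUNNER_TEMP` unquoted in the redirection while the new `gh release create` line directly below quotes it; `printf '%s\n' "$ANNOUNCEMENT_BODY" > "$RUNNER_TEMP/notes.txt"` quotes the path and also sidesteps `echo`'s handling of option-looking arguments. With PLAN_TAG added, the tag, title and body now all reach the shell only through `env:`, which is the right side of the injection boundary for values that ultimately come from the changelog and the host job's JSON. `$PRERELEASE_FLAG` must stay unquoted because it is either empty or `--prerelease`; a one-line comment saying so, `# PRERELEASE_FLAG is empty or --prerelease, so it is deliberately unquoted`, would keep a later reviewer from quoting it.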