chore(ci): address lint findings in release workflow

Signed-off-by: William Woodruff <william@astral.sh>

.github/workflows/build-docker.yml

@@ -21,6 +21,11 @@ on:
       plan:
         required: true
         type: string
+    secrets:
+      DOCKERHUB_TOKEN_RW:
+        required: false
+      DOCKERHUB_TOKEN_RO:
+        required: false
   pull_request:
     paths:
       # We want to ensure that the maturin builds still work when we change

.github/workflows/publish-docs.yml

@@ -16,6 +16,11 @@ on:
       plan:
         required: true
         type: string
+    secrets:
+      ASTRAL_DOCS_PAT:
+        required: true
+      MKDOCS_INSIDERS_SSH_KEY:
+        required: false
 
 permissions: {}
 

.github/workflows/release.yml

@@ -15,8 +15,7 @@
 # title/body based on your changelogs.
 
 name: Release
-permissions:
+permissions: {}
-  "contents": "write"
 
 # This task will run whenever you workflow_dispatch with a tag that looks like a version
 # like "1.0.0", "v0.1.0-prerelease.1", "my-app/0.1.0", "releases/v1.0.0", etc.
@@ -82,10 +81,12 @@ jobs:
       # but also really annoying to build CI around when it needs secrets to work right.)
       - id: plan
         run: |
-          dist ${{ (inputs.tag && inputs.tag != 'dry-run' && format('host --steps=create --tag={0}', inputs.tag)) || 'plan' }} --output-format=json > plan-dist-manifest.json
+          dist ${PLAN_FLAGS} --output-format=json > plan-dist-manifest.json
           echo "dist ran successfully"
           cat plan-dist-manifest.json
           echo "manifest=$(jq -c "." plan-dist-manifest.json)" >> "$GITHUB_OUTPUT"
+        env:
+          PLAN_FLAGS: ${{ (inputs.tag && inputs.tag != 'dry-run' && format('host --steps=create --tag={0}', inputs.tag)) || 'plan' }}
       - name: "Upload dist-manifest.json"
         uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
         with:
@@ -99,7 +100,6 @@ jobs:
     uses: ./.github/workflows/build-binaries.yml
     with:
       plan: ${{ needs.plan.outputs.val }}
-    secrets: inherit
 
   custom-build-docker:
     needs:
@@ -108,7 +108,9 @@ jobs:
     uses: ./.github/workflows/build-docker.yml
     with:
       plan: ${{ needs.plan.outputs.val }}
-    secrets: inherit
+    secrets:
+      DOCKERHUB_TOKEN_RW: ${{ secrets.DOCKERHUB_TOKEN_RW }}
+      DOCKERHUB_TOKEN_RO: ${{ secrets.DOCKERHUB_TOKEN_RO }}
     permissions:
       "attestations": "write"
       "contents": "read"
@@ -146,7 +148,7 @@ jobs:
       - id: cargo-dist
         shell: bash
         run: |
-          dist build ${{ needs.plan.outputs.tag-flag }} --output-format=json "--artifacts=global" > dist-manifest.json
+          dist build "${PLAN_TAG_FLAG}" --output-format=json "--artifacts=global" > dist-manifest.json
           echo "dist ran successfully"
 
           # Parse out what we just built and upload it to scratch storage
@@ -155,6 +157,8 @@ jobs:
           echo "EOF" >> "$GITHUB_OUTPUT"
 
           cp dist-manifest.json "$BUILD_MANIFEST_NAME"
+        env:
+          PLAN_TAG_FLAG: ${{ needs.plan.outputs.tag-flag }}
       - name: "Upload artifacts"
         uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
         with:
@@ -198,10 +202,12 @@ jobs:
       - id: host
         shell: bash
         run: |
-          dist host ${{ needs.plan.outputs.tag-flag }} --steps=upload --steps=release --output-format=json > dist-manifest.json
+          dist host "${PLAN_TAG_FLAG}" --steps=upload --steps=release --output-format=json > dist-manifest.json
           echo "artifacts uploaded and released successfully"
           cat dist-manifest.json
           echo "manifest=$(jq -c "." dist-manifest.json)" >> "$GITHUB_OUTPUT"
+        env:
+          PLAN_TAG_FLAG: ${{ needs.plan.outputs.tag-flag }}
       - name: "Upload dist-manifest.json"
         uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
         with:
@@ -217,7 +223,6 @@ jobs:
     uses: ./.github/workflows/publish-pypi.yml
     with:
       plan: ${{ needs.plan.outputs.val }}
-    secrets: inherit
     # publish jobs get escalated permissions
     permissions:
       "id-token": "write"
@@ -254,15 +259,16 @@ jobs:
           rm -f artifacts/*-dist-manifest.json
       - name: Create GitHub Release
         env:
-          PRERELEASE_FLAG: "${{ fromJson(needs.host.outputs.val).announcement_is_prerelease && '--prerelease' || '' }}"
+          PRERELEASE_FLAG: ${{ fromJson(needs.host.outputs.val).announcement_is_prerelease && '--prerelease' || '' }}
-          ANNOUNCEMENT_TITLE: "${{ fromJson(needs.host.outputs.val).announcement_title }}"
+          ANNOUNCEMENT_TITLE: ${{ fromJson(needs.host.outputs.val).announcement_title }}
-          ANNOUNCEMENT_BODY: "${{ fromJson(needs.host.outputs.val).announcement_github_body }}"
+          ANNOUNCEMENT_BODY: ${{ fromJson(needs.host.outputs.val).announcement_github_body }}
-          RELEASE_COMMIT: "${{ github.sha }}"
+          RELEASE_COMMIT: ${{ github.sha }}
+          PLAN_TAG: ${{ needs.plan.outputs.tag }}
         run: |
           # Write and read notes from a file to avoid quoting breaking things
           echo "$ANNOUNCEMENT_BODY" > $RUNNER_TEMP/notes.txt
 
-          gh release create "${{ needs.plan.outputs.tag }}" --target "$RELEASE_COMMIT" $PRERELEASE_FLAG --title "$ANNOUNCEMENT_TITLE" --notes-file "$RUNNER_TEMP/notes.txt" artifacts/*
+          gh release create "${PLAN_TAG}" --target "$RELEASE_COMMIT" $PRERELEASE_FLAG --title "$ANNOUNCEMENT_TITLE" --notes-file "$RUNNER_TEMP/notes.txt" artifacts/*
 
   custom-publish-docs:
     needs:
@@ -271,4 +277,6 @@ jobs:
     uses: ./.github/workflows/publish-docs.yml
     with:
       plan: ${{ needs.plan.outputs.val }}
-    secrets: inherit
+    secrets:
+      ASTRAL_DOCS_PAT: ${{ secrets.ASTRAL_DOCS_PAT }}
+      MKDOCS_INSIDERS_SSH_KEY: ${{ secrets.MKDOCS_INSIDERS_SSH_KEY }}