[build] Harden CI/CD pipeline (#15387)

* NOTE: the release workflows' new handling of secrets may be a breaking change for forks that are using any secrets other than GPG_SIGNING_KEY or ARCHIVE_REPO_TOKEN. Previously, the release workflow would try to resolve a token secret name based on the `target` or `source` input, e.g. NIGHTLY_ARCHIVE_REPO_TOKEN or CUSTOM_ARCHIVE_REPO_TOKEN, and then fall back to using the ARCHIVE_REPO_TOKEN secret if the resolved token secret name was not found in the repository. This behavior has been replaced by the release workflow always using the ARCHIVE_REPO_TOKEN secret as the token for publishing releases to any external archive repository. * Add zizmor CI job for auditing workflows * Pin all actions to commit hashes instead of symbolic references * Explicitly set GITHUB_TOKEN permissions at the job level * Use actions/checkout with `persist-credentials: false` whenever possible * Remove/replace template expansions in workflow scripts * Remove all usage of actions/cache from build/release workflows * Remove the cache-warmer.yml workflow * Remove the unused download.yml workflow * Set concurrency limits for any workflows that are triggered by PRs * Avoid loading the entire secrets context * Replace usage of `secrets: inherit` with explicit `secrets:` blocks * Pin all external docker images to hash that are used by the build workflow * Explicitly set `shell: bash` for some steps to avoid pwsh or set pipefail * Ensure any pwsh steps will fail on non-zero exit codes Authored by: bashonly
2026-01-01 04:21:25 +00:00 · 2025-12-30 15:05:10 -06:00
parent 468aa6a9b4
commit ab3ff2d5dd
18 changed files with 182 additions and 239 deletions
--- a/devscripts/setup_variables.py
+++ b/devscripts/setup_variables.py
@@ -21,8 +21,6 @@ def setup_variables(environment):
        SOURCE_PYPI_PROJECT, SOURCE_PYPI_SUFFIX,
        TARGET_PYPI_PROJECT, TARGET_PYPI_SUFFIX,
        SOURCE_ARCHIVE_REPO, TARGET_ARCHIVE_REPO,
-        HAS_SOURCE_ARCHIVE_REPO_TOKEN,
-        HAS_TARGET_ARCHIVE_REPO_TOKEN,
        HAS_ARCHIVE_REPO_TOKEN

    `INPUTS` must contain these keys:
@@ -37,8 +35,6 @@ def setup_variables(environment):
    PROCESSED = json.loads(environment['PROCESSED'])

    source_channel = None
-    does_not_have_needed_token = False
-    target_repo_token = None
    pypi_project = None
    pypi_suffix = None

@@ -81,28 +77,19 @@ def setup_variables(environment):
                target_repo = REPOSITORY
        if target_repo != REPOSITORY:
            target_repo = environment['TARGET_ARCHIVE_REPO']
-            target_repo_token = f'{PROCESSED["target_repo"].upper()}_ARCHIVE_REPO_TOKEN'
-            if not json.loads(environment['HAS_TARGET_ARCHIVE_REPO_TOKEN']):
-                does_not_have_needed_token = True
            pypi_project = environment['TARGET_PYPI_PROJECT'] or None
            pypi_suffix = environment['TARGET_PYPI_SUFFIX'] or None
    else:
        target_tag = source_tag or version
        if source_channel:
            target_repo = source_channel
-            target_repo_token = f'{PROCESSED["source_repo"].upper()}_ARCHIVE_REPO_TOKEN'
-            if not json.loads(environment['HAS_SOURCE_ARCHIVE_REPO_TOKEN']):
-                does_not_have_needed_token = True
            pypi_project = environment['SOURCE_PYPI_PROJECT'] or None
            pypi_suffix = environment['SOURCE_PYPI_SUFFIX'] or None
        else:
            target_repo = REPOSITORY

-    if does_not_have_needed_token:
-        if not json.loads(environment['HAS_ARCHIVE_REPO_TOKEN']):
-            print(f'::error::Repository access secret {target_repo_token} not found')
-            return None
-        target_repo_token = 'ARCHIVE_REPO_TOKEN'
+    if target_repo != REPOSITORY and not json.loads(environment['HAS_ARCHIVE_REPO_TOKEN']):
+        return None

    if target_repo == REPOSITORY and not INPUTS['prerelease']:
        pypi_project = environment['PYPI_PROJECT'] or None
@@ -111,7 +98,6 @@ def setup_variables(environment):
        'channel': resolved_source,
        'version': version,
        'target_repo': target_repo,
-        'target_repo_token': target_repo_token,
        'target_tag': target_tag,
        'pypi_project': pypi_project,
        'pypi_suffix': pypi_suffix,
@@ -147,6 +133,7 @@ if __name__ == '__main__':

    outputs = setup_variables(dict(os.environ))
    if not outputs:
+        print('::error::Repository access secret ARCHIVE_REPO_TOKEN not found')
        sys.exit(1)

    print('::group::Output variables')