From 1b6527b2c8adc7b9581afa09402a90f664e5b2ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Wed, 25 Mar 2026 18:09:02 +0100
Subject: [PATCH] Prevent unscheduled release publication

The "publish" job has no dependencies on other jobs, so nothing prevents
it from being accidentally started before the scheduled publication
date.  Although publication still requires confirmation via an SSH
connection to a dedicated, locked-down runner, performing that action
prematurely may have drastic consequences.  Therefore, it is worth
implementing additional safeguards.

Add an extra check to the "publish" job to ensure it can only be run on
the scheduled publication day.  In exceptional circumstances, this check
can be overridden by setting the FORCE_PUBLICATION CI variable to any
non-empty value.

(cherry picked from commit ce977f53b923072759a09f389d75de103e70c7e5)
---
 .gitlab-ci.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d107606df7..64303b050e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1842,6 +1842,10 @@ publish-private:
 
 publish:
   <<: *signer_ssh_job
+  before_script:
+    - TODAY="$(date +%Y-%m-%d)"
+    - SCHEDULED_PUBLICATION="$(curl -m 5 -s "https://gitlab.isc.org/isc-projects/bind9-qa/-/raw/main/releng/metadata.json" | jq -r ".schedule.public")"
+    - if [ -z "${FORCE_PUBLICATION}" ] && [ "${TODAY}" != "${SCHEDULED_PUBLICATION}" ]; then echo "Unscheduled publication denied; publication is scheduled for ${SCHEDULED_PUBLICATION}"; exit 1; fi
   variables:
     SSH_SCRIPT_CLIENT: |-
       ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish ${CI_COMMIT_TAG}"