From 1d88db4d631b12f33b2062490bca90f93626d6fa Mon Sep 17 00:00:00 2001
From: Andoni Duarte Pintado <andoni@isc.org>
Date: Fri, 17 Oct 2025 09:52:45 +0200
Subject: [PATCH] Add the "publish-private" job

Add a new SSH-confirmed GitLab CI job that publishes a previously staged
release to a destination that is not a well-known URL.  The details of
what specifically this entails are controlled by the staging
environment.
---
 .gitlab-ci.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d67e8da3c7..2db0c47ab0 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1714,6 +1714,26 @@ staging:
   rules:
     - if: '$CI_COMMIT_TAG != null'
 
+# Job copying a staged release to a secret location
+
+publish-private:
+  <<: *signer_ssh_job
+  variables:
+    SSH_SCRIPT_CLIENT: |-
+      ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish-private ${CI_COMMIT_TAG}"
+    SSH_SCRIPT_RUNNER_POST: |-
+      awk '/^Public Use URL:/ {print $$NF}' "/tmp/${CI_JOB_NAME}.log" > "url-${CI_COMMIT_TAG}.txt"
+  artifacts:
+    paths:
+      - publish-private-${CI_COMMIT_TAG}.log
+      - url-${CI_COMMIT_TAG}.txt
+    expire_in: "1 month"
+  needs:
+    - job: staging
+      artifacts: false
+  rules:
+    - if: '$CI_COMMIT_TAG != null && ($CI_COMMIT_TAG =~ /-S/ || $RELEASE_TYPE == "security")'
+
 # Job creating the release announcement MR in Printing Press
 
 prepare-release-announcement: