From 28565ff3ca8bddd51d85bf0c393a3500581bde3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Tue, 10 Mar 2026 18:04:51 +0100
Subject: [PATCH] Delete early access token when code is published

Technically this is not necessary because the token expires in one week
after creation, and new code would have got there only one week before
the next public release, but better be safe than sorry.

Catch is, after_script gets executed even if a job fails or is
canceled. Delete distros token only if publication succeeded.

(cherry picked from commit 98cbde5233c788936f8aeb6231c65db74d9f7fbc)
---
 .gitlab-ci.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 732c57eae8..8c60147089 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1842,6 +1842,8 @@ publish:
   variables:
     SSH_SCRIPT_CLIENT: |-
       ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish ${CI_COMMIT_TAG}"
+  after_script:
+    - if [ "${CI_JOB_STATUS}" = "success" ]; then "$CI_PROJECT_DIR"/bind9-qa/releng/manage_distros_token.py delete; fi
   artifacts:
     paths:
       - publish-${CI_COMMIT_TAG}.log