Purge distros token in a separate CI job

The "publish" job runs on a dedicated, locked-down runner that lacks the Python modules necessary to execute the manage_distros_token.py script. Instead of deleting the token within the "publish" job, purge it in a separate job that automatically runs on the "base" image after the "publish" job succeeds. Define "rules" for the new job so that the token is only deleted for security releases, as it should have been initially. (cherry picked from commit 36411e7c84)
2026-06-10 15:50:00 -04:00 · 2026-04-09 13:23:57 +02:00 · 2026-04-09 13:23:57 +02:00 · fe0eb473a6
commit fe0eb473a6
parent 95afb0f5b5
1 changed files with 15 additions and 3 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1849,9 +1849,6 @@ publish:
  variables:
    SSH_SCRIPT_CLIENT: |-
      ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish ${CI_COMMIT_TAG}"
-  after_script:
-    - *git_clone_bind9-qa
-    - if [ "${CI_JOB_STATUS}" = "success" ]; then "$CI_PROJECT_DIR"/bind9-qa/releng/manage_distros_token.py delete; fi
  artifacts:
    paths:
      - publish-${CI_COMMIT_TAG}.log
@ -1862,6 +1859,21 @@ publish:
  rules:
    - *rule_tag_open_source

+publish-cleanup:
+  <<: *base_image
+  stage: release
+  script:
+    - *git_clone_bind9-qa
+    - >
+      "$CI_PROJECT_DIR"/bind9-qa/releng/manage_distros_token.py delete
+  needs:
+    - job: publish
+      artifacts: false
+  tags:
+    - smalljob
+  rules:
+    - *rule_tag_security
+
 .manual_release_job_qa: &manual_release_job_qa
  <<: *manual_release_job
  <<: *base_image