add eof newlines

pass secrets and env vars set minimum permissions move permissions to job level, switch to contents read change name to AWS_TEST_FARM_PEM for consistency move comments, remove azure pipelines on-pr file match permissions remove runs-on: self-hosted. why was that even there? add shell:bash the auto-converted decided python 3.1 == 3.10. come on. put python version in quotes move python version to matrix copy from matrix into env matrix must take a list update matrix syntax remove composite put composite back
2026-06-09 00:32:12 -04:00 · 2026-03-23 09:45:20 -07:00 · 2026-03-23 09:45:20 -07:00 · 0a0cdcc4a0
commit 0a0cdcc4a0
parent 9f753a74d8
5 changed files with 51 additions and 56 deletions
--- a/.azure-pipelines/main.yml
+++ b/.azure-pipelines/main.yml
@ -1,18 +0,0 @@
-# We run the test suite on commits to main so codecov gets coverage data
-# about the main branch and can use it to track coverage changes.
-trigger:
-  - main
-pr:
-  - main
-  - '*.x'
-
-variables:
-  # We set this here to avoid coverage data being uploaded from things like our
-  # nightly pipeline. This is done because codecov (helpfully) keeps track of
-  # the number of coverage uploads for a commit and displays a warning when
-  # comparing two commits with an unequal number of uploads. Only uploading
-  # coverage here should keep the number of uploads it sees consistent.
-  uploadCoverage: true
-
-jobs:
-  - template: templates/jobs/standard-tests-jobs.yml
--- a/.github/actions/sphinx_steps/action.yml
+++ b/.github/actions/sphinx_steps/action.yml
@ -25,4 +25,4 @@ runs:
        echo "##[error]The following builds failed: ${FAILED_BUILDS[*]}"
        exit 1
      fi
-    shell: bash
+    shell: bash
--- a/.github/actions/tox_steps/action.yml
+++ b/.github/actions/tox_steps/action.yml
@ -3,7 +3,7 @@ runs:
  using: composite
  steps:
  - name: Install MacOS dependencies
-    if: startsWith(env.IMAGE_NAME, 'macOS')
+    if: startsWith(matrix.IMAGE_NAME, 'macOS')
    run: |-
      set -e
      unset HOMEBREW_NO_INSTALL_FROM_API
@ -12,7 +12,7 @@ runs:
      brew install augeas
    shell: bash
  - name: Install Linux dependencies
-    if: startsWith(env.IMAGE_NAME, 'ubuntu')
+    if: startsWith(matrix.IMAGE_NAME, 'ubuntu')
    run: |-
      set -e
      sudo apt-get update
@ -30,17 +30,19 @@ runs:
      set -e
      python3 tools/pip_install.py tox
    shell: bash
-#   # This item has no matching transformer
-#   - task: DownloadSecureFile@1
-#     name: testFarmPem
-#     inputs:
-#       secureFile: azure-test-farm.pem
-#     condition: contains(variables['TOXENV'], 'test-farm')
+  - name: Create test farm pem file
+    if: contains(matrix.TOXENV, 'test-farm')
+    env:
+      PEM_CONTENTS: "${{ secrets.AWS_TEST_FARM_PEM }}"
+    run: 'echo ${PEM_CONTENTS} >> github-test-farm.pem'
+    shell: bash
  - name: Run tox
    env:
-      AWS_ACCESS_KEY_ID: "${{ env.AWS_ACCESS_KEY_ID }}"
-      AWS_SECRET_ACCESS_KEY: "${{ env.AWS_SECRET_ACCESS_KEY }}"
-      AWS_EC2_PEM_FILE: "${{ env.testFarmPem_secureFilePath }}"
+      AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+      AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+      AWS_EC2_PEM: "github-test-farm.pem"
+      PIP_USE_PEP517: "${{ matrix.PIP_USE_PEP517 }}"
+      TOXENV: "${{ matrix.TOXENV }}"
    run: |-
      set -e
      export TARGET_BRANCH="`echo "${BUILD_SOURCEBRANCH}" | sed -E 's!refs/(heads|tags)/!!g'`"
@ -49,7 +51,7 @@ runs:
      python3 -m tox run
    shell: bash
  - name: Upload coverage data
-    if: env.uploadCoverage == true && (startsWith(env.TOXENV, 'cover') || startsWith(env.TOXENV, 'integration'))
+    if: env.uploadCoverage == true && (startsWith(matrix.TOXENV, 'cover') || startsWith(matrix.TOXENV, 'integration'))
    run: |-
      python3 tools/pip_install.py -I coverage
      case "${{ runner.os }}" in
@ -70,4 +72,4 @@ runs:
      chmod +x codecov
      coverage xml
      ./codecov || echo "Uploading coverage data failed"
-    shell: bash
+    shell: bash
--- a/.github/workflows/pr-test-suite.yml
+++ b/.github/workflows/pr-test-suite.yml
@ -1,3 +1,5 @@
+# We run the test suite on commits to main so codecov gets coverage data
+# about the main branch and can use it to track coverage changes.
 name: certbot/pr-test-suite
 on:
  push:
@ -5,12 +7,18 @@ on:
    - main
  pull_request:
    branches:
-    - master
    - main
    - "*.x"
-env:
-  uploadCoverage: true
 jobs:
  standard_tests_jobs:
    name: standard_tests_jobs
    uses: "./.github/workflows/standard_tests_jobs.yml"
+    permissions:
+      contents: read
+    with:
+      # We set this here to avoid coverage data being uploaded from things like our
+      # nightly pipeline. This is done because codecov (helpfully) keeps track of
+      # the number of coverage uploads for a commit and displays a warning when
+      # comparing two commits with an unequal number of uploads. Only uploading
+      # coverage here should keep the number of uploads it sees consistent.
+      uploadCoverage: true
--- a/.github/workflows/standard_tests_jobs.yml
+++ b/.github/workflows/standard_tests_jobs.yml
@ -2,48 +2,51 @@
 name: standard_tests_jobs
 on:
  workflow_call:
+    inputs:
+      uploadCoverage:
+        description: 'Upload coverage to Codecov'
+        type: boolean
+        default: false
 jobs:
  test:
+    permissions:
+      contents: read
    runs-on:
-      - self-hosted
      - "${{ matrix.IMAGE_NAME }}"
    env:
-      PYTHON_VERSION: 3.14
+      uploadCoverage: ${{ inputs.uploadCoverage }}
    strategy:
      matrix:
+        PYTHON_VERSION: ['3.14']
+        IMAGE_NAME: ['ubuntu-22.04']
+        TOXENV:
+          - 'cover'
+          - 'lint-posix'
+          - 'mypy'
+          - 'integration'
+          - 'apache_compat'
+          - 'apacheconftest-with-pebble'
+          - 'nginxroundtrip'
+          - 'validate-changelog'
        include:
        - IMAGE_NAME: macOS-15
+          PYTHON_VERSION: '3.14'
          TOXENV: cover
          PIP_USE_PEP517: 'true'
        - IMAGE_NAME: ubuntu-22.04
-          PYTHON_VERSION: 3.1
+          PYTHON_VERSION: '3.10'
          TOXENV: oldest
        - IMAGE_NAME: ubuntu-22.04
-          PYTHON_VERSION: 3.1
+          PYTHON_VERSION: '3.10'
          TOXENV: py310
-        - IMAGE_NAME: ubuntu-22.04
-          TOXENV: cover
-        - IMAGE_NAME: ubuntu-22.04
-          TOXENV: lint-posix
-        - IMAGE_NAME: ubuntu-22.04
-          TOXENV: mypy
-        - IMAGE_NAME: ubuntu-22.04
-          TOXENV: integration
-        - IMAGE_NAME: ubuntu-22.04
-          TOXENV: apache_compat
-        - IMAGE_NAME: ubuntu-22.04
-          TOXENV: apacheconftest-with-pebble
-        - IMAGE_NAME: ubuntu-22.04
-          TOXENV: nginxroundtrip
-        - IMAGE_NAME: ubuntu-22.04
-          TOXENV: validate-changelog
    steps:
    - name: checkout
      uses: actions/checkout@v4.1.0
    - uses: "./.github/actions/tox_steps"
  test_sphinx_builds:
+    permissions:
+      contents: read
    runs-on:
-      - self-hosted
      - ubuntu-22.04
    steps:
    - name: checkout