diff --git a/.github/workflows/common_deploy_jobs.yml b/.github/workflows/common_deploy_jobs.yml index 61e2c9aaf..eb492859e 100644 --- a/.github/workflows/common_deploy_jobs.yml +++ b/.github/workflows/common_deploy_jobs.yml @@ -10,9 +10,19 @@ on: description: 'snap channel to release to' required: true type: string + secrets: + SNAPCRAFTCFG: + required: true + DOCKERHUB_TOKEN: + required: true + permissions: contents: read +env: + DOCKER_TAG: "${{ inputs.dockerTag }}" + SNAP_RELEASE_CHANNEL: "${{ inputs.snapReleaseChannel }}" + jobs: # This job relies on credentials used to publish the Certbot snaps. This # credential file was created by running: @@ -68,7 +78,7 @@ jobs: run: |- export SNAPCRAFT_STORE_CREDENTIALS="${{ secrets.SNAPCRAFTCFG }}" for SNAP_FILE in snap/*.snap; do - tools/retry.sh eval snapcraft upload --release=${{ inputs.snapReleaseChannel }} "${SNAP_FILE}" + tools/retry.sh eval snapcraft upload --release="${SNAP_RELEASE_CHANNEL}" "${SNAP_FILE}" done shell: bash publish_snap_invalid: @@ -123,7 +133,7 @@ jobs: username: "${{ vars.DOCKERHUB_USERNAME }}" password: "${{ secrets.DOCKERHUB_TOKEN }}" - name: Deploy the Docker images by architecture - run: tools/docker/deploy_images.sh ${{ inputs.dockerTag }} ${{ matrix.DOCKER_ARCH }} + run: tools/docker/deploy_images.sh "$DOCKER_TAG" ${{ matrix.DOCKER_ARCH }} shell: bash publish_docker_multiarch: name: Publish docker multiarch @@ -141,5 +151,5 @@ jobs: username: "${{ vars.DOCKERHUB_USERNAME }}" password: "${{ secrets.DOCKERHUB_TOKEN }}" - name: Deploy the Docker multiarch manifests - run: tools/docker/deploy_manifests.sh ${{ inputs.dockerTag }} all + run: tools/docker/deploy_manifests.sh "$DOCKER_TAG" all shell: bash diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 2fb54c3a4..780ec0076 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml 
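Review bot: The new top-level `env:` block in the first hunk has no comment saying why the inputs are copied into environment variables, so the next maintainer is likely to write `${{ inputs.dockerTag }}` straight back into a `run:` line. I would put the rationale above `env:`: `# Inputs are exposed as env vars so run: steps use "$DOCKER_TAG"/"$SNAP_RELEASE_CHANNEL"; a ${{ inputs.* }} expression` / `# is substituted into the script text before bash parses it, which lets a crafted value inject shell commands.` Note that this also makes both values visible to every job in the file, including the publish_snap_invalid job, which seems harmless here but is worth stating. The `on:`/`workflow_call:` mapping this hunk edits starts above the hunk.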
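Review bot: Quoting `"${SNAP_RELEASE_CHANNEL}"` in the second hunk does not fully neutralise the value, because the command is handed to `tools/retry.sh eval ...`: bash expands the quoted variable once, then `eval` joins the resulting words and re-parses them, so a channel value containing spaces or `;` is still split and interpreted as shell. With `shell: bash` already set, `${SNAP_RELEASE_CHANNEL@Q}` (bash 4.4+) produces a shell-quoted word that survives the second parse; the same applies to `"${SNAP_FILE}"`. The step also still interpolates `${{ secrets.SNAPCRAFTCFG }}` into the script body on the context line above the loop; passing it through the step's `env:` keeps the secret out of the generated script text, which is what GitHub's hardening guidance recommends. tools/retry.sh is not in this diff, so I am inferring its behaviour from the explicit `eval` argument.

```yaml
        env:
          SNAPCRAFT_STORE_CREDENTIALS: "${{ secrets.SNAPCRAFTCFG }}"
        run: |-
          for SNAP_FILE in snap/*.snap; do
            tools/retry.sh eval snapcraft upload --release="${SNAP_RELEASE_CHANNEL@Q}" "${SNAP_FILE@Q}"
          done
        shell: bash
```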
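Review bot: The third hunk moves `dockerTag` behind `"$DOCKER_TAG"` but leaves `${{ matrix.DOCKER_ARCH }}` interpolated directly and unquoted into the same `run:` line. Matrix values are defined statically in this workflow, so this is not an injection vector today, but mixing the two styles on one line undercuts the pattern the commit is establishing and invites a later edit to drop a caller-controlled value into the expression. For consistency I would add a step-level `env:` with `DOCKER_ARCH: ${{ matrix.DOCKER_ARCH }}` and change the command to `run: tools/docker/deploy_images.sh "$DOCKER_TAG" "$DOCKER_ARCH"`. The matrix definition for this job sits above the hunk.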
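Review bot: In the last hunk, `"$DOCKER_TAG"` changes what deploy_manifests.sh sees when the tag is empty: the old unquoted `${{ inputs.dockerTag }}` dropped the argument entirely and shifted `all` into `$1`, whereas the quoted variable now passes an empty first argument with `all` as `$2`. That is the safer failure mode, but only if the script rejects an empty tag rather than pushing an untagged manifest; since the `dockerTag` declaration is above this file's first hunk I cannot see whether it is `required: true`. If it is not, a one-line guard before the call, `[ -n "$DOCKER_TAG" ] || { echo "dockerTag input is empty" >&2; exit 1; }`, makes the contract explicit, and the same applies to the deploy_images.sh call in the previous hunk.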
@@ -10,23 +10,34 @@ jobs: # is much nicer if they are instead listed explicitly here. standard_tests_jobs: name: Standard tests + permissions: + contents: read uses: "./.github/workflows/standard_tests_jobs.yml" extended_tests_jobs: name: Extended tests + permissions: + contents: read uses: "./.github/workflows/extended_tests_jobs.yml" - secrets: inherit + secrets: + AWS_TEST_FARM_PEM: "${{ secrets.AWS_TEST_FARM_PEM }}" + AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}" + AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}" docker_packaging_jobs: name: Docker packaging + permissions: + contents: read uses: "./.github/workflows/docker_packaging_jobs.yml" with: dockerTag: nightly - secrets: inherit snap_packaging_jobs: name: Snap packaging + permissions: + contents: read uses: "./.github/workflows/snap_packaging_jobs.yml" with: snapBuildTimeout: 19800 - secrets: inherit + secrets: + LAUNCHPAD_CREDENTIALS: "${{ secrets.LAUNCHPAD_CREDENTIALS }}" changelog_stage: name: Create changelog permissions: @@ -42,7 +53,9 @@ jobs: - docker_packaging_jobs - snap_packaging_jobs uses: "./.github/workflows/common_deploy_jobs.yml" - secrets: inherit + secrets: + SNAPCRAFTCFG: "${{ secrets.SNAPCRAFTCFG }}" + DOCKERHUB_TOKEN: "${{ secrets.DOCKERHUB_TOKEN }}" with: dockerTag: nightly snapReleaseChannel: edge diff --git a/.github/workflows/rerun.yml b/.github/workflows/rerun.yml index daa8b9233..7a9458733 100644 --- a/.github/workflows/rerun.yml +++ b/.github/workflows/rerun.yml @@ -8,15 +8,18 @@ permissions: actions: write checks: write +env: + RUN_ID: "${{ inputs.run_id }}" + jobs: rerun: runs-on: ubuntu-latest steps: - - name: rerun ${{ inputs.run_id }} + - name: rerun "$RUN_ID" env: GH_REPO: ${{ github.repository }} GH_TOKEN: ${{ github.token }} GH_DEBUG: api run: | - gh run watch ${{ inputs.run_id }} > /dev/null 2>&1 - gh run rerun ${{ inputs.run_id }} --failed + gh run watch "$RUN_ID" > /dev/null 2>&1 + gh run rerun "$RUN_ID" --failed
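Review bot: In the first hunk, `docker_packaging_jobs` loses `secrets: inherit` with no explicit `secrets:` block to replace it, unlike the extended-tests and snap-packaging jobs; if docker_packaging_jobs.yml declares any `required: true` secret under `workflow_call`, this nightly run will be rejected at validation time. I cannot see that file in the diff, so please confirm it declares no secrets, or add the needed entries here as the other jobs now do. The new `permissions: contents: read` on each `uses:` job caps the GITHUB_TOKEN for the whole called workflow, which can only narrow it further, so any called job that needs e.g. `checks: write` or `id-token: write` will now fail. A short comment above the first job, `# Called workflows get only contents: read and the exact secrets they declare; do not reintroduce secrets: inherit.`, would record the intent next to the existing note about listing jobs explicitly.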
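Review bot: In the rerun.yml hunk, `- name: rerun "$RUN_ID"` will not do what it appears to: a step's `name:` is rendered by GitHub, not executed by a shell, so `$RUN_ID` is never expanded and the step is titled literally `rerun "$RUN_ID"`, quotes included. The original `${{ inputs.run_id }}` in `name:` was not a script-injection risk because the value is only displayed, so the safest fix is to restore `- name: rerun ${{ inputs.run_id }}` or use a static title such as `- name: Rerun failed jobs`; the `run:` lines correctly keep `"$RUN_ID"`. Separately, the workflow-level `checks: write` predates this change but looks broader than `gh run rerun` needs, which requires `actions: write`; worth confirming it is still used.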