Merge branch 'test-convert-full-pipeline' into convert-all-pipelines

.github/workflows/docker_packaging_jobs.yml

@@ -3,22 +3,19 @@ on:
   workflow_call:
     inputs:
       dockerTag:
-        description: 'docker tag to push to'
+        description: 'tag to assign docker images'
         type: string
 permissions:
   contents: read
 
 env:
-  dockerTag: ${{ inputs.dockerTag }}
+  DOCKER_TAG: ${{ inputs.dockerTag }}
 
 jobs:
   docker_build:
     name: Build ${{ matrix.DOCKER_ARCH }}
     runs-on:
       - ${{ matrix.run-on }}
-    # The default timeout of 60 minutes is a little low for compiling
-    # cryptography on ARM architectures.
-    timeout-minutes: 180
     strategy:
       fail-fast: false
       matrix:
@@ -37,7 +34,7 @@ jobs:
     - name: Build the Docker images
       # We don't filter for the Docker Hub organization to continue to allow
       # easy testing of these scripts on forks.
-      run: tools/docker/build.sh ${{ env.dockerTag }} ${{ matrix.DOCKER_ARCH }}
+      run: tools/docker/build.sh "$DOCKER_TAG" ${{ matrix.DOCKER_ARCH }}
       shell: bash
     - name: Save the Docker images
       run: |-
@@ -46,14 +43,11 @@ jobs:
       shell: bash
     # If the name of the tar file or artifact changes, the deploy stage will
     # also need to be updated.
-    - name: Prepare Docker artifact
-      run: mv images.tar ${{ runner.temp }}
-      shell: bash
     - name: Store Docker artifact
       uses: actions/upload-artifact@v7.0.0
       with:
         name: docker_${{ matrix.DOCKER_ARCH }}
-        path: "${{ runner.temp }}"
+        path: "${{ github.workspace }}/images.tar"
   docker_test:
     name: Test ${{ matrix.DOCKER_ARCH }}
     needs:
@@ -73,6 +67,8 @@ jobs:
     steps:
     - name: checkout
       uses: actions/checkout@v6.0.2
+      with:
+        persist-credentials: false
     - name: Retrieve Docker images
       uses: actions/download-artifact@v8.0.1
       with:
@@ -82,5 +78,5 @@ jobs:
       run: docker load --input ${{ github.workspace }}/images.tar
       shell: bash
     - name: Run integration tests for Docker images
-      run: tools/docker/test.sh ${{ env.dockerTag }} ${{ matrix.DOCKER_ARCH }}
+      run: tools/docker/test.sh "$DOCKER_TAG" ${{ matrix.DOCKER_ARCH }}
       shell: bash

.github/workflows/extended_tests_jobs.yml

@@ -1,6 +1,13 @@
 name: Extended tests jobs
 on:
   workflow_call:
+    secrets:
+      AWS_TEST_FARM_PEM:
+        required: false
+      AWS_ACCESS_KEY_ID:
+        required: false
+      AWS_SECRET_ACCESS_KEY:
+        required: false
 permissions:
   contents: read
 
@@ -45,4 +52,7 @@ jobs:
       PYTHON_VERSION: "${{ matrix.PYTHON_VERSION }}"
       TOXENV: "${{ matrix.TOXENV }}"
       IMAGE_NAME: ubuntu-22.04
-    secrets: inherit
+    secrets:
+      AWS_TEST_FARM_PEM: "${{ secrets.AWS_TEST_FARM_PEM }}"
+      AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+      AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"

.github/workflows/full_test_suite.yml

@@ -19,7 +19,10 @@ jobs:
   extended_tests_jobs:
     name: Extended tests
     uses: "./.github/workflows/extended_tests_jobs.yml"
-    secrets: inherit
+    secrets:
+      AWS_TEST_FARM_PEM: "${{ secrets.AWS_TEST_FARM_PEM }}"
+      AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+      AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
   docker_packaging_jobs:
     name: Docker packaging
     uses: "./.github/workflows/docker_packaging_jobs.yml"
@@ -27,11 +30,10 @@ jobs:
       # We don't publish our Docker images in this pipeline, but when building them
       # for testing, let's use the nightly tag.
       dockerTag: nightly
-    secrets: inherit
   snap_packaging_jobs:
     name: Snap packaging
     uses: "./.github/workflows/snap_packaging_jobs.yml"
     with:
       snapBuildTimeout: 5400
-    secrets: inherit
-
+    secrets:
+      LAUNCHPAD_CREDENTIALS: "${{ secrets.LAUNCHPAD_CREDENTIALS }}"

.github/workflows/snap_packaging_jobs.yml

@@ -3,13 +3,17 @@ on:
   workflow_call:
     inputs:
       snapBuildTimeout:
-        description: 'timeout for snap builds'
+        description: 'timeout for snap builds in seconds'
         type: number
+    secrets:
+      LAUNCHPAD_CREDENTIALS:
+        required: true
+
 permissions:
   contents: read
 
 env:
-  snapBuildTimeout: ${{ inputs.snapBuildTimeout }}
+  SNAP_BUILD_TIMEOUT: ${{ inputs.snapBuildTimeout }}
 
 jobs:
   gha_build_snap:
@@ -24,7 +28,10 @@ jobs:
         - build-for: amd64
           build-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v6.0.2
+      - name: checkout
+        uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
       - uses: snapcore/action-build@v1.3.0
         id: build
         with:
@@ -42,6 +49,8 @@ jobs:
     steps:
     - name: checkout
       uses: actions/checkout@v6.0.2
+      with:
+        persist-credentials: false
     - id: set-dns-dirs
       run: |
         DNS_NAMES="$(echo certbot-dns-* | jq -R -s -c 'split(" ")[:-1]')"
@@ -61,7 +70,10 @@ jobs:
         - build-for: amd64
           build-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v6.0.2
+      - name: checkout
+        uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
       - name: generate dns snapcraft.yamls
         run: |
           tools/snap/generate_dnsplugins_all.sh # unnecessarily doing every file
@@ -86,6 +98,7 @@ jobs:
       uses: actions/checkout@v6.0.2
       with:
         fetch-depth: 0 # need a non-shallow clone for launchpad
+        persist-credentials: false
     - name: Install dependencies
       run: |-
         sudo apt-get update
@@ -98,11 +111,11 @@ jobs:
       env:
         LAUNCHPAD_CREDS: "${{ secrets.LAUNCHPAD_CREDENTIALS }}"
       run: |-
-        git config --global user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-        git config --global user.name "${{ github.actor }}"
+        git config --global user.email "github-actions[bot]"
+        git config --global user.name ""41898282+github-actions[bot]@users.noreply.github.com"
         mkdir -p ~/.local/share/snapcraft/
         echo "$LAUNCHPAD_CREDS" > ~/.local/share/snapcraft/launchpad-credentials
-        python3 tools/snap/build_remote.py ALL --archs "$SNAP_ARCH" --timeout ${{ env.snapBuildTimeout }}
+        python3 tools/snap/build_remote.py ALL --archs "$SNAP_ARCH" --timeout "$SNAP_BUILD_TIMEOUT"
     - name: Flatten snaps layout
       run: |-
         mv *.snap ${{ runner.temp }}
@@ -111,7 +124,7 @@ jobs:
       uses: actions/upload-artifact@v7.0.0
       with:
         name: snaps_${{ env.SNAP_ARCH }}
-        path: "${{ runner.temp }}"
+        path: "${{ runner.temp }}/*.snap"
   snap_run:
     name: Test certbot ${{ matrix.arch-name }}
     needs:
@@ -132,6 +145,8 @@ jobs:
     steps:
     - name: checkout
       uses: actions/checkout@v6.0.2
+      with:
+        persist-credentials: false
     - uses: actions/setup-python@v5.0.0
       with:
         python-version: '3.12'
@@ -191,6 +206,8 @@ jobs:
     steps:
     - name: checkout
       uses: actions/checkout@v6.0.2
+      with:
+        persist-credentials: false
     - name: Install armhf dependencies
       if: ${{ matrix.arch-name == 'armhf' }}
       run: |-

.github/workflows/tox_steps.yml

@@ -10,6 +10,14 @@ on:
         type: string
       PIP_USE_PEP517:
         type: string
+    secrets:
+      AWS_TEST_FARM_PEM:
+        required: false
+      AWS_ACCESS_KEY_ID:
+        required: false
+      AWS_SECRET_ACCESS_KEY:
+        required: false
+
 permissions:
   contents: read