From 98cbde5233c788936f8aeb6231c65db74d9f7fbc Mon Sep 17 00:00:00 2001
From: =?utf8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Tue, 10 Mar 2026 18:04:51 +0100
Subject: [PATCH] Delete early access token when code is published

Technically this is not necessary because the token expires in one week
after creation, and new code would have got there only one week before
the next public release, but better be safe than sorry.

Catch is, after_script gets executed even if a job fails or is
canceled. Delete distros token only if publication succeeded.
---
 .gitlab-ci.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index dc1bc57efd4..43c3c82f027 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1947,6 +1947,8 @@ publish:
   variables:
     SSH_SCRIPT_CLIENT: |-
       ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish ${CI_COMMIT_TAG}"
+  after_script:
+    - if [ "${CI_JOB_STATUS}" = "success" ]; then "$CI_PROJECT_DIR"/bind9-qa/releng/manage_distros_token.py delete; fi
   artifacts:
     paths:
       - publish-${CI_COMMIT_TAG}.log
-- 
2.47.3