From fe0eb473a6df590967c1ff4ad0c237dcfbf5469f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Thu, 9 Apr 2026 13:23:57 +0200
Subject: [PATCH] Purge distros token in a separate CI job

The "publish" job runs on a dedicated, locked-down runner that lacks the
Python modules necessary to execute the manage_distros_token.py script.
Instead of deleting the token within the "publish" job, purge it in a
separate job that automatically runs on the "base" image after the
"publish" job succeeds.  Define "rules" for the new job so that the
token is only deleted for security releases, as it should have been
initially.

(cherry picked from commit 36411e7c84384168ab3c0e3d107be459326c1647)
---
 .gitlab-ci.yml | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 04876401df8..4bc80c4f6ed 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1849,9 +1849,6 @@ publish:
   variables:
     SSH_SCRIPT_CLIENT: |-
       ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish ${CI_COMMIT_TAG}"
-  after_script:
-    - *git_clone_bind9-qa
-    - if [ "${CI_JOB_STATUS}" = "success" ]; then "$CI_PROJECT_DIR"/bind9-qa/releng/manage_distros_token.py delete; fi
   artifacts:
     paths:
       - publish-${CI_COMMIT_TAG}.log
@@ -1862,6 +1859,21 @@ publish:
   rules:
     - *rule_tag_open_source
 
+publish-cleanup:
+  <<: *base_image
+  stage: release
+  script:
+    - *git_clone_bind9-qa
+    - >
+      "$CI_PROJECT_DIR"/bind9-qa/releng/manage_distros_token.py delete
+  needs:
+    - job: publish
+      artifacts: false
+  tags:
+    - smalljob
+  rules:
+    - *rule_tag_security
+
 .manual_release_job_qa: &manual_release_job_qa
   <<: *manual_release_job
   <<: *base_image
-- 
2.47.3