From: Michał Kępień <michal@isc.org>
Date: Thu, 9 Apr 2026 11:23:57 +0000 (+0200)
Subject: Purge distros token in a separate CI job
X-Git-Tag: v9.21.22~75^2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=36411e7c84384168ab3c0e3d107be459326c1647;p=thirdparty%2Fbind9.git

Purge distros token in a separate CI job

The "publish" job runs on a dedicated, locked-down runner that lacks the
Python modules necessary to execute the manage_distros_token.py script.
Instead of deleting the token within the "publish" job, purge it in a
separate job that automatically runs on the "base" image after the
"publish" job succeeds.  Define "rules" for the new job so that the
token is only deleted for security releases, as it should have been
initially.
---

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3b8e02c465e..a05a098b858 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1941,9 +1941,6 @@ publish:
   variables:
     SSH_SCRIPT_CLIENT: |-
       ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish ${CI_COMMIT_TAG}"
-  after_script:
-    - *git_clone_bind9-qa
-    - if [ "${CI_JOB_STATUS}" = "success" ]; then "$CI_PROJECT_DIR"/bind9-qa/releng/manage_distros_token.py delete; fi
   artifacts:
     paths:
       - publish-${CI_COMMIT_TAG}.log
@@ -1954,6 +1951,21 @@ publish:
   rules:
     - *rule_tag_open_source
 
+publish-cleanup:
+  <<: *base_image
+  stage: release
+  script:
+    - *git_clone_bind9-qa
+    - >
+      "$CI_PROJECT_DIR"/bind9-qa/releng/manage_distros_token.py delete
+  needs:
+    - job: publish
+      artifacts: false
+  tags:
+    - smalljob
+  rules:
+    - *rule_tag_security
+
 .manual_release_job_qa: &manual_release_job_qa
   <<: *manual_release_job
   <<: *base_image