PYTHON-4388 Fix dist handling in SSDLC workflow (mongodb#1705)

blink1073 · web-flow · commit 1c2f1f5c3d58 · 2024-06-26T11:26:37.000-05:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -26,9 +26,6 @@ jobs:
       # required for all workflows
       security-events: write
 
-      # required to fetch internal or private CodeQL packs
-      packages: read
-
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/dist.yml b/.github/workflows/dist.yml
@@ -10,6 +10,10 @@ on:
   workflow_dispatch:
   pull_request:
   workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
 
 concurrency:
   group: dist-${{ github.ref }}
@@ -44,6 +48,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          ref: ${{ inputs.ref }}
 
       - uses: actions/setup-python@v5
         with:
@@ -99,6 +104,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          ref: ${{ inputs.ref }}
 
       - uses: actions/setup-python@v5
         with:
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
@@ -19,7 +19,7 @@ env:
   PRODUCT_NAME: PyMongo
   # Changes per branch
   SILK_ASSET_GROUP: mongodb-python-driver
-  EVERGREEN_PROJECT: mongodb-python-driver
+  EVERGREEN_PROJECT: mongo-python-driver
 
 defaults:
   run:
@@ -32,6 +32,8 @@ jobs:
     permissions:
       id-token: write
       contents: write
+    outputs:
+      version: ${{ steps.pre-publish.outputs.version }}
     steps:
       - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
         with:
@@ -44,19 +46,24 @@ jobs:
           aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
           artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
       - uses: mongodb-labs/drivers-github-tools/python/pre-publish@v2
+        id: pre-publish
         with:
           version: ${{ inputs.version }}
           dry_run: ${{ inputs.dry_run }}
 
   build-dist:
     needs: [pre-publish]
     uses: ./.github/workflows/dist.yml
+    with:
+      ref: ${{ needs.pre-publish.outputs.version }}
 
   static-scan:
     needs: [pre-publish]
     uses: ./.github/workflows/codeql.yml
+    permissions:
+      security-events: write
     with:
-      ref: ${{ github.ref }}
+      ref: ${{ needs.pre-publish.outputs.version }}
 
   publish:
     needs: [build-dist, static-scan]
