Testing secrets and reusable workflows

evertlammerts · evertlammerts · commit f90dc1c5e5cc · 2025-08-21T16:26:24.000+02:00
diff --git a/.github/workflows/cleanup_pypi.yml b/.github/workflows/cleanup_pypi.yml
@@ -6,6 +6,13 @@ on:
         description: CI environment to run in (pypi-test or pypi-prod-nightly)
         type: string
         required: true
+    secrets:
+      PYPI_CLEANUP_OTP:
+        description: PyPI OTP
+        required: true
+      PYPI_CLEANUP_PASSWORD:
+        description: PyPI password
+        required: true
   workflow_dispatch:
     inputs:
       dry-run:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -28,55 +28,55 @@ defaults:
     shell: bash
 
 jobs:
-  build_and_test:
-    name: Build and test releases
-    uses:  ./.github/workflows/packaging.yml
-    with:
-      minimal: true
-      testsuite: none
-      git-ref: ${{ github.ref }}
-      duckdb-git-ref: ${{ inputs.duckdb-sha }}
-      set-version: ${{ inputs.stable-version }}
-
-  upload_s3:
-    name: Upload Artifacts to S3
-    runs-on: ubuntu-latest
-    needs: [build_and_test]
-    if: ${{ github.repository_owner == 'duckdb' && ( inputs.pypi-index == 'prod' || inputs.store-s3 ) }}
-    steps:
-      - name: Fetch artifacts
-        uses: actions/download-artifact@v4
-        with:
-          pattern: '{sdist,wheel}*'
-          path: artifacts/
-          merge-multiple: true
-
-      - name: Authenticate with AWS
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: 'us-east-2'
-          aws-access-key-id: ${{ secrets.S3_DUCKDB_STAGING_ID }}
-          aws-secret-access-key: ${{ secrets.S3_DUCKDB_STAGING_KEY }}
-
-      - name: Upload Artifacts
-        id: s3_upload
-        run: |
-          sha=${{ github.ref }}
-          aws s3 cp artifacts s3://duckdb-staging/${{ github.repository }}/${sha:0:10}/ --recursive
-
-      - name: S3 Upload Summary
-        run : |
-          sha=${{ github.ref }}
-          version=$(basename artifacts/*.tar.gz | sed 's/duckdb-\(.*\).tar.gz/\1/g')
-          echo "## S3 Upload Summary" >> $GITHUB_STEP_SUMMARY
-          echo "* Version: ${version}" >> $GITHUB_STEP_SUMMARY
-          echo "* SHA: ${sha:0:10}" >> $GITHUB_STEP_SUMMARY
-          echo "* S3 URL: s3://duckdb-staging/${{ github.repository }}/${sha:0:10}/" >> $GITHUB_STEP_SUMMARY
+#  build_and_test:
+#    name: Build and test releases
+#    uses:  ./.github/workflows/packaging.yml
+#    with:
+#      minimal: true
+#      testsuite: none
+#      git-ref: ${{ github.ref }}
+#      duckdb-git-ref: ${{ inputs.duckdb-sha }}
+#      set-version: ${{ inputs.stable-version }}
+#
+#  upload_s3:
+#    name: Upload Artifacts to S3
+#    runs-on: ubuntu-latest
+#    needs: [build_and_test]
+#    if: ${{ github.repository_owner == 'duckdb' && ( inputs.pypi-index == 'prod' || inputs.store-s3 ) }}
+#    steps:
+#      - name: Fetch artifacts
+#        uses: actions/download-artifact@v4
+#        with:
+#          pattern: '{sdist,wheel}*'
+#          path: artifacts/
+#          merge-multiple: true
+#
+#      - name: Authenticate with AWS
+#        uses: aws-actions/configure-aws-credentials@v4
+#        with:
+#          aws-region: 'us-east-2'
+#          aws-access-key-id: ${{ secrets.S3_DUCKDB_STAGING_ID }}
+#          aws-secret-access-key: ${{ secrets.S3_DUCKDB_STAGING_KEY }}
+#
+#      - name: Upload Artifacts
+#        id: s3_upload
+#        run: |
+#          sha=${{ github.ref }}
+#          aws s3 cp artifacts s3://duckdb-staging/${{ github.repository }}/${sha:0:10}/ --recursive
+#
+#      - name: S3 Upload Summary
+#        run : |
+#          sha=${{ github.ref }}
+#          version=$(basename artifacts/*.tar.gz | sed 's/duckdb-\(.*\).tar.gz/\1/g')
+#          echo "## S3 Upload Summary" >> $GITHUB_STEP_SUMMARY
+#          echo "* Version: ${version}" >> $GITHUB_STEP_SUMMARY
+#          echo "* SHA: ${sha:0:10}" >> $GITHUB_STEP_SUMMARY
+#          echo "* S3 URL: s3://duckdb-staging/${{ github.repository }}/${sha:0:10}/" >> $GITHUB_STEP_SUMMARY
 
   determine_environment:
     name: Determine the Github Actions environment to use
     runs-on: ubuntu-latest
-    needs: build_and_test
+#    needs: build_and_test
     outputs:
       env_name: ${{ steps.set-env.outputs.env_name }}
     steps:
@@ -101,47 +101,52 @@ jobs:
               ;;
           esac
 
-  publish_pypi:
-    name: Publish Artifacts to PyPI
-    runs-on: ubuntu-latest
-    needs: determine_environment
-    environment:
-      name: ${{ needs.determine_environment.outputs.env_name }}
-    permissions:
-      # this is needed for the OIDC flow that is used with trusted publishing on PyPI
-      id-token: write
-    steps:
-      - if: ${{ vars.PYPI_HOST == '' }}
-        run: |
-          echo "Error: PYPI_HOST is not set in CI environment '${{ needs.determine_environment.outputs.env_name }}'"
-          exit 1
-
-      - name: Fetch artifacts
-        uses: actions/download-artifact@v4
-        with:
-          pattern: '{sdist,wheel}*'
-          path: packages/
-          merge-multiple: true
-
-      - name: Upload artifacts to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          repository-url: 'https://${{ vars.PYPI_HOST }}/legacy/'
-          packages-dir: packages
-          verbose: 'true'
-
-      - name: PyPI Upload Summary
-        run : |
-          version=$(basename packages/*.tar.gz | sed 's/duckdb-\(.*\).tar.gz/\1/g')
-          echo "## PyPI Upload Summary" >> $GITHUB_STEP_SUMMARY
-          echo "* Version: ${version}" >> $GITHUB_STEP_SUMMARY
-          echo "* PyPI Host: ${{ vars.PYPI_HOST }}" >> $GITHUB_STEP_SUMMARY
-          echo "* CI Environment: ${{ needs.determine_environment.outputs.env_name }}" >> $GITHUB_STEP_SUMMARY
+#  publish_pypi:
+#    name: Publish Artifacts to PyPI
+#    runs-on: ubuntu-latest
+#    needs: determine_environment
+#    environment:
+#      name: ${{ needs.determine_environment.outputs.env_name }}
+#    permissions:
+#      # this is needed for the OIDC flow that is used with trusted publishing on PyPI
+#      id-token: write
+#    steps:
+#      - if: ${{ vars.PYPI_HOST == '' }}
+#        run: |
+#          echo "Error: PYPI_HOST is not set in CI environment '${{ needs.determine_environment.outputs.env_name }}'"
+#          exit 1
+#
+#      - name: Fetch artifacts
+#        uses: actions/download-artifact@v4
+#        with:
+#          pattern: '{sdist,wheel}*'
+#          path: packages/
+#          merge-multiple: true
+#
+#      - name: Upload artifacts to PyPI
+#        uses: pypa/gh-action-pypi-publish@release/v1
+#        with:
+#          repository-url: 'https://${{ vars.PYPI_HOST }}/legacy/'
+#          packages-dir: packages
+#          verbose: 'true'
+#
+#      - name: PyPI Upload Summary
+#        run : |
+#          version=$(basename packages/*.tar.gz | sed 's/duckdb-\(.*\).tar.gz/\1/g')
+#          echo "## PyPI Upload Summary" >> $GITHUB_STEP_SUMMARY
+#          echo "* Version: ${version}" >> $GITHUB_STEP_SUMMARY
+#          echo "* PyPI Host: ${{ vars.PYPI_HOST }}" >> $GITHUB_STEP_SUMMARY
+#          echo "* CI Environment: ${{ needs.determine_environment.outputs.env_name }}" >> $GITHUB_STEP_SUMMARY
 
   cleanup_nightlies:
     name: Remove Nightlies from PyPI
-    needs: [determine_environment, publish_pypi]
+#    needs: [determine_environment, publish_pypi]
+    needs: determine_environment
     if: ${{ inputs.stable-version == '' }}
     uses: ./.github/workflows/cleanup_pypi.yml
     with:
       environment: ${{ needs.determine_environment.outputs.env_name }}
+    secrets:
+      # reusable workflows and secrets are not great: https://github.com/actions/runner/issues/3206
+      PYPI_CLEANUP_OTP: ${{secrets.PYPI_CLEANUP_OTP}}
+      PYPI_CLEANUP_PASSWORD: ${{secrets.PYPI_CLEANUP_PASSWORD}}
