Skip to content

Commit 1e85229

Browse files
committed
ci: simplify staging smoke publication
1 parent be90145 commit 1e85229

4 files changed

Lines changed: 6 additions & 9 deletions

File tree

.github/workflows/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ This directory contains the repository's CI, release, dependency, and supply-cha
2424

2525
- [`pre-release-validation.yml`](pre-release-validation.yml) is a manual, non-publishing validation pass for candidate refs. It builds the template from the candidate source, runs template smoke checks, runs generated-template consumer e2e against the same candidate action runtime, dry-runs template publication, and uploads the generated template for inspection.
2626

27-
- [`staging-smoke.yml`](staging-smoke.yml) validates and optionally publishes the one copied-repository staging smoke scenario described in [`../../docs/STAGING_SMOKE.md`](../../docs/STAGING_SMOKE.md). Pull requests and pushes that touch the staging/template surface run `make staging-smoke` in dry-run mode and upload evidence. Manual dispatch can publish `reponomics/reponomics-dashboard-staging` only after the `staging-smoke-publication` environment approves the job, using a scoped GitHub App token for the staging repository.
27+
- [`staging-smoke.yml`](staging-smoke.yml) validates and optionally publishes the one copied-repository staging smoke scenario described in [`../../docs/STAGING_SMOKE.md`](../../docs/STAGING_SMOKE.md). Pull requests and pushes that touch the staging/template surface run `make staging-smoke` in dry-run mode and upload evidence. Manual dispatch can publish `reponomics/reponomics-dashboard-staging` using a scoped GitHub App token for the staging repository.
2828

2929
- [`sbom-provenance.yml`](sbom-provenance.yml) generates a repository SPDX SBOM and creates release source/SBOM attestations for release and manual runs. Release asset upload is explicitly disabled because immutable releases cannot be mutated after publication, and dependency snapshot upload is disabled so the third-party SBOM action runs with a read-only job token.
3030

.github/workflows/staging-smoke.yml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -113,7 +113,6 @@ jobs:
113113
name: Publish staging smoke repository
114114
if: ${{ github.event_name == 'workflow_dispatch' && inputs.publish }}
115115
runs-on: ubuntu-24.04
116-
environment: staging-smoke-publication
117116
permissions:
118117
contents: read
119118
steps:

docs/STAGING_SMOKE.md

Lines changed: 4 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -60,15 +60,13 @@ The source repository workflow
6060
dry-run mode and upload the evidence files;
6161
- manual dispatch with `publish: false` runs the same dry-run against a selected
6262
source ref;
63-
- manual dispatch with `publish: true` publishes the copied staging repository
64-
after the `staging-smoke-publication` environment allows the job to proceed.
63+
- manual dispatch with `publish: true` publishes the copied staging repository.
6564

6665
The publication job uses a scoped GitHub App token. Configure these source
6766
repository settings before manual publication:
6867

6968
- repository variable `STAGING_SMOKE_APP_CLIENT_ID`;
70-
- repository secret `STAGING_SMOKE_APP_PRIVATE_KEY`;
71-
- environment `staging-smoke-publication` with the desired reviewer policy.
69+
- repository secret `STAGING_SMOKE_APP_PRIVATE_KEY`.
7270

7371
The GitHub App installation needs write access only to
7472
`reponomics/reponomics-dashboard-staging`, including repository contents and
@@ -82,8 +80,8 @@ Before publishing, configure the staging repository out of band:
8280

8381
- repository visibility is public;
8482
- Settings -> Pages -> Build and deployment -> Source is set to GitHub Actions;
85-
- repository secret `COLLECTION_TOKEN` exists and can read the selected public
86-
repositories;
83+
- repository secret `COLLECTION_TOKEN` exists and can read
84+
`reponomics/reponomics-dashboard-action`;
8785
- repository secret `DASHBOARD_SECRET_DO_NOT_REPLACE` exists and is retained
8886
across runs.
8987

tests/test_action_metadata.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -269,7 +269,7 @@ def test_staging_smoke_workflow_dry_runs_and_publishes_manually() -> None:
269269
assert "tests/test_staging_smoke.py" in validate_commands
270270
assert "--push" not in validate_commands
271271
assert publish_job["if"] == "${{ github.event_name == 'workflow_dispatch' && inputs.publish }}"
272-
assert publish_job["environment"] == "staging-smoke-publication"
272+
assert "environment" not in publish_job
273273
assert publish_job["permissions"] == {"contents": "read"}
274274
assert "Staging smoke publication is restricted to main or release tags" in publish_commands
275275
assert "scripts/staging_smoke.py" in publish_commands

0 commit comments

Comments
 (0)