@@ -54,14 +54,22 @@ jobs:
5454 GH_TOKEN : ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
5555 run : gh pr edit ${{ github.event.pull_request.number }} --remove-label ci-wakeup-pr-after-merge --repo ${{ github.repository }} || true
5656
57+ # Do NOT bump actions/checkout to v6 here. v6 ("persist creds to a separate file", #2286)
58+ # stores the persisted github.token in a temp credentials file pulled in via includeIf, which
59+ # `git config --unset-all http....extraheader` cannot clear. Our runner-side pushes (ci3.sh
60+ # release-pr tag, ci3_success.sh squash-and-merge) rely on swapping that header for a bot-PAT
61+ # remote, so under v6 they push as github-actions[bot] (contents: read) and 403. v5.0.1 is still
62+ # node24 but keeps the credential as a removable local extraheader.
5763 - name : Checkout
58- uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 .0.2
64+ uses : actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 .0.1
5965 with :
6066 # The commit to checkout. We want our actual commit, and not the result of merging the PR to the target.
6167 ref : ${{ github.event.pull_request.head.sha || github.sha }}
6268 # Fetch PR commits depth (we'll deepen by 1 in squash script if needed)
6369 fetch-depth : ${{ github.event.pull_request.commits || 1 }}
64- persist-credentials : true # Required for bootstrap_ec2's git fetch
70+ # Persisted for authenticated reads (e.g. the aztec-packages-private mirror); pushes swap in
71+ # a bot-PAT remote at each push site.
72+ persist-credentials : true
6573
6674 - name : Configure AWS credentials (OIDC)
6775 uses : aws-actions/configure-aws-credentials@v4
@@ -114,6 +122,8 @@ jobs:
114122 PR_NUMBER : ${{ github.event.pull_request.number }}
115123 GITHUB_REF_NAME : ${{ github.ref_name }}
116124 GITHUB_ACTOR : ${{ github.actor }}
125+ # Forwarded to EC2 so release_compat_e2e's nightly-failure Slack alert can build a real run URL.
126+ RUN_ID : ${{ github.run_id }}
117127 CI3_INSTANCE_PROFILE_NAME : ${{ secrets.CI3_INSTANCE_PROFILE_NAME }}
118128 CI3_SECURITY_GROUP_ID : ${{ secrets.CI3_SECURITY_GROUP_ID }}
119129 AWS_OIDC_ROLE_ARN : ${{ secrets.AWS_OIDC_ROLE_ARN }}
@@ -199,11 +209,10 @@ jobs:
199209 matrix :
200210 test_set : ["1", "2"]
201211 # We run on current nightly tags only, or when the ci-network-scenario label is present in a PR.
202- needs : [ci, validate-nightly-tag, ci-release-publish ]
212+ needs : [ci, validate-nightly-tag]
203213 if : |
204214 always()
205215 && (needs.ci.result == 'success' || needs.ci.result == 'skipped')
206- && (needs.ci-release-publish.result == 'success' || needs.ci-release-publish.result == 'skipped')
207216 && github.event.pull_request.head.repo.fork != true
208217 && github.event.pull_request.draft == false
209218 && (
@@ -218,7 +227,7 @@ jobs:
218227 run : gh pr edit ${{ github.event.pull_request.number }} --remove-label ci-network-scenario --repo ${{ github.repository }} || true
219228
220229 - name : Checkout
221- uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 .0.2
230+ uses : actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 .0.1
222231 with :
223232 ref : ${{ github.event.pull_request.head.sha || github.sha }}
224233
@@ -341,7 +350,7 @@ jobs:
341350 run : gh pr edit ${{ github.event.pull_request.number }} --remove-label ci-network-bench --repo ${{ github.repository }} || true
342351
343352 - name : Checkout
344- uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 .0.2
353+ uses : actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 .0.1
345354 with :
346355 ref : ${{ github.event.pull_request.head.sha || github.sha }}
347356
@@ -423,7 +432,7 @@ jobs:
423432 run : gh pr edit ${{ github.event.pull_request.number }} --remove-label ci-network-kind --repo ${{ github.repository }}
424433
425434 - name : Checkout
426- uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 .0.2
435+ uses : actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 .0.1
427436 with :
428437 ref : ${{ github.event.pull_request.head.sha || github.sha }}
429438
@@ -449,99 +458,3 @@ jobs:
449458 AWS_SHUTDOWN_TIME : 180
450459 run : |
451460 ./.github/ci3.sh network-tests-kind
452-
453- # Backwards compatibility e2e tests.
454- # Runs e2e tests with contract artifacts from every prior stable release to validate
455- # that new client code works with old contract artifacts ("new pxe / old contracts").
456- # Blocking for stable/RC releases: ci-release-publish requires this job to pass before
457- # publishing. Observational for nightlies: runs, but continue-on-error keeps the workflow
458- # green and ci-release-publish's condition publishes nightlies regardless of the result.
459- # Escape hatch: ci-skip-compat-e2e label makes failures non-blocking on release PRs.
460- ci-compat-e2e :
461- runs-on : ubuntu-latest
462- needs : [ci]
463- if : |
464- always()
465- && (needs.ci.result == 'success' || needs.ci.result == 'skipped')
466- && github.event.pull_request.head.repo.fork != true
467- && github.event.pull_request.draft == false
468- && (
469- (startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-commit.'))
470- || contains(github.event.pull_request.labels.*.name, 'ci-compat-e2e')
471- || contains(github.event.pull_request.labels.*.name, 'ci-release-pr')
472- )
473- # Non-blocking for nightlies and when ci-skip-compat-e2e escape hatch is applied.
474- continue-on-error : ${{ contains(github.ref_name, '-nightly.') || contains(github.event.pull_request.labels.*.name, 'ci-skip-compat-e2e') }}
475- steps :
476- - name : Checkout
477- uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
478- with :
479- ref : ${{ github.event.pull_request.head.sha || github.sha }}
480-
481- - name : Run Backwards Compatibility E2E Tests
482- timeout-minutes : 60
483- env :
484- AWS_ACCESS_KEY_ID : ${{ secrets.AWS_ACCESS_KEY_ID }}
485- AWS_SECRET_ACCESS_KEY : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
486- GITHUB_TOKEN : ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
487- BUILD_INSTANCE_SSH_KEY : ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
488- GCP_SA_KEY : ${{ secrets.GCP_SA_KEY }}
489- DOCKERHUB_PASSWORD : ${{ secrets.DOCKERHUB_PASSWORD }}
490- DOCKERHUB_USERNAME : ${{ secrets.DOCKERHUB_USERNAME }}
491- SLACK_BOT_TOKEN : ${{ secrets.SLACK_BOT_TOKEN }}
492- CI3_INSTANCE_PROFILE_NAME : ${{ secrets.CI3_INSTANCE_PROFILE_NAME }}
493- CI3_SECURITY_GROUP_ID : ${{ secrets.CI3_SECURITY_GROUP_ID }}
494- RUN_ID : ${{ github.run_id }}
495- AWS_SHUTDOWN_TIME : 60
496- run : ./.github/ci3.sh compat-e2e
497-
498- # Publishes the release (npm, Docker, GitHub release, aztec-up scripts, etc.).
499- # Gated on ci-compat-e2e: a compat regression blocks stable/RC publishing. Nightlies
500- # publish regardless — compat-e2e runs there observationally. Dev `-commit.` tags from
501- # the ci-release-pr flow never reach this job (they are not real releases).
502- ci-release-publish :
503- runs-on : ubuntu-latest
504- environment : master
505- permissions :
506- id-token : write
507- contents : read
508- needs : [ci, ci-compat-e2e]
509- if : |
510- startsWith(github.ref, 'refs/tags/v')
511- && !contains(github.ref_name, '-commit.')
512- && needs.ci.result == 'success'
513- && (
514- contains(github.ref_name, '-nightly.')
515- || needs.ci-compat-e2e.result == 'success'
516- )
517- steps :
518- - name : Checkout
519- uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
520- with :
521- ref : ${{ github.sha }}
522-
523- - name : Configure AWS credentials (OIDC)
524- uses : aws-actions/configure-aws-credentials@v4
525- with :
526- role-to-assume : ${{ secrets.AWS_OIDC_ROLE_ARN }}
527- aws-region : us-east-2
528- role-session-name : ci3-release-publish-${{ github.run_id }}
529- role-duration-seconds : 21600
530-
531- - name : Run Release Publish
532- env :
533- GITHUB_TOKEN : ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
534- BUILD_INSTANCE_SSH_KEY : ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
535- GCP_SA_KEY : ${{ secrets.GCP_SA_KEY }}
536- GCP_PROJECT_ID : ${{ secrets.GCP_PROJECT_ID }}
537- DOCKERHUB_PASSWORD : ${{ secrets.DOCKERHUB_PASSWORD }}
538- DOCKERHUB_USERNAME : ${{ secrets.DOCKERHUB_USERNAME }}
539- NPM_TOKEN : ${{ secrets.NPM_TOKEN }}
540- CARGO_REGISTRY_TOKEN : ${{ secrets.CARGO_REGISTRY_TOKEN }}
541- NETLIFY_SITE_ID : ${{ secrets.NETLIFY_SITE_ID }}
542- NETLIFY_AUTH_TOKEN : ${{ secrets.NETLIFY_AUTH_TOKEN }}
543- SLACK_BOT_TOKEN : ${{ secrets.SLACK_BOT_TOKEN }}
544- CI3_INSTANCE_PROFILE_NAME : ${{ secrets.CI3_INSTANCE_PROFILE_NAME }}
545- CI3_SECURITY_GROUP_ID : ${{ secrets.CI3_SECURITY_GROUP_ID }}
546- RUN_ID : ${{ github.run_id }}
547- run : ./.github/ci3.sh release-publish