Harden CD by adopting unxt's secure staged-publish model; unify Stage B into single workflow (#496)

* chore: start CD security hardening plan
* harden CD workflows to follow unxt staged publish model
* unify five cd-publish workflows into single cd-publish.yml

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nstarman <8949649+nstarman@users.noreply.github.com>

Author: Copilot

.github/actions/dispatch-package-cd/action.yml

@@ -0,0 +1,86 @@
+name: Dispatch package CD workflow
+description: >
+  Dispatch a package CD workflow for a tag, with an idempotency check so that
+  re-running the coordinator workflow does not trigger duplicate CD runs.
+
+inputs:
+  workflow_id:
+    description: The workflow file name to dispatch (for example cd-coordinax.yml).
+    required: true
+  workflow_name:
+    description: Human-readable workflow name for log messages.
+    required: true
+  tag_ref:
+    description: The tag ref to dispatch the workflow on (for example coordinax-v1.2.0).
+    required: true
+  tag_sha:
+    description: The commit SHA the tag points to.
+    required: true
+  trigger_cd:
+    description: >
+      Whether a new tag was just created ('true') or all tags pre-existed
+      ('false', i.e. a re-run). When 'false', an idempotency check is performed
+      before dispatching.
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      with:
+        script: |
+          const workflowId = "${{ inputs.workflow_id }}";
+          const workflowName = "${{ inputs.workflow_name }}";
+          const tagRef = "${{ inputs.tag_ref }}";
+          const tagSha = "${{ inputs.tag_sha }}";
+          const shouldDispatch = "${{ inputs.trigger_cd }}" === "true";
+
+          if (!shouldDispatch) {
+            const existingRuns = await github.paginate(
+              github.rest.actions.listWorkflowRuns,
+              {
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                workflow_id: workflowId,
+                branch: tagRef,
+                per_page: 100,
+              },
+            );
+
+            const hasMatchingRun = existingRuns.some(
+              (run) => {
+                const isMatchingTagSha =
+                  run.head_branch === tagRef && run.head_sha === tagSha;
+                const isBlockingRun =
+                  run.status !== "completed" ||
+                  (run.status === "completed" && run.conclusion === "success");
+
+                return isMatchingTagSha && isBlockingRun;
+              },
+            );
+
+            if (hasMatchingRun) {
+              core.info(
+                `Skipping CD dispatch for ${tagRef}: a queued/in-progress/successful ${workflowName} run already exists for ${tagSha}.`,
+              );
+              return;
+            }
+
+            core.info(
+              `No queued/in-progress/successful ${workflowName} run found for ${tagRef} at ${tagSha}; dispatching recovery run.`,
+            );
+          }
+
+          try {
+            await github.rest.actions.createWorkflowDispatch({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: workflowId,
+              ref: tagRef,
+            });
+            core.info(`Triggered ${workflowName} for tag ${tagRef}`);
+          } catch (error) {
+            core.setFailed(
+              `Failed to trigger ${workflowName} for tag ${tagRef}: ${error.message}`,
+            );
+          }

.github/workflows/cd-coordinax-api.yml

@@ -2,10 +2,6 @@ name: CD - coordinax.api
 
 on:
   workflow_dispatch:
-  pull_request:
-    paths:
-      - "packages/coordinax.api/**"
-      - ".github/workflows/cd-coordinax.api.yml"
   push:
     branches:
       - main
@@ -14,11 +10,6 @@ on:
     paths:
       - "packages/coordinax.api/**"
       - ".github/workflows/cd-coordinax-api.yml"
-  workflow_run:
-    workflows:
-      - "Create Package Tags"
-    types:
-      - completed
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -33,14 +24,9 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      id-token: write
-      attestations: write
-    # Build runs for direct tag pushes or via workflow_run from Create Package Tags
-    # (which handles coordinator tag releases)
+    # Build runs for manual dispatch, main pushes, and direct package tag pushes.
     if: |
       github.event_name == 'workflow_dispatch' ||
-      github.event_name == 'pull_request' ||
-      (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') ||
       (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
       (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/'))
 
@@ -51,83 +37,52 @@ jobs:
           # Can be removed if switching to hardcoded versions.
           fetch-depth: 0
           persist-credentials: false
-          # For workflow_run events, checkout the exact commit from upstream workflow
-          ref: >-
-            ${{ github.event_name == 'workflow_run' &&
-            github.event.workflow_run.head_sha || github.ref }}
-
-      # For workflow_run events, find and export the package-specific tag
-      - name: Find package tag (workflow_run)
-        if: github.event_name == 'workflow_run'
-        uses: ./.github/actions/find-package-tag
-        with:
-          tag_glob: coordinax-api-v*
-          commit_sha: ${{ github.event.workflow_run.head_sha }}
-
-      - uses: astral-sh/setup-uv@v7
+          # This workflow only runs on trusted `push` and `workflow_dispatch` events.
+          ref: ${{ github.ref }}
 
       - name: Validate git tag (for tagged releases)
-        if: |
-          startsWith(github.ref, 'refs/tags/') || github.event_name ==
-          'workflow_run'
+        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+        env:
+          GITHUB_REF_VAR: ${{ github.ref }}
+        run: |
+          TAG="${GITHUB_REF_VAR#refs/tags/}"
+          python scripts/validate_tag.py "$TAG" "coordinax.api"
+        shell: bash
+
+      - name: Emit release metadata
+        env:
+          EVENT_NAME: ${{ github.event_name }}
         run: |
-          if [ "${{ github.event_name }}" = "workflow_run" ]; then
-            TAG="$PACKAGE_TAG"
+          HEAD_SHA=$(git rev-parse HEAD)
+
+          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
+            TAG="${GITHUB_REF#refs/tags/}"
           else
-            TAG=${GITHUB_REF#refs/tags/}
+            TAG=""
           fi
-          uv run scripts/validate_tag.py "$TAG" "coordinax.api"
+          TRIGGER_EVENT="${EVENT_NAME}"
+
+          jq -n \
+            --arg package "coordinax.api" \
+            --arg package_tag "${TAG}" \
+            --arg head_sha "${HEAD_SHA}" \
+            --arg trigger_event "${TRIGGER_EVENT}" \
+            '{"package": $package, "package_tag": $package_tag, "head_sha": $head_sha, "trigger_event": $trigger_event}' \
+            > release-metadata.json
+
+          echo "Release metadata:"
+          cat release-metadata.json
         shell: bash
 
       - uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17.0
         with:
           path: packages/coordinax.api
           upload-name-suffix: -coordinax.api
-          attest-build-provenance-github: ${{ github.event_name != 'pull_request' }}
+          attest-build-provenance-github: false
 
-  publish-testpypi:
-    name: Publish to TestPyPI
-    needs: [build]
-    runs-on: ubuntu-latest
-    environment:
-      name: testpypi
-      url: https://test.pypi.org/p/coordinax.api
-    permissions:
-      id-token: write
-    if: |
-      (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
-      (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/coordinax-api-v')) ||
-      github.event_name == 'workflow_run'
-
-    steps:
-      - name: Download built artifact to dist/
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      - name: Upload release metadata artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
-          name: Packages-coordinax.api
-          path: dist
-
-      - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        with:
-          repository-url: https://test.pypi.org/legacy/
-
-  publish-pypi:
-    name: Publish to PyPI
-    needs: [build]
-    runs-on: ubuntu-latest
-    environment:
-      name: pypi
-      url: https://pypi.org/p/coordinax.api
-    permissions:
-      id-token: write
-    if: |
-      (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/coordinax-api-v')) ||
-      github.event_name == 'workflow_run'
-
-    steps:
-      - name: Download built artifact to dist/
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: Packages-coordinax.api
-          path: dist
-
-      - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+          name: release-metadata-coordinax-api
+          path: release-metadata.json
+          retention-days: 7