You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: .agents/skills/ci-cd/SKILL.md
+22-4Lines changed: 22 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -623,18 +623,36 @@ When the main `README.MD` changes its tagline, logo URL, quick start commands, o
623
623
When a new platform is added to any release matrix (e.g. `linux-arm64`), update the platform support table in `npm/smbcloud-cli/README.md` and `pypi/README.md` in the same PR.
624
624
625
625
**Use workflow-level `env:` for compile-time secrets, not `$GITHUB_ENV` export steps**
626
-
Compile-time secrets like `CLI_CLIENT_SECRET` (read by `env!()`) must be available to every `cargo` invocation across all platforms — including maturin-action's internal Docker containers (manylinux) and Windows subprocesses. Writing to `$GITHUB_ENV` in a separate step is unreliable: it does not propagate into Docker containers, and on Windows runners the default PowerShell shell does not expand `"$GITHUB_ENV"` correctly.
626
+
Compile-time secrets like `CLI_CLIENT_SECRET` (read by `env!()`) must be available to every `cargo` invocation across all platforms. Writing to `$GITHUB_ENV` in a separate step is unreliable: it does not propagate into Docker containers, and on Windows runners the default PowerShell shell does not expand `"$GITHUB_ENV"` correctly.
627
627
628
-
The correct approach is to declare the secret in the workflow-level `env:` block, which GitHub Actions propagates to all jobs, all steps, and all subprocesses automatically:
628
+
Declare the secret in the workflow-level `env:` block:
Never add a dedicated "Export build secret" step for this purpose. One line in `env:` replaces it entirely and works on Linux (including Docker), macOS, and Windows without any shell workarounds.
636
+
Never add a dedicated "Export build secret" step for this purpose.
637
+
638
+
**manylinux Docker containers require `docker-options` to forward env vars**
639
+
Even with the secret in the workflow-level `env:` block, maturin-action's manylinux builds run inside a Docker container that does not automatically inherit the runner's environment. The secret is visible to the action process (shown as `CLI_CLIENT_SECRET: ***` in the step log) but is not forwarded into the container unless explicitly requested.
640
+
641
+
Fix: add `docker-options: -e CLI_CLIENT_SECRET` to the `Build wheel` step:
`-e CLI_CLIENT_SECRET`tells `docker run` to forward that variable from the runner process into the container. Windows and macOS legs are unaffected (they do not use Docker). Without this, `env!("CLI_CLIENT_SECRET")` fails only on Linux manylinux legs while all other platforms succeed — making the root cause easy to miss.
638
656
639
657
**PyPI blocks short and protocol-reserved package names**
640
658
PyPI maintains a blocklist of names that are too generic or conflict with well-known protocols and tools. `smb` is blocked because it is the name of the Windows SMB/CIFS file sharing protocol. Attempting to publish a package named `smb` returns `400 The name 'smb' isn't allowed`. There is no workaround — the name cannot be registered regardless of who owns it. If you need `uvx <name>` to work without `--from`, the package name and binary name must match AND the package name must not be on the blocklist. For this repo, `uvx --from smbcloud-cli smb` is the correct form.
0 commit comments