Skip to content

Commit 64e10be

Browse files
committed
Merge branch 'feature/cicd' into development
2 parents d304f96 + 59f8afa commit 64e10be

2 files changed

Lines changed: 23 additions & 4 deletions

File tree

.agents/skills/ci-cd/SKILL.md

Lines changed: 22 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -623,18 +623,36 @@ When the main `README.MD` changes its tagline, logo URL, quick start commands, o
623623
When a new platform is added to any release matrix (e.g. `linux-arm64`), update the platform support table in `npm/smbcloud-cli/README.md` and `pypi/README.md` in the same PR.
624624

625625
**Use workflow-level `env:` for compile-time secrets, not `$GITHUB_ENV` export steps**
626-
Compile-time secrets like `CLI_CLIENT_SECRET` (read by `env!()`) must be available to every `cargo` invocation across all platforms — including maturin-action's internal Docker containers (manylinux) and Windows subprocesses. Writing to `$GITHUB_ENV` in a separate step is unreliable: it does not propagate into Docker containers, and on Windows runners the default PowerShell shell does not expand `"$GITHUB_ENV"` correctly.
626+
Compile-time secrets like `CLI_CLIENT_SECRET` (read by `env!()`) must be available to every `cargo` invocation across all platforms. Writing to `$GITHUB_ENV` in a separate step is unreliable: it does not propagate into Docker containers, and on Windows runners the default PowerShell shell does not expand `"$GITHUB_ENV"` correctly.
627627

628-
The correct approach is to declare the secret in the workflow-level `env:` block, which GitHub Actions propagates to all jobs, all steps, and all subprocesses automatically:
628+
Declare the secret in the workflow-level `env:` block:
629629

630630
```yaml
631631
env:
632632
CLI_CLIENT_SECRET: ${{ secrets.CLI_CLIENT_SECRET }}
633633
CARGO_TERM_COLOR: always
634-
# ... other env vars
635634
```
636635

637-
Never add a dedicated "Export build secret" step for this purpose. One line in `env:` replaces it entirely and works on Linux (including Docker), macOS, and Windows without any shell workarounds.
636+
Never add a dedicated "Export build secret" step for this purpose.
637+
638+
**manylinux Docker containers require `docker-options` to forward env vars**
639+
Even with the secret in the workflow-level `env:` block, maturin-action's manylinux builds run inside a Docker container that does not automatically inherit the runner's environment. The secret is visible to the action process (shown as `CLI_CLIENT_SECRET: ***` in the step log) but is not forwarded into the container unless explicitly requested.
640+
641+
Fix: add `docker-options: -e CLI_CLIENT_SECRET` to the `Build wheel` step:
642+
643+
```yaml
644+
- name: Build wheel
645+
uses: PyO3/maturin-action@v1
646+
with:
647+
target: ${{ matrix.build.TARGET }}
648+
manylinux: ${{ matrix.build.MANYLINUX || 'off' }}
649+
working-directory: pypi
650+
args: --release --locked --compatibility pypi --out dist
651+
before-script-linux: yum install -y perl-core
652+
docker-options: -e CLI_CLIENT_SECRET
653+
```
654+
655+
`-e CLI_CLIENT_SECRET` tells `docker run` to forward that variable from the runner process into the container. Windows and macOS legs are unaffected (they do not use Docker). Without this, `env!("CLI_CLIENT_SECRET")` fails only on Linux manylinux legs while all other platforms succeed — making the root cause easy to miss.
638656

639657
**PyPI blocks short and protocol-reserved package names**
640658
PyPI maintains a blocklist of names that are too generic or conflict with well-known protocols and tools. `smb` is blocked because it is the name of the Windows SMB/CIFS file sharing protocol. Attempting to publish a package named `smb` returns `400 The name 'smb' isn't allowed`. There is no workaround — the name cannot be registered regardless of who owns it. If you need `uvx <name>` to work without `--from`, the package name and binary name must match AND the package name must not be on the blocklist. For this repo, `uvx --from smbcloud-cli smb` is the correct form.

.github/workflows/release-pypi.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -98,6 +98,7 @@ jobs:
9898
working-directory: pypi
9999
args: --release --locked --compatibility pypi --out dist
100100
before-script-linux: yum install -y perl-core
101+
docker-options: -e CLI_CLIENT_SECRET
101102

102103
- name: Upload wheel artifact
103104
uses: actions/upload-artifact@v7

0 commit comments

Comments
 (0)