diff --git a/.github/workflows/ci3-external.yml b/.github/workflows/ci3-external.yml
index afbcc7deb840..832d16d52181 100644
--- a/.github/workflows/ci3-external.yml
+++ b/.github/workflows/ci3-external.yml
@@ -41,7 +41,7 @@ jobs:
 PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
 PR_NUMBER: ${{ github.event.pull_request.number }}
 HAS_CI_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'ci-external') || github.event.label.name == 'ci-external-once' }}
- GH_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+ GH_TOKEN: ${{ github.token }}
 run: |
 set -o pipefail
 git fetch origin "$PR_BASE_REF" --depth=1 &>/dev/null
@@ -68,7 +68,7 @@ jobs:
 MERGE_GROUP_BASE_REF: ${{ github.event.merge_group.base_ref }}
 PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
 GITHUB_REF_NAME: ${{ github.ref_name }}
- GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ github.token }}
 PR_LABELS_JSON: ${{ toJson(github.event.pull_request.labels.*.name) }}
 run: |
 # Parse labels from JSON env var to avoid shell injection via label names
@@ -85,7 +85,7 @@ jobs:
 # creds for being able to upload to cache.
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ github.token }}
 BUILD_INSTANCE_SSH_KEY: ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
 # DO NOT allow build instance key access to external jobs.
 CI_USE_BUILD_INSTANCE_KEY: "0"
@@ -104,7 +104,7 @@ jobs:
 # For updating success cache.
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ github.token }}
 PR_NUMBER: ${{ github.event.pull_request.number }}
 PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
 PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
diff --git a/bootstrap.sh b/bootstrap.sh
index 01918cd9def2..2bff7d039c22 100755
--- a/bootstrap.sh
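Review bot: The `+ GH_TOKEN: ${{ github.token }}` line narrows what the `gh` calls in this step may do, but no `permissions:` block is visible for the job: on `pull_request` runs from forks the automatic token is read-only whatever the workflow says, and on other events it receives the repository's default scope set, which can still be the broad legacy read/write set. Add an explicit least-privilege block at the job level, `permissions:` / `contents: read` / `pull-requests: read`, widening only the scopes the commands in the `run:` body actually use. `github.token` is also scoped to this repository alone, so any call that previously depended on the bot account's access to other repositories will now be rejected. The step's `run:` body continues beyond the hunk.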
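Review bot: The env block on either side of the changed `GITHUB_TOKEN` line still exports long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` to the job that the `# DO NOT allow build instance key access to external jobs.` comment marks as running external code, so if fork-submitted code runs here those static keys remain exfiltratable even though the bot PAT no longer is. If the external job can live with a cold cache, the `NO_CACHE_UPLOAD` guard added to `ci3/cache_upload` in this same change lets the two AWS entries be dropped in favour of `NO_CACHE_UPLOAD: "1"`; otherwise issue short-lived credentials via OIDC with a role limited to writes under the cache prefix. Whether this job actually executes untrusted code depends on the workflow's `on:` triggers and label gating, which are outside the hunk.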
+++ b/bootstrap.sh
@@ -817,8 +817,24 @@ case "$cmd" in
 if ! semver check $REF_NAME; then
 exit 1
 fi
- build release
- release
+ if [[ "$(semver prerelease $REF_NAME)" == private* ]]; then
+ echo_header "Private fork release: $REF_NAME"
+ echo "Creating GitHub release from public repo context (COMMIT_HASH=$COMMIT_HASH)..."
+ release_github
+ echo "Fetching private source from aztec-packages-private..."
+ git remote add private "https://x-access-token:${GITHUB_TOKEN}@github.com/AztecProtocol/aztec-packages-private.git"
+ git fetch --depth 1 private "refs/tags/$REF_NAME"
+ git worktree add aztec-private FETCH_HEAD
+ cd aztec-private
+ echo "Initializing submodules in private worktree..."
+ git submodule update --init --recursive
+ echo "Private worktree ready at $(pwd) (HEAD=$(git rev-parse --short HEAD)). Cache uploads disabled."
+ export NO_CACHE_UPLOAD=1
+ # Unset so child bootstrap.sh re-derives these from the worktree.
+ unset COMMIT_HASH root
+ fi
+ ./bootstrap.sh build release
+ ./bootstrap.sh release
 ;;
 ##########################
diff --git a/ci3/cache_upload b/ci3/cache_upload
index 213fe4551f4b..21a206d7c934 100755
--- a/ci3/cache_upload
+++ b/ci3/cache_upload
@@ -22,6 +22,11 @@ if [[ -z "${S3_FORCE_UPLOAD:-}" && "${CI:-0}" -eq 0 ]]; then
 exit 0
 fi
+if [[ "${NO_CACHE_UPLOAD:-0}" -eq 1 ]]; then
+ echo_stderr "Skipping upload because NO_CACHE_UPLOAD=1."
+ exit 0
+fi
+
 # In SSM/instance-profile mode, AWS CLI falls back to IMDS for credentials.
 if [[ "${CI_SSM_MODE:-0}" -eq 0 ]]; then
 if [[ -z "${AWS_ACCESS_KEY_ID:-}" || -z "${AWS_SECRET_ACCESS_KEY:-}" ]] && ! aws configure get aws_access_key_id &>/dev/null; then
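Review bot: The `git remote add private "https://x-access-token:${GITHUB_TOKEN}@github.com/..."` line writes the token into `.git/config` of the public checkout, where it shows up in `git remote -v`, in that command's argv, and in any later archive or cache of the repository directory, outliving the job. Fetch the URL without registering a remote and hand the credential to git through its helper interface instead, e.g. `git -c credential.helper='!f() { echo username=x-access-token; echo "password=$GITHUB_TOKEN"; }; f' fetch --depth 1 https://github.com/AztecProtocol/aztec-packages-private.git "refs/tags/$REF_NAME"` (GITHUB_TOKEN must be exported for the helper's shell to see it). Separately, the private tag is trusted by name only: nothing checks a signature on it or pins `FETCH_HEAD` to an expected commit, so whoever can push a `$REF_NAME` tag to the private repository chooses what `./bootstrap.sh release` ships, and a `git verify-tag` or a `git rev-parse FETCH_HEAD` comparison before `git worktree add` would close that. If this arm runs under the `github.token` swap made in `ci3-external.yml`, the fetch will also fail outright, since the automatic token is scoped to the current repository; the hunk does not show which token reaches it. The enclosing `case` arm begins before the hunk.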
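Review bot: The new guard `[[ "${NO_CACHE_UPLOAD:-0}" -eq 1 ]]` fails open: inside `[[ ]]`, `-eq` evaluates its operands arithmetically, so a value like `true` or `yes` is read as an (unset) variable name, compares as 0, and the upload silently proceeds. For a switch whose purpose is to stop uploads, fail closed instead: `if [[ "${NO_CACHE_UPLOAD:-0}" != "0" ]]; then`, so any non-empty setting other than `0` skips. The existing `"${CI:-0}" -eq 0` test above it has the same quirk but errs in the safe direction, since a non-numeric `CI` also evaluates to 0 and exits early. The rest of the script continues outside the hunk.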