feat: support private fork releases via ci-release

.github/workflows/ci3-external.yml

@@ -41,7 +41,7 @@ jobs:
           PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           HAS_CI_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'ci-external') || github.event.label.name == 'ci-external-once' }}
-          GH_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+          GH_TOKEN: ${{ github.token }}
         run: |
           set -o pipefail
           git fetch origin "$PR_BASE_REF" --depth=1 &>/dev/null
@@ -68,7 +68,7 @@ jobs:
           MERGE_GROUP_BASE_REF: ${{ github.event.merge_group.base_ref }}
           PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
           GITHUB_REF_NAME: ${{ github.ref_name }}
-          GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           PR_LABELS_JSON: ${{ toJson(github.event.pull_request.labels.*.name) }}
         run: |
           # Parse labels from JSON env var to avoid shell injection via label names
@@ -85,7 +85,7 @@ jobs:
           # creds for being able to upload to cache.
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           BUILD_INSTANCE_SSH_KEY: ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
           # DO NOT allow build instance key access to external jobs.
           CI_USE_BUILD_INSTANCE_KEY: "0"
@@ -104,7 +104,7 @@ jobs:
           # For updating success cache.
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
           PR_BASE_REF: ${{ github.event.pull_request.base.ref }}

bootstrap.sh

@@ -817,8 +817,24 @@ case "$cmd" in
     if ! semver check $REF_NAME; then
       exit 1
     fi
-    build release
-    release
+    if [[ "$(semver prerelease $REF_NAME)" == private* ]]; then
+      echo_header "Private fork release: $REF_NAME"
+      echo "Creating GitHub release from public repo context (COMMIT_HASH=$COMMIT_HASH)..."
+      release_github
+      echo "Fetching private source from aztec-packages-private..."
+      git remote add private "https://x-access-token:${GITHUB_TOKEN}@github.com/AztecProtocol/aztec-packages-private.git"
+      git fetch --depth 1 private "refs/tags/$REF_NAME"
+      git worktree add aztec-private FETCH_HEAD
+      cd aztec-private
+      echo "Initializing submodules in private worktree..."
+      git submodule update --init --recursive
+      echo "Private worktree ready at $(pwd) (HEAD=$(git rev-parse --short HEAD)). Cache uploads disabled."
+      export NO_CACHE_UPLOAD=1
+      # Unset so child bootstrap.sh re-derives these from the worktree.
+      unset COMMIT_HASH root
+    fi
+    ./bootstrap.sh build release
+    ./bootstrap.sh release
     ;;
 
   ##########################

ci3/cache_upload

@@ -22,6 +22,11 @@ if [[ -z "${S3_FORCE_UPLOAD:-}" && "${CI:-0}" -eq 0 ]]; then
   exit 0
 fi
 
+if [[ "${NO_CACHE_UPLOAD:-0}" -eq 1 ]]; then
+  echo_stderr "Skipping upload because NO_CACHE_UPLOAD=1."
+  exit 0
+fi
+
 # In SSM/instance-profile mode, AWS CLI falls back to IMDS for credentials.
 if [[ "${CI_SSM_MODE:-0}" -eq 0 ]]; then
   if [[ -z "${AWS_ACCESS_KEY_ID:-}" || -z "${AWS_SECRET_ACCESS_KEY:-}" ]] && ! aws configure get aws_access_key_id &>/dev/null; then