From af18e92140f875f042325114108b8720d6836e96 Mon Sep 17 00:00:00 2001
From: Shijie Rao
Date: Tue, 2 Jun 2026 12:41:13 -0700
Subject: [PATCH] Use environment secrets for Azure signing (#24859)

## Summary
- Move Azure Trusted Signing values out of reusable workflow-call secrets and into the `azure-artifact-signing` environment scope
- Attach the Windows signing job to the `azure-artifact-signing` environment so it can resolve the signing secrets directly
- Stop inheriting caller secrets for the Windows release reusable workflow

## Validation
- `git diff --check -- .github/workflows/rust-release.yml .github/workflows/rust-release-windows.yml`
- `ruby -e 'require "yaml"; ARGV.each { |path| YAML.load_file(path); puts "ok #{path}" }' .github/workflows/rust-release.yml .github/workflows/rust-release-windows.yml`
---
 .github/workflows/rust-release-windows.yml | 16 +++-------------
 .github/workflows/rust-release.yml | 1 -
 2 files changed, 3 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/rust-release-windows.yml b/.github/workflows/rust-release-windows.yml
index fc14088ef..0d8cc2969 100644
--- a/.github/workflows/rust-release-windows.yml
+++ b/.github/workflows/rust-release-windows.yml
@@ -6,19 +6,6 @@ on:
 release-lto:
 required: true
 type: string
- secrets:
- AZURE_TRUSTED_SIGNING_CLIENT_ID:
- required: true
- AZURE_TRUSTED_SIGNING_TENANT_ID:
- required: true
- AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID:
- required: true
- AZURE_TRUSTED_SIGNING_ENDPOINT:
- required: true
- AZURE_TRUSTED_SIGNING_ACCOUNT_NAME:
- required: true
- AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME:
- required: true
 
 # Cargo's libgit2 transport has been flaky when fetching git dependencies with
 # nested submodules. Prefer the system git CLI across every Cargo invocation.
@@ -164,6 +151,9 @@ jobs:
 - build-windows-binaries
 name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
 runs-on: ${{ matrix.runs_on }}
+ environment:
+ name: azure-artifact-signing
+ deployment: false
 timeout-minutes: 90
 permissions:
 contents: read
diff --git a/.github/workflows/rust-release.yml b/.github/workflows/rust-release.yml
index 364fe7890..6b0814dae 100644
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -865,7 +865,6 @@ jobs:
 uses: ./.github/workflows/rust-release-windows.yml
 with:
 release-lto: ${{ contains(github.ref_name, '-alpha') && 'thin' || 'fat' }}
- secrets: inherit
 
 argument-comment-lint-release-assets:
 if: ${{ github.event_name != 'workflow_dispatch' || inputs.release_mode != 'promote_signed' }}
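Review bot: With the `secrets:` contract removed from `workflow_call` in the first hunk, nothing in this workflow fails fast any more when the `azure-artifact-signing` environment is missing one of the Azure Trusted Signing values — a `${{ secrets.AZURE_TRUSTED_SIGNING_* }}` reference in the signing steps (which sit outside this hunk) expands to an empty string, and the job fails, if at all, only inside the signing tool. A one-line guard before signing restores the previous fail-fast behaviour, e.g. `run: test -n "$AZURE_TRUSTED_SIGNING_CLIENT_ID" || { echo "azure-artifact-signing environment is missing a signing secret"; exit 1; }` with the secret mapped in through `env:`. Since the environment binding is now the only control on who can reach the signing credentials, I would also put a comment on the new `environment:` key, `# Signing secrets are scoped to the azure-artifact-signing environment; its protection rules (required reviewers, deployment branch/tag policy) decide who can trigger signing`, so the next editor does not treat it as a cosmetic label. Finally, `deployment: false` is not among the `environment` keys I know to be documented (`name`, `url`), and the commit's validation only checks that the file parses as YAML, so please confirm the Actions workflow schema accepts it, because an unrecognised key would fail the release workflow at load time.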