From c3fcb0e7457dc53aa4422ae4356e1fcc2a206ce6 Mon Sep 17 00:00:00 2001
From: Shijie Rao
Date: Thu, 4 Jun 2026 12:24:26 -0700
Subject: [PATCH] Use Azure artifact signing environment secrets (#25945)

## Why
Windows release signing should read Azure signing credentials from the `azure-artifact-signing` environment instead of the old repo-level `AZURE_TRUSTED_SIGNING_*` names. The smoke runs confirmed the environment secrets resolve with the new `AZURE_ARTIFACT_SIGNING_*` names once the Windows signing job is attached to that environment.
## What Changed
- Put the real Windows signing job in the `azure-artifact-signing` environment.
- Switch the Windows signing action inputs from `AZURE_TRUSTED_SIGNING_*` to `AZURE_ARTIFACT_SIGNING_*`.
- Drop the obsolete `workflow_call.secrets` declarations for the old repo-level secret names; the caller continues to use `secrets: inherit`.
- Remove the temporary branch-trigger and Windows-only smoke-test workflow changes before finalizing this PR.
## Validation
- `git diff --check -- .github/workflows/rust-release.yml .github/workflows/rust-release-windows.yml`
- `ruby -e 'require "yaml"; ARGV.each { |f| YAML.load_file(f); puts "yaml ok: #{f}" }' .github/workflows/rust-release.yml .github/workflows/rust-release-windows.yml`
---
 .github/workflows/rust-release-windows.yml | 28 +++++++----------------
 1 file changed, 9 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/rust-release-windows.yml b/.github/workflows/rust-release-windows.yml
index 89bcd33ea..b4c2b84c0 100644
--- a/.github/workflows/rust-release-windows.yml
+++ b/.github/workflows/rust-release-windows.yml
@@ -6,19 +6,6 @@ on:
 release-lto:
 required: true
 type: string
- secrets:
- AZURE_TRUSTED_SIGNING_CLIENT_ID:
- required: true
- AZURE_TRUSTED_SIGNING_TENANT_ID:
- required: true
- AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID:
- required: true
- AZURE_TRUSTED_SIGNING_ENDPOINT:
- required: true
- AZURE_TRUSTED_SIGNING_ACCOUNT_NAME:
- required: true
- AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME:
- required: true
 # Cargo's libgit2 transport has been flaky when fetching git dependencies with
 # nested submodules. Prefer the system git CLI across every Cargo invocation.
@@ -150,6 +137,9 @@ jobs:
 - build-windows-binaries
 name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
 runs-on: ${{ matrix.runs_on }}
+ environment:
+ name: azure-artifact-signing
+ deployment: false
 timeout-minutes: 90
 permissions:
 contents: read
@@ -211,12 +201,12 @@ jobs:
 with:
 target: ${{ matrix.target }}
 binaries: ${{ env.WINDOWS_BINARIES }}
- client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
- endpoint: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
- account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
- certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
+ client-id: ${{ secrets.AZURE_ARTIFACT_SIGNING_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_ARTIFACT_SIGNING_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_ARTIFACT_SIGNING_SUBSCRIPTION_ID }}
+ endpoint: ${{ secrets.AZURE_ARTIFACT_SIGNING_ENDPOINT }}
+ account-name: ${{ secrets.AZURE_ARTIFACT_SIGNING_ACCOUNT_NAME }}
+ certificate-profile-name: ${{ secrets.AZURE_ARTIFACT_SIGNING_CERTIFICATE_PROFILE_NAME }}
 - name: Stage artifacts
 shell: bash
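Review bot: The new `environment:` stanza in the second hunk carries no comment saying that it is now the only thing gating access to the release signing credentials, so a reader of this job cannot tell why the environment is attached or what protects it. With the `workflow_call.secrets` contract removed in the first hunk and the caller using `secrets: inherit`, the environment's own protection rules (deployment branch/tag policy, required reviewers) are what decide which runs can obtain the `AZURE_ARTIFACT_SIGNING_*` values; that should be stated next to the stanza, e.g. `# Signing credentials are environment secrets: the azure-artifact-signing environment's` / `# protection rules (branch/tag policy, reviewers) decide which runs can obtain them.` Because `environment` is job-scoped, every step in this job can reference those secrets, not only the signing step — acceptable, but worth noting so that any step added to this job later is reviewed with that in mind. The job definition begins before this hunk, so the surrounding steps are not visible here.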
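Review bot: In the third hunk the six renamed `secrets.AZURE_ARTIFACT_SIGNING_*` inputs are no longer declared anywhere in this workflow, so a secret missing from the `azure-artifact-signing` environment expands to an empty string at these `with:` lines and the failure (if any) surfaces inside the signing action rather than at workflow validation, as it previously would have with the `required: true` declarations dropped in the first hunk. A short preflight step that fails fast when any of the six values is empty, placed before the signing step, restores that guarantee; it must only print the secret name, never the value. The step that owns this `with:` block (its `name:`/`uses:` lines) starts before the hunk, so the exact insertion point has to be confirmed against the full file.
```yaml
      - name: Check Azure artifact signing secrets are set
        shell: bash
        env:
          AZURE_ARTIFACT_SIGNING_CLIENT_ID: ${{ secrets.AZURE_ARTIFACT_SIGNING_CLIENT_ID }}
          AZURE_ARTIFACT_SIGNING_TENANT_ID: ${{ secrets.AZURE_ARTIFACT_SIGNING_TENANT_ID }}
          AZURE_ARTIFACT_SIGNING_SUBSCRIPTION_ID: ${{ secrets.AZURE_ARTIFACT_SIGNING_SUBSCRIPTION_ID }}
          AZURE_ARTIFACT_SIGNING_ENDPOINT: ${{ secrets.AZURE_ARTIFACT_SIGNING_ENDPOINT }}
          AZURE_ARTIFACT_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_ARTIFACT_SIGNING_ACCOUNT_NAME }}
          AZURE_ARTIFACT_SIGNING_CERTIFICATE_PROFILE_NAME: ${{ secrets.AZURE_ARTIFACT_SIGNING_CERTIFICATE_PROFILE_NAME }}
        run: |
          # Report only the variable name; never echo the value.
          for name in AZURE_ARTIFACT_SIGNING_CLIENT_ID AZURE_ARTIFACT_SIGNING_TENANT_ID \
                      AZURE_ARTIFACT_SIGNING_SUBSCRIPTION_ID AZURE_ARTIFACT_SIGNING_ENDPOINT \
                      AZURE_ARTIFACT_SIGNING_ACCOUNT_NAME AZURE_ARTIFACT_SIGNING_CERTIFICATE_PROFILE_NAME; do
            if [ -z "${!name}" ]; then
              echo "::error::$name is not set in the azure-artifact-signing environment"
              exit 1
            fi
          done
      # … unchanged: signing step with the renamed AZURE_ARTIFACT_SIGNING_* inputs …
```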