55 changes: 48 additions & 7 deletions .github/workflows/release-rust-bridge.yml
Expand Up @@ -15,6 +15,17 @@ name: Release Rust Bridge Provider Bundle
#
# The tag prefix is intentionally not `v...` so the Swift release workflow
# cannot accidentally publish a Swift bundle for the bridge tag.
#
# Repo secrets use DEV_/PROD_ prefixes so both environments live at repo
# level without needing GitHub environments:
# DEV_R2_ACCESS_KEY_ID / PROD_R2_ACCESS_KEY_ID
# DEV_R2_SECRET_ACCESS_KEY / PROD_R2_SECRET_ACCESS_KEY
# DEV_R2_ENDPOINT / PROD_R2_ENDPOINT
# DEV_R2_BUCKET / PROD_R2_BUCKET
# DEV_R2_PUBLIC_URL / PROD_R2_PUBLIC_URL
# DEV_COORDINATOR_URL / PROD_COORDINATOR_URL
# RELEASE_KEY — shared across environments (no prefix)
# Apple signing secrets are shared (same cert for both envs).

on:
push:
Expand Down Expand Up @@ -53,6 +64,12 @@ jobs:
outputs:
environment: ${{ steps.pick.outputs.environment }}
version: ${{ steps.pick.outputs.version }}
r2_access_key_id: ${{ steps.secrets.outputs.r2_access_key_id }}
r2_secret_access_key: ${{ steps.secrets.outputs.r2_secret_access_key }}
r2_endpoint: ${{ steps.secrets.outputs.r2_endpoint }}
r2_bucket: ${{ steps.secrets.outputs.r2_bucket }}
r2_public_url: ${{ steps.secrets.outputs.r2_public_url }}
coordinator_url: ${{ steps.secrets.outputs.coordinator_url }}
steps:
- id: pick
run: |
Expand All @@ -72,10 +89,34 @@ jobs:
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
echo "Resolved env=$ENV version=$VERSION"

- id: secrets
env:
ENV_PREFIX: ${{ steps.pick.outputs.environment }}
DEV_R2_ACCESS_KEY_ID: ${{ secrets.DEV_R2_ACCESS_KEY_ID }}
PROD_R2_ACCESS_KEY_ID: ${{ secrets.PROD_R2_ACCESS_KEY_ID }}
DEV_R2_SECRET_ACCESS_KEY: ${{ secrets.DEV_R2_SECRET_ACCESS_KEY }}
PROD_R2_SECRET_ACCESS_KEY: ${{ secrets.PROD_R2_SECRET_ACCESS_KEY }}
DEV_R2_ENDPOINT: ${{ secrets.DEV_R2_ENDPOINT }}
PROD_R2_ENDPOINT: ${{ secrets.PROD_R2_ENDPOINT }}
DEV_R2_BUCKET: ${{ secrets.DEV_R2_BUCKET }}
PROD_R2_BUCKET: ${{ secrets.PROD_R2_BUCKET }}
DEV_R2_PUBLIC_URL: ${{ secrets.DEV_R2_PUBLIC_URL }}
PROD_R2_PUBLIC_URL: ${{ secrets.PROD_R2_PUBLIC_URL }}
DEV_COORDINATOR_URL: ${{ secrets.DEV_COORDINATOR_URL }}
PROD_COORDINATOR_URL: ${{ secrets.PROD_COORDINATOR_URL }}
run: |
set -euo pipefail
PREFIX=$(echo "$ENV_PREFIX" | tr '[:lower:]' '[:upper:]')
for key in R2_ACCESS_KEY_ID R2_SECRET_ACCESS_KEY R2_ENDPOINT R2_BUCKET R2_PUBLIC_URL COORDINATOR_URL; do
varname="${PREFIX}_${key}"
val="${!varname}"
outkey=$(echo "$key" | tr '[:upper:]' '[:lower:]')
echo "${outkey}=${val}" >> "$GITHUB_OUTPUT"
done

build-and-release:
name: Build, sign, notarize, upload, register
needs: [resolve-env]
environment: ${{ needs.resolve-env.outputs.environment }}
runs-on: macos-26-xlarge

env:
Expand Down Expand Up @@ -306,10 +347,10 @@ jobs:

- name: Upload bridge artifacts to R2
env:
AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }}
R2_BUCKET: ${{ vars.R2_BUCKET }}
AWS_ACCESS_KEY_ID: ${{ needs.resolve-env.outputs.r2_access_key_id }}
AWS_SECRET_ACCESS_KEY: ${{ needs.resolve-env.outputs.r2_secret_access_key }}
R2_ENDPOINT: ${{ needs.resolve-env.outputs.r2_endpoint }}
R2_BUCKET: ${{ needs.resolve-env.outputs.r2_bucket }}
run: |
set -euo pipefail
PREFIX="s3://${R2_BUCKET}/releases/v${VERSION}"
Expand Down Expand Up @@ -339,9 +380,9 @@ jobs:

- name: Register bridge release with coordinator
env:
COORDINATOR_URL: ${{ secrets.COORDINATOR_URL }}
COORDINATOR_URL: ${{ needs.resolve-env.outputs.coordinator_url }}
RELEASE_KEY: ${{ secrets.RELEASE_KEY }}
R2_PUBLIC_URL: ${{ secrets.R2_PUBLIC_URL }}
R2_PUBLIC_URL: ${{ needs.resolve-env.outputs.r2_public_url }}
run: |
set -euo pipefail
BUNDLE_URL="${R2_PUBLIC_URL}/releases/v${VERSION}/eigeninference-bundle-macos-arm64.tar.gz"
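Review bot: The six new `resolve-env` job outputs (`r2_access_key_id` through `coordinator_url`) are filled from repository secrets, and the Actions runner skips any job output whose value contains a registered secret, so `needs.resolve-env.outputs.*` in the "Upload bridge artifacts to R2" and "Register bridge release with coordinator" steps would most likely arrive empty. Select the secret inside the consuming job instead, for example `AWS_ACCESS_KEY_ID: ${{ secrets[format('{0}_R2_ACCESS_KEY_ID', needs.resolve-env.outputs.environment)] }}`, and do the same for the other five values; that also avoids loading both the DEV_ and PROD_ credentials into one step's environment. If the `secrets` step is kept for another reason, `val="${!varname}"` should become `val="${!varname:?$varname is not set}"`, because an unset repository secret expands to an empty string and passes `set -u`. The addition and deletion counts suggest that `environment: ${{ needs.resolve-env.outputs.environment }}` is removed from `build-and-release`; if so, any required-reviewer or branch rule configured on the prod environment no longer gates this job, and the PROD_ secrets become readable by every workflow in the repository. The same changes appear in release-swift.yml.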
58 changes: 50 additions & 8 deletions .github/workflows/release-swift.yml
Expand Up @@ -23,6 +23,17 @@ name: Release Provider Bundle (Swift)
#
# The one-time Rust migration bridge intentionally uses `rust-bridge-vX.Y.Z`
# so it cannot be confused with the Swift cutover tags above.
#
# Repo secrets use DEV_/PROD_ prefixes so both environments live at repo
# level without needing GitHub environments:
# DEV_R2_ACCESS_KEY_ID / PROD_R2_ACCESS_KEY_ID
# DEV_R2_SECRET_ACCESS_KEY / PROD_R2_SECRET_ACCESS_KEY
# DEV_R2_ENDPOINT / PROD_R2_ENDPOINT
# DEV_R2_BUCKET / PROD_R2_BUCKET
# DEV_R2_PUBLIC_URL / PROD_R2_PUBLIC_URL
# DEV_COORDINATOR_URL / PROD_COORDINATOR_URL
# RELEASE_KEY — shared across environments (no prefix)
# Apple signing secrets are shared (same cert for both envs).

on:
push:
Expand Down Expand Up @@ -62,6 +73,12 @@ jobs:
outputs:
environment: ${{ steps.pick.outputs.environment }}
version: ${{ steps.pick.outputs.version }}
r2_access_key_id: ${{ steps.secrets.outputs.r2_access_key_id }}
r2_secret_access_key: ${{ steps.secrets.outputs.r2_secret_access_key }}
r2_endpoint: ${{ steps.secrets.outputs.r2_endpoint }}
r2_bucket: ${{ steps.secrets.outputs.r2_bucket }}
r2_public_url: ${{ steps.secrets.outputs.r2_public_url }}
coordinator_url: ${{ steps.secrets.outputs.coordinator_url }}
steps:
- id: pick
run: |
Expand All @@ -84,10 +101,34 @@ jobs:
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
echo "Resolved env=$ENV version=$VERSION"

- id: secrets
env:
ENV_PREFIX: ${{ steps.pick.outputs.environment }}
DEV_R2_ACCESS_KEY_ID: ${{ secrets.DEV_R2_ACCESS_KEY_ID }}
PROD_R2_ACCESS_KEY_ID: ${{ secrets.PROD_R2_ACCESS_KEY_ID }}
DEV_R2_SECRET_ACCESS_KEY: ${{ secrets.DEV_R2_SECRET_ACCESS_KEY }}
PROD_R2_SECRET_ACCESS_KEY: ${{ secrets.PROD_R2_SECRET_ACCESS_KEY }}
DEV_R2_ENDPOINT: ${{ secrets.DEV_R2_ENDPOINT }}
PROD_R2_ENDPOINT: ${{ secrets.PROD_R2_ENDPOINT }}
DEV_R2_BUCKET: ${{ secrets.DEV_R2_BUCKET }}
PROD_R2_BUCKET: ${{ secrets.PROD_R2_BUCKET }}
DEV_R2_PUBLIC_URL: ${{ secrets.DEV_R2_PUBLIC_URL }}
PROD_R2_PUBLIC_URL: ${{ secrets.PROD_R2_PUBLIC_URL }}
DEV_COORDINATOR_URL: ${{ secrets.DEV_COORDINATOR_URL }}
PROD_COORDINATOR_URL: ${{ secrets.PROD_COORDINATOR_URL }}
run: |
set -euo pipefail
PREFIX=$(echo "$ENV_PREFIX" | tr '[:lower:]' '[:upper:]')
for key in R2_ACCESS_KEY_ID R2_SECRET_ACCESS_KEY R2_ENDPOINT R2_BUCKET R2_PUBLIC_URL COORDINATOR_URL; do
varname="${PREFIX}_${key}"
val="${!varname}"
outkey=$(echo "$key" | tr '[:upper:]' '[:lower:]')
echo "${outkey}=${val}" >> "$GITHUB_OUTPUT"
done

build-and-release:
name: Build, sign, notarize, upload, register
needs: [resolve-env]
environment: ${{ needs.resolve-env.outputs.environment }}
runs-on: macos-26-xlarge

env:
Expand Down Expand Up @@ -295,10 +336,11 @@ jobs:

- name: Upload bundle to R2
env:
AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }}
R2_BUCKET: ${{ vars.R2_BUCKET }}
AWS_ACCESS_KEY_ID: ${{ needs.resolve-env.outputs.r2_access_key_id }}
AWS_SECRET_ACCESS_KEY: ${{ needs.resolve-env.outputs.r2_secret_access_key }}
R2_ENDPOINT: ${{ needs.resolve-env.outputs.r2_endpoint }}
R2_BUCKET: ${{ needs.resolve-env.outputs.r2_bucket }}
R2_PUBLIC_URL: ${{ needs.resolve-env.outputs.r2_public_url }}
run: |
set -euo pipefail
PREFIX="s3://${R2_BUCKET}/releases/v${VERSION}"
Expand Down Expand Up @@ -335,9 +377,9 @@ jobs:

- name: Register release with coordinator
env:
COORDINATOR_URL: ${{ secrets.COORDINATOR_URL }}
COORDINATOR_URL: ${{ needs.resolve-env.outputs.coordinator_url }}
RELEASE_KEY: ${{ secrets.RELEASE_KEY }}
R2_PUBLIC_URL: ${{ secrets.R2_PUBLIC_URL }}
R2_PUBLIC_URL: ${{ needs.resolve-env.outputs.r2_public_url }}
run: |
set -euo pipefail
BUNDLE_URL="${R2_PUBLIC_URL}/releases/v${VERSION}/darkbloom-bundle-macos-arm64.tar.gz"
Expand Down Expand Up @@ -390,7 +432,7 @@ jobs:
### Install

\`\`\`bash
curl -fsSL ${{ secrets.COORDINATOR_URL }}/install.sh | bash
curl -fsSL ${{ needs.resolve-env.outputs.coordinator_url }}/install.sh | bash
\`\`\`

NOTES
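Review bot: The install line written into the release notes, `curl -fsSL ${{ needs.resolve-env.outputs.coordinator_url }}/install.sh | bash`, now depends on a job output derived from a secret, and nothing in the visible lines checks that it is non-empty; if the runner withholds that output, the published notes would read `curl -fsSL /install.sh | bash`. A URL that is printed in public release notes is not confidential, so `DEV_COORDINATOR_URL` / `PROD_COORDINATOR_URL` (and probably the `R2_PUBLIC_URL` pair) fit better as repository variables read through the `vars` context, which are not masked and can be passed between jobs. Whichever source is used, pass the value to the step through `env:` and guard it before the notes are generated, e.g. `: "${COORDINATOR_URL:?coordinator URL is empty}"`, rather than expanding `${{ }}` directly into the script text. The step that builds the notes starts outside this hunk, so its existing `env:` block is not visible here.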