Add release keys

Author: Zac-HD

.github/workflows/main.yml

@@ -189,4 +189,6 @@ jobs:
       env:
         GH_TOKEN: ${{ secrets.GH_TOKEN }}
         TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
+        GEM_HOST_API_KEY: ${{ secrets.RUBYGEMS_TOKEN }}
+        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
       run: TASK=${{ matrix.task }} ./build.sh

tooling/src/hypothesistooling/projects/conjecturerust.py

@@ -18,7 +18,7 @@
 
 import hypothesistooling as tools
 from hypothesistooling import installers as install, releasemanagement as rm
-from hypothesistooling.junkdrawer import in_dir, unlink_if_present, unquote_string
+from hypothesistooling.junkdrawer import in_dir, unquote_string
 
 PACKAGE_NAME = "conjecture-rust"
 
@@ -98,16 +98,6 @@ def current_version():
 def upload_distribution():
     """Upload the built package to crates.io."""
     tools.assert_can_release()
-
-    # Yes, cargo really will only look in this file. Yes this is terrible.
-    # This only runs in CI, so we may be assumed to own it, but still.
-    unlink_if_present(CARGO_CREDENTIALS)
-
-    # symlink so that the actual secret credentials can't be leaked via the
-    # cache.
-    os.symlink(tools.CARGO_API_KEY, CARGO_CREDENTIALS)
-
-    # Give the key the right permissions.
-    os.chmod(CARGO_CREDENTIALS, int("0600", 8))
-
+    # Credentials are supplied by the CARGO_REGISTRY_TOKEN envvar, which in turn
+    # is set from the repository secrets by GitHub Actions.
     cargo("publish")

tooling/src/hypothesistooling/projects/hypothesisruby.py

@@ -21,7 +21,7 @@
 import hypothesistooling.installers as install
 import hypothesistooling.projects.conjecturerust as cr
 import hypothesistooling.releasemanagement as rm
-from hypothesistooling.junkdrawer import in_dir, once, unlink_if_present
+from hypothesistooling.junkdrawer import in_dir, once
 
 PACKAGE_NAME = "hypothesis-ruby"
 
@@ -157,18 +157,8 @@ def ensure_bundler():
 def upload_distribution():
     """Upload the built package to rubygems."""
     tools.assert_can_release()
-
-    # Yes, rubygems really will only look in this file. Yes this is terrible.
-    # This only runs on Travis, so we may be assumed to own it, but still.
-    unlink_if_present(RUBYGEMS_CREDENTIALS)
-
-    # symlink so that the actual secret credentials can't be leaked via the
-    # cache.
-    os.symlink(tools.RUBYGEMS_API_KEY, RUBYGEMS_CREDENTIALS)
-
-    # Give the key the right permissions.
-    os.chmod(RUBYGEMS_CREDENTIALS, int("0600", 8))
-
+    # Credentials are supplied by the GEM_HOST_API_KEY envvar, which in turn
+    # is set from the repository secrets by GitHub Actions.
     subprocess.check_call(
         [install.GEM_EXECUTABLE, "push", *glob("hypothesis-specs-*.gem")]
     )