From 8032867a0d5ffc319320ab45ad5b071155aeed48 Mon Sep 17 00:00:00 2001
From: Jonathan Schwender <55576758+jschwe@users.noreply.github.com>
Date: Sat, 11 Apr 2026 14:08:22 +0200
Subject: [PATCH] backport: ci: Secure release workflow using environment
 (#44108) (#44118)

This applies changes from #44108 to the release/v0.1 branch. To secure
our workflow secrets, we will be removing the global secrets, hence
backporting this is required in order to support future release workflow
usage.

-------------------------------

The publish environment enforces additional restrictions, mainly that
the workflow can only be run from protected branches and additional
prevents access of the publish secrets from workflows which do not use
this environment.

Signed-off-by: Jonathan Schwender <schwenderjonathan@gmail.com>
---
 .github/workflows/release.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ceeb6e57d78..b12d6d22136 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,6 +32,9 @@ jobs:
     if: github.repository == 'servo/servo' || github.event_name == 'workflow_dispatch'
     name: Create Draft GH Release
     runs-on: ubuntu-latest
+    environment: &publish-environment
+      name: publish
+      deployment: false
     steps:
       - id: create-release
         run: |
@@ -70,6 +73,7 @@ jobs:
         && (inputs.regular_release || false) == false
     name: Publish GH Release
     runs-on: ubuntu-latest
+    environment: *publish-environment
     steps:
       - name: Publish as latest (success)
         if: ${{ !contains(needs.*.result, 'failure') && (!contains(needs.*.result, 'cancelled') && !cancelled()) }}
@@ -138,6 +142,7 @@ jobs:
     if: github.repository == 'servo/servo' || github.event_name == 'workflow_dispatch'
     name: Upload vendored source archive
     runs-on: ubuntu-latest
+    environment: *publish-environment
     permissions:
       contents: write
       id-token: write
@@ -175,6 +180,7 @@ jobs:
     permissions:
       id-token: write
       attestations: write
+    environment: *publish-environment
     needs: &upload-artifacts-needs
       - create-draft-release
       - build-win
@@ -243,6 +249,7 @@ jobs:
   upload-artifacts-release:
     if: github.event_name == 'workflow_dispatch' && inputs.regular_release
     runs-on: ubuntu-latest
+    environment: *publish-environment
     permissions:
       id-token: write
       attestations: write