fix: Cl/release fixes 2 (#12595)

Please read [contributing guidelines](CONTRIBUTING.md) and remove this
line.

Author: charlielye

.github/workflows/ci3.yml

@@ -27,6 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     # exclusive with ci3-external.yml: if it is a pull request target only run if it is NOT a fork.
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    environment: ${{ startsWith(github.ref, 'refs/tags/v') && 'master' || '' }}
     strategy:
       fail-fast: false
       matrix:

ci3/aws/ami_update.sh

@@ -48,9 +48,6 @@ ssh $ssh_args -F build_instance_ssh_config ubuntu@$ip '
   mkdir .aws
 '
 
-# Copy aws credentials onto machine.
-scp -F build_instance_ssh_config $HOME/.aws/build_instance_credentials ubuntu@$ip:.aws/credentials
-
 # Download crs onto machine.
 ssh $ssh_args -F build_instance_ssh_config ubuntu@$ip < ../../barretenberg/scripts/download_bb_crs.sh
 

ci3/aws_request_instance

@@ -53,7 +53,7 @@ PRICE=$(jq -n "$BID_PER_CPU_HOUR*$CPUS*100000 | round / 100000")
 launch_spec=$(cat <<EOF
 {
   "ImageId": "$AMI",
-  "KeyName": "build-instance",
+  "KeyName": "${KEY_NAME:-build-instance}",
   "SecurityGroupIds": ["sg-0ccd4e5df0dcca0c9"],
   "InstanceType": "$INSTANCE_TYPE",
   "BlockDeviceMappings": [

ci3/bootstrap_ec2

@@ -45,6 +45,14 @@ else
   instance_name=$(echo -n "$REF_NAME" | head -c 50 | tr -c 'a-zA-Z0-9-' '_')_$arch
 fi
 
+if semver check $REF_NAME; then
+  # Override the public key that aws will load into ~/.ssh/authorized_keys on the launched instance.
+  # This requires the restricted key only available in release environments.
+  key_name="super-build-instance"
+else
+  key_name="build-instance"
+fi
+
 [ -n "${INSTANCE_POSTFIX:-}" ] && instance_name+="_$INSTANCE_POSTFIX"
 
 echo_header "request build instance"
@@ -60,13 +68,24 @@ if [ -n "$existing_instance" ]; then
 fi
 
 # Request new instance.
-ip_sir=$(aws_request_instance $instance_name $cores $arch)
+ip_sir=$(KEY_NAME=$key_name aws_request_instance $instance_name $cores $arch)
 IFS=':' read -r -a parts <<< "$ip_sir"
 ip="${parts[0]}"
 sir="${parts[1]}"
 iid="${parts[2]}"
 trap on_exit EXIT
 
+# If AWS credentials are not set, try to load them from ~/.aws/build_instance_credentials.
+if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
+  if [ ! -f ~/.aws/build_instance_credentials ]; then
+    echo "No aws credentials found in env or ~/.aws/build_instance_credentials."
+    exit 1
+  fi
+  echo "AWS credentials are being set from ~/.aws/build_instance_credentials."
+  export AWS_ACCESS_KEY_ID=$(grep aws_access_key_id ~/.aws/build_instance_credentials | awk '{print $3}')
+  export AWS_SECRET_ACCESS_KEY=$(grep aws_secret_access_key ~/.aws/build_instance_credentials | awk '{print $3}')
+fi
+
 # If we're asking to not terminate the instance automatically, we also don't want to remove the container.
 [ "$NO_TERMINATE" -eq 0 ] && docker_args+=" --rm"
 

ci3/clean_remote_tags

@@ -0,0 +1,36 @@
+#!/bin/bash
+# Set your GitHub repository info and token if needed
+GH_OWNER="aztecprotocol"
+GH_REPO="aztec-packages"
+
+# Fetch all releases with pagination
+page=1
+per_page=100
+all_releases=""
+
+while true; do
+  page_releases=$(curl -s "https://api.github.com/repos/$GH_OWNER/$GH_REPO/releases?per_page=$per_page&page=$page" | jq -r '.[].tag_name')
+
+  # Break if no more releases are found
+  if [ -z "$page_releases" ]; then
+    break
+  fi
+
+  all_releases="$all_releases $page_releases"
+  page=$((page + 1))
+done
+# echo "${all_releases[@]}"
+
+# Create an associative array for fast lookup
+declare -A release_tags
+for tag in $all_releases; do
+  release_tags["$tag"]=1
+done
+
+# List remote tags and delete those not found in releases
+for tag in $(git ls-remote --tags origin | awk '{print $2}' | sed 's|refs/tags/||'); do
+  if [ -z "${release_tags[$tag]}" ]; then
+    echo "Deleting remote tag: $tag"
+    git push --delete origin tag "$tag"
+  fi
+done