ci: Remove environments

[ko3n1g]

What does this PR do ?

This simplifies secrets management, and avoid polluting the PR history with deployment updates.

Issues

List issues that this PR closes (syntax):

Usage

• You can potentially add a usage example below

# Add a code snippet demonstrating how to use this

Before your PR is "Ready for review"

Pre checks:

• Make sure you read and followed Contributor guidelines
• Did you write any new necessary tests?
• Did you run the unit tests and functional tests locally? Visit our Testing Guide for how to run tests
• Did you add or update any necessary documentation? Visit our Document Development Guide for how to write, build and test the docs.

Additional Information

• ...

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflow configurations across multiple CI/CD pipelines to streamline operations and improve consistency in job definitions.
  • Enhanced the package publishing and release process with refined credentials management, implementing branch-aware token routing that automatically selects appropriate authentication for different deployment environments.
  • Removed unnecessary environment specifications from job-level configurations and standardized formatting throughout workflow files for improved clarity and long-term maintainability.

[coderabbitai]

📝 Walkthrough

Walkthrough

GitHub Actions workflows are updated by removing environment specifications from several job definitions and reconfiguring PyPI authentication credentials. TWINE_USERNAME is set to a static "token" value, and TWINE_PASSWORD uses branch-aware conditional logic to select between production and test PyPI tokens.

Changes

Cohort / File(s)	Summary
Environment removal from workflow jobs .github/workflows/_healthcheck_vm.yml, .github/workflows/cicd-main.yml, .github/workflows/healthcheck_vms.yml	Removed environment: main and environment: nemo-ci specifications from job definitions. Minor quote style adjustments from single to double quotes for consistency.
PyPI authentication updates .github/workflows/build-test-publish-wheel.yml, .github/workflows/release.yaml	Changed TWINE_USERNAME to static "token" string. Modified TWINE_PASSWORD to conditionally use SVC_PYPI_TOKEN on main or release branches; uses SVC_PYPI_TEST_TOKEN for other branches.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci: Remove environments' accurately summarizes the main change across all modified files, which consistently removes 'environment:' specifications from GitHub Actions workflow jobs.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Test Results For Major Changes	✅ Passed	The PR contains CI/CD infrastructure changes (environment removal, secrets reference updates) that are operational/configuration updates, not major changes affecting application functionality or performance.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ko3n1g/ci/remove-environments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/cicd-main.yml (1)

226-298: Ensure previously environment-scoped secrets are promoted to repo/org level.

Removing environment: nemo-ci from cicd-doc-tests, cicd-unit-tests, and cicd-functional-tests, and environment: main from notify-nightly-failure means GitHub Actions will no longer resolve environment-scoped secrets for these jobs. HF_TOKEN (used in cicd-unit-tests and cicd-functional-tests) and SLACK_TEAM_CHANNEL_WEBHOOK (used in notify-nightly-failure) must be present as repository-level or organization-level secrets, otherwise those steps will silently receive an empty string.

Additionally, if the nemo-ci or main environments had protection rules configured (required reviewers, deployment branch policies, wait timers), those controls are now bypassed for these jobs. Confirm this is acceptable before merging.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cicd-main.yml around lines 226 - 298, The jobs
cicd-doc-tests, cicd-unit-tests, cicd-functional-tests and
notify-nightly-failure no longer reference environment: nemo-ci/main so
environment-scoped secrets and protection rules will not be applied; ensure
HF_TOKEN and SLACK_TEAM_CHANNEL_WEBHOOK are created at repository or
organization secret scope (and update any other environment-scoped secrets
referenced by these jobs), and verify that removing environment: nemo-ci/main
does not bypass required environment protections (review required reviewers,
branch/deployment policies, and wait timers) before merging; update
documentation or CI setup notes to record the promotion of secrets and the
acceptance of lost environment protections if intentional.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yaml:
- Line 51: The TWINE_PASSWORD expression in release.yaml uses the &&/|| pattern
which silently falls back to SVC_PYPI_TEST_TOKEN if SVC_PYPI_TOKEN is empty;
change the workflow to ensure a non-empty production token is selected by either
adding a pre-publish assertion step that fails when SVC_PYPI_TOKEN is
unset/empty (check secrets.SVC_PYPI_TOKEN and fail the job) or replace the
expression with the fromJSON array-index ternary pattern so TWINE_PASSWORD
deterministically picks secrets.SVC_PYPI_TOKEN for refs/heads/main or release
branches and only uses secrets.SVC_PYPI_TEST_TOKEN for non-release refs,
referencing the TWINE_PASSWORD variable and the SVC_PYPI_TOKEN /
SVC_PYPI_TEST_TOKEN secret names when making the change.

---

Nitpick comments:
In @.github/workflows/cicd-main.yml:
- Around line 226-298: The jobs cicd-doc-tests, cicd-unit-tests,
cicd-functional-tests and notify-nightly-failure no longer reference
environment: nemo-ci/main so environment-scoped secrets and protection rules
will not be applied; ensure HF_TOKEN and SLACK_TEAM_CHANNEL_WEBHOOK are created
at repository or organization secret scope (and update any other
environment-scoped secrets referenced by these jobs), and verify that removing
environment: nemo-ci/main does not bypass required environment protections
(review required reviewers, branch/deployment policies, and wait timers) before
merging; update documentation or CI setup notes to record the promotion of
secrets and the acceptance of lost environment protections if intentional.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Silent SVC_PYPI_TEST_TOKEN fallback if SVC_PYPI_TOKEN is empty.

A known limitation of the &&/|| ternary pattern is that the value after && must not be falsy; otherwise, the || branch is taken incorrectly. In GitHub Actions, falsy values include false, 0, -0, "", '', and null — which covers an unset or empty secret.

If SVC_PYPI_TOKEN is ever missing or accidentally revoked, the expression on main/release branches silently resolves to SVC_PYPI_TEST_TOKEN and the release is published to TestPyPI instead of production PyPI — with no error or warning. Since dry-run can be false in this workflow, this is a real risk.

Consider asserting the secret is non-empty in a pre-publish step, or using fromJSON indexing to avoid the silent fallback:

💡 Alternative ternary pattern that avoids the silent fallback

-      TWINE_PASSWORD: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/r')) && secrets.SVC_PYPI_TOKEN || secrets.SVC_PYPI_TEST_TOKEN }}
+      TWINE_PASSWORD: ${{ fromJSON(format('["{0}","{1}"]', secrets.SVC_PYPI_TEST_TOKEN, secrets.SVC_PYPI_TOKEN))[github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/r')] }}

The fromJSON array-index approach uses true→1 / false→0 coercion, so it unconditionally selects the correct token without the "falsy middle operand" pitfall.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yaml at line 51, The TWINE_PASSWORD expression in
release.yaml uses the &&/|| pattern which silently falls back to
SVC_PYPI_TEST_TOKEN if SVC_PYPI_TOKEN is empty; change the workflow to ensure a
non-empty production token is selected by either adding a pre-publish assertion
step that fails when SVC_PYPI_TOKEN is unset/empty (check secrets.SVC_PYPI_TOKEN
and fail the job) or replace the expression with the fromJSON array-index
ternary pattern so TWINE_PASSWORD deterministically picks secrets.SVC_PYPI_TOKEN
for refs/heads/main or release branches and only uses
secrets.SVC_PYPI_TEST_TOKEN for non-release refs, referencing the TWINE_PASSWORD
variable and the SVC_PYPI_TOKEN / SVC_PYPI_TEST_TOKEN secret names when making
the change.