PYTHON-4388 Fix dist handling in SSDLC workflow (#1705)

.github/workflows/codeql.yml

@@ -26,9 +26,6 @@ jobs:
  # required for all workflows
  security-events: write
 
- # required to fetch internal or private CodeQL packs
- packages: read
-
  strategy:
  fail-fast: false
  matrix:

.github/workflows/dist.yml

@@ -10,6 +10,10 @@ on:
  workflow_dispatch:
  pull_request:
  workflow_call:
+ inputs:
+ ref:
+ required: true
+ type: string
 
 concurrency:
  group: dist-${{ github.ref }}
@@ -44,6 +48,7 @@ jobs:
  uses: actions/checkout@v4
  with:
  fetch-depth: 0
+ ref: ${{ inputs.ref }}
 
  - uses: actions/setup-python@v5
  with:
@@ -99,6 +104,7 @@ jobs:
  - uses: actions/checkout@v4
  with:
  fetch-depth: 0
+ ref: ${{ inputs.ref }}
 
  - uses: actions/setup-python@v5
  with:

.github/workflows/release-python.yml

@@ -19,7 +19,7 @@ env:
  PRODUCT_NAME: PyMongo
  # Changes per branch
  SILK_ASSET_GROUP: mongodb-python-driver
- EVERGREEN_PROJECT: mongodb-python-driver
+ EVERGREEN_PROJECT: mongo-python-driver
 
 defaults:
  run:
@@ -32,6 +32,8 @@ jobs:
  permissions:
  id-token: write
  contents: write
+ outputs:
+ version: ${{ steps.pre-publish.outputs.version }}
  steps:
  - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
  with:
@@ -44,19 +46,24 @@ jobs:
  aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
  artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
  - uses: mongodb-labs/drivers-github-tools/python/pre-publish@v2
+ id: pre-publish
  with:
  version: ${{ inputs.version }}
  dry_run: ${{ inputs.dry_run }}
 
  build-dist:
  needs: [pre-publish]
  uses: ./.github/workflows/dist.yml
+ with:
+ ref: ${{ needs.pre-publish.outputs.version }}
 
  static-scan:
  needs: [pre-publish]
  uses: ./.github/workflows/codeql.yml
+ permissions:
+ security-events: write
  with:
- ref: ${{ github.ref }}
+ ref: ${{ needs.pre-publish.outputs.version }}
 
  publish:
  needs: [build-dist, static-scan]