[llvm-branch-commits] [llvm] release/19.x: workflows/release-tasks: Pass required secrets to all called workflows (#106286) (PR #106491)
via llvm-branch-commits
llvm-branch-commits at lists.llvm.org
Wed Aug 28 22:23:35 PDT 2024
https://github.com/llvmbot created https://github.com/llvm/llvm-project/pull/106491
Backport 9d81e7e36e33aecdee05fef551c0652abafaa052
Requested by: @tstellar
>From c3beefa91b9e50c97a4ab7c32b40771d9fd0f97e Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Wed, 28 Aug 2024 22:18:08 -0700
Subject: [PATCH] workflows/release-tasks: Pass required secrets to all called
workflows (#106286)
Called workflows don't have access to secrets by default, so we need to
explicitly pass secrets that we use.
(cherry picked from commit 9d81e7e36e33aecdee05fef551c0652abafaa052)
---
.github/workflows/release-doxygen.yml | 7 ++++++-
.github/workflows/release-lit.yml | 7 ++++++-
.github/workflows/release-sources.yml | 4 ++++
.github/workflows/release-tasks.yml | 12 ++++++++++++
4 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release-doxygen.yml b/.github/workflows/release-doxygen.yml
index ef00a438ce7ac4..ea95e5bb12b2b8 100644
--- a/.github/workflows/release-doxygen.yml
+++ b/.github/workflows/release-doxygen.yml
@@ -25,6 +25,10 @@ on:
description: 'Upload documentation'
required: false
type: boolean
+ secrets:
+ RELEASE_TASKS_USER_TOKEN:
+ description: "Secret used to check user permissions."
+ required: false
jobs:
release-doxygen:
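Review bot: `required: false` on the new `RELEASE_TASKS_USER_TOKEN` secret lets a `workflow_call` caller omit it without any error, in which case `secrets.RELEASE_TASKS_USER_TOKEN` expands to an empty string and the upload step later in this file runs with `--user-token ""`. How github-upload-release.py treats an empty token is not visible in this patch. Either declare the secret `required: true` if every caller is expected to supply it, or extend the description to say what happens when it is unset, e.g. `description: "Secret used to check user permissions; when unset, <fallback behaviour>."`. The same declaration is added in release-lit.yml and release-sources.yml, and the `on:` block starts outside this hunk.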
@@ -63,5 +67,6 @@ jobs:
if: env.upload
env:
GITHUB_TOKEN: ${{ github.token }}
+ USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
run: |
- ./llvm/utils/release/github-upload-release.py --token "$GITHUB_TOKEN" --release "${{ inputs.release-version }}" --user "${{ github.actor }}" upload --files ./*doxygen*.tar.xz
+ ./llvm/utils/release/github-upload-release.py --token "$GITHUB_TOKEN" --release "${{ inputs.release-version }}" --user "${{ github.actor }}" --user-token "$USER_TOKEN" upload --files ./*doxygen*.tar.xz
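Review bot: The rewritten `run:` line passes the new secret through `env` and a quoted shell variable, but `${{ inputs.release-version }}` and `${{ github.actor }}` are still expanded into the script text before the shell parses it, so a value containing shell metacharacters would be interpreted as code in a step that holds both tokens. Route them through `env` the same way, e.g. `RELEASE_VERSION: ${{ inputs.release-version }}` and `ACTOR: ${{ github.actor }}`, then `--release "$RELEASE_VERSION" --user "$ACTOR"`. The Check Permissions step in release-lit.yml has the same pattern, and there `--user ${{ github.actor }}` is also unquoted. The step begins outside this hunk.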
diff --git a/.github/workflows/release-lit.yml b/.github/workflows/release-lit.yml
index 0316ba406041d6..9d6f3140e68830 100644
--- a/.github/workflows/release-lit.yml
+++ b/.github/workflows/release-lit.yml
@@ -17,6 +17,10 @@ on:
description: 'Release Version'
required: true
type: string
+ secrets:
+ RELEASE_TASKS_USER_TOKEN:
+ description: "Secret used to check user permissions."
+ required: false
jobs:
release-lit:
@@ -36,8 +40,9 @@ jobs:
- name: Check Permissions
env:
GITHUB_TOKEN: ${{ github.token }}
+ USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
run: |
- ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} check-permissions
+ ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions
- name: Setup Cpp
uses: aminya/setup-cpp at v1
diff --git a/.github/workflows/release-sources.yml b/.github/workflows/release-sources.yml
index 9c5b1a9f017092..edb0449ef7e2c2 100644
--- a/.github/workflows/release-sources.yml
+++ b/.github/workflows/release-sources.yml
@@ -16,6 +16,10 @@ on:
description: Release Version
required: true
type: string
+ secrets:
+ RELEASE_TASKS_USER_TOKEN:
+ description: "Secret used to check user permissions."
+ required: false
# Run on pull_requests for testing purposes.
pull_request:
paths:
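Review bot: No step in release-sources.yml is changed to read `RELEASE_TASKS_USER_TOKEN`; the diffstat shows only these four added lines for the file, so the consumer is presumably an existing step outside the hunk, which is worth confirming because otherwise the declaration is unused. The context lines show this workflow also runs on `pull_request`, and runs from forks do not receive repository secrets, so any step that uses the token has to tolerate an empty value or be skipped there, for example with `if: github.event_name != 'pull_request'`. A short comment next to the declaration naming the step that consumes it would make this easier to audit.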
diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index cf42730aaf8170..780dd0ff6325c9 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -66,6 +66,9 @@ jobs:
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}
upload: true
+ # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
+ secrets:
+ RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
release-lit:
name: Release Lit
@@ -73,6 +76,9 @@ jobs:
uses: ./.github/workflows/release-lit.yml
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}
+ # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
+ secrets:
+ RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
release-binaries:
name: Build Release Binaries
@@ -97,6 +103,9 @@ jobs:
release-version: ${{ needs.validate-tag.outputs.release-version }}
upload: true
runs-on: ${{ matrix.runs-on }}
+ # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
+ secrets:
+ RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
release-sources:
name: Package Release Sources
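Review bot: The `release-binaries` job now passes `RELEASE_TASKS_USER_TOKEN`, yet release-binaries.yml is the only called workflow this patch does not touch. A caller that passes a secret the called workflow does not declare under `on.workflow_call.secrets` is rejected as an invalid workflow, so confirm that file already declares it on release/19.x. Passing the one named secret per job rather than `secrets: inherit` keeps each called workflow limited to the token it needs, and that is worth keeping as more callers are added. The job definition starts outside this hunk.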
@@ -109,3 +118,6 @@ jobs:
uses: ./.github/workflows/release-sources.yml
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}
+ # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
+ secrets:
+ RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}