[llvm-branch-commits] [llvm] release/19.x: workflows/release-tasks: Pass required secrets to all called workflows (#106286) (PR #106491)
via llvm-branch-commits
llvm-branch-commits at lists.llvm.org
Wed Aug 28 22:24:05 PDT 2024
llvmbot wrote:
<!--LLVM PR SUMMARY COMMENT-->
@llvm/pr-subscribers-github-workflow
Author: None (llvmbot)
<details>
<summary>Changes</summary>
Backport 9d81e7e36e33aecdee05fef551c0652abafaa052
Requested by: @<!-- -->tstellar
---
Full diff: https://github.com/llvm/llvm-project/pull/106491.diff
4 Files Affected:
- (modified) .github/workflows/release-doxygen.yml (+6-1)
- (modified) .github/workflows/release-lit.yml (+6-1)
- (modified) .github/workflows/release-sources.yml (+4)
- (modified) .github/workflows/release-tasks.yml (+12)
``````````diff
diff --git a/.github/workflows/release-doxygen.yml b/.github/workflows/release-doxygen.yml
index ef00a438ce7ac4..ea95e5bb12b2b8 100644
--- a/.github/workflows/release-doxygen.yml
+++ b/.github/workflows/release-doxygen.yml
@@ -25,6 +25,10 @@ on:
description: 'Upload documentation'
required: false
type: boolean
+ secrets:
+ RELEASE_TASKS_USER_TOKEN:
+ description: "Secret used to check user permissions."
+ required: false
jobs:
release-doxygen:
@@ -63,5 +67,6 @@ jobs:
if: env.upload
env:
GITHUB_TOKEN: ${{ github.token }}
+ USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
run: |
- ./llvm/utils/release/github-upload-release.py --token "$GITHUB_TOKEN" --release "${{ inputs.release-version }}" --user "${{ github.actor }}" upload --files ./*doxygen*.tar.xz
+ ./llvm/utils/release/github-upload-release.py --token "$GITHUB_TOKEN" --release "${{ inputs.release-version }}" --user "${{ github.actor }}" --user-token "$USER_TOKEN" upload --files ./*doxygen*.tar.xz
diff --git a/.github/workflows/release-lit.yml b/.github/workflows/release-lit.yml
index 0316ba406041d6..9d6f3140e68830 100644
--- a/.github/workflows/release-lit.yml
+++ b/.github/workflows/release-lit.yml
@@ -17,6 +17,10 @@ on:
description: 'Release Version'
required: true
type: string
+ secrets:
+ RELEASE_TASKS_USER_TOKEN:
+ description: "Secret used to check user permissions."
+ required: false
jobs:
release-lit:
@@ -36,8 +40,9 @@ jobs:
- name: Check Permissions
env:
GITHUB_TOKEN: ${{ github.token }}
+ USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
run: |
- ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} check-permissions
+ ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions
- name: Setup Cpp
uses: aminya/setup-cpp at v1
diff --git a/.github/workflows/release-sources.yml b/.github/workflows/release-sources.yml
index 9c5b1a9f017092..edb0449ef7e2c2 100644
--- a/.github/workflows/release-sources.yml
+++ b/.github/workflows/release-sources.yml
@@ -16,6 +16,10 @@ on:
description: Release Version
required: true
type: string
+ secrets:
+ RELEASE_TASKS_USER_TOKEN:
+ description: "Secret used to check user permissions."
+ required: false
# Run on pull_requests for testing purposes.
pull_request:
paths:
diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index cf42730aaf8170..780dd0ff6325c9 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -66,6 +66,9 @@ jobs:
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}
upload: true
+ # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
+ secrets:
+ RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
release-lit:
name: Release Lit
@@ -73,6 +76,9 @@ jobs:
uses: ./.github/workflows/release-lit.yml
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}
+ # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
+ secrets:
+ RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
release-binaries:
name: Build Release Binaries
@@ -97,6 +103,9 @@ jobs:
release-version: ${{ needs.validate-tag.outputs.release-version }}
upload: true
runs-on: ${{ matrix.runs-on }}
+ # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
+ secrets:
+ RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
release-sources:
name: Package Release Sources
@@ -109,3 +118,6 @@ jobs:
uses: ./.github/workflows/release-sources.yml
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}
+ # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
+ secrets:
+ RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
``````````
</details>
https://github.com/llvm/llvm-project/pull/106491
More information about the llvm-branch-commits
mailing list