[llvm-branch-commits] [llvm] release/18.x: [workflows] Fix permissions check for creating new releases (#81163) (PR #82453)
via llvm-branch-commits
llvm-branch-commits at lists.llvm.org
Tue Feb 20 17:58:11 PST 2024
https://github.com/llvmbot created https://github.com/llvm/llvm-project/pull/82453
Backport 2836d8edbfbcd461b25101ed58f93c862d65903a
Requested by: @tstellar
>From 9d2fa790ac7ea4bb239d0de50c878f6f5bcec6a0 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Tue, 20 Feb 2024 17:52:38 -0800
Subject: [PATCH] [workflows] Fix permissions check for creating new releases
(#81163)
The default GitHub token does not have read permissions on the org, so
we need to use a custom token in order to read the members of the
llvm-release-managers team.
(cherry picked from commit 2836d8edbfbcd461b25101ed58f93c862d65903a)
---
.github/workflows/release-tasks.yml | 4 +++-
llvm/utils/release/github-upload-release.py | 16 ++++++++++++----
2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index f2a831ad3577ad..53da8662b0203a 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -28,6 +28,7 @@ jobs:
name: Create a New Release
runs-on: ubuntu-latest
needs: validate-tag
+
steps:
- name: Install Dependencies
run: |
@@ -40,8 +41,9 @@ jobs:
- name: Create Release
env:
GITHUB_TOKEN: ${{ github.token }}
+ USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
run: |
- ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --release ${{ needs.validate-tag.outputs.release-version }} --user ${{ github.actor }} create
+ ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --release ${{ needs.validate-tag.outputs.release-version }} --user ${{ github.actor }} --user-token "$USER_TOKEN" create
release-documentation:
name: Build and Upload Release Documentation
needs:
diff --git a/llvm/utils/release/github-upload-release.py b/llvm/utils/release/github-upload-release.py
index a8bb569d2fc999..14ec05062d88c8 100755
--- a/llvm/utils/release/github-upload-release.py
+++ b/llvm/utils/release/github-upload-release.py
@@ -77,20 +77,28 @@ def upload_files(repo, release, files):
parser.add_argument("--token", type=str)
parser.add_argument("--release", type=str)
parser.add_argument("--user", type=str)
+parser.add_argument("--user-token", type=str)
# Upload args
parser.add_argument("--files", nargs="+", type=str)
args = parser.parse_args()
-github = github.Github(args.token)
-llvm_org = github.get_organization("llvm")
+gh = github.Github(args.token)
+llvm_org = gh.get_organization("llvm")
llvm_repo = llvm_org.get_repo("llvm-project")
if args.user:
+ if not args.user_token:
+ print("--user-token option required when --user is used")
+ sys.exit(1)
# Validate that this user is allowed to modify releases.
- user = github.get_user(args.user)
- team = llvm_org.get_team_by_slug("llvm-release-managers")
+ user = gh.get_user(args.user)
+ team = (
+ github.Github(args.user_token)
+ .get_organization("llvm")
+ .get_team_by_slug("llvm-release-managers")
+ )
if not team.has_in_members(user):
print("User {} is not a allowed to modify releases".format(args.user))
sys.exit(1)
More information about the llvm-branch-commits
mailing list