[llvm-branch-commits] [llvm] release/22.x: workflows/release-task: Use less privileged token for uploading release notes (#180299) (#180650) (PR #180653)
via llvm-branch-commits
llvm-branch-commits at lists.llvm.org
Mon Feb 9 16:53:36 PST 2026
https://github.com/llvmbot created https://github.com/llvm/llvm-project/pull/180653
Backport 48dffbc654f2a606025f4b14c9b789c99f8188ae
Requested by: @tstellar
From 045f6c7417f924fff240579d056d99beabeb249f Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Mon, 9 Feb 2026 16:37:51 -0800
Subject: [PATCH] workflows/release-task: Use less privileged token for
uploading release notes (#180299) (#180650)
We were using one token for both pushing to the llvmbot fork and for
creating a pull request against the www-releases repository. Since the
fork and the repository have different owners, we were using a classic
access token, which has very coarse-grained permissions. By using two
separate tokens, we limit the permissions to just what we need to do the
task.
This is a re-commit of b6ee085068972a41f3b2735a9f7e3ca48eab0f00 minus
the environment changes which were causing the workflow to fail.
(cherry picked from commit 48dffbc654f2a606025f4b14c9b789c99f8188ae)
---
.github/workflows/release-documentation.yml | 6 +++++-
.github/workflows/release-tasks.yml | 1 +
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release-documentation.yml b/.github/workflows/release-documentation.yml
index 89edca334aa9d..1d5d1f6bc03fa 100644
--- a/.github/workflows/release-documentation.yml
+++ b/.github/workflows/release-documentation.yml
@@ -26,6 +26,9 @@ on:
required: false
type: boolean
secrets:
+ LLVMBOT_WWW_RELEASES_PUSH:
+ description: "Secret used to push changes to llvmbot www-releases fork."
+ required: false
WWW_RELEASES_TOKEN:
description: "Secret used to create a PR with the documentation changes."
required: false
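Review bot: the new LLVMBOT_WWW_RELEASES_PUSH input is declared `required: false`, but the Upload Release Notes step below pushes with it unconditionally whenever `env.upload` is set, so a caller that omits the secret gets an opaque authentication failure at push time rather than a workflow-validation error. Either mark it `required: true` (the only caller in this patch always passes it), or keep it optional and have the step fail early with a clear message when `PUSH_TOKEN` is empty.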
@@ -81,6 +84,7 @@ jobs:
- name: Upload Release Notes
if: env.upload
env:
+ PUSH_TOKEN: ${{ secrets.LLVMBOT_WWW_RELEASES_PUSH }}
GH_TOKEN: ${{ secrets.WWW_RELEASES_TOKEN }}
run: |
mkdir -p www-releases/${{ inputs.release-version }}
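Review bot: the step's `env:` now carries two tokens with different intended scopes, but nothing records which is which; a short comment next to `PUSH_TOKEN` (write access to the llvmbot/www-releases fork only) and `GH_TOKEN` (opening the PR against the upstream repository only) would let the next maintainer rotate or re-scope them without re-deriving this from the commit message. It would also make it obvious during review if either token is later given more permission than the line using it needs.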
@@ -91,5 +95,5 @@ jobs:
git config user.email "llvmbot at llvm.org"
git config user.name "llvmbot"
git commit -a -m "Add ${{ inputs.release-version }} documentation"
- git push --force "https://$GH_TOKEN@github.com/llvmbot/www-releases.git" HEAD:refs/heads/${{ inputs.release-version }}
+ git push --force "https://$PUSH_TOKEN@github.com/llvmbot/www-releases.git" HEAD:refs/heads/${{ inputs.release-version }}
gh pr create -f -B main -H llvmbot:${{ inputs.release-version }}
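Review bot: the `git push --force "https://$PUSH_TOKEN@github.com/..."` line embeds the token in the remote URL, so if `PUSH_TOKEN` is empty (possible, since the secret is optional) the command runs as `https://@github.com/...` and fails with a generic auth error. A guard before the push such as `: "${PUSH_TOKEN:?LLVMBOT_WWW_RELEASES_PUSH is not set}"` turns that into an actionable message, and passing the credential via a `http.extraheader` config or a credential helper instead of the URL keeps it out of any remote URL that git echoes in its own error output.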
diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index 3648e1463e1e0..ce44311507a83 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -56,6 +56,7 @@ jobs:
upload: true
# Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
secrets:
+ LLVMBOT_WWW_RELEASES_PUSH: ${{ secrets.LLVMBOT_WWW_RELEASES_PUSH }}
WWW_RELEASES_TOKEN: ${{ secrets.WWW_RELEASES_TOKEN }}
release-doxygen: