[llvm-branch-commits] [llvm] release/22.x: workflows/release-task: Use less privileged token for uploading release notes (#180299) (#180650) (PR #180653)

via llvm-branch-commits llvm-branch-commits at lists.llvm.org
Mon Feb 9 16:54:52 PST 2026


llvmbot wrote:



@llvm/pr-subscribers-github-workflow

Author: None (llvmbot)

<details>
<summary>Changes</summary>

Backport 48dffbc654f2a606025f4b14c9b789c99f8188ae

Requested by: @tstellar

---
Full diff: https://github.com/llvm/llvm-project/pull/180653.diff


2 Files Affected:

- (modified) .github/workflows/release-documentation.yml (+5-1) 
- (modified) .github/workflows/release-tasks.yml (+1) 


``````````diff
diff --git a/.github/workflows/release-documentation.yml b/.github/workflows/release-documentation.yml
index 89edca334aa9d..1d5d1f6bc03fa 100644
--- a/.github/workflows/release-documentation.yml
+++ b/.github/workflows/release-documentation.yml
@@ -26,6 +26,9 @@ on:
         required: false
         type: boolean
     secrets:
+      LLVMBOT_WWW_RELEASES_PUSH:
+        description: "Secret used to push changes to llvmbot www-releases fork."
+        required: false
       WWW_RELEASES_TOKEN:
         description: "Secret used to create a PR with the documentation changes."
         required: false
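Review bot: `LLVMBOT_WWW_RELEASES_PUSH` is declared with `required: false`, so a caller that enables upload without passing it reaches the push with an empty token and fails only there. Consider checking that the secret is set at the start of the Upload Release Notes step. The description could also state that the token only needs push access to the llvmbot www-releases fork, so whoever provisions it keeps it narrowly scoped.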
@@ -81,6 +84,7 @@ jobs:
       - name: Upload Release Notes
         if: env.upload
         env:
+          PUSH_TOKEN: ${{ secrets.LLVMBOT_WWW_RELEASES_PUSH }}
           GH_TOKEN: ${{ secrets.WWW_RELEASES_TOKEN }}
         run: |
           mkdir -p www-releases/${{ inputs.release-version }}
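Review bot: in the `env:` block of Upload Release Notes, `GH_TOKEN` stays exported next to the new `PUSH_TOKEN`, so every command in this step, `git push` included, can still read `WWW_RELEASES_TOKEN`. Splitting the step in two, one for the push with only `PUSH_TOKEN` and one for `gh pr create` with only `GH_TOKEN`, would give each command just the credential it uses.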
@@ -91,5 +95,5 @@ jobs:
           git config user.email "llvmbot at llvm.org"
           git config user.name "llvmbot"
           git commit -a -m "Add ${{ inputs.release-version }} documentation"
-          git push --force  "https://$GH_TOKEN@github.com/llvmbot/www-releases.git" HEAD:refs/heads/${{ inputs.release-version }}
+          git push --force  "https://$PUSH_TOKEN@github.com/llvmbot/www-releases.git" HEAD:refs/heads/${{ inputs.release-version }}
           gh pr create -f -B main -H llvmbot:${{ inputs.release-version }}
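Review bot: the new `git push` line places `$PUSH_TOKEN` in the remote URL, so the secret becomes part of the command's arguments and its absence from job output relies on log masking. Consider supplying it through `GIT_ASKPASS` or a credential helper instead of the URL. On the same line, `${{ inputs.release-version }}` is expanded into the script text before the shell runs; passing it through `env:` and referencing it as a quoted shell variable would keep the input from being interpreted by the shell.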
diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index 3648e1463e1e0..ce44311507a83 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -56,6 +56,7 @@ jobs:
       upload: true
     # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
     secrets:
+      LLVMBOT_WWW_RELEASES_PUSH: ${{ secrets.LLVMBOT_WWW_RELEASES_PUSH }}
       WWW_RELEASES_TOKEN: ${{ secrets.WWW_RELEASES_TOKEN }}
 
   release-doxygen:

``````````

</details>


https://github.com/llvm/llvm-project/pull/180653

