[llvm] [workflows] Fix permissions check for creating new releases (PR #81163)

Tom Stellard via llvm-commits llvm-commits at lists.llvm.org
Fri Feb 16 08:06:27 PST 2024


https://github.com/tstellar updated https://github.com/llvm/llvm-project/pull/81163

>From e7eaed8d0b9145ec89e05863f2272932cbaf8ce5 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Thu, 8 Feb 2024 09:40:23 -0800
Subject: [PATCH 1/3] [workflows] Fix permissions check for creating new
 releases

The default GitHub token does not have read permissions on the org, so
we need to use a custom token in order to read the members of the
llvm-release-managers team.
---
 .github/workflows/release-tasks.yml         |  4 +++-
 llvm/utils/release/github-upload-release.py | 11 +++++++----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index f2a831ad3577ad..53da8662b0203a 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -28,6 +28,7 @@ jobs:
     name: Create a New Release
     runs-on: ubuntu-latest
     needs: validate-tag
+
     steps:
       - name: Install Dependencies
         run: |
@@ -40,8 +41,9 @@ jobs:
       - name: Create Release
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
         run: |
-          ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --release ${{ needs.validate-tag.outputs.release-version }} --user ${{ github.actor }} create
+          ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --release ${{ needs.validate-tag.outputs.release-version }} --user ${{ github.actor }} --user-token "$USER_TOKEN" create
   release-documentation:
     name: Build and Upload Release Documentation
     needs:
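Review bot: The new `run:` line still expands `${{ github.actor }}` and `${{ needs.validate-tag.outputs.release-version }}` directly into the shell script, while the two tokens were (correctly) moved into `env:`; any expression spliced into a script body is a template-injection surface, so the same treatment should apply to these two values. GitHub's username rules keep `github.actor` to alphanumerics and hyphens, so the practical exposure is the release-version output, whose validation lives in the `validate-tag` job outside this hunk and cannot be confirmed here. The change is to add `ACTOR: ${{ github.actor }}` and `RELEASE_VERSION: ${{ needs.validate-tag.outputs.release-version }}` under `env:` and run `./llvm/utils/release/github-upload-release.py --token "$GITHUB_TOKEN" --release "$RELEASE_VERSION" --user "$ACTOR" --user-token "$USER_TOKEN" create`. Separately, `RELEASE_TASKS_USER_TOKEN` is only used to read membership of the `llvm-release-managers` team, so presumably it should be a fine-grained token scoped to organization members read only rather than a classic PAT; worth stating in the workflow comment so the secret is not later rotated to something broader.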
diff --git a/llvm/utils/release/github-upload-release.py b/llvm/utils/release/github-upload-release.py
index a8bb569d2fc999..5115e5082fb2c1 100755
--- a/llvm/utils/release/github-upload-release.py
+++ b/llvm/utils/release/github-upload-release.py
@@ -77,20 +77,23 @@ def upload_files(repo, release, files):
 parser.add_argument("--token", type=str)
 parser.add_argument("--release", type=str)
 parser.add_argument("--user", type=str)
+parser.add_argument("--user-token", type=str)
 
 # Upload args
 parser.add_argument("--files", nargs="+", type=str)
 
 args = parser.parse_args()
 
-github = github.Github(args.token)
-llvm_org = github.get_organization("llvm")
+gh = github.Github(args.token)
+llvm_org = gh.get_organization("llvm")
 llvm_repo = llvm_org.get_repo("llvm-project")
+if not args.user_token:
+    args.user_token = args.token
 
 if args.user:
     # Validate that this user is allowed to modify releases.
-    user = github.get_user(args.user)
-    team = llvm_org.get_team_by_slug("llvm-release-managers")
+    user = gh.get_user(args.user)
+    team = github.Github(args.user_token).get_organization("llvm").get_team_by_slug("llvm-release-managers")
     if not team.has_in_members(user):
         print("User {} is not a allowed to modify releases".format(args.user))
         sys.exit(1)
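Review bot: Both secrets are now passed as command-line arguments (`--token` and the new `--user-token`), which makes them visible to any process on the runner that can read `/proc/<pid>/cmdline` or `ps` output for the lifetime of the script; the workflow already has them in `USER_TOKEN`/`GITHUB_TOKEN` environment variables, so the script could read them from there instead. A backward-compatible way is to keep the flag but default it from the environment, e.g. `parser.add_argument("--user-token", type=str, default=os.environ.get("USER_TOKEN"))`, assuming `os` is imported at the top of the file, which is outside this hunk. On the positive side, the rename from `github` to `gh` removes the module shadowing that made `github.Github(args.user_token)` impossible to write in the old code. The argument-parser setup this hunk extends begins before the hunk.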

>From bf0b03c20c0de8130d8a0f7d907ae4e9d4b83c16 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Fri, 16 Feb 2024 15:59:44 +0000
Subject: [PATCH 2/3] Require --user-token when --user is used

---
 llvm/utils/release/github-upload-release.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/llvm/utils/release/github-upload-release.py b/llvm/utils/release/github-upload-release.py
index 5115e5082fb2c1..41cfdaf11d6203 100755
--- a/llvm/utils/release/github-upload-release.py
+++ b/llvm/utils/release/github-upload-release.py
@@ -87,10 +87,11 @@ def upload_files(repo, release, files):
 gh = github.Github(args.token)
 llvm_org = gh.get_organization("llvm")
 llvm_repo = llvm_org.get_repo("llvm-project")
-if not args.user_token:
-    args.user_token = args.token
 
 if args.user:
+    if not args.user_token:
+        print("--user-token option required when --user is used")
+        sys.exit(1)
     # Validate that this user is allowed to modify releases.
     user = gh.get_user(args.user)
     team = github.Github(args.user_token).get_organization("llvm").get_team_by_slug("llvm-release-managers")
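Review bot: The new validation message is written to stdout with a bare `print` before `sys.exit(1)`, so in the workflow log it is indistinguishable from normal output and any caller capturing stdout will swallow it; argparse already has the idiom for this, `parser.error("--user-token is required when --user is used")`, which prints the usage line plus the message to stderr and exits with status 2. If the exit code 1 matters to the caller, `print("--user-token option required when --user is used", file=sys.stderr)` keeps it. Note also that the authorization check as a whole still only runs when `--user` is given (the `if args.user:` context line), so omitting `--user` skips the team-membership test entirely; that is pre-existing behaviour, but a one-line comment above the `if` saying the workflow is expected to always pass `--user` would make the intent explicit.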

>From ac2360fbd5122a0377741cbc09057e0d89e355bd Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Fri, 16 Feb 2024 16:01:26 +0000
Subject: [PATCH 3/3] Fix formatting

---
 llvm/utils/release/github-upload-release.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/llvm/utils/release/github-upload-release.py b/llvm/utils/release/github-upload-release.py
index 41cfdaf11d6203..14ec05062d88c8 100755
--- a/llvm/utils/release/github-upload-release.py
+++ b/llvm/utils/release/github-upload-release.py
@@ -94,7 +94,11 @@ def upload_files(repo, release, files):
         sys.exit(1)
     # Validate that this user is allowed to modify releases.
     user = gh.get_user(args.user)
-    team = github.Github(args.user_token).get_organization("llvm").get_team_by_slug("llvm-release-managers")
+    team = (
+        github.Github(args.user_token)
+        .get_organization("llvm")
+        .get_team_by_slug("llvm-release-managers")
+    )
     if not team.has_in_members(user):
         print("User {} is not a allowed to modify releases".format(args.user))
         sys.exit(1)


