[llvm] Reapply [workflows] Split pr-code-format into two parts to make it more secure (#78215) (PR #80495)
Alexey Bader via llvm-commits
llvm-commits at lists.llvm.org
Thu May 30 11:28:18 PDT 2024
================
@@ -0,0 +1,128 @@
+name: Comment on an issue
+
+on:
+ workflow_run:
+ workflows: ["Check code formatting"]
+ types:
+ - completed
+
+permissions:
+ contents: read
+
+jobs:
+ pr-comment:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ if: >
+ github.event.workflow_run.event == 'pull_request'
+ steps:
+ - name: 'Download artifact'
+ uses: actions/download-artifact at 6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+ with:
+ github-token: ${{ secrets.ISSUE_WRITE_DOWNLOAD_ARTIFACT }}
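Review bot: The `github-token: ${{ secrets.ISSUE_WRITE_DOWNLOAD_ARTIFACT }}` input on the 'Download artifact' step depends on a repository secret that is not documented anywhere in the file. Please add a comment above this step stating which scopes the token needs and why the job's own `GITHUB_TOKEN` is not used, so forks and downstream repositories can tell what to provision and can keep the token as narrow as possible. The job-level `permissions` block grants only `pull-requests: write`, and the secret's name suggests issue-write scope, which is more than an artifact download needs. Consider whether adding `actions: read` to the job permissions and passing `${{ github.token }}` would be enough for the download. That would remove the long-lived secret from a workflow that runs in the privileged `workflow_run` context and handles an artifact produced by a pull request run.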
----------------
bader wrote:
@tstellar, we use the clang-format check in a downstream repository and this split "breaks" some functionality. According to my understanding, we should have the `ISSUE_WRITE_DOWNLOAD_ARTIFACT` secret available to GitHub Actions in our repository in order to have the comment from the clang-format action. Could you clarify what permissions should be granted to the `ISSUE_WRITE_DOWNLOAD_ARTIFACT` secret, please?
BTW, why can't we use the `GITHUB_TOKEN` secret?
https://github.com/llvm/llvm-project/pull/80495