[llvm] workflows/release-tasks: Pass required secrets to all called workflows (PR #106286)

Tom Stellard via llvm-commits llvm-commits at lists.llvm.org
Tue Aug 27 14:30:53 PDT 2024


https://github.com/tstellar updated https://github.com/llvm/llvm-project/pull/106286

>From 6c7675d17ae86b1d86d6c2a360b75787d9d32db1 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Tue, 27 Aug 2024 13:49:04 -0700
Subject: [PATCH 1/3] workflows/release-tasks: Pass required secrets to
 release-binaries workflow

Called workflows don't have access to secrets by default, so we need
to explicitly pass secrets that we need to use.
---
 .github/workflows/release-tasks.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index cf42730aaf8170..a6c21193a86df9 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -97,6 +97,11 @@ jobs:
       release-version: ${{ needs.validate-tag.outputs.release-version }}
       upload: true
       runs-on: ${{ matrix.runs-on }}
+    secrets:
+      # This will be empty for pull_request events, but that's fine, because
+      # the release-binaries workflow does not use this secret for the
+      # pull_request event.
+      RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
 
   release-sources:
     name: Package Release Sources

>From ad666aac5bfb5d756907f72ea7549e6e2913d00b Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Tue, 27 Aug 2024 14:25:54 -0700
Subject: [PATCH 2/3] Fix secret passing for other jobs

---
 .github/workflows/release-doxygen.yml | 7 ++++++-
 .github/workflows/release-lit.yml     | 7 ++++++-
 .github/workflows/release-sources.yml | 4 ++++
 .github/workflows/release-tasks.yml   | 9 ++++++---
 4 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release-doxygen.yml b/.github/workflows/release-doxygen.yml
index ef00a438ce7ac4..ea95e5bb12b2b8 100644
--- a/.github/workflows/release-doxygen.yml
+++ b/.github/workflows/release-doxygen.yml
@@ -25,6 +25,10 @@ on:
         description: 'Upload documentation'
         required: false
         type: boolean
+    secrets:
+      RELEASE_TASKS_USER_TOKEN:
+        description: "Secret used to check user permissions."
+        required: false
 
 jobs:
   release-doxygen:
@@ -63,5 +67,6 @@ jobs:
         if: env.upload
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
         run: |
-          ./llvm/utils/release/github-upload-release.py --token "$GITHUB_TOKEN" --release "${{ inputs.release-version }}" --user "${{ github.actor }}" upload --files ./*doxygen*.tar.xz
+          ./llvm/utils/release/github-upload-release.py --token "$GITHUB_TOKEN" --release "${{ inputs.release-version }}" --user "${{ github.actor }}" --user-token "$USER_TOKEN" upload --files ./*doxygen*.tar.xz
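Review bot: The new `--user-token "$USER_TOKEN"` argument is passed unconditionally, yet the secret is declared `required: false` in the hunk above and is empty whenever a caller does not supply it (the release-binaries comment earlier in this series names pull_request runs as one such case), so the script receives an empty string rather than no flag at all; unless github-upload-release.py is known to treat an empty `--user-token` as absent, guard it in the shell with `${USER_TOKEN:+--user-token "$USER_TOKEN"}`. The same applies to the Check Permissions step in the release-lit.yml hunk below, which has no `if:` guard visible here and so runs on every event. While here, the command still interpolates `${{ inputs.release-version }}` and `${{ github.actor }}` straight into the shell line, whereas both tokens now go through `env:`; routing those two values through `env:` as well would keep the step consistent and avoid expression-to-shell interpolation. The enclosing step and job start outside the hunk.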
diff --git a/.github/workflows/release-lit.yml b/.github/workflows/release-lit.yml
index 0316ba406041d6..9d6f3140e68830 100644
--- a/.github/workflows/release-lit.yml
+++ b/.github/workflows/release-lit.yml
@@ -17,6 +17,10 @@ on:
         description: 'Release Version'
         required: true
         type: string
+    secrets:
+      RELEASE_TASKS_USER_TOKEN:
+        description: "Secret used to check user permissions."
+        required: false
 
 jobs:
   release-lit:
@@ -36,8 +40,9 @@ jobs:
       - name: Check Permissions
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
         run: |
-          ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} check-permissions
+          ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions
 
       - name: Setup Cpp
         uses: aminya/setup-cpp at v1
diff --git a/.github/workflows/release-sources.yml b/.github/workflows/release-sources.yml
index b0c0b652f37585..a6c86823f99df5 100644
--- a/.github/workflows/release-sources.yml
+++ b/.github/workflows/release-sources.yml
@@ -16,6 +16,10 @@ on:
         description: Release Version
         required: true
         type: string
+    secrets:
+      RELEASE_TASKS_USER_TOKEN:
+        description: "Secret used to check user permissions."
+        required: false
   # Run on pull_requests for testing purposes.
   pull_request:
     paths:
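Review bot: This declares RELEASE_TASKS_USER_TOKEN as an input secret of release-sources.yml, but nothing in this patch consumes it there — the diffstat lists only these four added lines for the file and no step is changed to read `secrets.RELEASE_TASKS_USER_TOKEN`. If an existing step already references it, a short comment naming that step on the declaration (`# Consumed by the <step name> upload step.`) would make the intent clear; if not, the release-sources job hunk in release-tasks.yml in this same patch is handing a token to a workflow that does not use it, and both additions could be dropped until there is a consumer. Whether release-sources.yml already uses the secret cannot be determined from this diff.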
diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index a6c21193a86df9..50f3d6740aaecf 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -66,6 +66,8 @@ jobs:
     with:
       release-version: ${{ needs.validate-tag.outputs.release-version }}
       upload: true
+    secrets:
+      RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
 
   release-lit:
     name: Release Lit
@@ -73,6 +75,8 @@ jobs:
     uses: ./.github/workflows/release-lit.yml
     with:
       release-version: ${{ needs.validate-tag.outputs.release-version }}
+    secrets:
+      RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
 
   release-binaries:
     name: Build Release Binaries
@@ -98,9 +102,6 @@ jobs:
       upload: true
       runs-on: ${{ matrix.runs-on }}
     secrets:
-      # This will be empty for pull_request events, but that's fine, because
-      # the release-binaries workflow does not use this secret for the
-      # pull_request event.
       RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
 
   release-sources:
@@ -114,3 +115,5 @@ jobs:
     uses: ./.github/workflows/release-sources.yml
     with:
       release-version: ${{ needs.validate-tag.outputs.release-version }}
+    secrets:
+      RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}

>From a817e0b8ef1a59950b8f7cf6f189b23595ffd3dd Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Tue, 27 Aug 2024 14:30:03 -0700
Subject: [PATCH 3/3] Add comments

---
 .github/workflows/release-tasks.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index 50f3d6740aaecf..780dd0ff6325c9 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -66,6 +66,7 @@ jobs:
     with:
       release-version: ${{ needs.validate-tag.outputs.release-version }}
       upload: true
+    # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
     secrets:
       RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
 
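Review bot: The same long comment is pasted above each of the four `secrets:` blocks in this file (this hunk and the three below it), and each copy exceeds the usual line-length limit. One comment at the first `uses:` job, wrapped, carries the same information without the repetition, e.g. `# Called workflows don't have access to the caller's secrets by default,` / `# so each reusable-workflow job below passes the secrets it needs explicitly.`. If a per-site comment is wanted, it is more useful to say what the secret is for at that call site (the called workflows describe it as used for permission checks) than to repeat the generic rule.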
@@ -75,6 +76,7 @@ jobs:
     uses: ./.github/workflows/release-lit.yml
     with:
       release-version: ${{ needs.validate-tag.outputs.release-version }}
+    # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
     secrets:
       RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
 
@@ -101,6 +103,7 @@ jobs:
       release-version: ${{ needs.validate-tag.outputs.release-version }}
       upload: true
       runs-on: ${{ matrix.runs-on }}
+    # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
     secrets:
       RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
 
@@ -115,5 +118,6 @@ jobs:
     uses: ./.github/workflows/release-sources.yml
     with:
       release-version: ${{ needs.validate-tag.outputs.release-version }}
+    # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
     secrets:
       RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}


