[llvm] workflows/release-binaries: Replace some workflow interpolations with env vars (PR #120860)
Tom Stellard via llvm-commits
llvm-commits at lists.llvm.org
Sat Dec 21 15:42:32 PST 2024
https://github.com/tstellar created https://github.com/llvm/llvm-project/pull/120860
This is recommended by the GitHub Actions security hardening guide: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
>From b8c364c9fbcd2f76fb43ca0ba4e1ba1b2accda05 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Sat, 21 Dec 2024 15:40:01 -0800
Subject: [PATCH] workflows/release-binaries: Replace some workflow
interpolations with env vars
This is recommended by the GitHub Actions security hardening guide:
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
---
.github/workflows/release-binaries.yml | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
index 1cde628d3f66c3..fc5431c96bbf0b 100644
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-binaries.yml
@@ -83,7 +83,7 @@ jobs:
USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
shell: bash
run: |
- ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions
+ ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user "$GITHUB_ACTOR" --user-token "$USER_TOKEN" check-permissions
- name: Collect Variables
id: vars
@@ -102,8 +102,8 @@ jobs:
release_version="$trimmed"
ref="llvmorg-$release_version"
else
- release_version="${{ (github.event_name == 'pull_request' && format('PR{0}', github.event.pull_request.number)) || 'CI'}}-${{ github.sha }}"
- ref=${{ github.sha }}
+ release_version="${{ (github.event_name == 'pull_request' && format('PR{0}', github.event.pull_request.number)) || 'CI'}}-$GITHUB_SHA"
+ ref="$GITHUB_SHA"
fi
if [ -n "${{ inputs.upload }}" ]; then
upload="${{ inputs.upload }}"
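Review bot: `${{ inputs.upload }}` on the two lines after `fi` is still expanded into the script text before bash runs, which is the same pattern this patch replaces for `github.sha` and `runner.os`. Passing it through the step's `env:` block under a name such as `INPUTS_UPLOAD: ${{ inputs.upload }}`, then testing `if [ -n "$INPUTS_UPLOAD" ]; then` and assigning `upload="$INPUTS_UPLOAD"`, would keep the value as data rather than script. The remaining `format('PR{0}', github.event.pull_request.number)` expression appears to yield only a PR number or the literal `CI`, so it looks low risk, though moving it to `env:` as well would make the step uniform. The step's `env:` block and the end of this `if` are outside the hunk.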
@@ -114,20 +114,20 @@ jobs:
echo "ref=$ref" >> $GITHUB_OUTPUT
echo "upload=$upload" >> $GITHUB_OUTPUT
- release_binary_basename="LLVM-$release_version-${{ runner.os }}-${{ runner.arch }}"
+ release_binary_basename="LLVM-$release_version-$RUNNER_OS-$RUNNER_ARCH"
echo "release-binary-basename=$release_binary_basename" >> $GITHUB_OUTPUT
echo "release-binary-filename=$release_binary_basename.tar.xz" >> $GITHUB_OUTPUT
# Detect necessary CMake flags
- target="${{ runner.os }}-${{ runner.arch }}"
+ target="$RUNNER_OS-$RUNNER_ARCH"
echo "enable-pgo=false" >> $GITHUB_OUTPUT
target_cmake_flags="-DLLVM_RELEASE_ENABLE_PGO=OFF"
# The macOS builds try to cross compile some libraries so we need to
# add extra CMake args to disable them.
# See https://github.com/llvm/llvm-project/issues/99767
- if [ "${{ runner.os }}" = "macOS" ]; then
+ if [ "$RUNNER_OS" = "macOS" ]; then
target_cmake_flags="$target_cmake_flags -DBOOTSTRAP_COMPILER_RT_ENABLE_IOS=OFF"
- if [ "${{ runner.arch }}" = "ARM64" ]; then
+ if [ "$RUNNER_ARCH" = "ARM64" ]; then
arches=arm64
else
arches=x86_64
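Review bot: The `echo "upload=$upload" >> $GITHUB_OUTPUT` line writes a value that the previous hunk takes from `inputs.upload`, and the `key=value` form of `$GITHUB_OUTPUT` is line-based, so if that input is a free-form string, a value containing a newline would be read as additional outputs. Checking `upload` against the values the workflow expects before writing it would close that off; whether `ref` needs the same check depends on where `$trimmed` comes from, which is not visible here. Separately, the redirect target is unquoted throughout, and `>> "$GITHUB_OUTPUT"` is the safer form. The run script starts and ends outside the hunk.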
@@ -137,7 +137,7 @@ jobs:
build_flang="true"
- if [ "${{ runner.os }}" = "Windows" ]; then
+ if [ "$RUNNER_OS" = "Windows" ]; then
# The build times out on Windows, so we need to disable LTO.
target_cmake_flags="$target_cmake_flags -DLLVM_RELEASE_ENABLE_LTO=OFF"
fi