[llvm] [GitHub] Make release audit more strict for LLVM 19, 20 and beyond (PR #125841)
via llvm-commits
llvm-commits at lists.llvm.org
Wed Feb 5 07:56:54 PST 2025
llvmbot wrote:
<!--LLVM PR SUMMARY COMMENT-->
@llvm/pr-subscribers-github-workflow
Author: David Spickett (DavidSpickett)
<details>
<summary>Changes</summary>
Before 19, we had releases from release managers, the bot, and community members. 19 started to restrict this, with only select community members uploading releases. From 20, only release managers and the bot should be uploading releases.
The lists of users are written out each time to make modifying this easier.
If we cannot parse the release number, I've made it raise an issue saying so. Since this may also be a sign of a malicious action.
---
Full diff: https://github.com/llvm/llvm-project/pull/125841.diff
1 Files Affected:
- (modified) .github/workflows/release-asset-audit.py (+72-27)
``````````diff
diff --git a/.github/workflows/release-asset-audit.py b/.github/workflows/release-asset-audit.py
index cf6ad7fbbe1435..97442e6e7bd0aa 100644
--- a/.github/workflows/release-asset-audit.py
+++ b/.github/workflows/release-asset-audit.py
@@ -1,4 +1,5 @@
import github
+import re
import sys
_SPECIAL_CASE_BINARIES = {
@@ -16,38 +17,82 @@ def _is_valid(uploader_name, valid_uploaders, asset_name):
return False
+def _get_uploaders(release_version):
+ # Until llvm 18, assets were uploaded by community members, the release managers
+ # and the GitHub Actions bot.
+ if release_version <= 18:
+ return set(
+ [
+ "DimitryAndric",
+ "stefanp-ibm",
+ "lei137",
+ "omjavaid",
+ "nicolerabjohn",
+ "amy-kwan",
+ "mandlebug",
+ "zmodem",
+ "androm3da",
+ "tru",
+ "rovka",
+ "rorth",
+ "quinnlp",
+ "kamaub",
+ "abrisco",
+ "jakeegan",
+ "maryammo",
+ "tstellar",
+ "github-actions[bot]",
+ ]
+ )
+ # llvm 19 and beyond, only the release managers, bot and a much smaller
+ # number of community members.
+ elif release_version == 19:
+ return set(
+ [
+ "zmodem",
+ "omjavaid",
+ "tru",
+ "tstellar",
+ "github-actions[bot]",
+ ]
+ )
+ else:
+ return set(
+ [
+ "zmodem",
+ "tru",
+ "tstellar",
+ "github-actions[bot]",
+ ]
+ )
+
+
+def _get_major_release_version(release_title):
+ # All release titles are of the form "LLVM X.Y.Z(-rcN)".
+ match = re.match("LLVM ([0-9]+)\.", release_title)
+ if match is None:
+ _write_comment_and_exit_with_error(
+ f'Could not parse release version from release title "{release_title}".'
+ )
+ else:
+ return int(match.groups()[0])
+
+
+def _write_comment_and_exit_with_error(comment):
+ with open("comment", "w") as file:
+ file.write(comment)
+ sys.exit(1)
+
+
def main():
token = sys.argv[1]
gh = github.Github(login_or_token=token)
repo = gh.get_repo("llvm/llvm-project")
- uploaders = set(
- [
- "DimitryAndric",
- "stefanp-ibm",
- "lei137",
- "omjavaid",
- "nicolerabjohn",
- "amy-kwan",
- "mandlebug",
- "zmodem",
- "androm3da",
- "tru",
- "rovka",
- "rorth",
- "quinnlp",
- "kamaub",
- "abrisco",
- "jakeegan",
- "maryammo",
- "tstellar",
- "github-actions[bot]",
- ]
- )
-
for release in repo.get_releases():
print("Release:", release.title)
+ uploaders = _get_uploaders(_get_major_release_version(release.title))
for asset in release.get_assets():
created_at = asset.created_at
updated_at = (
@@ -57,9 +102,9 @@ def main():
f"{asset.name} : {asset.uploader.login} [{created_at} {updated_at}] ( {asset.download_count} )"
)
if not _is_valid(asset.uploader.login, uploaders, asset.name):
- with open('comment', 'w') as file:
- file.write(f'@{asset.uploader.login} is not a valid uploader.')
- sys.exit(1)
+ _write_comment_and_exit_with_error(
+ f"@{asset.uploader.login} is not a valid uploader."
+ )
if __name__ == "__main__":
``````````
</details>
https://github.com/llvm/llvm-project/pull/125841
More information about the llvm-commits
mailing list