[llvm] [GitHub] Make release audit more strict for LLVM 19, 20 and beyond (PR #125841)

David Spickett via llvm-commits llvm-commits at lists.llvm.org
Thu Feb 13 03:58:44 PST 2025


https://github.com/DavidSpickett updated https://github.com/llvm/llvm-project/pull/125841

>From 3ae7da5a33c530bce4d32e6dae1b3e5b163df8e5 Mon Sep 17 00:00:00 2001
From: David Spickett <david.spickett at linaro.org>
Date: Wed, 5 Feb 2025 11:17:26 +0000
Subject: [PATCH] [GitHub] Make release aduit more strict for LLVM 19 and
 beyond

Before 19, we had releases from release managers, the bot,
and community members.

19 started to restrict this, with only select community members
uploading releases.

>From 20, only release managers and the bot should be uploading
releases.

The lists of users are written out each time to make modifying
this easier.

If we cannot parse the release number, I've made it raise an issue
saying so, since this may also be a sign of a malicious action.
---
 .github/workflows/release-asset-audit.py | 99 +++++++++++++++++-------
 1 file changed, 72 insertions(+), 27 deletions(-)

diff --git a/.github/workflows/release-asset-audit.py b/.github/workflows/release-asset-audit.py
index cf6ad7fbbe143..97442e6e7bd0a 100644
--- a/.github/workflows/release-asset-audit.py
+++ b/.github/workflows/release-asset-audit.py
@@ -1,4 +1,5 @@
 import github
+import re
 import sys
 
 _SPECIAL_CASE_BINARIES = {
@@ -16,38 +17,82 @@ def _is_valid(uploader_name, valid_uploaders, asset_name):
     return False
 
 
+def _get_uploaders(release_version):
+    # Until llvm 18, assets were uploaded by community members, the release managers
+    # and the GitHub Actions bot.
+    if release_version <= 18:
+        return set(
+            [
+                "DimitryAndric",
+                "stefanp-ibm",
+                "lei137",
+                "omjavaid",
+                "nicolerabjohn",
+                "amy-kwan",
+                "mandlebug",
+                "zmodem",
+                "androm3da",
+                "tru",
+                "rovka",
+                "rorth",
+                "quinnlp",
+                "kamaub",
+                "abrisco",
+                "jakeegan",
+                "maryammo",
+                "tstellar",
+                "github-actions[bot]",
+            ]
+        )
+    # llvm 19 and beyond, only the release managers, bot and a much smaller
+    # number of community members.
+    elif release_version == 19:
+        return set(
+            [
+                "zmodem",
+                "omjavaid",
+                "tru",
+                "tstellar",
+                "github-actions[bot]",
+            ]
+        )
+    else:
+        return set(
+            [
+                "zmodem",
+                "tru",
+                "tstellar",
+                "github-actions[bot]",
+            ]
+        )
+
+
+def _get_major_release_version(release_title):
+    # All release titles are of the form "LLVM X.Y.Z(-rcN)".
+    match = re.match("LLVM ([0-9]+)\.", release_title)
+    if match is None:
+        _write_comment_and_exit_with_error(
+            f'Could not parse release version from release title "{release_title}".'
+        )
+    else:
+        return int(match.groups()[0])
+
+
+def _write_comment_and_exit_with_error(comment):
+    with open("comment", "w") as file:
+        file.write(comment)
+    sys.exit(1)
+
+
 def main():
     token = sys.argv[1]
 
     gh = github.Github(login_or_token=token)
     repo = gh.get_repo("llvm/llvm-project")
 
-    uploaders = set(
-        [
-            "DimitryAndric",
-            "stefanp-ibm",
-            "lei137",
-            "omjavaid",
-            "nicolerabjohn",
-            "amy-kwan",
-            "mandlebug",
-            "zmodem",
-            "androm3da",
-            "tru",
-            "rovka",
-            "rorth",
-            "quinnlp",
-            "kamaub",
-            "abrisco",
-            "jakeegan",
-            "maryammo",
-            "tstellar",
-            "github-actions[bot]",
-        ]
-    )
-
     for release in repo.get_releases():
         print("Release:", release.title)
+        uploaders = _get_uploaders(_get_major_release_version(release.title))
         for asset in release.get_assets():
             created_at = asset.created_at
             updated_at = (
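Review bot: The pattern on the `re.match` line in `_get_major_release_version` is a plain string containing `\.`, an invalid escape sequence that newer CPython releases report as a SyntaxWarning; it should be a raw string, `match = re.match(r"LLVM ([0-9]+)\.", release_title)`, and `int(match.group(1))` reads more directly than `match.groups()[0]`. Since the comment above it documents the full form "LLVM X.Y.Z(-rcN)" and the aim of the change is a stricter audit, `re.fullmatch` against that whole form would also reject titles that merely start with a version, provided every existing release title really follows it. Note that the allow-list is chosen purely from the release title text, so how strict the check is depends on how a release was named; cross-checking the parsed major version against `release.tag_name` would make that selection harder to get wrong. The three `set([...])` calls in `_get_uploaders` can be written as set literals `{...}`.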
@@ -57,9 +102,9 @@ def main():
                 f"{asset.name} : {asset.uploader.login} [{created_at} {updated_at}] ( {asset.download_count} )"
             )
             if not _is_valid(asset.uploader.login, uploaders, asset.name):
-                with open('comment', 'w') as file:
-                    file.write(f'@{asset.uploader.login} is not a valid uploader.')
-                sys.exit(1)
+                _write_comment_and_exit_with_error(
+                    f"@{asset.uploader.login} is not a valid uploader."
+                )
 
 
 if __name__ == "__main__":
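Review bot: `_write_comment_and_exit_with_error` terminates on the first invalid asset, so each run of the audit reports at most one offending upload and any further ones, in the same or a later release, are only surfaced by subsequent runs. Collecting the offending uploader/asset pairs during the loop and writing a single comment listing all of them before exiting would give a complete picture of every release in one run. The `main` function starts outside this hunk, so the loop header shown below is for placement only.
```python
invalid = []
for release in repo.get_releases():
    # … unchanged: version lookup and asset listing …
        if not _is_valid(asset.uploader.login, uploaders, asset.name):
            invalid.append(f"@{asset.uploader.login} uploaded {asset.name} to {release.title}")
if invalid:
    _write_comment_and_exit_with_error(
        "The following uploads are not from valid uploaders:\n" + "\n".join(invalid)
    )
```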


