release/19.x: workflows/release-tasks: Pass required secrets to all called workflows (#106286) #106491
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@tru What do you think about merging this PR to the release branch? |
|
@llvm/pr-subscribers-github-workflow Author: None (llvmbot) ChangesBackport 9d81e7e Requested by: @tstellar Full diff: https://github.com/llvm/llvm-project/pull/106491.diff 4 Files Affected:
diff --git a/.github/workflows/release-doxygen.yml b/.github/workflows/release-doxygen.yml
index ef00a438ce7ac4..ea95e5bb12b2b8 100644
--- a/.github/workflows/release-doxygen.yml
+++ b/.github/workflows/release-doxygen.yml
@@ -25,6 +25,10 @@ on:
description: 'Upload documentation'
required: false
type: boolean
+ secrets:
+ RELEASE_TASKS_USER_TOKEN:
+ description: "Secret used to check user permissions."
+ required: false
jobs:
release-doxygen:
@@ -63,5 +67,6 @@ jobs:
if: env.upload
env:
GITHUB_TOKEN: ${{ github.token }}
+ USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
run: |
- ./llvm/utils/release/github-upload-release.py --token "$GITHUB_TOKEN" --release "${{ inputs.release-version }}" --user "${{ github.actor }}" upload --files ./*doxygen*.tar.xz
+ ./llvm/utils/release/github-upload-release.py --token "$GITHUB_TOKEN" --release "${{ inputs.release-version }}" --user "${{ github.actor }}" --user-token "$USER_TOKEN" upload --files ./*doxygen*.tar.xz
diff --git a/.github/workflows/release-lit.yml b/.github/workflows/release-lit.yml
index 0316ba406041d6..9d6f3140e68830 100644
--- a/.github/workflows/release-lit.yml
+++ b/.github/workflows/release-lit.yml
@@ -17,6 +17,10 @@ on:
description: 'Release Version'
required: true
type: string
+ secrets:
+ RELEASE_TASKS_USER_TOKEN:
+ description: "Secret used to check user permissions."
+ required: false
jobs:
release-lit:
@@ -36,8 +40,9 @@ jobs:
- name: Check Permissions
env:
GITHUB_TOKEN: ${{ github.token }}
+ USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
run: |
- ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} check-permissions
+ ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions
- name: Setup Cpp
uses: aminya/setup-cpp@v1
diff --git a/.github/workflows/release-sources.yml b/.github/workflows/release-sources.yml
index 9c5b1a9f017092..edb0449ef7e2c2 100644
--- a/.github/workflows/release-sources.yml
+++ b/.github/workflows/release-sources.yml
@@ -16,6 +16,10 @@ on:
description: Release Version
required: true
type: string
+ secrets:
+ RELEASE_TASKS_USER_TOKEN:
+ description: "Secret used to check user permissions."
+ required: false
# Run on pull_requests for testing purposes.
pull_request:
paths:
diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index cf42730aaf8170..780dd0ff6325c9 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -66,6 +66,9 @@ jobs:
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}
upload: true
+ # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
+ secrets:
+ RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
release-lit:
name: Release Lit
@@ -73,6 +76,9 @@ jobs:
uses: ./.github/workflows/release-lit.yml
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}
+ # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
+ secrets:
+ RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
release-binaries:
name: Build Release Binaries
@@ -97,6 +103,9 @@ jobs:
release-version: ${{ needs.validate-tag.outputs.release-version }}
upload: true
runs-on: ${{ matrix.runs-on }}
+ # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
+ secrets:
+ RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
release-sources:
name: Package Release Sources
@@ -109,3 +118,6 @@ jobs:
uses: ./.github/workflows/release-sources.yml
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}
+ # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
+ secrets:
+ RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
|
tru
approved these changes
Aug 29, 2024
llvm#106286) Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use. (cherry picked from commit 9d81e7e)
|
@tstellar (or anyone else). If you would like to add a note about this fix in the release notes (completely optional). Please reply to this comment with a one or two sentence description of the fix. When you are done, please add the release:note label to this PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport 9d81e7e
Requested by: @tstellar