Unverified Commit 62418bee authored by Tom Stellard's avatar Tom Stellard Committed by GitHub

workflows/release-doxygen: Use app generated token for user validation (#195315)

We are trying to move away from using secrets associated with the
llvmbot account, so this drops another one of its users.
parent 2ffa00fc
+18 −4
@@ -26,14 +26,20 @@ on:
        required: false
        type: boolean
    secrets:
      RELEASE_TASKS_USER_TOKEN:
        description: "Secret used to check user permissions."
        required: false
      LLVM_TOKEN_GENERATOR_CLIENT_ID:
        description: "Client ID for our GitHub App we use for generating access tokens."
        required: true
      LLVM_TOKEN_GENERATOR_PRIVATE_KEY:
        description: "Private key for our GitHub App we use for generating access tokens."
        required: true

jobs:
  release-doxygen:
    name: Build and Upload Release Doxygen
    runs-on: ubuntu-24.04
    environment:
      name: release
      deployment: false
    permissions:
      contents: write
    env:
@@ -65,10 +71,18 @@ jobs:
        run: |
          ./llvm/utils/release/build-docs.sh -release "${{ inputs.release-version }}" -no-sphinx

      - id: app-token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3  # v3.1.1
        with:
          app-id: ${{ secrets.LLVM_TOKEN_GENERATOR_CLIENT_ID }}
          private-key: ${{ secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          permission-members: read

      - name: Upload Doxygen
        if: env.upload
        env:
          GITHUB_TOKEN: ${{ github.token }}
          USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
          USER_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          ./llvm/utils/release/github-upload-release.py --token "$GITHUB_TOKEN" --release "${{ inputs.release-version }}" --user "${{ github.actor }}" --user-token "$USER_TOKEN" upload --files ./*doxygen*.tar.xz
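Review bot: The new `app-token` step has no `if:` condition, so the App private key is read and a token is minted on every run, including runs where `Upload Doxygen` is skipped by `if: env.upload`. Adding `if: env.upload` to the `app-token` step would tie use of the credential to the only step that consumes `steps.app-token.outputs.token`. The two new secrets are declared `required: true`, which presumably forces callers that never upload to pass the private key as well; `required: false`, as on the secret being replaced, may be enough once the step is gated. The `app-id` input is fed a secret named `LLVM_TOKEN_GENERATOR_CLIENT_ID`, so it is worth confirming that the pinned action version accepts a client ID in that input. The job's earlier steps are outside the hunk, so where `env.upload` is set is not visible here.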
+2 −1
@@ -81,7 +81,8 @@ jobs:
      upload: true
    # Called workflows don't have access to secrets by default, so we need to explicitly pass secrets that we use.
    secrets:
      RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
      LLVM_TOKEN_GENERATOR_CLIENT_ID: ${{ secrets.LLVM_TOKEN_GENERATOR_CLIENT_ID }}
      LLVM_TOKEN_GENERATOR_PRIVATE_KEY: ${{ secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY }}

  # The pypi trusted publishing does not support called workflows, so we
  # can't use them here.