https://github.com/llvmbot created 
https://github.com/llvm/llvm-project/pull/180653

Backport 48dffbc654f2a606025f4b14c9b789c99f8188ae

Requested by: @tstellar

>From 045f6c7417f924fff240579d056d99beabeb249f Mon Sep 17 00:00:00 2001
From: Tom Stellard <[email protected]>
Date: Mon, 9 Feb 2026 16:37:51 -0800
Subject: [PATCH] workflows/release-task: Use less privileged token for
 uploading release notes (#180299) (#180650)

We were using one token for both pushing to the llvmbot fork and for
creating a pull request against the www-releases repository. Since the
fork and the repository have different owners, we were using a classic
access token which has very coarse-grained permissions. By using two
separate tokens, we limit the permissions to just what we need to do the
task.

This is a re-commit of b6ee085068972a41f3b2735a9f7e3ca48eab0f00 minus
the environment changes which were causing the workflow to fail.

(cherry picked from commit 48dffbc654f2a606025f4b14c9b789c99f8188ae)
---
 .github/workflows/release-documentation.yml | 6 +++++-
 .github/workflows/release-tasks.yml         | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-documentation.yml 
b/.github/workflows/release-documentation.yml
index 89edca334aa9d..1d5d1f6bc03fa 100644
--- a/.github/workflows/release-documentation.yml
+++ b/.github/workflows/release-documentation.yml
@@ -26,6 +26,9 @@ on:
         required: false
         type: boolean
     secrets:
+      LLVMBOT_WWW_RELEASES_PUSH:
+        description: "Secret used to push changes to llvmbot www-releases 
fork."
+        required: false
       WWW_RELEASES_TOKEN:
         description: "Secret used to create a PR with the documentation 
changes."
         required: false
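
Review bot: The new `LLVMBOT_WWW_RELEASES_PUSH` secret is declared `required: false`, so a caller that omits it still starts the workflow and the omission only surfaces later as an authentication failure. If every uploading caller is expected to pass it, consider checking for an empty value at the start of the upload step. The description could also state the access the token is expected to have (push to the llvmbot www-releases fork only), since narrowing that access is the stated purpose of the change.
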
@@ -81,6 +84,7 @@ jobs:
       - name: Upload Release Notes
         if: env.upload
         env:
+          PUSH_TOKEN: ${{ secrets.LLVMBOT_WWW_RELEASES_PUSH }}
           GH_TOKEN: ${{ secrets.WWW_RELEASES_TOKEN }}
         run: |
           mkdir -p www-releases/${{ inputs.release-version }}
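
Review bot: `PUSH_TOKEN` and `GH_TOKEN` are both set in the `env:` of the same "Upload Release Notes" step, so every command in that `run:` script can read both credentials. Splitting the step in two, one that sets only `PUSH_TOKEN` for the `git push` and one that sets only `GH_TOKEN` for `gh pr create`, would scope each token to the single command that needs it.
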
@@ -91,5 +95,5 @@ jobs:
           git config user.email "[email protected]"
           git config user.name "llvmbot"
           git commit -a -m "Add ${{ inputs.release-version }} documentation"
-          git push --force  
"https://[email protected]/llvmbot/www-releases.git"; HEAD:refs/heads/${{ 
inputs.release-version }}
+          git push --force  
"https://[email protected]/llvmbot/www-releases.git"; HEAD:refs/heads/${{ 
inputs.release-version }}
           gh pr create -f -B main -H llvmbot:${{ inputs.release-version }}
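
Review bot: On the `git push --force` line and on the `gh pr create` line below it, `${{ inputs.release-version }}` is expanded into the script text before the shell runs, in the same script that handles the push credential. Passing the input through the step's `env:` (for example as `RELEASE_VERSION`) and referencing it as a quoted shell variable keeps the value from being interpreted by the shell.
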
diff --git a/.github/workflows/release-tasks.yml 
b/.github/workflows/release-tasks.yml
index 3648e1463e1e0..ce44311507a83 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -56,6 +56,7 @@ jobs:
       upload: true
     # Called workflows don't have access to secrets by default, so we need to 
explicitly pass secrets that we use.
     secrets:
+      LLVMBOT_WWW_RELEASES_PUSH: ${{ secrets.LLVMBOT_WWW_RELEASES_PUSH }}
       WWW_RELEASES_TOKEN: ${{ secrets.WWW_RELEASES_TOKEN }}
 
   release-doxygen:
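
Review bot: The added `LLVMBOT_WWW_RELEASES_PUSH: ${{ secrets.LLVMBOT_WWW_RELEASES_PUSH }}` line reads the secret in the calling job, so it has to be resolvable there for the called workflow to receive a non-empty value. The commit message says the earlier version was re-committed without its environment changes, so please confirm the secret is defined where this caller can read it before the backport lands on the release branch.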

_______________________________________________
llvm-branch-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-branch-commits
