Commit

[workflows] Fix permissions check for creating new releases (llvm#81163)
The default GitHub token does not have read permissions on the org, so
we need to use a custom token in order to read the members of the
llvm-release-managers team.
tstellar authored Feb 21, 2024
1 parent b9a071d commit 2836d8e
Showing 2 changed files with 15 additions and 5 deletions.
4 changes: 3 additions & 1 deletion .github/workflows/release-tasks.yml
Expand Up @@ -28,6 +28,7 @@ jobs:
name: Create a New Release
runs-on: ubuntu-latest
needs: validate-tag

steps:
- name: Install Dependencies
run: |
Expand All @@ -40,8 +41,9 @@ jobs:
- name: Create Release
env:
GITHUB_TOKEN: ${{ github.token }}
USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
run: |
./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --release ${{ needs.validate-tag.outputs.release-version }} --user ${{ github.actor }} create
./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --release ${{ needs.validate-tag.outputs.release-version }} --user ${{ github.actor }} --user-token "$USER_TOKEN" create
release-documentation:
name: Build and Upload Release Documentation
needs:
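
Review bot: On the new `run:` line, `${{ github.actor }}` and `${{ needs.validate-tag.outputs.release-version }}` are still expanded into the script text before the shell runs, while both tokens go through `env:` and are referenced as quoted variables ("$GITHUB_TOKEN", "$USER_TOKEN"). Consider passing those two values through `env:` as well and referencing them as quoted shell variables, so every argument to github-upload-release.py is handled the same way. A short comment next to `USER_TOKEN` saying that RELEASE_TASKS_USER_TOKEN is only used to read the members of the llvm-release-managers team would also help whoever rotates the secret keep its permissions minimal.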
16 changes: 12 additions & 4 deletions llvm/utils/release/github-upload-release.py
Expand Up @@ -77,20 +77,28 @@ def upload_files(repo, release, files):
parser.add_argument("--token", type=str)
parser.add_argument("--release", type=str)
parser.add_argument("--user", type=str)
parser.add_argument("--user-token", type=str)

# Upload args
parser.add_argument("--files", nargs="+", type=str)

args = parser.parse_args()

github = github.Github(args.token)
llvm_org = github.get_organization("llvm")
gh = github.Github(args.token)
llvm_org = gh.get_organization("llvm")
llvm_repo = llvm_org.get_repo("llvm-project")

if args.user:
if not args.user_token:
print("--user-token option required when --user is used")
sys.exit(1)
# Validate that this user is allowed to modify releases.
user = github.get_user(args.user)
team = llvm_org.get_team_by_slug("llvm-release-managers")
user = gh.get_user(args.user)
team = (
github.Github(args.user_token)
.get_organization("llvm")
.get_team_by_slug("llvm-release-managers")
)
if not team.has_in_members(user):
print("User {} is not a allowed to modify releases".format(args.user))
sys.exit(1)
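
Review bot: `parser.add_argument("--user-token", type=str)` has no `help=` text, and the block that builds a second `github.Github(args.user_token)` client has no comment saying why the team lookup cannot use `args.token`. The reason is only in the commit message (the default token cannot read the org); put it in a comment above the `team = (` assignment and in the argument's help string, including the permission the token needs. Since `--user` without `--user-token` now exits with status 1, any other caller that passes `--user` has to be updated too; this commit only changes the `create` step in release-tasks.yml.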
