This removes one user of the ISSUE_SUBSCRIBER_TOKEN secret, which we want to eventually remove since secrets are more difficult to maintain. This also allows us to scope the token with fewer permissions, since it isn't shared with other workflows.
name: Release Asset Audit
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
release:
|
|
schedule:
|
|
# * is a special character in YAML so you have to quote this string
|
|
# Run once an hour
|
|
- cron: '5 * * * *'
|
|
|
|
pull_request:
|
|
paths:
|
|
- ".github/workflows/release-asset-audit.py"
|
|
- ".github/workflows/release-asset-audit.yml"
|
|
|
|
permissions:
|
|
contents: read # Default everything to read-only
|
|
|
|
jobs:
|
|
audit:
|
|
name: "Release Asset Audit"
|
|
runs-on: ubuntu-24.04
|
|
if: github.repository == 'llvm/llvm-project'
|
|
steps:
|
|
- name: Checkout LLVM
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
sparse-checkout: |
|
|
.github/workflows/release-asset-audit.py
|
|
llvm/utils/git/requirements.txt
|
|
- name: "Run Audit Script"
|
|
env:
|
|
GITHUB_TOKEN: ${{ github.token }}
|
|
run: |
|
|
pip install --require-hashes -r ./llvm/utils/git/requirements.txt
|
|
python3 ./.github/workflows/release-asset-audit.py $GITHUB_TOKEN
|
|
|
|
- name: Upload comment file
|
|
if: failure()
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
|
with:
|
|
name: comment
|
|
path: |
|
|
comment
|
|
|
|
notify-audit-failed:
|
|
name: "Notify Audit Failed"
|
|
environment:
|
|
name: main-branch-only
|
|
deployment: false
|
|
runs-on: ubuntu-24.04
|
|
if: >-
|
|
github.repository == 'llvm/llvm-project' &&
|
|
github.event_name != 'pull_request' &&
|
|
failure()
|
|
needs:
|
|
- audit
|
|
steps:
|
|
- name: Download Comment
|
|
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
|
|
with:
|
|
name: comment
|
|
- id: app-token
|
|
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
|
|
with:
|
|
client-id: ${{ secrets.LLVM_TOKEN_GENERATOR_CLIENT_ID }}
|
|
private-key: ${{ secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY }}
|
|
owner: ${{ github.repository_owner }}
|
|
permission-contents: read
|
|
permission-issues: write
|
|
- name: "File Issue"
|
|
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
|
|
with:
|
|
github-token: ${{ steps.app-token.outputs.token }}
|
|
script: |
|
|
var fs = require('fs');
|
|
var body = ''
|
|
if (fs.existsSync('./comment')) {
|
|
body = fs.readFileSync('./comment') + "\n\n";
|
|
}
|
|
body = body + `\n\nhttps://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`
|
|
|
|
const issue = await github.rest.issues.create({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
title: "Release Asset Audit Failed",
|
|
labels: ['infrastructure'],
|
|
body: body
|
|
});
|
|
console.log(issue);
|
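Review bot: The app token minted in the `app-token` step is not pinned to this repository: `owner: ${{ github.repository_owner }}` is given but `repositories` is not, and create-github-app-token then scopes the token to every repository the app is installed on under that owner, so adding `repositories: ${{ github.event.repository.name }}` would keep the token usable only against llvm-project. The `permission-contents: read` grant also looks wider than the step needs, since the only API call in the "File Issue" script is `github.rest.issues.create`; if the issue body never requires reading repository contents, dropping that line leaves the token at `permission-issues: write` alone, which is the least-privilege goal the commit message describes. The `notify-audit-failed` job does all of its GitHub API work through the app token, so it could additionally declare `permissions: {}` to make the inherited `GITHUB_TOKEN` inert for that job, provided the artifact download still works without it.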