workflows/release-binaries: Replace some workflow interpolations with env vars (#120860)

This is recommended by the GitHub Actions security hardening guide: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
2025-01-03 15:08:40 -08:00 · 2025-01-03 15:08:40 -08:00 · dfa4312c9b
commit dfa4312c9b
parent 06cf4f9704
1 changed files with 8 additions and 8 deletions
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-binaries.yml
@ -83,7 +83,7 @@ jobs:
        USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
      shell: bash
      run: |
-        ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions
+        ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user "$GITHUB_ACTOR" --user-token "$USER_TOKEN" check-permissions

    - name: Collect Variables
      id: vars
@ -102,8 +102,8 @@ jobs:
          release_version="$trimmed"
          ref="llvmorg-$release_version"
        else
-          release_version="${{ (github.event_name == 'pull_request' && format('PR{0}', github.event.pull_request.number)) || 'CI'}}-${{ github.sha }}"
-          ref=${{ github.sha }}
+          release_version="${{ (github.event_name == 'pull_request' && format('PR{0}', github.event.pull_request.number)) || 'CI'}}-$GITHUB_SHA"
+          ref="$GITHUB_SHA"
        fi
        if [ -n "${{ inputs.upload }}" ]; then
          upload="${{ inputs.upload }}"
@ -114,20 +114,20 @@ jobs:
        echo "ref=$ref" >> $GITHUB_OUTPUT
        echo "upload=$upload" >> $GITHUB_OUTPUT

-        release_binary_basename="LLVM-$release_version-${{ runner.os }}-${{ runner.arch }}"
+        release_binary_basename="LLVM-$release_version-$RUNNER_OS-$RUNNER_ARCH"
        echo "release-binary-basename=$release_binary_basename" >> $GITHUB_OUTPUT
        echo "release-binary-filename=$release_binary_basename.tar.xz" >> $GITHUB_OUTPUT

        # Detect necessary CMake flags
-        target="${{ runner.os }}-${{ runner.arch }}"
+        target="$RUNNER_OS-$RUNNER_ARCH"
        echo "enable-pgo=false" >> $GITHUB_OUTPUT
        target_cmake_flags="-DLLVM_RELEASE_ENABLE_PGO=OFF"
        # The macOS builds try to cross compile some libraries so we need to
        # add extra CMake args to disable them.
        # See https://github.com/llvm/llvm-project/issues/99767
-        if [ "${{ runner.os }}" = "macOS" ]; then
+        if [ "$RUNNER_OS" = "macOS" ]; then
          target_cmake_flags="$target_cmake_flags -DBOOTSTRAP_COMPILER_RT_ENABLE_IOS=OFF"
-          if [ "${{ runner.arch }}" = "ARM64" ]; then
+          if [ "$RUNNER_ARCH" = "ARM64" ]; then
            arches=arm64
          else
            arches=x86_64
@ -137,7 +137,7 @@ jobs:

        build_flang="true"

-        if [ "${{ runner.os }}" = "Windows" ]; then
+        if [ "$RUNNER_OS" = "Windows" ]; then
          # The build times out on Windows, so we need to disable LTO.
          target_cmake_flags="$target_cmake_flags -DLLVM_RELEASE_ENABLE_LTO=OFF"
        fi