shylie/llvm-project
1
0
Fork 0
Code Issues Pull Requests Actions 6 Packages Projects Releases Wiki Activity
llvm-project/.github/workflows/commit-access-review.yml
Tom Stellard fbf5bac107
workflows/commit-access-review: Use a GitHub App access token instead of llvmbot (#179364) 
This replaces the use of an access token associated with the llvmbot
account with one that is generated by a GitHub App. This is slightly
better, because it eliminates the need to periodically rotate the
llvmbot tokens, which is difficult to do, since it requires sharing a
password and 2fa code among all the admins.

The tokens generated by the app automatically expire after an hour, and
the private key that is used to request it can be easily rotated by an
LLVM Organization owner. Also, since a single private key can be used to
generate many tokens, there is only one secret to rotate instead of
many.
2026-02-13 11:34:30 -08:00

54 lines
1.7 KiB
YAML
Raw Blame History

name: Commit Access Review
on:
workflow_dispatch:
schedule:
# * is a special character in YAML so you have to quote this string
- cron: '0 7 1 * *'
permissions:
contents: read
issues: write
jobs:
commit-access-review:
if: github.repository_owner == 'llvm'
environment: main-branch-only
runs-on: ubuntu-24.04
steps:
- name: Fetch LLVM sources
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Install dependencies
run: |
pip install --require-hashes -r ./llvm/utils/git/requirements.txt
- id: app-token
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
with:
app-id: ${{ secrets.LLVM_TOKEN_GENERATOR_CLIENT_ID }}
private-key: ${{ secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
permission-members: read
permission-contents: read
- name: Run Script
env:
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
python3 .github/workflows/commit-access-review.py $GITHUB_TOKEN
- name: Upload Triage List
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: triagers
path: triagers.log
- name: Create the issue
env:
GITHUB_TOKEN: ${{ github.token }}
run: |
# There is a limit to the number of mentions you can have in one comment, so
# we need to limit the number of users we mention.
cat triagers.log | head -n 25 | python3 .github/workflows/commit-create-issue.py $GITHUB_TOKEN
Reference in New Issue View Git Blame Copy Permalink