bd46a7d172
This is needed for #187905. Unless we disable the check, Zizmor will flag uses of `actions/checkout` without an explicit `persist-credentials` setting. Of course, some workflows could rely on the credentials persisted by `actions/checkout`. I asked Claude to check each affected job, and it flagged only `prune-branches.yml`. The script `prune-unused-branches.py` relies on the persisted credentials, so I've left that as `persist-credentials: true` for now.
103 lines
3.3 KiB
YAML
103 lines
3.3 KiB
YAML
name: Release Documentation
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
release-version:
|
|
description: 'Release Version'
|
|
required: true
|
|
type: string
|
|
upload:
|
|
description: 'Upload documentation'
|
|
required: false
|
|
type: boolean
|
|
|
|
workflow_call:
|
|
inputs:
|
|
release-version:
|
|
description: 'Release Version'
|
|
required: true
|
|
type: string
|
|
upload:
|
|
description: 'Upload documentation'
|
|
required: false
|
|
type: boolean
|
|
secrets:
|
|
LLVMBOT_WWW_RELEASES_PUSH:
|
|
description: "Secret used to push changes to llvmbot www-releases fork."
|
|
required: false
|
|
WWW_RELEASES_TOKEN:
|
|
description: "Secret used to create a PR with the documentation changes."
|
|
required: false
|
|
|
|
jobs:
|
|
release-documentation:
|
|
name: Build and Upload Release Documentation
|
|
environment: release
|
|
runs-on: ubuntu-24.04
|
|
env:
|
|
upload: ${{ inputs.upload && !contains(inputs.release-version, 'rc') }}
|
|
steps:
|
|
- name: Checkout LLVM
|
|
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Setup Python env
|
|
uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
|
|
with:
|
|
cache: 'pip'
|
|
cache-dependency-path: './llvm/docs/requirements.txt'
|
|
|
|
- name: Install Dependencies
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y \
|
|
graphviz \
|
|
python3-github \
|
|
ninja-build \
|
|
texlive-font-utils
|
|
pip3 install --user -r ./llvm/docs/requirements.txt
|
|
|
|
- name: Build Documentation
|
|
env:
|
|
GITHUB_TOKEN: ${{ github.token }}
|
|
run: |
|
|
./llvm/utils/release/build-docs.sh -release "${{ inputs.release-version }}" -no-doxygen
|
|
|
|
- name: Create Release Notes Artifact
|
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # 7.0.0
|
|
with:
|
|
name: release-notes
|
|
path: docs-build/html-export/
|
|
|
|
- name: Clone www-releases
|
|
if: env.upload
|
|
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
|
with:
|
|
repository: ${{ github.repository_owner }}/www-releases
|
|
ref: main
|
|
fetch-depth: 0
|
|
path: www-releases
|
|
persist-credentials: false
|
|
|
|
- name: Upload Release Notes
|
|
if: env.upload
|
|
env:
|
|
PUSH_TOKEN: ${{ secrets.LLVMBOT_WWW_RELEASES_PUSH }}
|
|
GH_TOKEN: ${{ secrets.WWW_RELEASES_TOKEN }}
|
|
run: |
|
|
mkdir -p www-releases/${{ inputs.release-version }}
|
|
mv ./docs-build/html-export/* www-releases/${{ inputs.release-version }}
|
|
cd www-releases
|
|
git checkout -b ${{ inputs.release-version }}
|
|
git add ${{ inputs.release-version }}
|
|
git config user.email "llvmbot@llvm.org"
|
|
git config user.name "llvmbot"
|
|
git commit -a -m "Add ${{ inputs.release-version }} documentation"
|
|
git push --force "https://$PUSH_TOKEN@github.com/llvmbot/www-releases.git" HEAD:refs/heads/${{ inputs.release-version }}
|
|
gh pr create -f -B main -H llvmbot:${{ inputs.release-version }}
|