This is needed for #187905. Unless we disable the check, Zizmor will flag uses of `actions/checkout` without an explicit `persist-credentials` setting. Of course, some workflows could rely on the credentials persisted by `actions/checkout`. I asked Claude to check each affected job, and it flagged only `prune-branches.yml`. The script `prune-unused-branches.py` relies on the persisted credentials, so I've left that as `persist-credentials: true` for now.
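# Runs .github/workflows/version-check.py against the version numbers found in
# cmake/Modules/LLVMVersion.cmake, for pushes to and pull requests targeting
# release/** branches.
name: LLVM Project Version Check

on:
  push:
    branches:
      - 'release/**'
  # pull_request (not pull_request_target): the job checks out and runs code
  # from the pull request itself, which is why the token below is read-only
  # and is not left behind in the checkout.
  pull_request:
    branches:
      - 'release/**'

# Workflow-wide token scope: read access to repository contents only.
permissions:
  contents: read

jobs:
  version_check:
    # Skip the job in repositories that are not owned by the llvm organisation.
    if: github.repository_owner == 'llvm'
    runs-on: ubuntu-24.04
    steps:
      - name: Fetch LLVM sources
        # Pinned to a full commit SHA; the trailing comment records the tag.
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # Do not store the workflow token in the checkout's git config, so
          # the later steps cannot pick it up from disk.
          # NOTE(review): version-check.py is not shown here; confirm it needs
          # no authenticated git access.
          persist-credentials: false
          # 0 = fetch the complete history rather than a shallow clone.
          fetch-depth: 0

      - name: Install dependencies
        # --require-hashes makes pip reject any package whose hash is not
        # pinned in the requirements file.
        run: |
          pip install --require-hashes -r ./llvm/utils/git/requirements.txt

      - name: Version Check
        # Collects the numbers following LLVM_VERSION_MAJOR/MINOR/PATCH, joins
        # them with dots, strips the trailing dot and hands the result to the
        # check script.
        run: |
          # The default run shell is started without pipefail; enable it so a
          # failed grep (missing file, no match) fails the step instead of
          # passing an empty version to the script.
          set -o pipefail
          version=$(grep -o 'LLVM_VERSION_\(MAJOR\|MINOR\|PATCH\) [0-9]\+' cmake/Modules/LLVMVersion.cmake | cut -d ' ' -f 2 | tr "\n" "." | sed 's/.$//g')
          .github/workflows/version-check.py "$version"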