Merge attempt by ./merge_from_main.sh into branch amd-trunk-dev

Author: DominikAdamski

.github/workflows/docs.yml

@@ -23,6 +23,7 @@ on:
       - 'lld/docs/**'
       - 'openmp/docs/**'
       - 'polly/docs/**'
+      - 'flang/docs/**'
   pull_request:
     paths:
       - 'llvm/docs/**'
@@ -35,11 +36,13 @@ on:
       - 'lld/docs/**'
       - 'openmp/docs/**'
       - 'polly/docs/**'
+      - 'flang/docs/**'
 
 jobs:
   check-docs-build:
     name: "Test documentation build"
     runs-on: ubuntu-latest
+    if: github.repository == 'llvm/llvm-project'
     steps:
       # Don't fetch before checking for file changes to force the file changes
       # action to use the Github API in pull requests. If it's a push to a
@@ -75,6 +78,8 @@ jobs:
               - 'openmp/docs/**'
             polly:
               - 'polly/docs/**'
+            flang:
+              - 'flang/docs/**'
       - name: Fetch LLVM sources (PR)
         if: ${{ github.event_name == 'pull_request' }}
         uses: actions/checkout@v4
@@ -143,4 +148,11 @@ jobs:
         run: |
           cmake -B polly-build -GNinja -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_PROJECTS="polly" -DLLVM_ENABLE_SPHINX=ON ./llvm
           TZ=UTC ninja -C polly-build docs-polly-html docs-polly-man
+      - name: Build Flang docs
+        if: steps.docs-changed-subprojects.outputs.flang_any_changed == 'true'
+        # TODO(boomanaiden154): Remove the SPHINX_WARNINGS_AS_ERRORS from the
+        # CMake invocation once the warnings in the flang docs build are fixed.
+        run: |
+          cmake -B flang-build -GNinja -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_PROJECTS="clang;mlir;flang" -DLLVM_ENABLE_SPHINX=ON -DSPHINX_WARNINGS_AS_ERRORS=OFF ./llvm
+          TZ=UTC ninja -C flang-build docs-flang-html docs-flang-man
 

.github/workflows/new-prs.yml

@@ -1,56 +1,36 @@
 name: "Labelling new pull requests"
+
+permissions:
+  contents: read
+
 on:
-  workflow_run:
-    workflows: ["PR Receive"]
+  # It's safe to use pull_request_target here, because we aren't checking out
+  # code from the pull request branch.
+  # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - ready_for_review
+      - synchronize
 
 jobs:
   automate-prs-labels:
     permissions:
-      contents: read
       pull-requests: write
     runs-on: ubuntu-latest
+    # Ignore PRs with more than 10 commits.  Pull requests with a lot of
+    # commits tend to be accidents usually when someone made a mistake while trying
+    # to rebase.  We want to ignore these pull requests to avoid excessive
+    # notifications.
     if: >
       github.repository == 'llvm/llvm-project' &&
-      github.event.workflow_run.event == 'pull_request_target' &&
-      github.event.workflow_run.conclusion == 'success'
+      github.event.pull_request.draft == false &&
+      github.event.pull_request.commits < 10
     steps:
-      # From: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
-      # Updated version here: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow
-      - name: Debug
-        run: |
-          echo "Event: ${{ github.event.workflow_run.event }} Conclusion: ${{ github.event.workflow_run.conclusion }}"
-      - name: 'Download artifact'
-        uses: actions/github-script@v6
-        with:
-          script: |
-            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               run_id: context.payload.workflow_run.id
-            });
-            const matchArtifact = artifacts.data.artifacts.find((artifact) =>
-              artifact.name === 'pr'
-            );
-            const download = await github.rest.actions.downloadArtifact({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               artifact_id: matchArtifact.id,
-               archive_format: 'zip'
-            });
-            const { writeFileSync } = require('node:fs');
-            writeFileSync('${{ github.workspace }}/pr.zip', Buffer.from(download.data));
-
-      - run: unzip pr.zip
-
-      - name: "Get PR Number"
-        id: vars
-        run:
-          echo "pr-number=$(cat NR)" >> "$GITHUB_OUTPUT"
-
       - uses: actions/labeler@v4
         with:
           configuration-path: .github/new-prs-labeler.yml
           # workaround for https://github.com/actions/labeler/issues/112
           sync-labels: ''
           repo-token: ${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}
-          pr-number: ${{ steps.vars.outputs.pr-number }}

.github/workflows/pr-code-format.yml

@@ -6,18 +6,19 @@ permissions:
 jobs:
   code_formatter:
     runs-on: ubuntu-latest
+    if: github.repository == 'llvm/llvm-project'
     steps:
       - name: Fetch LLVM sources
         uses: actions/checkout@v4
         with:
-          fetch-depth: 2
+          fetch-depth: 2 # Fetches only the last 2 commits
 
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v39
         with:
           separator: ","
-          fetch_depth: 100 # Fetches only the last 10 commits
+          fetch_depth: 2000 # Fetches only the last 2000 commits
 
       - name: "Listed files"
         run: |

.github/workflows/pr-receive-label.yml

@@ -1,22 +1,17 @@
 name: PR Subscriber
 
 on:
-  workflow_run:
-    workflows: ["PR Receive Label"]
+  pull_request_target:
     types:
-      - completed
+      - labeled
 
 permissions:
-  actions: read
   contents: read
 
 jobs:
   auto-subscribe:
     runs-on: ubuntu-latest
-    if: >
-      github.repository == 'llvm/llvm-project' &&
-      github.event.workflow_run.event == 'pull_request' &&
-      github.event.workflow_run.conclusion == 'success'
+    if: github.repository == 'llvm/llvm-project'
     steps:
       - name: Setup Automation Script
         run: |
@@ -26,47 +21,10 @@ jobs:
           chmod a+x github-automation.py
           pip install -r requirements.txt
 
-      - name: 'Wait for other actions'
-        # We can't use the concurrency tag for these jobs, because it will
-        # cancel pending jobs if another job is running.
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          python3 pr-subscriber-wait.py
-
-
-      # From: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
-      # Updated version here: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow
-      - name: 'Download artifact'
-        uses: actions/github-script@v6
-        with:
-          script: |
-            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               run_id: context.payload.workflow_run.id
-            });
-            const matchArtifact = artifacts.data.artifacts.find((artifact) =>
-              artifact.name === 'pr'
-            );
-            const download = await github.rest.actions.downloadArtifact({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               artifact_id: matchArtifact.id,
-               archive_format: 'zip'
-            });
-            const { writeFileSync } = require('node:fs');
-            writeFileSync('${{ github.workspace }}/pr.zip', Buffer.from(download.data));
-
-      - run: unzip pr.zip
-
       - name: Update watchers
-        # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
         run: |
-          PR_NUMBER=$(cat NR)
-          LABEL_NAME=$(cat LABEL)
           ./github-automation.py \
             --token '${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}' \
             pr-subscriber \
-            --issue-number "$PR_NUMBER" \
-            --label-name "$LABEL_NAME"
+            --issue-number "${{ github.event.number }}" \
+            --label-name "${{ github.event.label.name }}"

.github/workflows/pr-receive.yml

@@ -0,0 +1,61 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+# Check current LLVM-Project results here: https://securityscorecards.dev/viewer/?uri=github.com/llvm/llvm-project
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '38 20 * * *'
+
+# Declare default permissions as read only.
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write      
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.      
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        with:
+          sarif_file: results.sarif

.github/workflows/pr-subscriber-wait.py

@@ -1,5 +1,7 @@
 # The LLVM Compiler Infrastructure
 
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/llvm/llvm-project/badge)](https://securityscorecards.dev/viewer/?uri=github.com/llvm/llvm-project)
+
 Welcome to the LLVM project!
 
 This repository contains the source code for LLVM, a toolkit for the

.github/workflows/pr-subscriber.yml

@@ -32,7 +32,7 @@ class ReorderFunctions : public BinaryFunctionPass {
     RT_EXEC_COUNT,
     RT_HFSORT,
     RT_HFSORT_PLUS,
-    RT_CDS,
+    RT_CDSORT,
     RT_PETTIS_HANSEN,
     RT_RANDOM,
     RT_USER