
Commit 3ae7da5

committed
[GitHub] Make release audit more strict for LLVM 19 and beyond
Before 19, we had releases from release managers, the bot, and community members. 19 started to restrict this, with only select community members uploading releases. From 20, only release managers and the bot should be uploading releases. The lists of users are written out each time to make modifying this easier. If we cannot parse the release number, I've made it raise an issue saying so, since this may also be a sign of a malicious action.
1 parent 7b5e90b commit 3ae7da5

1 file changed

+72
-27
lines changed


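--- a/.github/workflows/release-asset-audit.py
+++ b/.github/workflows/release-asset-audit.py
@@ -1,4 +1,5 @@
 import github
+import re
 import sys
 
 _SPECIAL_CASE_BINARIES = {
@@ -16,38 +17,82 @@ def _is_valid(uploader_name, valid_uploaders, asset_name):
     return False
 
 
+def _get_uploaders(release_version):
+    # Until llvm 18, assets were uploaded by community members, the release managers
+    # and the GitHub Actions bot.
+    if release_version <= 18:
+        return set(
+            [
+                "DimitryAndric",
+                "stefanp-ibm",
+                "lei137",
+                "omjavaid",
+                "nicolerabjohn",
+                "amy-kwan",
+                "mandlebug",
+                "zmodem",
+                "androm3da",
+                "tru",
+                "rovka",
+                "rorth",
+                "quinnlp",
+                "kamaub",
+                "abrisco",
+                "jakeegan",
+                "maryammo",
+                "tstellar",
+                "github-actions[bot]",
+            ]
+        )
+    # llvm 19 and beyond, only the release managers, bot and a much smaller
+    # number of community members.
+    elif release_version == 19:
+        return set(
+            [
+                "zmodem",
+                "omjavaid",
+                "tru",
+                "tstellar",
+                "github-actions[bot]",
+            ]
+        )
+    else:
+        return set(
+            [
+                "zmodem",
+                "tru",
+                "tstellar",
+                "github-actions[bot]",
+            ]
+        )
+
+
+def _get_major_release_version(release_title):
+    # All release titles are of the form "LLVM X.Y.Z(-rcN)".
+    match = re.match("LLVM ([0-9]+)\.", release_title)
+    if match is None:
+        _write_comment_and_exit_with_error(
+            f'Could not parse release version from release title "{release_title}".'
+        )
+    else:
+        return int(match.groups()[0])
+
+
+def _write_comment_and_exit_with_error(comment):
+    with open("comment", "w") as file:
+        file.write(comment)
+    sys.exit(1)
+
+
 def main():
     token = sys.argv[1]
 
     gh = github.Github(login_or_token=token)
     repo = gh.get_repo("llvm/llvm-project")
 
-    uploaders = set(
-        [
-            "DimitryAndric",
-            "stefanp-ibm",
-            "lei137",
-            "omjavaid",
-            "nicolerabjohn",
-            "amy-kwan",
-            "mandlebug",
-            "zmodem",
-            "androm3da",
-            "tru",
-            "rovka",
-            "rorth",
-            "quinnlp",
-            "kamaub",
-            "abrisco",
-            "jakeegan",
-            "maryammo",
-            "tstellar",
-            "github-actions[bot]",
-        ]
-    )
-
     for release in repo.get_releases():
         print("Release:", release.title)
+        uploaders = _get_uploaders(_get_major_release_version(release.title))
         for asset in release.get_assets():
             created_at = asset.created_at
             updated_at = (
@@ -57,9 +102,9 @@ def main():
                 f"{asset.name} : {asset.uploader.login} [{created_at} {updated_at}] ( {asset.download_count} )"
             )
             if not _is_valid(asset.uploader.login, uploaders, asset.name):
-                with open('comment', 'w') as file:
-                    file.write(f'@{asset.uploader.login} is not a valid uploader.')
-                sys.exit(1)
+                _write_comment_and_exit_with_error(
+                    f"@{asset.uploader.login} is not a valid uploader."
+                )
 
 
 if __name__ == "__main__":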
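Review bot: The allow-list applied to a release is selected purely from the release title in `_get_major_release_version`, so whoever can create or retitle a release also chooses which uploader set the audit enforces — a release titled "LLVM 18.x" created today is checked against the broad pre-19 list. If the intent is that only release managers and the bot upload from 20 onward, consider cross-checking the parsed major against `release.tag_name` or gating on `release.created_at` as well, and add a comment in `_get_uploaders` noting that the version is taken from a user-controlled title. Separately, `"LLVM ([0-9]+)\."` is a non-raw string, so `\.` is an invalid escape sequence that Python 3.12+ flags as a SyntaxWarning; write it as `match = re.match(r"LLVM ([0-9]+)\.", release_title)`. The `if match is None` branch relies on `_write_comment_and_exit_with_error` never returning; a one-line comment such as `# exits the process; no return value reaches the caller` would make that contract explicit.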
