[workflows] Avoid usage of access token in issue-write.yml #94011
This adds a new composite workflow that allows you to download artifacts from other workflows without using an access token. actions/download-artifact from GitHub requires an access token in order to download artifacts from a different workflow, which is why we can't use it here if we want to avoid using a token. See https://github.com/actions/download-artifact?tab=readme-ov-file#download-artifacts-from-other-workflow-runs-or-repositories
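The selection logic the description refers to, written here as an added example rather than the PR's own code: the artifact lookup is factored into a pure function that runs offline, with an async wrapper calling the same Octokit endpoints the composite action's github-script step uses. It goes beyond the PR's script by validating run-id, skipping expired artifacts and choosing the newest match; SAMPLE_ARTIFACTS is constructed data.

```javascript
// Added example, not code from the PR: the artifact-selection logic of the
// proposed composite action as a pure function that runs offline, plus an async
// wrapper calling the same Octokit endpoints the PR's github-script step uses.
// Normalise the run-id input: empty means "search the whole repo".
function parseRunId(runId) {
  if (runId === undefined || runId === null || runId === "") return null;
  const id = Number(runId); // the REST API takes run_id as a number
  if (!Number.isInteger(id) || id <= 0) {
    throw new Error(`run-id must be a positive integer, got ${JSON.stringify(runId)}`);
  }
  return id;
}

// Decide which artifact to download, or null if none qualifies.
function selectArtifact(artifacts, { artifactName, runId }) {
  if (typeof artifactName !== "string" || artifactName === "") {
    throw new Error("artifact-name is required");
  }
  const id = parseRunId(runId);
  const pool = id === null ? artifacts : artifacts.filter((a) => a.workflow_run && a.workflow_run.id === id);
  // Re-check the name rather than trusting the server-side filter, and skip
  // expired artifacts, which can no longer be downloaded.
  const candidates = pool.filter((a) => a.name === artifactName && !a.expired);
  if (candidates.length === 0) return null;
  // Newest first, so "most recently created" is well defined when several match.
  candidates.sort((a, b) => Date.parse(b.created_at) - Date.parse(a.created_at));
  return candidates[0];
}

// Wrapper for a real Octokit client (`github` in actions/github-script); inputs are
// passed as data, not spliced into source, so a quote in artifact-name is harmless.
async function resolveArtifact(github, { owner, repo, runId, artifactName }) {
  const id = parseRunId(runId); // validate before any API call
  const response = id === null
    ? await github.rest.actions.listArtifactsForRepo({ owner, repo, name: artifactName })
    : await github.rest.actions.listWorkflowRunArtifacts({ owner, repo, run_id: id, name: artifactName });
  const artifact = selectArtifact(response.data.artifacts, { artifactName, runId });
  if (artifact === null) return null; // caller skips the download, as the action does
  const dl = await github.rest.actions.downloadArtifact({ owner, repo, artifact_id: artifact.id, archive_format: "zip" });
  return { id: artifact.id, url: dl.url, filename: `${artifactName}.zip` };
}

// Constructed sample: three runs, one expired artifact, one unrelated name.
const SAMPLE_ARTIFACTS = [
  { id: 101, name: "workflow-args", expired: false, created_at: "2024-05-30T10:00:00Z", workflow_run: { id: 9001 } },
  { id: 102, name: "workflow-args", expired: false, created_at: "2024-05-31T10:00:00Z", workflow_run: { id: 9002 } },
  { id: 103, name: "workflow-args", expired: true, created_at: "2024-06-01T10:00:00Z", workflow_run: { id: 9003 } },
  { id: 104, name: "other-artifact", expired: false, created_at: "2024-06-01T11:00:00Z", workflow_run: { id: 9002 } },
];
```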
@llvm/pr-subscribers-github-workflow
Author: Tom Stellard (tstellar)
Changes
This adds a new composite workflow that allows you to download artifacts from other workflows without using an access token. actions/download-artifact from GitHub requires an access token in order to download artifacts from a different workflow, which is why we can't use it here if we want to avoid using a token.
Full diff: https://github.com/llvm/llvm-project/pull/94011.diff
2 Files Affected:
diff --git a/.github/workflows/issue-write.yml b/.github/workflows/issue-write.yml
index e003be006c4e1..a057d75501484 100644
--- a/.github/workflows/issue-write.yml
+++ b/.github/workflows/issue-write.yml
@@ -19,12 +19,22 @@ jobs:
if: >
github.event.workflow_run.event == 'pull_request'
steps:
+ - name: Fetch Sources
+ uses: actions/checkout@v4
+ with:
+ sparse-checkout: |
+ .github/workflows/unprivileged-download-artifact/action.yml
+ sparse-checkout-cone-mode: false
- name: 'Download artifact'
- uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+ uses: ./.github/workflows/unprivileged-download-artifact
+ id: download-artifact
with:
- github-token: ${{ secrets.ISSUE_WRITE_DOWNLOAD_ARTIFACT }}
run-id: ${{ github.event.workflow_run.id }}
- name: workflow-args
+ artifact-name: workflow-args
+
+ - name: Unpack Artifact
+ run: |
+ unzip ${{ steps.download-artifact.outputs.filename }}
- name: 'Comment on PR'
uses: actions/github-script@v3
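Review bot: the new `Fetch Sources` step pins `actions/checkout@v4` to a mutable tag, whereas the `actions/download-artifact` line being removed was pinned to a commit SHA with a version comment; pin checkout the same way, since this workflow runs with issue-write permissions and should not pick up whatever `v4` points at later. The `Unpack Artifact` step also splices `${{ steps.download-artifact.outputs.filename }}` straight into the shell; the value derives from the fixed `artifact-name: workflow-args` today, but passing it through `env:` and quoting it (`unzip "$FILENAME"`) keeps the step safe if the artifact name is ever parameterised.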
diff --git a/.github/workflows/unprivileged-download-artifact/action.yml b/.github/workflows/unprivileged-download-artifact/action.yml
new file mode 100644
index 0000000000000..d4aaf462d3027
--- /dev/null
+++ b/.github/workflows/unprivileged-download-artifact/action.yml
@@ -0,0 +1,70 @@
+name: Unprivileged Download Artifact
+description: Download artifacts from another workflow run without using an access token.
+inputs:
+ run-id:
+ description: The run-id for the workflow run that you want to download the artifact from. If ommited it will download the most recently created artifact from the repo with the artifact-name.
+ required: false
+ artifact-name:
+ desciption: The name of the artifact to download.
+ required: true
+
+
+outputs:
+ filename:
+ description: "The filename of the downloaded artifact or the empty string if the artifact was not found."
+ value: ${{ steps.download-artifact.outputs.filename }}
+ artifact-id:
+ description: "The id of the artifact being downloaded."
+ value: ${{ steps.artifact-url.outputs.id }}
+
+
+runs:
+ using: "composite"
+ steps:
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v7.0.1
+ id: artifact-url
+ with:
+ script: |
+ var response;
+ if (!"${{ inputs.run-id }}") {
+ response = await github.rest.actions.listArtifactsForRepo({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ name: "${{ inputs.artifact-name }}"
+ })
+ } else {
+ response = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: "${{ inputs.run-id }}",
+ name: "${{ inputs.artifact-name }}"
+ })
+ }
+
+ console.log(response)
+
+ for (artifact of response.data.artifacts) {
+ console.log(artifact);
+ }
+
+ if (response.data.artifacts.length == 0) {
+ console.log("Could not find artifact ${{ inputs.artifact-name }} for workflow run ${{ inputs.run-id }}")
+ return;
+ }
+
+ const url_response = await github.rest.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: response.data.artifacts[0].id,
+ archive_format: "zip"
+ })
+
+ core.setOutput("url", url_response.url);
+ core.setOutput("id", response.data.artifacts[0].id);
+
+ - shell: bash
+ if: steps.artifact-url.outputs.url != ''
+ id: download-artifact
+ run: |
+ curl -L -o ${{ inputs.artifact-name }}.zip "${{ steps.artifact-url.outputs.url }}"
+ echo "filename=${{ inputs.artifact-name }}.zip" >> $GITHUB_OUTPUT
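Review bot: the `artifact-name` input declares its text under a misspelled key, `desciption`, so the input has no description in the action metadata; fix the spelling (and `ommited` in the `run-id` description). The script also splices `${{ inputs.run-id }}` and `${{ inputs.artifact-name }}` directly into JavaScript string literals, and the bash step does the same into the `curl` command line and the `$GITHUB_OUTPUT` write; passing both inputs through `env:` and reading `process.env` in the script and `"$ARTIFACT_NAME"` in bash avoids any quoting issue if a caller ever supplies an unexpected value. Smaller points: `for (artifact of ...)` creates an implicit global (use `const artifact`), `console.log(response)` dumps the whole API response into the log, and the `url` output is a time-limited signed download URL, which is worth noting in its description.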
Thanks!
I'm not an expert in GitHub Actions scripts, so it's better to get the feedback from @boomanaiden154.
Ping.
Minor nits.
Is there additional context for why this change is needed? I remember seeing something, but can't find it now.
We should also probably figure out what we want to support for downstreams versus what we don't. This is a decent chunk of additional complexity for something that I don't believe has any upstream benefit.
description: Download artifacts from another workflow run without using an access token.
inputs:
run-id:
description: The run-id for the workflow run that you want to download the artifact from. If ommited it will download the most recently created artifact from the repo with the artifact-name.
Is it possible to wrap this to 80 characters?
.github/workflows/issue-write.yml
- name: Unpack Artifact
run: |
unzip ${{ steps.download-artifact.outputs.filename }}
Can we do this in the action similar to how download-artifact does it?
This discussion has the context for this change - #80495 (comment).
Ah, thanks. @tstellar Is there another advantage to having this upstream rather than just documenting somewhere what tokens need to be setup/with what permissions for the workflows to work?
The advantage for upstream is that it's one less secret for us to maintain.
And also composite actions don't have access to secrets, so if you want to download an artifact in a composite action you need to add an extra parameter for the secret.
Makes sense. It would be nice if Github would allow this in the upstream action, but maybe the security argument there makes sense.
Summary:
This adds a new composite workflow that allows you to download artifacts from other workflows without using an access token. actions/download-artifact from GitHub requires an access token in order to download artifacts from a different workflow, which is why we can't use it here if we want to avoid using a token. See https://github.com/actions/download-artifact?tab=readme-ov-file#download-artifacts-from-other-workflow-runs-or-repositories
Test Plan:
Reviewers:
Subscribers:
Tasks:
Tags:
Differential Revision: https://phabricator.intern.facebook.com/D60251441