.github/workflows/release-asset-audit.yml - mirrors/github.com/llvm/llvm-project - Git at Google

 name: Release Asset Audit

 on:
   workflow_dispatch:
   release:
   schedule:
     # * is a special character in YAML so you have to quote this string
     # Run once an hour
     - cron:  '5 * * * *'

   pull_request:
     paths:
       - ".github/workflows/release-asset-audit.py"
       - ".github/workflows/release-asset-audit.yml"

 permissions:
   contents: read # Default everything to read-only

 jobs:
   audit:
     name: "Release Asset Audit"
     runs-on: ubuntu-24.04
     if: github.repository == 'llvm/llvm-project'
     steps:
       - name: Checkout LLVM
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: |
             .github/workflows/release-asset-audit.py
             llvm/utils/git/requirements.txt
       - name: "Run Audit Script"
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
           pip install --require-hashes -r ./llvm/utils/git/requirements.txt
           python3 ./.github/workflows/release-asset-audit.py $GITHUB_TOKEN

       - name: Upload comment file
         if: failure()
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: comment
           path: |
             comment

   notify-audit-failed:
     name: "Notify Audit Failed"
     environment:
       name: main-branch-only
       deployment: false
     runs-on: ubuntu-24.04
     if: >-
       github.repository == 'llvm/llvm-project' &&
       github.event_name != 'pull_request' &&
       failure()
     needs:
       - audit
     steps:
       - name: Download Comment
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: comment
       - id: app-token
         uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3  # v3.1.1
         with:
           client-id: ${{ secrets.LLVM_TOKEN_GENERATOR_CLIENT_ID }}
           private-key: ${{ secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
           permission-contents: read
           permission-issues: write
       - name: "File Issue"
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           github-token: ${{ steps.app-token.outputs.token }}
           script: |
             var fs = require('fs');
             var body = ''
             if (fs.existsSync('./comment')) {
               body = fs.readFileSync('./comment') + "\n\n";
             }
             body = body + `\n\nhttps://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`

             const issue = await github.rest.issues.create({
                owner: context.repo.owner,
                repo: context.repo.repo,
                title: "Release Asset Audit Failed",
                labels: ['infrastructure'],
                body: body
             });
             console.log(issue);
	name: Release Asset Audit

	on:
	workflow_dispatch:
	release:
	schedule:
	# * is a special character in YAML so you have to quote this string
	# Run once an hour
	- cron: '5 * * * *'

	pull_request:
	paths:
	- ".github/workflows/release-asset-audit.py"
	- ".github/workflows/release-asset-audit.yml"

	permissions:
	contents: read # Default everything to read-only

	jobs:
	audit:
	name: "Release Asset Audit"
	runs-on: ubuntu-24.04
	if: github.repository == 'llvm/llvm-project'
	steps:
	- name: Checkout LLVM
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	sparse-checkout: \|
	.github/workflows/release-asset-audit.py
	llvm/utils/git/requirements.txt
	- name: "Run Audit Script"
	env:
	GITHUB_TOKEN: ${{ github.token }}
	run: \|
	pip install --require-hashes -r ./llvm/utils/git/requirements.txt
	python3 ./.github/workflows/release-asset-audit.py $GITHUB_TOKEN

	- name: Upload comment file
	if: failure()
	uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
	with:
	name: comment
	path: \|
	comment

	notify-audit-failed:
	name: "Notify Audit Failed"
	environment:
	name: main-branch-only
	deployment: false
	runs-on: ubuntu-24.04
	if: >-
	github.repository == 'llvm/llvm-project' &&
	github.event_name != 'pull_request' &&
	failure()
	needs:
	- audit
	steps:
	- name: Download Comment
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: comment
	- id: app-token
	uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
	with:
	client-id: ${{ secrets.LLVM_TOKEN_GENERATOR_CLIENT_ID }}
	private-key: ${{ secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY }}
	owner: ${{ github.repository_owner }}
	permission-contents: read
	permission-issues: write
	- name: "File Issue"
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	with:
	github-token: ${{ steps.app-token.outputs.token }}
	script: \|
	var fs = require('fs');
	var body = ''
	if (fs.existsSync('./comment')) {
	body = fs.readFileSync('./comment') + "\n\n";
	}
	body = body + `\n\nhttps://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`

	const issue = await github.rest.issues.create({
	owner: context.repo.owner,
	repo: context.repo.repo,
	title: "Release Asset Audit Failed",
	labels: ['infrastructure'],
	body: body
	});
	console.log(issue);