workflows/release-documentation: Submit a pull request with changes (#108247)

This is instead of pushing directly. Creating a pull request is slightly more work for the release manager, but it is more secure as we no longer need a secret with write access to the www-releases repo.
2024-10-01 06:12:03 -07:00
parent 8f2aa9dbad
commit 9cd289fa4a
1 changed files with 8 additions and 5 deletions
--- a/.github/workflows/release-documentation.yml
+++ b/.github/workflows/release-documentation.yml
@@ -72,17 +72,20 @@ jobs:
          ref: main
          fetch-depth: 0
          path: www-releases
+          persist-credentials: false

      - name: Upload Release Notes
        if: env.upload
        env:
-          WWW_RELEASES_TOKEN: ${{ secrets.WWW_RELEASES_TOKEN }}
+          GH_TOKEN: ${{ secrets.WWW_RELEASES_TOKEN }}
        run: |
-          mkdir -p ../www-releases/${{ inputs.release-version }}
-          mv ./docs-build/html-export/* ../www-releases/${{ inputs.release-version }}
-          cd ../www-releases
+          mkdir -p www-releases/${{ inputs.release-version }}
+          mv ./docs-build/html-export/* www-releases/${{ inputs.release-version }}
+          cd www-releases
+          git checkout -b ${{ inputs.release-version }}
          git add ${{ inputs.release-version }}
          git config user.email "llvmbot@llvm.org"
          git config user.name "llvmbot"
          git commit -a -m "Add ${{ inputs.release-version }} documentation"
-          git push "https://$WWW_RELEASES_TOKEN@github.com/${{ github.repository_owner }}/www-releases" main:main
+          git push --force  "https://$GH_TOKEN@github.com/llvmbot/www-releases.git" HEAD:refs/heads/${{ inputs.release-version }}
+          gh pr create -f -B main -H ${{ inputs.release-version }} -R llvmbot/www-releases