Re-apply: workflows: Use main-branch-only environment when using ISSUE_SUBSCRIBER_TOKEN (#179990) #193801
Open
…E_SUBSCRIBER_TOKEN (llvm#179990) This way we can prevent the secret from being used in user branches. We originally reverted this because it was spamming the PRs with 'deployment' messages. GitHub has added a new feature to disable these messages, so it should be safe to re-apply this.
@llvm/pr-subscribers-github-workflow

Author: Tom Stellard (tstellar)

Changes

This way we can prevent the secret from being used in user branches. We originally reverted this because it was spamming the PRs with 'deployment' messages. GitHub has added a new feature to disable these messages, so it should be safe to re-apply this.

Full diff: https://github.com/llvm/llvm-project/pull/193801.diff

5 Files Affected:
diff --git a/.github/workflows/issue-subscriber.yml b/.github/workflows/issue-subscriber.yml
index b4ba59c761060..6e444300cd991 100644
--- a/.github/workflows/issue-subscriber.yml
+++ b/.github/workflows/issue-subscriber.yml
@@ -10,6 +10,9 @@ permissions:
jobs:
auto-subscribe:
+ environment:
+ name: main-branch-only
+ deployment: false
runs-on: ubuntu-24.04
if: github.repository == 'llvm/llvm-project'
steps:
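Review bot: The `environment: name: main-branch-only` block added to `auto-subscribe` only protects ISSUE_SUBSCRIBER_TOKEN if the secret is stored as an environment secret of `main-branch-only` and no longer exists at repository or organization level, and nothing in this diff shows that. Please state in the description where the secret lives, because a workflow file in a user branch can omit the `environment:` key and would still resolve a repository-level secret of the same name.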
diff --git a/.github/workflows/new-issues.yml b/.github/workflows/new-issues.yml
index 3b372a632e3c8..f3747a2df7f81 100644
--- a/.github/workflows/new-issues.yml
+++ b/.github/workflows/new-issues.yml
@@ -10,6 +10,9 @@ jobs:
automate-issues-labels:
permissions:
issues: write
+ environment:
+ name: main-branch-only
+ deployment: false
runs-on: ubuntu-24.04
if: github.repository == 'llvm/llvm-project'
steps:
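Review bot: The new `environment:` block in `automate-issues-labels` has no comment, while the same block in new-prs.yml and pr-subscriber.yml carries a `# See ...` line. Add a one-line comment above it saying that the environment restricts ISSUE_SUBSCRIBER_TOKEN to main and that `deployment: false` is there to suppress the 'deployment' messages that caused the earlier revert, so that a later cleanup does not drop either line.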
diff --git a/.github/workflows/new-prs.yml b/.github/workflows/new-prs.yml
index dbb983ccc329a..e6f55a069ecad 100644
--- a/.github/workflows/new-prs.yml
+++ b/.github/workflows/new-prs.yml
@@ -56,6 +56,10 @@ jobs:
automate-prs-labels:
# Greet first so that only the author gets that notification.
needs: greeter
+ # See https://github.blog/changelog/2025-11-07-actions-pull_request_target-and-environment-branch-protections-changes/
+ environment:
+ name: main-branch-only
+ deployment: false
runs-on: ubuntu-24.04
# Ignore PRs with more than 10 commits. Pull requests with a lot of
# commits tend to be accidents usually when someone made a mistake while trying
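Review bot: The comment above `environment:` in `automate-prs-labels` is a bare changelog URL, so a reader has to follow the link to learn why the job is bound to an environment. State the reason in words next to the link (the secret must not be usable from user branches), which also keeps the comment useful if the URL ever moves.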
diff --git a/.github/workflows/pr-subscriber.yml b/.github/workflows/pr-subscriber.yml
index 74e7bbb83f94f..a0e5b4c0f5044 100644
--- a/.github/workflows/pr-subscriber.yml
+++ b/.github/workflows/pr-subscriber.yml
@@ -10,6 +10,10 @@ permissions:
jobs:
auto-subscribe:
+ # See https://github.blog/changelog/2025-11-07-actions-pull_request_target-and-environment-branch-protections-changes/
+ environment:
+ name: main-branch-only
+ deployment: false
runs-on: ubuntu-24.04
if: github.repository == 'llvm/llvm-project'
steps:
diff --git a/.github/workflows/release-asset-audit.yml b/.github/workflows/release-asset-audit.yml
index bd429daa8e5e2..daab5859b109d 100644
--- a/.github/workflows/release-asset-audit.yml
+++ b/.github/workflows/release-asset-audit.yml
@@ -46,6 +46,9 @@ jobs:
notify-audit-failed:
name: "Notify Audit Failed"
+ environment:
+ name: main-branch-only
+ deployment: false
runs-on: ubuntu-24.04
if: >-
github.repository == 'llvm/llvm-project' &&
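Review bot: `notify-audit-failed` is now bound to `main-branch-only`, but the hunk does not show this workflow's triggers. If the audit can run against a ref that the environment's branch rule does not accept (a release branch or tag, for example), the job would be rejected and the failure notification would never be sent; please check the `on:` section of release-asset-audit.yml and note the result in the PR.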