[Security] Use github environment for update-commit-hash workflow (#1…

…07060) Similar to: #101718 https://github.com/pytorch/pytorch/actions/runs/5856611801/job/15876722301 Please note since we can't specify environment for a composite workflow. It was needed to move update-commit-hash as action rather then workflow. Still todo: Move docs and binary builds Pull Request resolved: #107060 Approved by: https://github.com/seemethere
pytorch · Aug 14, 2023 · 32f93b1 · 32f93b1
1 parent 5bbfb96
commit 32f93b1
Show file tree

Hide file tree

Showing 4 changed files with 99 additions and 91 deletions.
diff --git a/.github/actions/update-commit-hash/action.yml b/.github/actions/update-commit-hash/action.yml
@@ -0,0 +1,59 @@
+name: Update commit hash
+
+inputs:
+  repo-owner:
+    required: false
+    type: string
+    description: Name of repository's owner.
+    default: pytorch
+  repo-name:
+    required: true
+    type: string
+    description: Name of the repository we're updating commit hash for.
+  branch:
+    required: true
+    type: string
+    description: Branch to fetch commit of
+  pin-folder:
+    type: string
+    description: Path to folder with commit pin
+    required: false
+    default: .github/ci_commit_pins
+  updatebot-token:
+    required: true
+    type: string
+    description: update bot token
+  pytorchbot-token:
+    required: true
+    type: string
+    description: update bot token
+
+description: update commit hash
+
+runs:
+  using: composite
+  steps:
+    - name: Checkout repo
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 1
+        submodules: false
+        token: ${{ inputs.updatebot-token }}
+    - name: Checkout
+      shell: bash
+      run: |
+        git clone https://github.com/${{ inputs.repo-owner }}/${{ inputs.repo-name }}.git --quiet
+    - name: Check if there already exists a PR
+      shell: bash
+      env:
+        REPO_NAME: ${{ inputs.repo-name }}
+        BRANCH: ${{ inputs.branch }}
+        PIN_FOLDER: ${{ inputs.pin-folder }}
+        UPDATEBOT_TOKEN: ${{ inputs.updatebot-token }}
+        PYTORCHBOT_TOKEN: ${{ inputs.pytorchbot-token }}
+        NEW_BRANCH_NAME: update-${{ inputs.repo-name }}-commit-hash/${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}
+      run: |
+        # put this here instead of the script to prevent accidentally changing the config when running the script locally
+        git config --global user.name "PyTorch UpdateBot"
+        git config --global user.email "pytorchupdatebot@users.noreply.github.com"
+        python .github/scripts/update_commit_hashes.py --repo-name "${REPO_NAME}" --branch "${BRANCH}" --pin-folder "${PIN_FOLDER}"
diff --git a/.github/workflows/_update-commit-hash.yml b/.github/workflows/_update-commit-hash.yml
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -37,11 +37,18 @@ jobs:
       GH_PYTORCHBOT_TOKEN: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
 
   update-vision-commit-hash:
-    uses: ./.github/workflows/_update-commit-hash.yml
-    if: ${{ github.event_name == 'schedule' }}
-    with:
-      repo-name: vision
-      branch: main
-    secrets:
-      UPDATEBOT_TOKEN: ${{ secrets.UPDATEBOT_TOKEN }}
-      PYTORCHBOT_TOKEN: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
+    runs-on: ubuntu-latest
+    environment: update-commit-hash
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: update-vision-commit-hash
+        uses: ./.github/actions/update-commit-hash
+        if: ${{ github.event_name == 'schedule' }}
+        with:
+          repo-name: vision
+          branch: main
+          updatebot-token: ${{ secrets.UPDATEBOT_TOKEN }}
+          pytorchbot-token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
@@ -9,22 +9,28 @@ on:
   workflow_dispatch:
 
 jobs:
-  update-xla-commit-hash:
-    uses: ./.github/workflows/_update-commit-hash.yml
-    with:
-      repo-name: xla
-      branch: master
-    secrets:
-      UPDATEBOT_TOKEN: ${{ secrets.UPDATEBOT_TOKEN }}
-      PYTORCHBOT_TOKEN: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
-
-  update-triton-commit-hash:
-    uses: ./.github/workflows/_update-commit-hash.yml
-    with:
-      repo-owner: openai
-      repo-name: triton
-      branch: main
-      pin-folder: .ci/docker/ci_commit_pins
-    secrets:
-      UPDATEBOT_TOKEN: ${{ secrets.UPDATEBOT_TOKEN }}
-      PYTORCHBOT_TOKEN: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
+  update-commit-hash:
+    runs-on: ubuntu-latest
+    environment: update-commit-hash
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: update-xla-commit-hash
+        continue-on-error: true
+        uses: ./.github/actions/update-commit-hash
+        with:
+          repo-name: xla
+          branch: master
+          updatebot-token: ${{ secrets.UPDATEBOT_TOKEN }}
+          pytorchbot-token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
+      - name: update-triton-commit-hash
+        uses: ./.github/actions/update-commit-hash
+        with:
+          repo-owner: openai
+          repo-name: triton
+          branch: main
+          pin-folder: .ci/docker/ci_commit_pins
+          updatebot-token: ${{ secrets.UPDATEBOT_TOKEN }}
+          pytorchbot-token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}