extension_ci: Specify needed permissions for jobs

MrSubidubi created


extensions/workflows/bump_version.yml                           |  4 
extensions/workflows/release_version.yml                        |  3 
extensions/workflows/run_tests.yml                              |  2 
tooling/xtask/src/tasks/workflows/extensions/bump_version.rs    | 10 +
tooling/xtask/src/tasks/workflows/extensions/release_version.rs |  7 +
tooling/xtask/src/tasks/workflows/extensions/run_tests.rs       | 16 +-
6 files changed, 32 insertions(+), 10 deletions(-)


extensions/workflows/bump_version.yml 🔗

@@ -40,6 +40,10 @@ jobs:
     needs:
     - determine_bump_type
     if: github.event.action != 'labeled' || needs.determine_bump_type.outputs.bump_type != 'patch'
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
     uses: zed-industries/zed/.github/workflows/extension_bump.yml@main
     secrets:
       app-id: ${{ secrets.ZED_ZIPPY_APP_ID }}

extensions/workflows/release_version.yml 🔗

@@ -7,6 +7,9 @@ on:
     - v**
 jobs:
   call_release_version:
+    permissions:
+      contents: write
+      pull-requests: write
     uses: zed-industries/zed/.github/workflows/extension_release.yml@main
     secrets:
       app-id: ${{ secrets.ZED_ZIPPY_APP_ID }}

extensions/workflows/run_tests.yml 🔗

@@ -10,6 +10,8 @@ on:
     - main
 jobs:
   call_extension_tests:
+    permissions:
+      contents: read
     uses: zed-industries/zed/.github/workflows/extension_tests.yml@main
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.ref_name == 'main' && github.sha || 'anysha' }}pr

tooling/xtask/src/tasks/workflows/extensions/bump_version.rs 🔗

@@ -1,6 +1,6 @@
 use gh_workflow::{
-    Event, Expression, Input, Job, PullRequest, PullRequestType, Push, Run, Step, UsesJob,
-    Workflow, WorkflowDispatch,
+    Event, Expression, Input, Job, Level, Permissions, PullRequest, PullRequestType, Push, Run,
+    Step, UsesJob, Workflow, WorkflowDispatch,
 };
 use indexmap::IndexMap;
 use indoc::indoc;
@@ -40,6 +40,12 @@ pub(crate) fn call_bump_version(
             "github.event.action != 'labeled' || {} != 'patch'",
             bump_type.expr()
         )))
+        .permissions(
+            Permissions::default()
+                .contents(Level::Write)
+                .issues(Level::Write)
+                .pull_requests(Level::Write),
+        )
         .uses(
             "zed-industries",
             "zed",
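Review bot: The three `Level::Write` grants added in `.permissions(...)` carry no comment saying which step of the called `extension_bump.yml` needs each scope, so a later reader cannot tell whether `issues: write` is still required or could be dropped to keep the job token at least privilege; the same applies to the `pull_requests(Level::Write)` grant in release_version.rs. Suggest a comment directly above the `.permissions(` line such as `// Scopes required by extension_bump.yml: <TODO: name the step needing each of contents/issues/pull-requests write>`. Note also that this block only bounds the job's GITHUB_TOKEN; the app id handed over via `secrets` (visible in the generated YAML) lets the called workflow obtain a token whose scope is set by the app installation rather than by this block, if it performs that exchange. The body of `call_bump_version` begins before this hunk and continues after it.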

tooling/xtask/src/tasks/workflows/extensions/release_version.rs 🔗

@@ -1,4 +1,4 @@
-use gh_workflow::{Event, Job, Push, UsesJob, Workflow};
+use gh_workflow::{Event, Job, Level, Permissions, Push, UsesJob, Workflow};
 
 use crate::tasks::workflows::{
     extensions::WithAppSecrets,
@@ -14,6 +14,11 @@ pub(crate) fn release_version() -> Workflow {
 
 pub(crate) fn call_release_version() -> NamedJob<UsesJob> {
     let job = Job::default()
+        .permissions(
+            Permissions::default()
+                .contents(Level::Write)
+                .pull_requests(Level::Write),
+        )
         .uses(
             "zed-industries",
             "zed",

tooling/xtask/src/tasks/workflows/extensions/run_tests.rs 🔗

@@ -1,4 +1,4 @@
-use gh_workflow::{Event, Job, PullRequest, Push, UsesJob, Workflow};
+use gh_workflow::{Event, Job, Level, Permissions, PullRequest, Push, UsesJob, Workflow};
 
 use crate::tasks::workflows::{
     steps::{NamedJob, named},
@@ -16,12 +16,14 @@ pub(crate) fn run_tests() -> Workflow {
 }
 
 pub(crate) fn call_extension_tests() -> NamedJob<UsesJob> {
-    let job = Job::default().uses(
-        "zed-industries",
-        "zed",
-        ".github/workflows/extension_tests.yml",
-        "main",
-    );
+    let job = Job::default()
+        .permissions(Permissions::default().contents(Level::Read))
+        .uses(
+            "zed-industries",
+            "zed",
+            ".github/workflows/extension_tests.yml",
+            "main",
+        );
 
     named::job(job)
 }
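Review bot: The new `.permissions(Permissions::default().contents(Level::Read))` line is the right least-privilege choice, but it is worth a comment making the consequence explicit, since listing any scope on a job causes every unlisted scope to be granted as none. Suggest above that line: `// Tests only need to read the repository; listing a scope sets all others to none.` If `Permissions::default()` in gh_workflow does not itself map to an all-none starting point, the comment should say so, as that cannot be confirmed from this hunk.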