From 7881551ddac3240def8301662719400db5d02c61 Mon Sep 17 00:00:00 2001 From: Finn Evers Date: Mon, 1 Dec 2025 21:30:51 +0100 Subject: [PATCH] ci: Request GitHub token for proper repository (#43940) Release Notes: - N/A --- .github/workflows/extension_bump.yml | 2 +- .github/workflows/extension_release.yml | 2 ++ .github/workflows/extension_tests.yml | 2 +- .../src/tasks/workflows/extension_bump.rs | 35 ++++++++++++++++--- .../src/tasks/workflows/extension_release.rs | 6 ++-- .../src/tasks/workflows/extension_tests.rs | 2 +- tooling/xtask/src/tasks/workflows/steps.rs | 1 + 7 files changed, 41 insertions(+), 9 deletions(-) diff --git a/.github/workflows/extension_bump.yml b/.github/workflows/extension_bump.yml index 4bdd340bc6893d2ebbb64958403a7e8706f7c0ac..7fce9decb2f429e39cdae4dd26ae7f621e72e56b 100644 --- a/.github/workflows/extension_bump.yml +++ b/.github/workflows/extension_bump.yml @@ -51,7 +51,7 @@ jobs: mkdir -p /tmp/ext-output ./zed-extension --source-dir . --scratch-dir /tmp/ext-scratch --output-dir /tmp/ext-output shell: bash -euxo pipefail {0} - timeout-minutes: 1 + timeout-minutes: 2 check_bump_needed: if: (github.repository_owner == 'zed-industries' || github.repository_owner == 'zed-extensions') runs-on: namespace-profile-2x4-ubuntu-2404 diff --git a/.github/workflows/extension_release.yml b/.github/workflows/extension_release.yml index 263e6465a749e401747e32c279b972791c54f960..5212a79c3e55637aa932be62aea0a626af545a7c 100644 --- a/.github/workflows/extension_release.yml +++ b/.github/workflows/extension_release.yml @@ -21,6 +21,8 @@ jobs: with: app-id: ${{ secrets.app-id }} private-key: ${{ secrets.app-secret }} + owner: zed-industries + repositories: extensions - name: steps::checkout_repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: diff --git a/.github/workflows/extension_tests.yml b/.github/workflows/extension_tests.yml index e579c6739dd3201d37b8029fcbc205f28f9bafd9..3da03ab02ffd4d3aac7b2bb5fa043e0f8554951b 100644 
--- a/.github/workflows/extension_tests.yml +++ b/.github/workflows/extension_tests.yml @@ -108,7 +108,7 @@ jobs: mkdir -p /tmp/ext-output ./zed-extension --source-dir . --scratch-dir /tmp/ext-scratch --output-dir /tmp/ext-output shell: bash -euxo pipefail {0} - timeout-minutes: 1 + timeout-minutes: 2 tests_pass: needs: - orchestrate diff --git a/tooling/xtask/src/tasks/workflows/extension_bump.rs b/tooling/xtask/src/tasks/workflows/extension_bump.rs index 41c90aec121a9e8737b975238266a26abed71a61..c3feb7973b2dc95916e46d77b369cb6d6a6f3645 100644 --- a/tooling/xtask/src/tasks/workflows/extension_bump.rs +++ b/tooling/xtask/src/tasks/workflows/extension_bump.rs @@ -5,7 +5,9 @@ use crate::tasks::workflows::{ extension_release::extension_workflow_secrets, extension_tests::{self}, runners, - steps::{self, CommonJobConditions, DEFAULT_REPOSITORY_OWNER_GUARD, NamedJob, named}, + steps::{ + self, CommonJobConditions, DEFAULT_REPOSITORY_OWNER_GUARD, FluentBuilder, NamedJob, named, + }, vars::{ JobOutput, StepOutput, WorkflowInput, WorkflowSecret, one_workflow_per_non_main_branch, }, @@ -113,7 +115,7 @@ fn create_version_label( app_id: &WorkflowSecret, app_secret: &WorkflowSecret, ) -> NamedJob { - let (generate_token, generated_token) = generate_token(app_id, app_secret); + let (generate_token, generated_token) = generate_token(app_id, app_secret, None); let job = steps::dependant_job(dependencies) .cond(Expression::new(format!( "{DEFAULT_REPOSITORY_OWNER_GUARD} && github.event_name == 'push' && github.ref == 'refs/heads/main' && {} == 'false'", @@ -193,7 +195,7 @@ fn bump_extension_version( app_id: &WorkflowSecret, app_secret: &WorkflowSecret, ) -> NamedJob { - let (generate_token, generated_token) = generate_token(app_id, app_secret); + let (generate_token, generated_token) = generate_token(app_id, app_secret, None); let (bump_version, new_version) = bump_version(current_version, bump_type); let job = steps::dependant_job(dependencies) 
@@ -216,13 +218,24 @@ fn bump_extension_version( pub(crate) fn generate_token( app_id: &WorkflowSecret, app_secret: &WorkflowSecret, + repository_target: Option, ) -> (Step, StepOutput) { let step = named::uses("actions", "create-github-app-token", "v2") .id("generate-token") .add_with( Input::default() .add("app-id", app_id.to_string()) - .add("private-key", app_secret.to_string()), + .add("private-key", app_secret.to_string()) + .when_some( + repository_target, + |input, + RepositoryTarget { + owner, + repositories, + }| { + input.add("owner", owner).add("repositories", repositories) + }, + ), ); let generated_token = StepOutput::new(&step, "token"); @@ -288,3 +301,17 @@ fn create_pull_request(new_version: StepOutput, generated_token: StepOutput) -> .add("sign-commits", true), ) } + +pub(crate) struct RepositoryTarget { + owner: String, + repositories: String, +} + +impl RepositoryTarget { + pub fn new(owner: T, repositories: &[&str]) -> Self { + Self { + owner: owner.to_string(), + repositories: repositories.join("\n"), + } + } +} diff --git a/tooling/xtask/src/tasks/workflows/extension_release.rs b/tooling/xtask/src/tasks/workflows/extension_release.rs index fa064549184e675ae80b429f097448238b847935..c55fed0cb8a0959923be79a55f0397d6190453e4 100644 --- a/tooling/xtask/src/tasks/workflows/extension_release.rs +++ b/tooling/xtask/src/tasks/workflows/extension_release.rs @@ -2,7 +2,7 @@ use gh_workflow::{Event, Job, Run, Step, Use, Workflow, WorkflowCall}; use indoc::indoc; use crate::tasks::workflows::{ - extension_bump::generate_token, + extension_bump::{RepositoryTarget, generate_token}, runners, steps::{CommonJobConditions, NamedJob, checkout_repo, named}, vars::{StepOutput, WorkflowSecret}, 
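Review bot: `generate_token` now mints tokens with two different scopes depending on `repository_target`, but nothing at the definition says what `None` means. The callers in `create_version_label` and `bump_extension_version` pass `None` and rely on the action's default silently. I would add a doc comment on the function stating that `None` emits no `owner`/`repositories` inputs, which, as I read the create-github-app-token docs, scopes the token to the repository the workflow runs in, and that `Some(target)` requests a token for exactly the listed repositories of `target.owner`. The token also keeps every permission the App installation has; if the consuming jobs need only a subset, the action's `permission-*` inputs could narrow it, though the hunk does not show which permissions are required. The function body continues past the end of the hunk.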
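Review bot: `RepositoryTarget::new` accepts an empty `repositories` slice, and `repositories.join("\n")` then produces an empty string that `generate_token` still passes as the `repositories` input next to `owner`. As far as I know, create-github-app-token treats "owner set, repositories empty" as every repository in that owner's installation, so a caller mistake would widen the token instead of failing. Since this code only runs when workflows are generated, rejecting the case up front is cheap: `assert!(!repositories.is_empty(), "RepositoryTarget needs at least one repository");` as the first line of `new`. A short doc comment on the struct, saying it restricts the app token to the named repositories of `owner`, would also help.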
@@ -26,7 +26,9 @@ pub(crate) fn extension_release() -> Workflow { } fn create_release(app_id: &WorkflowSecret, app_secret: &WorkflowSecret) -> NamedJob { - let (generate_token, generated_token) = generate_token(&app_id, &app_secret); + let extension_registry = RepositoryTarget::new("zed-industries", &["extensions"]); + let (generate_token, generated_token) = + generate_token(&app_id, &app_secret, Some(extension_registry)); let (get_extension_id, extension_id) = get_extension_id(); let job = Job::default() diff --git a/tooling/xtask/src/tasks/workflows/extension_tests.rs b/tooling/xtask/src/tasks/workflows/extension_tests.rs index 8ea1435292372e33d5f98d1b3a5d5db0582a6a46..e71bb52570137aa201459af6c9bbf19f7b96ae2f 100644 --- a/tooling/xtask/src/tasks/workflows/extension_tests.rs +++ b/tooling/xtask/src/tasks/workflows/extension_tests.rs @@ -82,7 +82,7 @@ pub(crate) fn check_extension() -> NamedJob { let job = Job::default() .with_repository_owner_guard() .runs_on(runners::LINUX_SMALL) - .timeout_minutes(1u32) + .timeout_minutes(2u32) .add_step(steps::checkout_repo()) .add_step(cache_download) .add_step(download_zed_extension_cli(cache_hit)) diff --git a/tooling/xtask/src/tasks/workflows/steps.rs b/tooling/xtask/src/tasks/workflows/steps.rs index 62f71bbcb5129117a4d2d57e9858c48393a73243..722a5f0704542889703fdbb42c691d01bc50ace6 100644 --- a/tooling/xtask/src/tasks/workflows/steps.rs +++ b/tooling/xtask/src/tasks/workflows/steps.rs @@ -180,6 +180,7 @@ pub(crate) fn dependant_job(deps: &[&NamedJob]) -> Job { impl FluentBuilder for Job {} impl FluentBuilder for Workflow {} +impl FluentBuilder for Input {} /// A helper trait for building complex objects with imperative conditionals in a fluent style. /// Copied from GPUI to avoid adding GPUI as dependency
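Review bot: In `create_release` the token target `zed-industries/extensions` is hard-coded with no comment saying why this job needs a token for a repository other than the one the workflow runs in. This is the line that decides how far the App credential reaches, so I would document it, e.g. `// Token must reach the extension registry, not the calling extension repo; keep this list minimal.` (the reason is inferred from the variable name `extension_registry`, so adjust it to the real one). The new call also still passes `&app_id, &app_secret` although both parameters are already `&WorkflowSecret`; `generate_token(app_id, app_secret, Some(extension_registry))` would match the two call sites in extension_bump.rs. The body of `create_release` continues outside the hunk.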