From bf1c8819d9a57ec2ccca6a9d23326bc03119046e Mon Sep 17 00:00:00 2001 From: Finn Evers Date: Mon, 29 Dec 2025 16:41:56 +0100 Subject: [PATCH] ci: Properly request token for extension repositories (#45824) Release Notes: - N/A --- .github/workflows/extension_workflow_rollout.yml | 14 ++++++++------ .../xtask/src/tasks/workflows/extension_bump.rs | 14 ++++++++------ .../xtask/src/tasks/workflows/extension_release.rs | 7 +++++-- .../tasks/workflows/extension_workflow_rollout.rs | 12 ++++++++++-- 4 files changed, 31 insertions(+), 16 deletions(-) diff --git a/.github/workflows/extension_workflow_rollout.yml b/.github/workflows/extension_workflow_rollout.yml index 719c67846c82fb32fcf713380f32d7c8af740301..7c4643ab7f741458209321ce6ddb8985183c8c3e 100644 --- a/.github/workflows/extension_workflow_rollout.yml +++ b/.github/workflows/extension_workflow_rollout.yml @@ -42,12 +42,14 @@ jobs: fail-fast: false max-parallel: 5 steps: - - id: get-app-token - name: steps::authenticate_as_zippy - uses: actions/create-github-app-token@bef1eaf1c0ac2b148ee2a0a74c65fbe6db0631f1 + - id: generate-token + name: extension_bump::generate_token + uses: actions/create-github-app-token@v2 with: app-id: ${{ secrets.ZED_ZIPPY_APP_ID }} private-key: ${{ secrets.ZED_ZIPPY_APP_PRIVATE_KEY }} + owner: zed-extensions + repositories: ${{ matrix.repo }} - name: checkout_zed_repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: @@ -57,7 +59,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: clean: false - token: ${{ steps.get-app-token.outputs.token }} + token: ${{ steps.generate-token.outputs.token }} repository: zed-extensions/${{ matrix.repo }} path: extension - name: extension_workflow_rollout::rollout_workflows_to_extension::copy_workflow_files 
@@ -86,7 +88,7 @@ jobs: author: zed-zippy[bot] <234243425+zed-zippy[bot]@users.noreply.github.com> base: main delete-branch: true - token: ${{ steps.get-app-token.outputs.token }} + token: ${{ steps.generate-token.outputs.token }} sign-commits: true - name: extension_workflow_rollout::rollout_workflows_to_extension::enable_auto_merge run: | @@ -97,5 +99,5 @@ jobs: fi shell: bash -euxo pipefail {0} env: - GH_TOKEN: ${{ steps.get-app-token.outputs.token }} + GH_TOKEN: ${{ steps.generate-token.outputs.token }} timeout-minutes: 10 diff --git a/tooling/xtask/src/tasks/workflows/extension_bump.rs b/tooling/xtask/src/tasks/workflows/extension_bump.rs index eac25ffbaf5ef806beab89999b6457504a8d1bd8..eac64ed4572271b2be27a497d339bd85fdcfb926 100644 --- a/tooling/xtask/src/tasks/workflows/extension_bump.rs +++ b/tooling/xtask/src/tasks/workflows/extension_bump.rs @@ -101,7 +101,8 @@ fn create_version_label( app_id: &WorkflowSecret, app_secret: &WorkflowSecret, ) -> NamedJob { - let (generate_token, generated_token) = generate_token(app_id, app_secret, None); + let (generate_token, generated_token) = + generate_token(&app_id.to_string(), &app_secret.to_string(), None); let job = steps::dependant_job(dependencies) .cond(Expression::new(format!( "{DEFAULT_REPOSITORY_OWNER_GUARD} && github.event_name == 'push' && github.ref == 'refs/heads/main' && {} == 'false'", @@ -181,7 +182,8 @@ fn bump_extension_version( app_id: &WorkflowSecret, app_secret: &WorkflowSecret, ) -> NamedJob { - let (generate_token, generated_token) = generate_token(app_id, app_secret, None); + let (generate_token, generated_token) = + generate_token(&app_id.to_string(), &app_secret.to_string(), None); let (bump_version, new_version) = bump_version(current_version, bump_type); let job = steps::dependant_job(dependencies) 
@@ -202,16 +204,16 @@ fn bump_extension_version( } pub(crate) fn generate_token( - app_id: &WorkflowSecret, - app_secret: &WorkflowSecret, + app_id_source: &str, + app_secret_source: &str, repository_target: Option, ) -> (Step, StepOutput) { let step = named::uses("actions", "create-github-app-token", "v2") .id("generate-token") .add_with( Input::default() - .add("app-id", app_id.to_string()) - .add("private-key", app_secret.to_string()) + .add("app-id", app_id_source) + .add("private-key", app_secret_source) .when_some( repository_target, |input, diff --git a/tooling/xtask/src/tasks/workflows/extension_release.rs b/tooling/xtask/src/tasks/workflows/extension_release.rs index 2344495661ca523f570dc2f7a0c95039082bb5ce..2679c976c05bae84bfe8b318eb98fe91ceeca7cd 100644 --- a/tooling/xtask/src/tasks/workflows/extension_release.rs +++ b/tooling/xtask/src/tasks/workflows/extension_release.rs @@ -27,8 +27,11 @@ pub(crate) fn extension_release() -> Workflow { fn create_release(app_id: &WorkflowSecret, app_secret: &WorkflowSecret) -> NamedJob { let extension_registry = RepositoryTarget::new("zed-industries", &["extensions"]); - let (generate_token, generated_token) = - generate_token(&app_id, &app_secret, Some(extension_registry)); + let (generate_token, generated_token) = generate_token( + &app_id.to_string(), + &app_secret.to_string(), + Some(extension_registry), + ); let (get_extension_id, extension_id) = get_extension_id(); let job = Job::default() diff --git a/tooling/xtask/src/tasks/workflows/extension_workflow_rollout.rs b/tooling/xtask/src/tasks/workflows/extension_workflow_rollout.rs index 443232127e3210b3ac903a1f00f6229f18de2ddc..307513d728a12495a65adcefd72a8cc9b5db208a 100644 --- a/tooling/xtask/src/tasks/workflows/extension_workflow_rollout.rs +++ b/tooling/xtask/src/tasks/workflows/extension_workflow_rollout.rs 
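Review bot: `generate_token` now takes `app_id_source: &str` and `app_secret_source: &str`, so nothing in the signature stops a caller from passing a literal credential, which would be written verbatim into the `private-key` input of the emitted workflow. The previous `&WorkflowSecret` parameters carried the "this is a reference to a secret" requirement in the type, and the call sites in `create_version_label`, `bump_extension_version` and `create_release` now have to stringify by hand to fit. If the `&str` form is kept for the `vars::` constants passed from extension_workflow_rollout.rs, state the contract on the function, for example `/// Both sources must be workflow expressions that reference a secret (as WorkflowSecret renders them), never the secret value itself.` The body of `generate_token` continues past the end of this hunk, so how the inputs are used further down is not visible here.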
@@ -3,9 +3,10 @@ use indoc::indoc; use serde_json::json; use crate::tasks::workflows::{ + extension_bump::{RepositoryTarget, generate_token}, runners, steps::{self, NamedJob, named}, - vars::StepOutput, + vars::{self, StepOutput}, }; const EXCLUDED_REPOS: &[&str] = &["workflows", "material-icon-theme"]; @@ -143,7 +144,14 @@ fn rollout_workflows_to_extension(fetch_repos_job: &NamedJob) -> NamedJob { .add_env(("GH_TOKEN", token.to_string())) } - let (authenticate, token) = steps::authenticate_as_zippy(); + let (authenticate, token) = generate_token( + vars::ZED_ZIPPY_APP_ID, + vars::ZED_ZIPPY_APP_PRIVATE_KEY, + Some(RepositoryTarget::new( + "zed-extensions", + &["${{ matrix.repo }}"], + )), + ); let (calculate_short_sha, short_sha) = get_short_sha(); let job = Job::default()
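Review bot: Replacing `steps::authenticate_as_zippy()` with `generate_token(...)` also changes which action reference the rollout job runs: the workflow YAML in this patch goes from `actions/create-github-app-token@bef1eaf1c0ac2b148ee2a0a74c65fbe6db0631f1` (a full commit SHA) to `@v2`, because `generate_token` builds its step with `named::uses("actions", "create-github-app-token", "v2")`. That step is handed the app private key, and a tag can later point at different code while a commit SHA cannot, so the tighter `owner`/`repositories` scoping arrives together with a weaker pin. Consider pinning inside `generate_token` the way the `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` steps are pinned, e.g. `named::uses("actions", "create-github-app-token", "<full commit SHA of the reviewed v2 release>")`, assuming `named::uses` accepts a SHA as its ref argument. `rollout_workflows_to_extension` starts and ends outside this hunk.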