ci: Grant GitHub token more granular permissions (#45825)

Finn Evers created

Release Notes:

- N/A

Change summary

.github/workflows/extension_workflow_rollout.yml                |  3 
tooling/xtask/src/tasks/workflows/extension_bump.rs             | 24 ++
tooling/xtask/src/tasks/workflows/extension_workflow_rollout.rs | 15 +
3 files changed, 36 insertions(+), 6 deletions(-)

Detailed changes

.github/workflows/extension_workflow_rollout.yml 🔗

@@ -50,6 +50,9 @@ jobs:
         private-key: ${{ secrets.ZED_ZIPPY_APP_PRIVATE_KEY }}
         owner: zed-extensions
         repositories: ${{ matrix.repo }}
+        permission-pull-requests: write
+        permission-contents: write
+        permission-workflows: write
     - name: checkout_zed_repo
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
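Review bot: The three added `permission-*` inputs only narrow the token if the action version this step pins recognizes them, and the step's `uses:` line sits above the hunk, so that cannot be confirmed here. To my knowledge GitHub Actions reports an unrecognized `with:` key as a warning rather than a failure, so on a pin that predates these inputs the step would still succeed and the token would keep whatever scope the action grants by default — the opposite of what the commit intends, with no red signal. Worth checking that pin once and, since this YAML is generated from `tooling/xtask` per the diffstat, recording the reasoning in the Rust source rather than here. Of the three, `permission-workflows: write` is the one to document, as it lets the token change workflow definitions in the target repository; the existing `repositories: ${{ matrix.repo }}` input on the line above keeps that to one repository per matrix entry.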

tooling/xtask/src/tasks/workflows/extension_bump.rs 🔗

@@ -220,8 +220,21 @@ pub(crate) fn generate_token(
                      RepositoryTarget {
                          owner,
                          repositories,
+                         permissions,
                      }| {
-                        input.add("owner", owner).add("repositories", repositories)
+                        input
+                            .add("owner", owner)
+                            .add("repositories", repositories)
+                            .when_some(permissions, |input, permissions| {
+                                permissions
+                                    .into_iter()
+                                    .fold(input, |input, (permission, level)| {
+                                        input.add(
+                                            permission,
+                                            serde_json::to_value(&level).unwrap_or_default(),
+                                        )
+                                    })
+                            })
                     },
                 ),
         );
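Review bot: `serde_json::to_value(&level).unwrap_or_default()` inside the new fold turns a serialization failure into a JSON null, so a permission would be written to the generated workflow as a null-valued input instead of stopping generation; for a value whose whole purpose is to restrict a credential, that fallback should fail loudly. Since `Level` is a plain enum from `gh_workflow` whose serialization is not expected to fail, `.expect("Level serializes to a JSON value")` states the invariant and panics at generation time rather than shipping a token with an unintended scope. The `permissions` field added to `RepositoryTarget` in the next hunk would also benefit from a doc comment such as `/// Extra \`permission-*\` inputs forwarded verbatim to the token step; \`None\` leaves the action's default scope.` — that the default is the app installation's full permission set is an assumption about the action to confirm. `generate_token` starts and ends outside this hunk.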
@@ -297,6 +310,7 @@ fn create_pull_request(new_version: StepOutput, generated_token: StepOutput) ->
 pub(crate) struct RepositoryTarget {
     owner: String,
     repositories: String,
+    permissions: Option<Vec<(String, Level)>>,
 }
 
 impl RepositoryTarget {
@@ -304,6 +318,14 @@ impl RepositoryTarget {
         Self {
             owner: owner.to_string(),
             repositories: repositories.join("\n"),
+            permissions: None,
+        }
+    }
+
+    pub fn permissions(self, permissions: impl Into<Vec<(String, Level)>>) -> Self {
+        Self {
+            permissions: Some(permissions.into()),
+            ..self
         }
     }
 }

tooling/xtask/src/tasks/workflows/extension_workflow_rollout.rs 🔗

@@ -1,4 +1,6 @@
-use gh_workflow::{Event, Expression, Job, Run, Step, Strategy, Use, Workflow, WorkflowDispatch};
+use gh_workflow::{
+    Event, Expression, Job, Level, Run, Step, Strategy, Use, Workflow, WorkflowDispatch,
+};
 use indoc::indoc;
 use serde_json::json;
 
@@ -147,10 +149,13 @@ fn rollout_workflows_to_extension(fetch_repos_job: &NamedJob) -> NamedJob {
     let (authenticate, token) = generate_token(
         vars::ZED_ZIPPY_APP_ID,
         vars::ZED_ZIPPY_APP_PRIVATE_KEY,
-        Some(RepositoryTarget::new(
-            "zed-extensions",
-            &["${{ matrix.repo }}"],
-        )),
+        Some(
+            RepositoryTarget::new("zed-extensions", &["${{ matrix.repo }}"]).permissions([
+                ("permission-pull-requests".to_owned(), Level::Write),
+                ("permission-contents".to_owned(), Level::Write),
+                ("permission-workflows".to_owned(), Level::Write),
+            ]),
+        ),
     );
     let (calculate_short_sha, short_sha) = get_short_sha();
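Review bot: The permission names on the three added lines are free-form strings that each repeat the `permission-` prefix, so a typo such as `permission-pull-request` compiles cleanly and only surfaces as a rejected or ignored input when the workflow runs. Having `RepositoryTarget::permissions` accept the bare GitHub permission name and prepend `permission-` itself would remove that duplication, e.g. `("contents".to_owned(), Level::Write)`; a small enum of the permissions this repo actually grants would move the check to compile time. `Level::Write` on `permission-workflows` is the broadest grant here and deserves a why-comment, e.g. `// workflows: write is needed to push changes under .github/workflows in the extension repo` — presumably what this rollout job does, though the hunk does not show it. `rollout_workflows_to_extension` continues past the end of the hunk.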