diff --git a/.github/workflows/extension_workflow_rollout.yml b/.github/workflows/extension_workflow_rollout.yml
index 7c4643ab7f741458209321ce6ddb8985183c8c3e..1684c7bc517473489fce3ae493a6fe7eaee60810 100644
--- a/.github/workflows/extension_workflow_rollout.yml
+++ b/.github/workflows/extension_workflow_rollout.yml
@@ -50,6 +50,9 @@ jobs:
 private-key: ${{ secrets.ZED_ZIPPY_APP_PRIVATE_KEY }}
 owner: zed-extensions
 repositories: ${{ matrix.repo }}
+ permission-pull-requests: write
+ permission-contents: write
+ permission-workflows: write
 - name: checkout_zed_repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 with:
diff --git a/tooling/xtask/src/tasks/workflows/extension_bump.rs b/tooling/xtask/src/tasks/workflows/extension_bump.rs
index eac64ed4572271b2be27a497d339bd85fdcfb926..70ec4d7cb78bbf851d4b9dc3e60aa060fb93d76d 100644
--- a/tooling/xtask/src/tasks/workflows/extension_bump.rs
+++ b/tooling/xtask/src/tasks/workflows/extension_bump.rs
@@ -220,8 +220,21 @@ pub(crate) fn generate_token(
 RepositoryTarget {
 owner,
 repositories,
+ permissions,
 }| {
- input.add("owner", owner).add("repositories", repositories)
+ input
+ .add("owner", owner)
+ .add("repositories", repositories)
+ .when_some(permissions, |input, permissions| {
+ permissions
+ .into_iter()
+ .fold(input, |input, (permission, level)| {
+ input.add(
+ permission,
+ serde_json::to_value(&level).unwrap_or_default(),
+ )
+ })
+ })
 },
 ),
 );
@@ -297,6 +310,7 @@ fn create_pull_request(new_version: StepOutput, generated_token: StepOutput) ->
 pub(crate) struct RepositoryTarget {
 owner: String,
 repositories: String,
+ permissions: Option>,
 }
 
 impl RepositoryTarget {
@@ -304,6 +318,14 @@ impl RepositoryTarget {
 Self {
 owner: owner.to_string(),
 repositories: repositories.join("\n"),
+ permissions: None,
+ }
+ }
+
+ pub fn permissions(self, permissions: impl Into>) -> Self {
+ Self {
+ permissions: Some(permissions.into()),
+ ..self
 }
 }
 }
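Review bot: `serde_json::to_value(&level).unwrap_or_default()` in the new `fold` turns a serialization failure into `Value::Null`, so a permission the caller explicitly asked to scope would be emitted with an empty value instead of stopping generation — for a token-scoping input that fails open toward whatever the action does with an unset permission. This code runs at workflow-generation time, where a non-serializable `Level` is a bug, so `serde_json::to_value(&level).expect("Level must serialize to a workflow input value")` is the safer form. The `permission` key is also passed through verbatim, so a misspelled name silently becomes an input the action presumably ignores; a constant set or a helper that builds the `permission-*` key would catch that at compile time. The enclosing closure and `generate_token` start and end outside the hunk.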
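Review bot: The new `pub fn permissions` on `RepositoryTarget` has no doc comment, and nothing states that leaving it unset keeps the field `None`, which the `generate_token` closure treats as "emit no permission inputs" — the reader has to infer from the action's behaviour what scope the installation token then carries. Suggest `/// Restricts the generated installation token to the given `permission-*` inputs; when unset no permission inputs are emitted and the token's scope is whatever the token action grants by default.` above the function. The `Option>` and `impl Into>` type parameters appear garbled in this hunk, so the concrete map type cannot be checked here. `impl RepositoryTarget` continues outside the hunk.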
diff --git a/tooling/xtask/src/tasks/workflows/extension_workflow_rollout.rs b/tooling/xtask/src/tasks/workflows/extension_workflow_rollout.rs
index 307513d728a12495a65adcefd72a8cc9b5db208a..1d0a714ebff97235891b14afc7bf04e64107a46f 100644
--- a/tooling/xtask/src/tasks/workflows/extension_workflow_rollout.rs
+++ b/tooling/xtask/src/tasks/workflows/extension_workflow_rollout.rs
@@ -1,4 +1,6 @@
-use gh_workflow::{Event, Expression, Job, Run, Step, Strategy, Use, Workflow, WorkflowDispatch};
+use gh_workflow::{
+ Event, Expression, Job, Level, Run, Step, Strategy, Use, Workflow, WorkflowDispatch,
+};
 use indoc::indoc;
 use serde_json::json;
 
@@ -147,10 +149,13 @@ fn rollout_workflows_to_extension(fetch_repos_job: &NamedJob) -> NamedJob {
 let (authenticate, token) = generate_token(
 vars::ZED_ZIPPY_APP_ID,
 vars::ZED_ZIPPY_APP_PRIVATE_KEY,
- Some(RepositoryTarget::new(
- "zed-extensions",
- &["${{ matrix.repo }}"],
- )),
+ Some(
+ RepositoryTarget::new("zed-extensions", &["${{ matrix.repo }}"]).permissions([
+ ("permission-pull-requests".to_owned(), Level::Write),
+ ("permission-contents".to_owned(), Level::Write),
+ ("permission-workflows".to_owned(), Level::Write),
+ ]),
+ ),
 );
 
 let (calculate_short_sha, short_sha) = get_short_sha();
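Review bot: The three `Level::Write` scopes are hard-coded at the call site with no comment recording why each is needed, and `permission-workflows` write is the one that lets the token change workflow files in every repo the matrix expands to — exactly what a rollout needs, but also the scope a reviewer should be able to audit without reading the job. Suggest a comment above the `.permissions([` call such as `// Least-privilege scopes for the rollout token: contents/workflows to push the regenerated workflow files, pull-requests to open the PR.` The permission names are plain strings here, so a typo would only surface when the generated workflow runs; if a shared constant or enum for the `permission-*` keys exists or is added in `extension_bump.rs`, use it here. `rollout_workflows_to_extension` continues outside the hunk.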