ci: Properly request token for extension repositories (#45824)

Release Notes: - N/A
2025-12-29 16:41:56 +01:00
parent 3247264288
commit bf1c8819d9
4 changed files with 31 additions and 16 deletions
--- a/.github/workflows/extension_workflow_rollout.yml
+++ b/.github/workflows/extension_workflow_rollout.yml
@@ -42,12 +42,14 @@ jobs:
      fail-fast: false
      max-parallel: 5
    steps:
-    - id: get-app-token
-      name: steps::authenticate_as_zippy
-      uses: actions/create-github-app-token@bef1eaf1c0ac2b148ee2a0a74c65fbe6db0631f1
+    - id: generate-token
+      name: extension_bump::generate_token
+      uses: actions/create-github-app-token@v2
      with:
        app-id: ${{ secrets.ZED_ZIPPY_APP_ID }}
        private-key: ${{ secrets.ZED_ZIPPY_APP_PRIVATE_KEY }}
+        owner: zed-extensions
+        repositories: ${{ matrix.repo }}
    - name: checkout_zed_repo
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
@@ -57,7 +59,7 @@ jobs:
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        clean: false
-        token: ${{ steps.get-app-token.outputs.token }}
+        token: ${{ steps.generate-token.outputs.token }}
        repository: zed-extensions/${{ matrix.repo }}
        path: extension
    - name: extension_workflow_rollout::rollout_workflows_to_extension::copy_workflow_files
@@ -86,7 +88,7 @@ jobs:
        author: zed-zippy[bot] <234243425+zed-zippy[bot]@users.noreply.github.com>
        base: main
        delete-branch: true
-        token: ${{ steps.get-app-token.outputs.token }}
+        token: ${{ steps.generate-token.outputs.token }}
        sign-commits: true
    - name: extension_workflow_rollout::rollout_workflows_to_extension::enable_auto_merge
      run: |
@@ -97,5 +99,5 @@ jobs:
        fi
      shell: bash -euxo pipefail {0}
      env:
-        GH_TOKEN: ${{ steps.get-app-token.outputs.token }}
+        GH_TOKEN: ${{ steps.generate-token.outputs.token }}
    timeout-minutes: 10
--- a/tooling/xtask/src/tasks/workflows/extension_bump.rs
+++ b/tooling/xtask/src/tasks/workflows/extension_bump.rs
@@ -101,7 +101,8 @@ fn create_version_label(
    app_id: &WorkflowSecret,
    app_secret: &WorkflowSecret,
 ) -> NamedJob {
-    let (generate_token, generated_token) = generate_token(app_id, app_secret, None);
+    let (generate_token, generated_token) =
+        generate_token(&app_id.to_string(), &app_secret.to_string(), None);
    let job = steps::dependant_job(dependencies)
        .cond(Expression::new(format!(
            "{DEFAULT_REPOSITORY_OWNER_GUARD} && github.event_name == 'push' && github.ref == 'refs/heads/main' && {} == 'false'",
@@ -181,7 +182,8 @@ fn bump_extension_version(
    app_id: &WorkflowSecret,
    app_secret: &WorkflowSecret,
 ) -> NamedJob {
-    let (generate_token, generated_token) = generate_token(app_id, app_secret, None);
+    let (generate_token, generated_token) =
+        generate_token(&app_id.to_string(), &app_secret.to_string(), None);
    let (bump_version, new_version) = bump_version(current_version, bump_type);

    let job = steps::dependant_job(dependencies)
@@ -202,16 +204,16 @@ fn bump_extension_version(
 }

 pub(crate) fn generate_token(
-    app_id: &WorkflowSecret,
-    app_secret: &WorkflowSecret,
+    app_id_source: &str,
+    app_secret_source: &str,
    repository_target: Option<RepositoryTarget>,
 ) -> (Step<Use>, StepOutput) {
    let step = named::uses("actions", "create-github-app-token", "v2")
        .id("generate-token")
        .add_with(
            Input::default()
-                .add("app-id", app_id.to_string())
-                .add("private-key", app_secret.to_string())
+                .add("app-id", app_id_source)
+                .add("private-key", app_secret_source)
                .when_some(
                    repository_target,
                    |input,
--- a/tooling/xtask/src/tasks/workflows/extension_release.rs
+++ b/tooling/xtask/src/tasks/workflows/extension_release.rs
@@ -27,8 +27,11 @@ pub(crate) fn extension_release() -> Workflow {

 fn create_release(app_id: &WorkflowSecret, app_secret: &WorkflowSecret) -> NamedJob {
    let extension_registry = RepositoryTarget::new("zed-industries", &["extensions"]);
-    let (generate_token, generated_token) =
-        generate_token(&app_id, &app_secret, Some(extension_registry));
+    let (generate_token, generated_token) = generate_token(
+        &app_id.to_string(),
+        &app_secret.to_string(),
+        Some(extension_registry),
+    );
    let (get_extension_id, extension_id) = get_extension_id();

    let job = Job::default()
--- a/tooling/xtask/src/tasks/workflows/extension_workflow_rollout.rs
+++ b/tooling/xtask/src/tasks/workflows/extension_workflow_rollout.rs
@@ -3,9 +3,10 @@ use indoc::indoc;
 use serde_json::json;

 use crate::tasks::workflows::{
+    extension_bump::{RepositoryTarget, generate_token},
    runners,
    steps::{self, NamedJob, named},
-    vars::StepOutput,
+    vars::{self, StepOutput},
 };

 const EXCLUDED_REPOS: &[&str] = &["workflows", "material-icon-theme"];
@@ -143,7 +144,14 @@ fn rollout_workflows_to_extension(fetch_repos_job: &NamedJob) -> NamedJob {
        .add_env(("GH_TOKEN", token.to_string()))
    }

-    let (authenticate, token) = steps::authenticate_as_zippy();
+    let (authenticate, token) = generate_token(
+        vars::ZED_ZIPPY_APP_ID,
+        vars::ZED_ZIPPY_APP_PRIVATE_KEY,
+        Some(RepositoryTarget::new(
+            "zed-extensions",
+            &["${{ matrix.repo }}"],
+        )),
+    );
    let (calculate_short_sha, short_sha) = get_short_sha();

    let job = Job::default()