ci: Grant GitHub token more granular permissions (#45825)

Release Notes: - N/A
2025-12-29 17:16:01 +01:00
parent bf1c8819d9
commit f53b01d5a2
3 changed files with 36 additions and 6 deletions
--- a/.github/workflows/extension_workflow_rollout.yml
+++ b/.github/workflows/extension_workflow_rollout.yml
@@ -50,6 +50,9 @@ jobs:
        private-key: ${{ secrets.ZED_ZIPPY_APP_PRIVATE_KEY }}
        owner: zed-extensions
        repositories: ${{ matrix.repo }}
+        permission-pull-requests: write
+        permission-contents: write
+        permission-workflows: write
    - name: checkout_zed_repo
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
--- a/tooling/xtask/src/tasks/workflows/extension_bump.rs
+++ b/tooling/xtask/src/tasks/workflows/extension_bump.rs
@@ -220,8 +220,21 @@ pub(crate) fn generate_token(
                     RepositoryTarget {
                         owner,
                         repositories,
+                         permissions,
                     }| {
-                        input.add("owner", owner).add("repositories", repositories)
+                        input
+                            .add("owner", owner)
+                            .add("repositories", repositories)
+                            .when_some(permissions, |input, permissions| {
+                                permissions
+                                    .into_iter()
+                                    .fold(input, |input, (permission, level)| {
+                                        input.add(
+                                            permission,
+                                            serde_json::to_value(&level).unwrap_or_default(),
+                                        )
+                                    })
+                            })
                    },
                ),
        );
@@ -297,6 +310,7 @@ fn create_pull_request(new_version: StepOutput, generated_token: StepOutput) ->
 pub(crate) struct RepositoryTarget {
    owner: String,
    repositories: String,
+    permissions: Option<Vec<(String, Level)>>,
 }

 impl RepositoryTarget {
@@ -304,6 +318,14 @@ impl RepositoryTarget {
        Self {
            owner: owner.to_string(),
            repositories: repositories.join("\n"),
+            permissions: None,
+        }
+    }
+
+    pub fn permissions(self, permissions: impl Into<Vec<(String, Level)>>) -> Self {
+        Self {
+            permissions: Some(permissions.into()),
+            ..self
        }
    }
 }
--- a/tooling/xtask/src/tasks/workflows/extension_workflow_rollout.rs
+++ b/tooling/xtask/src/tasks/workflows/extension_workflow_rollout.rs
@@ -1,4 +1,6 @@
-use gh_workflow::{Event, Expression, Job, Run, Step, Strategy, Use, Workflow, WorkflowDispatch};
+use gh_workflow::{
+    Event, Expression, Job, Level, Run, Step, Strategy, Use, Workflow, WorkflowDispatch,
+};
 use indoc::indoc;
 use serde_json::json;

@@ -147,10 +149,13 @@ fn rollout_workflows_to_extension(fetch_repos_job: &NamedJob) -> NamedJob {
    let (authenticate, token) = generate_token(
        vars::ZED_ZIPPY_APP_ID,
        vars::ZED_ZIPPY_APP_PRIVATE_KEY,
-        Some(RepositoryTarget::new(
-            "zed-extensions",
-            &["${{ matrix.repo }}"],
-        )),
+        Some(
+            RepositoryTarget::new("zed-extensions", &["${{ matrix.repo }}"]).permissions([
+                ("permission-pull-requests".to_owned(), Level::Write),
+                ("permission-contents".to_owned(), Level::Write),
+                ("permission-workflows".to_owned(), Level::Write),
+            ]),
+        ),
    );
    let (calculate_short_sha, short_sha) = get_short_sha();