From bd3d4edb5fef28c38172e9c8c18bb65fe34a442f Mon Sep 17 00:00:00 2001 From: Alexander Artemenko Date: Mon, 11 Dec 2023 15:30:25 +0000 Subject: [PATCH 1/2] Switched to secrets.GITHUB_TOKEN --- .github/workflows/release.yml | 5 ++++- src/changelog.lisp | 10 ++++++++++ src/jobs/autotag.lisp | 4 +++- src/jobs/job.lisp | 30 ++++++++++++++++++++++++++++-- 4 files changed, 45 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9d6d209..954a253 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,6 +9,9 @@ }, "jobs": { "autotag": { + "permissions": { + "contents": "write" + }, "runs-on": "ubuntu-latest", "env": { "OS": "ubuntu-latest" @@ -27,7 +30,7 @@ "tag_prefix": "v" }, "env": { - "GITHUB_TOKEN": "${{ secrets.DEPLOY_TRIGGER_TOKEN }}" + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}" } } ] diff --git a/src/changelog.lisp b/src/changelog.lisp index 8a87e41..9b325d7 100644 --- a/src/changelog.lisp +++ b/src/changelog.lisp @@ -7,8 +7,18 @@ (defchangelog (:ignore-words ("40ANTS-DOC" "ASDF" + "DEPLOY_TRIGGER_TOKEN" + "GITHUB_TOKEN" "OSX") :external-docs ("https://40ants.com/40ants-asdf-system/")) + (0.12.0 2023-12-11 + " +Changed +======= + +Use `secrets.GITHUB_TOKEN` instead of `secrets.DEPLOY_TRIGGER_TOKEN` and set required scopes for the token. +This way you don't have to setup a special secret for each repository or an organization. +") (0.11.0 2023-12-01 " Added diff --git a/src/jobs/autotag.lisp b/src/jobs/autotag.lisp index fb14c36..ee6f857 100644 --- a/src/jobs/autotag.lisp +++ b/src/jobs/autotag.lisp @@ -12,7 +12,7 @@ (defparameter *default-tag-prefix* "v") -(defparameter *default-token-pattern* "${{ secrets.DEPLOY_TRIGGER_TOKEN }}") +(defparameter *default-token-pattern* "${{ secrets.GITHUB_TOKEN }}") (defclass autotag (40ants-ci/jobs/job:job) 
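Review bot: Switching `*default-token-pattern*` to `${{ secrets.GITHUB_TOKEN }}` changes behaviour as well as secret setup: GitHub does not start new workflow runs for pushes made with the repository's `GITHUB_TOKEN`, so a tag pushed by autotag with the default token will not fire a workflow that listens for tag pushes. The old secret's name suggests it existed for that purpose, and the `@autotag` section added to src/core.lisp in patch 2/2 still says the next action triggers on the tag. I would add a comment above the defparameter such as `;; Tags pushed with GITHUB_TOKEN do not trigger other workflows; supply a token pattern for a PAT or app token secret if a release workflow must run on the tag.` and repeat the caveat in the 0.12.0 changelog entry. The benefit worth keeping is that the default token expires with the job and is limited to `contents: write` for this job only.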
@@ -36,6 +36,8 @@ :type string :documentation "Auth token pattern." :reader token-pattern)) + (:default-initargs + :permissions '(:contents "write")) (:documentation "This type of the job created a git tag when finds a new tag in specified file.")) diff --git a/src/jobs/job.lisp b/src/jobs/job.lisp index 8e388c7..f6f8ead 100644 --- a/src/jobs/job.lisp +++ b/src/jobs/job.lisp @@ -13,7 +13,9 @@ #:os #:name #:make-matrix - #:make-env)) + #:make-env + #:permissions + #:make-permissions)) (in-package 40ants-ci/jobs/job) @@ -29,7 +31,17 @@ :documentation "A list of plists denoting matrix combinations to be excluded.") (steps :initform nil :initarg :steps - :reader steps))) + :reader steps) + (permissions :initform nil + :initarg :permissions + :documentation "A plist of permissions need for running the job. + + These permissions will be bound to secrets.GITHUB_TOKEN variable. + Use default-initargs to override permissions in subclasses: + + (:default-initargs + :permissions '(:content \"write\"))" + :reader permissions))) (defmethod initialize-instance :after ((job job) &rest initargs) @@ -94,12 +106,26 @@ (first (os job))))) +(defgeneric make-permissions (job) + (:documentation "Should return an alist with mapping from string to string where keys are scopes and values are permission names. Default method generates this alist from the plist of job's \"permissions\" slot.") + (:method ((job job)) + (loop for (key value) on (permissions job) by #'cddr + for key-as-str = (string-downcase key) + for value-as-str = (string-downcase value) + collect (cons key-as-str + value-as-str)))) + + (defmethod 40ants-ci/github:prepare-data ((job job)) (append (when (use-matrix-p job) `(("strategy" . (("fail-fast" . :false) ("matrix" . ,(make-matrix job)))))) + (when (permissions job) + (list (cons "permissions" + (make-permissions job)))) + `(("runs-on" . ,(make-runs-on job)) ("env" . ,(make-env job)) ("steps" . ,(make-steps job))))) 
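Review bot: The example in the `permissions` slot docstring uses `:content`, but the scope is `contents`, which is what the autotag class in this same patch passes as `'(:contents "write")`. Anyone copying the example gets a `content` key in the generated workflow, which is not a permission scope GitHub defines. Change the docstring line to `:permissions '(:contents \"write\"))` and fix "permissions need" to "permissions needed"; the hunk in patch 2/2 that wraps this example in a code fence carries the same typo. It would also help to state that once any scope is listed, GitHub sets every unlisted scope to none for that job, since that is what makes this slot a least-privilege control. The defclass form starts outside the hunk.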
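Review bot: The default `make-permissions` method does no validation, so an odd-length plist such as `'(:contents)` destructures `value` to NIL and `string-downcase` turns that into the string "nil", which lands in the workflow as an access level. A guard in the loop, e.g. `unless value do (error "Permission ~S has no access level" key)`, would fail at generation time instead of in GitHub's workflow parser. Separately, `(when (permissions job) ...)` in `prepare-data` makes NIL mean both unset and empty, so a job cannot emit an empty `permissions` map to strip the token of all scopes. Jobs that leave the slot unset keep whatever default the repository or organization grants to `GITHUB_TOKEN`, which deserves a sentence in the generic function's docstring.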
From f0ed1c3c5b2ddfc14514ce349d846975aca26e49 Mon Sep 17 00:00:00 2001 From: Alexander Artemenko Date: Tue, 12 Dec 2023 17:36:57 +0000 Subject: [PATCH 2/2] Added documentation on autotag. --- src/core.lisp | 23 +++++++++++++++++++++++ src/jobs/job.lisp | 6 ++++-- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/src/core.lisp b/src/core.lisp index 82b6bfd..7bb3a59 100644 --- a/src/core.lisp +++ b/src/core.lisp @@ -102,6 +102,7 @@ of the package inferred ASDF system `EXAMPLE/CI`. A file should have the followi (defsection @job-types (:title "Job Types") + (@autotag section) (@linter section) (@critic section) (@run-tests section) @@ -207,6 +208,26 @@ and they will be executed in parallel. See docs on 40ANTS-CI/JOBS/CRITIC:CRITIC to learn about supported arguments.") +(defsection @autotag (:title "Autotag") + " +This job is automates git tag placement on the commit where you have changed the ChangeLog.md. + +This can be a useful to automate package deployment and releases. You update the changelog, +a job pushes a new git tag and the next action triggers on this tag and build a release. + +Or you if you publish your library at Quicklisp distribution, then you can change +it's source type to the `latest-github-tag` to provide more stable releases to your +users. This way you commits into master will be ignored until you change the changelog and +git tag will be pushed. Here is an [example](https://github.com/quicklisp/quicklisp-projects/blob/ee133271c81caf5d8bbf8cef3054544ff47b64c6/projects/alexa/source.txt) how to setup this kind of quicklisp project source. + +(defworkflow release + :on-push-to \"master\" + :jobs ((40ants-ci/jobs/autotag:autotag))) +" + (40ants-ci/jobs/autotag:autotag function) + (40ants-ci/jobs/autotag:autotag class)) + + (defsection @run-tests (:title "Running Tests" :ignore-words ("ASDF:TEST-SYSTEM")) " 
@@ -523,9 +544,11 @@ and a way how to create new job types. (40ants-ci/jobs/job:name (reader 40ants-ci/jobs/job:job)) (40ants-ci/jobs/job:os (reader 40ants-ci/jobs/job:job)) (40ants-ci/jobs/job:steps (reader 40ants-ci/jobs/job:job)) + (40ants-ci/jobs/job:permissions (reader 40ants-ci/jobs/job:job)) (40ants-ci/jobs/job:make-env generic-function) (40ants-ci/jobs/job:use-matrix-p generic-function) (40ants-ci/jobs/job:make-matrix generic-function) + (40ants-ci/jobs/job:make-permissions generic-function) (40ants-ci/jobs/lisp-job:lisp-job class) (40ants-ci/jobs/lisp-job:lisp (reader 40ants-ci/jobs/lisp-job:lisp-job)) diff --git a/src/jobs/job.lisp b/src/jobs/job.lisp index f6f8ead..972c339 100644 --- a/src/jobs/job.lisp +++ b/src/jobs/job.lisp @@ -36,11 +36,13 @@ :initarg :permissions :documentation "A plist of permissions need for running the job. - These permissions will be bound to secrets.GITHUB_TOKEN variable. + These permissions will be bound to `secrets.GITHUB_TOKEN` variable. Use default-initargs to override permissions in subclasses: + ```lisp (:default-initargs - :permissions '(:content \"write\"))" + :permissions '(:content \"write\")) + ```" :reader permissions)))