Switched to secrets.GITHUB_TOKEN

40ants · Dec 11, 2023 · bd3d4ed · bd3d4ed
1 parent 5ff9ca9
commit bd3d4ed
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 4 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,6 +9,9 @@
   },
   "jobs": {
     "autotag": {
+      "permissions": {
+        "contents": "write"
+      },
       "runs-on": "ubuntu-latest",
       "env": {
         "OS": "ubuntu-latest"
@@ -27,7 +30,7 @@
             "tag_prefix": "v"
           },
           "env": {
-            "GITHUB_TOKEN": "${{ secrets.DEPLOY_TRIGGER_TOKEN }}"
+            "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}"
           }
         }
       ]

diff --git a/src/changelog.lisp b/src/changelog.lisp
@@ -7,8 +7,18 @@
 
 (defchangelog (:ignore-words ("40ANTS-DOC"
                               "ASDF"
+			      "DEPLOY_TRIGGER_TOKEN"
+			      "GITHUB_TOKEN"
                               "OSX")
                :external-docs ("https://40ants.com/40ants-asdf-system/"))
+  (0.12.0 2023-12-11
+          "
+Changed
+=======
+
+Use `secrets.GITHUB_TOKEN` instead of `secrets.DEPLOY_TRIGGER_TOKEN` and set required scopes for the token.
+This way you don't have to setup a special secret for each repository or an organization.
+")
   (0.11.0 2023-12-01
           "
 Added

diff --git a/src/jobs/autotag.lisp b/src/jobs/autotag.lisp
@@ -12,7 +12,7 @@
 
 (defparameter *default-tag-prefix* "v")
 
-(defparameter *default-token-pattern* "${{ secrets.DEPLOY_TRIGGER_TOKEN }}")
+(defparameter *default-token-pattern* "${{ secrets.GITHUB_TOKEN }}")
 
 
 (defclass autotag (40ants-ci/jobs/job:job)
@@ -36,6 +36,8 @@
                   :type string
                   :documentation "Auth token pattern."
                   :reader token-pattern))
+  (:default-initargs
+   :permissions '(:contents "write"))
   (:documentation "This type of the job created a git tag when finds a new tag in specified file."))
 
 

diff --git a/src/jobs/job.lisp b/src/jobs/job.lisp
@@ -13,7 +13,9 @@
            #:os
            #:name
            #:make-matrix
-           #:make-env))
+           #:make-env
+           #:permissions
+           #:make-permissions))
 (in-package 40ants-ci/jobs/job)
 
 
@@ -29,7 +31,17 @@
             :documentation "A list of plists denoting matrix combinations to be excluded.")
    (steps :initform nil
           :initarg :steps
-          :reader steps)))
+          :reader steps)
+   (permissions :initform nil
+                :initarg :permissions
+                :documentation "A plist of permissions need for running the job.
+
+                                These permissions will be bound to secrets.GITHUB_TOKEN variable.
+                                Use default-initargs to override permissions in subclasses:
+
+                                (:default-initargs
+                                 :permissions '(:content \"write\"))"
+                :reader permissions)))
 
 
 (defmethod initialize-instance :after ((job job) &rest initargs)
@@ -94,12 +106,26 @@
         (first (os job)))))
 
 
+(defgeneric make-permissions (job)
+  (:documentation "Should return an alist with mapping from string to string where keys are scopes and values are permission names. Default method generates this alist from the plist of job's \"permissions\" slot.")
+  (:method ((job job))
+    (loop for (key value) on (permissions job) by #'cddr
+          for key-as-str = (string-downcase key)
+          for value-as-str = (string-downcase value)
+          collect (cons key-as-str
+                        value-as-str))))
+
+
 (defmethod 40ants-ci/github:prepare-data ((job job))
   (append 
    (when (use-matrix-p job)
      `(("strategy" . (("fail-fast" . :false)
                       ("matrix" . ,(make-matrix job))))))
 
+   (when (permissions job)
+     (list (cons "permissions"
+                 (make-permissions job))))
+
    `(("runs-on" . ,(make-runs-on job))
      ("env" . ,(make-env job))
      ("steps" . ,(make-steps job)))))