From 7ac040833025bf234dec485ddaa6c459b25d2196 Mon Sep 17 00:00:00 2001
From: David Sherret
Date: Fri, 1 Mar 2024 11:11:32 -0500
Subject: ci: actually fix workflow permissions (#22644)
Also adds a lint to ensure this file is kept up to date.
---
 .github/workflows/ci.generate.ts | 24 +++++++++++++++++-------
 .github/workflows/ci.yml | 2 ++
 2 files changed, 19 insertions(+), 7 deletions(-)
(limited to '.github/workflows')
diff --git a/.github/workflows/ci.generate.ts b/.github/workflows/ci.generate.ts
index 01eb04315..b2a8c99c9 100755
--- a/.github/workflows/ci.generate.ts
+++ b/.github/workflows/ci.generate.ts
@@ -301,6 +301,9 @@ function handleMatrixItems(items: {
 const ci = {
 name: "ci",
+ permissions: {
+ contents: "write",
+ },
 on: {
 push: {
 branches: ["main"],
@@ -1075,11 +1078,18 @@ const ci = {
 },
 };
-let finalText = `# GENERATED BY ./ci.generate.ts -- DO NOT DIRECTLY EDIT\n\n`;
-finalText += yaml.stringify(ci, {
- noRefs: true,
- lineWidth: 10_000,
- noCompatMode: true,
-});
+export function generate() {
+ let finalText = `# GENERATED BY ./ci.generate.ts -- DO NOT DIRECTLY EDIT\n\n`;
+ finalText += yaml.stringify(ci, {
+ noRefs: true,
+ lineWidth: 10_000,
+ noCompatMode: true,
+ });
+ return finalText;
+}
+
+export const CI_YML_URL = new URL("./ci.yml", import.meta.url);
-Deno.writeTextFileSync(new URL("./ci.yml", import.meta.url), finalText);
+if (import.meta.main) {
+ Deno.writeTextFileSync(CI_YML_URL, generate());
+}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 17157ce5b..b36195beb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,6 +1,8 @@
 # GENERATED BY ./ci.generate.ts -- DO NOT DIRECTLY EDIT
 name: ci
+permissions:
+ contents: write
 on:
 push:
 branches:
--
cgit v1.2.3
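Review bot: In the first hunk of ci.generate.ts, the new top-level `permissions: { contents: "write" }` applies to every job in the workflow, so every step that uses the default token gets repository write access, not only the ones that need it. If only some jobs have to write (which ones is not visible in this hunk), the workflow-level entry could be `contents: "read"`, with `permissions: { contents: "write" }` set on those jobs alone. A comment above the block such as `// unlisted scopes become none; contents: write is needed by <job>` would record why the grant exists. The `ci` object literal continues outside the hunk.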
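Review bot: In the second hunk of ci.generate.ts, the newly exported `generate` has no return type and no doc comment, even though other modules can now import it. Declaring it as `export function generate(): string {` and adding a one-line TSDoc stating that it returns the full text of ci.yml, including the generated-file header, would pin the contract. The lint mentioned in the commit message is not part of this view, so presumably it compares `generate()` with the file at `CI_YML_URL`. A short comment on `CI_YML_URL` saying so would help, because that comparison is what stops a hand edit to the workflow's `permissions` block from going unnoticed.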