From 9b22b83341003e4beb039e650097a4b94785dc42 Mon Sep 17 00:00:00 2001
From: Luke Karrys
Date: Tue, 28 Nov 2023 08:56:47 -0700
Subject: [PATCH] fix: give release integration workflow correct permissions and secrets (#384)
---
 .github/workflows/release-integration.yml | 4 +++-
 .github/workflows/release.yml | 4 ++++
 lib/content/_job-release-integration-yml.hbs | 1 -
 lib/content/release-integration-yml.hbs | 5 +++++
 lib/content/release-yml.hbs | 6 ++++++
 5 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release-integration.yml b/.github/workflows/release-integration.yml
index adc52786..36637581 100644
--- a/.github/workflows/release-integration.yml
+++ b/.github/workflows/release-integration.yml
@@ -15,6 +15,9 @@ on:
 required: true
 type: string
 description: 'A json array of releases. Required fields: publish: tagName, publishTag. publish check: pkgName, version'
+ secrets:
+ PUBLISH_TOKEN:
+ required: true
 jobs:
 publish:
@@ -24,7 +27,6 @@ jobs:
 run:
 shell: bash
 permissions:
- deployments: write
 id-token: write
 steps:
 - name: Checkout
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 88ea5829..ba73bb8d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -243,6 +243,10 @@ jobs:
 name: Release Integration
 if: needs.release.outputs.releases
 uses: ./.github/workflows/release-integration.yml
+ permissions:
+ id-token: write
+ secrets:
+ PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
 with:
 releases: ${{ needs.release.outputs.releases }}
diff --git a/lib/content/_job-release-integration-yml.hbs b/lib/content/_job-release-integration-yml.hbs
index 6c1e2d78..d0da5ed8 100644
--- a/lib/content/_job-release-integration-yml.hbs
+++ b/lib/content/_job-release-integration-yml.hbs
@@ -5,7 +5,6 @@ defaults:
 shell: bash
 {{#if publish}}
 permissions:
- deployments: write
 id-token: write
 {{/if}}
 steps:
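Review bot: Dropping `deployments: write` from the `publish` job is only safe if no remaining step still calls the deployments API; only the Checkout step is visible and the rest of the job's steps lie outside this hunk, so that should be confirmed before merge. Note also that once a job-level `permissions` block exists every scope it does not list is `none`, so after this change the checkout on the next line runs with a token that cannot read repository contents — on a public repository the clone still appears to succeed, on a private one it would not, and a called workflow can never grant itself more than the caller passes. Stating the intent explicitly avoids both surprises: `permissions:` / `contents: read` / `id-token: write`.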
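Review bot: The job-level `permissions` added to the caller job (`name: Release Integration`) is the ceiling for the reusable workflow — a called workflow can only downgrade what it receives — and because it lists only `id-token: write`, `contents` becomes `none` for every job in release-integration.yml, including its checkout; add `contents: read` next to `id-token: write` so the publish path does not depend on the repository being public. Passing the token through an explicit `secrets:` mapping rather than `secrets: inherit` is the right least-privilege choice and should be kept as the template grows. The token is forwarded on every run where `needs.release.outputs.releases` is set with no environment gate; if it is a long-lived registry automation token (inferred from the name — confirm), consider an `environment:` with protection rules on the consuming job and a short comment here recording the scope the token needs.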
diff --git a/lib/content/release-integration-yml.hbs b/lib/content/release-integration-yml.hbs
index d11f6a25..807d1279 100644
--- a/lib/content/release-integration-yml.hbs
+++ b/lib/content/release-integration-yml.hbs
@@ -13,6 +13,11 @@ on:
 required: true
 type: string
 description: 'A json array of releases. Required fields: publish: tagName, publishTag. publish check: pkgName, version'
+ {{#if publish}}
+ secrets:
+ PUBLISH_TOKEN:
+ required: true
+ {{/if}}
 jobs:
 publish:
diff --git a/lib/content/release-yml.hbs b/lib/content/release-yml.hbs
index 47ac0ca0..100b3328 100644
--- a/lib/content/release-yml.hbs
+++ b/lib/content/release-yml.hbs
@@ -184,6 +184,12 @@ jobs:
 name: Release Integration
 if: needs.release.outputs.releases
 uses: ./.github/workflows/release-integration.yml
+ {{#if publish}}
+ permissions:
+ id-token: write
+ secrets:
+ PUBLISH_TOKEN: $\{{ secrets.PUBLISH_TOKEN }}
+ {{/if}}
 with:
 releases: $\{{ needs.release.outputs.releases }}
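Review bot: The generated `PUBLISH_TOKEN` declaration carries no description, so consumers of this template see a required secret with no hint of what to provision or how tightly to scope it; `workflow_call` secrets accept a `description` field, so add one under `PUBLISH_TOKEN:` such as `description: 'Token the publish job uses to publish releases; scope it to publish only'`. The steps that actually consume the token are outside this hunk, so the wording should be checked against them (the registry and the exact scope are not visible here). The `{{#if publish}}` guard correctly mirrors the caller template, so a non-publishing repo declares no secret at all.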
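Review bot: When `publish` is false the rendered caller job has no `permissions:` block at all, so the reusable workflow receives whatever the workflow-level `permissions` of the generated release.yml grants (outside this hunk) or, if that is unset, the repository's default token permissions, which may be broader than the job needs; an explicit minimum keeps the non-publish path least-privilege too: `{{else}}` / `permissions:` / `contents: read` before the existing `{{/if}}`, widened only if that job is shown to need more. In the publish branch `contents` is likewise `none` because only `id-token: write` is listed, so `contents: read` belongs there as well. The `$\{{ … }}` escaping matches the existing `releases` line, so the rendered expression is correct.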