feat(workflow): update alpha release workflow when permissions are not restrive

travi · travi · commit 5a5a7ef34c1c · 2023-06-25T08:41:31.000-05:00
diff --git a/src/semantic-release/ci-providers/github-workflows/release-workflow-for-alpha/lifter-test.js b/src/semantic-release/ci-providers/github-workflows/release-workflow-for-alpha/lifter-test.js
@@ -46,11 +46,41 @@ suite('release workflow lifter', () => {
     assert.calledWith(scaffolder.default, {projectRoot, nodeVersion});
   });
 
-  test('that the scaffolder is not called when a modern release workflow already exists', async () => {
+  test('that the scaffolder is re-run when the release workflow does not restrict permissions', async () => {
     core.fileExists.withArgs(pathToReleaseWorkflowFile).resolves(true);
     fs.readFile.withArgs(pathToReleaseWorkflowFile, 'utf-8').resolves(existingWorkflowContents);
     jsYaml.load.withArgs(existingWorkflowContents).returns({on: {}});
 
+    await lift({projectRoot, nodeVersion});
+
+    assert.calledWith(scaffolder.default, {projectRoot, nodeVersion});
+  });
+
+  test('that the scaffolder is re-run when the release workflow does not restrict permissions enough', async () => {
+    core.fileExists.withArgs(pathToReleaseWorkflowFile).resolves(true);
+    fs.readFile.withArgs(pathToReleaseWorkflowFile, 'utf-8').resolves(existingWorkflowContents);
+    jsYaml.load.withArgs(existingWorkflowContents).returns({on: {}, permissions: any.simpleObject()});
+
+    await lift({projectRoot, nodeVersion});
+
+    assert.calledWith(scaffolder.default, {projectRoot, nodeVersion});
+  });
+
+  test('that the scaffolder is re-run when the workflow does not properly restrict contents permission', async () => {
+    core.fileExists.withArgs(pathToReleaseWorkflowFile).resolves(true);
+    fs.readFile.withArgs(pathToReleaseWorkflowFile, 'utf-8').resolves(existingWorkflowContents);
+    jsYaml.load.withArgs(existingWorkflowContents).returns({on: {}, permissions: {contents: 'write'}});
+
+    await lift({projectRoot, nodeVersion});
+
+    assert.calledWith(scaffolder.default, {projectRoot, nodeVersion});
+  });
+
+  test('that the scaffolder is not called when a modern release workflow already exists', async () => {
+    core.fileExists.withArgs(pathToReleaseWorkflowFile).resolves(true);
+    fs.readFile.withArgs(pathToReleaseWorkflowFile, 'utf-8').resolves(existingWorkflowContents);
+    jsYaml.load.withArgs(existingWorkflowContents).returns({on: {}, permissions: {contents: 'read'}});
+
     await lift({projectRoot});
 
     assert.notCalled(scaffolder.default);
diff --git a/src/semantic-release/ci-providers/github-workflows/release-workflow-for-alpha/lifter.js b/src/semantic-release/ci-providers/github-workflows/release-workflow-for-alpha/lifter.js
@@ -4,9 +4,20 @@ import {fileExists} from '@form8ion/core';
 
 import scaffolder from './scaffolder';
 
+function workflowPermissionsAreMinimal(existingContents) {
+  return existingContents.permissions
+    && existingContents.permissions.contents
+    && 'read' === existingContents.permissions.contents;
+}
+
+async function contentsNeedToBeUpdated(pathToReleaseWorkflowFile) {
+  const existingContents = load(await fs.readFile(pathToReleaseWorkflowFile, 'utf-8'));
+
+  return existingContents.on.workflow_dispatch || !workflowPermissionsAreMinimal(existingContents);
+}
+
 async function releaseWorkflowShouldBeScaffolded(pathToReleaseWorkflowFile) {
-  return !await fileExists(pathToReleaseWorkflowFile)
-    || load(await fs.readFile(pathToReleaseWorkflowFile, 'utf-8')).on.workflow_dispatch;
+  return !await fileExists(pathToReleaseWorkflowFile) || contentsNeedToBeUpdated(pathToReleaseWorkflowFile);
 }
 
 export default async function ({projectRoot, nodeVersion}) {
