Switched to secrets.GITHUB_TOKEN

.github/workflows/release.yml

@@ -9,6 +9,9 @@
   },
   "jobs": {
     "autotag": {
+      "permissions": {
+        "contents": "write"
+      },
       "runs-on": "ubuntu-latest",
       "env": {
         "OS": "ubuntu-latest"
@@ -27,7 +30,7 @@
             "tag_prefix": "v"
           },
           "env": {
-            "GITHUB_TOKEN": "${{ secrets.DEPLOY_TRIGGER_TOKEN }}"
+            "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}"
           }
         }
       ]

src/changelog.lisp

@@ -7,8 +7,18 @@
 
 (defchangelog (:ignore-words ("40ANTS-DOC"
                               "ASDF"
+			      "DEPLOY_TRIGGER_TOKEN"
+			      "GITHUB_TOKEN"
                               "OSX")
                :external-docs ("https://40ants.com/40ants-asdf-system/"))
+  (0.12.0 2023-12-11
+          "
+Changed
+=======
+
+Use `secrets.GITHUB_TOKEN` instead of `secrets.DEPLOY_TRIGGER_TOKEN` and set required scopes for the token.
+This way you don't have to setup a special secret for each repository or an organization.
+")
   (0.11.0 2023-12-01
           "
 Added

src/core.lisp

@@ -102,6 +102,7 @@ of the package inferred ASDF system `EXAMPLE/CI`. A file should have the followi
 
 
 (defsection @job-types (:title "Job Types")
+  (@autotag section)
   (@linter section)
   (@critic section)
   (@run-tests section)
@@ -207,6 +208,26 @@ and they will be executed in parallel. See docs on 40ANTS-CI/JOBS/CRITIC:CRITIC
 to learn about supported arguments.")
 
 
+(defsection @autotag (:title "Autotag")
+  "
+This job is automates git tag placement on the commit where you have changed the ChangeLog.md.
+
+This can be a useful to automate package deployment and releases. You update the changelog,
+a job pushes a new git tag and the next action triggers on this tag and build a release.
+
+Or you if you publish your library at Quicklisp distribution, then you can change
+it's source type to the `latest-github-tag` to provide more stable releases to your
+users. This way you commits into master will be ignored until you change the changelog and
+git tag will be pushed. Here is an [example](https://github.com/quicklisp/quicklisp-projects/blob/ee133271c81caf5d8bbf8cef3054544ff47b64c6/projects/alexa/source.txt) how to setup this kind of quicklisp project source.
+
+(defworkflow release
+  :on-push-to \"master\"
+  :jobs ((40ants-ci/jobs/autotag:autotag)))
+"
+  (40ants-ci/jobs/autotag:autotag function)
+  (40ants-ci/jobs/autotag:autotag class))
+
+
 (defsection @run-tests (:title "Running Tests"
                         :ignore-words ("ASDF:TEST-SYSTEM"))
   "
@@ -523,9 +544,11 @@ and a way how to create new job types.
   (40ants-ci/jobs/job:name (reader 40ants-ci/jobs/job:job))
   (40ants-ci/jobs/job:os (reader 40ants-ci/jobs/job:job))
   (40ants-ci/jobs/job:steps (reader 40ants-ci/jobs/job:job))
+  (40ants-ci/jobs/job:permissions (reader 40ants-ci/jobs/job:job))
   (40ants-ci/jobs/job:make-env generic-function)
   (40ants-ci/jobs/job:use-matrix-p generic-function)
   (40ants-ci/jobs/job:make-matrix generic-function)
+  (40ants-ci/jobs/job:make-permissions generic-function)
 
   (40ants-ci/jobs/lisp-job:lisp-job class)
   (40ants-ci/jobs/lisp-job:lisp (reader 40ants-ci/jobs/lisp-job:lisp-job))

src/jobs/autotag.lisp

@@ -12,7 +12,7 @@
 
 (defparameter *default-tag-prefix* "v")
 
-(defparameter *default-token-pattern* "${{ secrets.DEPLOY_TRIGGER_TOKEN }}")
+(defparameter *default-token-pattern* "${{ secrets.GITHUB_TOKEN }}")
 
 
 (defclass autotag (40ants-ci/jobs/job:job)
@@ -36,6 +36,8 @@
                   :type string
                   :documentation "Auth token pattern."
                   :reader token-pattern))
+  (:default-initargs
+   :permissions '(:contents "write"))
   (:documentation "This type of the job created a git tag when finds a new tag in specified file."))
 
 

src/jobs/job.lisp

@@ -13,7 +13,9 @@
            #:os
            #:name
            #:make-matrix
-           #:make-env))
+           #:make-env
+           #:permissions
+           #:make-permissions))
 (in-package 40ants-ci/jobs/job)
 
 
@@ -29,7 +31,19 @@
             :documentation "A list of plists denoting matrix combinations to be excluded.")
    (steps :initform nil
           :initarg :steps
-          :reader steps)))
+          :reader steps)
+   (permissions :initform nil
+                :initarg :permissions
+                :documentation "A plist of permissions need for running the job.
+
+                                These permissions will be bound to `secrets.GITHUB_TOKEN` variable.
+                                Use default-initargs to override permissions in subclasses:
+
+                                ```lisp
+                                (:default-initargs
+                                 :permissions '(:content \"write\"))
+                                ```"
+                :reader permissions)))
 
 
 (defmethod initialize-instance :after ((job job) &rest initargs)
@@ -94,12 +108,26 @@
         (first (os job)))))
 
 
+(defgeneric make-permissions (job)
+  (:documentation "Should return an alist with mapping from string to string where keys are scopes and values are permission names. Default method generates this alist from the plist of job's \"permissions\" slot.")
+  (:method ((job job))
+    (loop for (key value) on (permissions job) by #'cddr
+          for key-as-str = (string-downcase key)
+          for value-as-str = (string-downcase value)
+          collect (cons key-as-str
+                        value-as-str))))
+
+
 (defmethod 40ants-ci/github:prepare-data ((job job))
   (append 
    (when (use-matrix-p job)
      `(("strategy" . (("fail-fast" . :false)
                       ("matrix" . ,(make-matrix job))))))
 
+   (when (permissions job)
+     (list (cons "permissions"
+                 (make-permissions job))))
+
    `(("runs-on" . ,(make-runs-on job))
      ("env" . ,(make-env job))
      ("steps" . ,(make-steps job)))))