From 7ac040833025bf234dec485ddaa6c459b25d2196 Mon Sep 17 00:00:00 2001
From: David Sherret
Date: Fri, 1 Mar 2024 11:11:32 -0500
Subject: [PATCH] ci: actually fix workflow permissions (#22644)

Also adds a lint to ensure this file is kept up to date.
---
 .github/workflows/ci.generate.ts | 24 +++++++++++++++++-------
 .github/workflows/ci.yml | 2 ++
 tools/lint.js | 26 +++++++++++++++++++-------
 3 files changed, 38 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/ci.generate.ts b/.github/workflows/ci.generate.ts
index 01eb04315c..b2a8c99c96 100755
--- a/.github/workflows/ci.generate.ts
+++ b/.github/workflows/ci.generate.ts
@@ -301,6 +301,9 @@ function handleMatrixItems(items: {

 const ci = {
 name: "ci",
+ permissions: {
+ contents: "write",
+ },
 on: {
 push: {
 branches: ["main"],
@@ -1075,11 +1078,18 @@ const ci = {
 },
 };

-let finalText = `# GENERATED BY ./ci.generate.ts -- DO NOT DIRECTLY EDIT\n\n`;
-finalText += yaml.stringify(ci, {
- noRefs: true,
- lineWidth: 10_000,
- noCompatMode: true,
-});
+export function generate() {
+ let finalText = `# GENERATED BY ./ci.generate.ts -- DO NOT DIRECTLY EDIT\n\n`;
+ finalText += yaml.stringify(ci, {
+ noRefs: true,
+ lineWidth: 10_000,
+ noCompatMode: true,
+ });
+ return finalText;
+}

-Deno.writeTextFileSync(new URL("./ci.yml", import.meta.url), finalText);
+export const CI_YML_URL = new URL("./ci.yml", import.meta.url);
+
+if (import.meta.main) {
+ Deno.writeTextFileSync(CI_YML_URL, generate());
+}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 17157ce5b2..b36195beb5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,6 +1,8 @@
 # GENERATED BY ./ci.generate.ts -- DO NOT DIRECTLY EDIT

 name: ci
+permissions:
+ contents: write
 on:
 push:
 branches:
diff --git a/tools/lint.js b/tools/lint.js
index 14567ed1d2..56662fdd8d 100755
--- a/tools/lint.js
+++ b/tools/lint.js
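Review bot: In the first hunk of .github/workflows/ci.generate.ts, `permissions: { contents: "write" }` is set at workflow level, so every job in the generated ci.yml receives a GITHUB_TOKEN that can write repository contents, not only the job that needs it. Declaring the block is an improvement in itself, because every scope not listed becomes `none`, but least privilege would be `permissions: { contents: "read" }` on the `ci` object and `permissions: { contents: "write" }` on the single job that publishes or pushes; which job that is lies outside the hunk. If write access really is needed workflow-wide, a comment on the line saying why, e.g. `// write is required for <reason>`, would let a later reviewer judge it.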
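Review bot: In the second hunk of .github/workflows/ci.generate.ts, the `if (import.meta.main)` guard is what keeps tools/lint.js from rewriting ci.yml when it imports this module, yet nothing in the file says so. If the guard were ever dropped, the import would regenerate the file before the lint reads it and the up-to-date check would always pass. I would add `// Only write when run as a script; tools/lint.js imports generate() and must not modify ci.yml.` above the guard, and a short JSDoc on `generate()` and `CI_YML_URL` noting that the lint consumes them.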
@@ -2,6 +2,7 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
 import { buildMode, getPrebuilt, getSources, join, ROOT_PATH } from "./util.js";
 import { checkCopyright } from "./copyright_checker.js";
+import * as ciFile from "../.github/workflows/ci.generate.ts";

 const promises = [];

@@ -12,17 +13,18 @@ if (!js && !rs) {
 rs = true;
 }

-if (js) {
- promises.push(dlint());
- promises.push(dlintPreferPrimordials());
-}
-
 if (rs) {
 promises.push(clippy());
 }

-if (js && rs) {
- promises.push(checkCopyright());
+if (js) {
+ promises.push(dlint());
+ promises.push(dlintPreferPrimordials());
+ promises.push(ensureCiYmlUpToDate());
+
+ if (rs) {
+ promises.push(checkCopyright());
+ }
 }

 const results = await Promise.allSettled(promises);
@@ -164,3 +166,13 @@ async function clippy() {
 throw new Error("clippy failed");
 }
 }
+
+async function ensureCiYmlUpToDate() {
+ const expectedCiFileText = ciFile.generate();
+ const actualCiFileText = await Deno.readTextFile(ciFile.CI_YML_URL);
+ if (expectedCiFileText !== actualCiFileText) {
+ throw new Error(
+ "./.github/workflows/ci.yml is out of date. Run: ./.github/workflows/ci.generate.ts",
+ );
+ }
+}
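Review bot: In the second hunk of tools/lint.js, `ensureCiYmlUpToDate()` is pushed only inside `if (js)`, so a run that selects only the Rust lint skips the workflow check, although the check has nothing to do with JavaScript sources. Since this check is what ties the reviewed generator to the effective workflow, including its `permissions` block, I would run it unconditionally with `promises.push(ensureCiYmlUpToDate());` ahead of the `if (rs)` block, or add a comment stating that CI always runs with `js` set. How CI invokes this script is not visible in the hunk.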
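Review bot: `ensureCiYmlUpToDate()` in the last hunk of tools/lint.js compares the two texts with `!==`, so a checkout that converts line endings would fail as "out of date" although the content matches; whether the repository pins line endings for ci.yml is not visible here. The function also has no doc comment, and its scope is worth stating: it detects drift between ci.generate.ts and ci.yml, but because it runs from the workflow it checks, direct edits to ci.yml still need ordinary review. I would add `/** Throws if ci.yml differs from the output of ci.generate.ts (exact string comparison). */` above the function.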