From 9ca7fc4b608842516fe4986f2f7ca9940e126736 Mon Sep 17 00:00:00 2001 From: Baptiste Augrain Date: Sat, 18 Apr 2026 03:20:59 +0200 Subject: [PATCH] ci: fix expressions and permissions --- .github/workflows/ci-build-linux.yml | 2 +- .github/workflows/ci-build-windows.yml | 2 +- .github/workflows/publish-insider-linux.yml | 22 ++++++++----------- .github/workflows/publish-insider-macos.yml | 5 +++-- .github/workflows/publish-insider-windows.yml | 8 ++++--- .github/workflows/publish-stable-linux.yml | 17 ++++++-------- .github/workflows/publish-stable-macos.yml | 5 +++-- .github/workflows/publish-stable-windows.yml | 8 ++++--- 8 files changed, 34 insertions(+), 35 deletions(-) diff --git a/.github/workflows/ci-build-linux.yml b/.github/workflows/ci-build-linux.yml index dc09cbf..306a4bf 100644 --- a/.github/workflows/ci-build-linux.yml +++ b/.github/workflows/ci-build-linux.yml @@ -182,7 +182,7 @@ jobs: - name: Prepare assets env: - SHOULD_BUILD_APPIMAGE: ${{ (vars[format('DISABLE_{0}_APPIMAGE', ((github.ref == 'refs/heads/insider' || (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'insider')) && 'INSIDER' || 'STABLE'))] == 'yes' && 'no' || 'yes' }} + SHOULD_BUILD_APPIMAGE: ${{ vars[format('DISABLE_{0}_APPIMAGE', ((github.ref == 'refs/heads/insider' || (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'insider')) && 'INSIDER' || 'STABLE'))] == 'yes' && 'no' || 'yes' }} SHOULD_BUILD_REH: 'no' SHOULD_BUILD_REH_WEB: 'no' VSCODE_SYSROOT_REPOSITORY: ${{ steps.build.outputs.VSCODE_SYSROOT_REPOSITORY }} diff --git a/.github/workflows/ci-build-windows.yml b/.github/workflows/ci-build-windows.yml index 8fd81ec..9091d23 100644 --- a/.github/workflows/ci-build-windows.yml +++ b/.github/workflows/ci-build-windows.yml 
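Review bot: The channel-selection sub-expression inside `SHOULD_BUILD_APPIMAGE` in ci-build-linux.yml (`@@ -182,7 +182,7 @@`) is repeated verbatim in `DISABLE_MSI` in ci-build-windows.yml (`@@ -140,7 +140,7 @@`), and both copies needed a parenthesis fix in this commit. Computing it once would stop the two from drifting again, for example a workflow-level `RELEASE_CHANNEL: ${{ (github.ref == 'refs/heads/insider' || (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'insider')) && 'INSIDER' || 'STABLE' }}` under `env:`, with the step then reading `vars[format('DISABLE_{0}_APPIMAGE', env.RELEASE_CHANNEL)]`. If the long form stays, a comment above the line such as `# 'no' only when DISABLE_<INSIDER|STABLE>_APPIMAGE is set to 'yes'` would make the inverted result easier to read. The step's remaining keys continue outside the hunk.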
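Review bot: The job-level `contents: write` added at `@@ -125,7 +125,8 @@` of publish-insider-linux.yml looks broader than needed, because it applies to the automatic token in every step of the job, while the Release step shown at `@@ -221,8 +222,6 @@` authenticates with `secrets.STRONGER_GITHUB_TOKEN`, which the `permissions:` key does not scope. Unless a step outside these hunks writes with the automatic token, the previous `permissions: {}` or, where checkout needs it, `permissions:` with `contents: read` would keep the build steps on a read-only token. The same applies to the other job-level hunks in this file (`-242`, `-346`, and `-457`, whose upload step passes `repo_token: ${{ secrets.STRONGER_GITHUB_TOKEN }}`) and to the macOS, Windows and stable-channel workflows later in the patch. If write access is in fact required, a comment on the key naming the step that needs it, e.g. `# contents: write is required by <step name>`, would document the exception. The job bodies extend beyond the hunks, so this is based only on the visible steps.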
@@ -140,7 +140,7 @@ jobs: - name: Build env: - DISABLE_MSI: ${{ vars[format('DISABLE_{0}_MSI', ((github.ref == 'refs/heads/insider' || (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'insider')) && 'INSIDER' || 'STABLE')] }} + DISABLE_MSI: ${{ vars[format('DISABLE_{0}_MSI', ((github.ref == 'refs/heads/insider' || (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'insider')) && 'INSIDER' || 'STABLE'))] }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} npm_config_arch: ${{ matrix.vscode_arch }} npm_config_target_arch: ${{ matrix.vscode_arch }} diff --git a/.github/workflows/publish-insider-linux.yml b/.github/workflows/publish-insider-linux.yml index 37a7845..076b039 100644 --- a/.github/workflows/publish-insider-linux.yml +++ b/.github/workflows/publish-insider-linux.yml @@ -1,7 +1,7 @@ name: Publish - Insider - Linux on: - workflow_dispatch: + workflow_dispatch: {} repository_dispatch: types: - publish-insider @@ -125,7 +125,8 @@ jobs: - compile runs-on: ubuntu-latest environment: publish - permissions: {} + permissions: + contents: write strategy: fail-fast: false matrix: @@ -221,8 +222,6 @@ jobs: if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Release - permissions: - contents: write env: GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} @@ -242,7 +241,8 @@ jobs: - compile runs-on: ubuntu-22.04 environment: publish - permissions: {} + permissions: + contents: write strategy: fail-fast: false matrix: @@ -334,8 +334,6 @@ jobs: if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - name: Release - permissions: - contents: write env: GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} 
@@ -348,7 +346,8 @@ jobs: - compile runs-on: ubuntu-22.04 environment: publish - permissions: {} + permissions: + contents: write strategy: fail-fast: false matrix: @@ -416,8 +415,6 @@ jobs: if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - name: Release - permissions: - contents: write env: GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} @@ -460,7 +457,8 @@ jobs: - build runs-on: ubuntu-latest environment: publish - permissions: {} + permissions: + contents: write env: RELEASE_VERSION: ${{ needs.check.outputs.RELEASE_VERSION }} SNAP_NAME: codium-insiders @@ -492,8 +490,6 @@ jobs: # isClassic: 'true' - uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # latest - permissions: - contents: write with: repo_name: ${{ env.ASSETS_REPOSITORY }} repo_token: ${{ secrets.STRONGER_GITHUB_TOKEN }} diff --git a/.github/workflows/publish-insider-macos.yml b/.github/workflows/publish-insider-macos.yml index ec05dab..ccd6a6c 100644 --- a/.github/workflows/publish-insider-macos.yml +++ b/.github/workflows/publish-insider-macos.yml @@ -1,7 +1,7 @@ name: Publish - Insider - macOS on: - workflow_dispatch: + workflow_dispatch: {} repository_dispatch: types: - publish-insider @@ -21,7 +21,8 @@ jobs: build: runs-on: ${{ matrix.runner }} environment: publish - permissions: {} + permissions: + contents: write env: SHOULD_BUILD: yes SHOULD_DEPLOY: yes diff --git a/.github/workflows/publish-insider-windows.yml b/.github/workflows/publish-insider-windows.yml index a4a92ea..a5adcd8 100644 --- a/.github/workflows/publish-insider-windows.yml +++ b/.github/workflows/publish-insider-windows.yml @@ -1,7 +1,7 @@ name: Publish - Insider - Windows on: - workflow_dispatch: + workflow_dispatch: {} repository_dispatch: types: - publish-insider 
@@ -115,7 +115,8 @@ jobs: - compile runs-on: windows-2022 environment: publish - permissions: {} + permissions: + contents: write strategy: fail-fast: false matrix: @@ -229,7 +230,8 @@ jobs: needs: build runs-on: windows-2022 environment: publish - permissions: {} + permissions: + contents: write defaults: run: shell: bash diff --git a/.github/workflows/publish-stable-linux.yml b/.github/workflows/publish-stable-linux.yml index f97eb6c..b2cc47a 100644 --- a/.github/workflows/publish-stable-linux.yml +++ b/.github/workflows/publish-stable-linux.yml @@ -1,7 +1,7 @@ name: Publish - Stable - Linux on: - workflow_dispatch: + workflow_dispatch: {} repository_dispatch: types: - publish-stable @@ -126,7 +126,8 @@ jobs: - compile runs-on: ubuntu-latest environment: publish - permissions: {} + permissions: + contents: write strategy: fail-fast: false matrix: @@ -222,8 +223,6 @@ jobs: if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Release - permissions: - contents: write env: GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} @@ -243,7 +242,8 @@ jobs: - compile runs-on: ubuntu-22.04 environment: publish - permissions: {} + permissions: + contents: write strategy: fail-fast: false matrix: @@ -335,8 +335,6 @@ jobs: if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - name: Release - permissions: - contents: write env: GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} @@ -349,7 +347,8 @@ jobs: - compile runs-on: ubuntu-22.04 environment: publish - permissions: {} + permissions: + contents: write strategy: fail-fast: false matrix: 
@@ -417,8 +416,6 @@ jobs: if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - name: Release - permissions: - contents: write env: GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} diff --git a/.github/workflows/publish-stable-macos.yml b/.github/workflows/publish-stable-macos.yml index 4afd993..f894bf4 100644 --- a/.github/workflows/publish-stable-macos.yml +++ b/.github/workflows/publish-stable-macos.yml @@ -1,7 +1,7 @@ name: Publish - Stable - macOS on: - workflow_dispatch: + workflow_dispatch: {} repository_dispatch: types: - publish-stable @@ -21,7 +21,8 @@ jobs: build: runs-on: ${{ matrix.runner }} environment: publish - permissions: {} + permissions: + contents: write env: SHOULD_BUILD: yes SHOULD_DEPLOY: yes diff --git a/.github/workflows/publish-stable-windows.yml b/.github/workflows/publish-stable-windows.yml index f92d333..d287e2c 100644 --- a/.github/workflows/publish-stable-windows.yml +++ b/.github/workflows/publish-stable-windows.yml @@ -1,7 +1,7 @@ name: Publish - Stable - Windows on: - workflow_dispatch: + workflow_dispatch: {} repository_dispatch: types: - publish-stable @@ -115,7 +115,8 @@ jobs: - compile runs-on: windows-2022 environment: publish - permissions: {} + permissions: + contents: write strategy: fail-fast: false matrix: @@ -228,7 +229,8 @@ jobs: needs: build runs-on: windows-2022 environment: publish - permissions: {} + permissions: + contents: write defaults: run: shell: bash