+31

ci/codeowners-validator/default.nix

reviewed

··· 1 1 + { 2 2 + buildGoModule, 3 3 + fetchFromGitHub, 4 4 + fetchpatch, 5 5 + }: 6 6 + buildGoModule { 7 7 + name = "codeowners-validator"; 8 8 + src = fetchFromGitHub { 9 9 + owner = "mszostok"; 10 10 + repo = "codeowners-validator"; 11 11 + rev = "f3651e3810802a37bd965e6a9a7210728179d076"; 12 12 + hash = "sha256-5aSmmRTsOuPcVLWfDF6EBz+6+/Qpbj66udAmi1CLmWQ="; 13 13 + }; 14 14 + patches = [ 15 15 + # https://github.com/mszostok/codeowners-validator/pull/222 16 16 + (fetchpatch { 17 17 + name = "user-write-access-check"; 18 18 + url = "https://github.com/mszostok/codeowners-validator/compare/f3651e3810802a37bd965e6a9a7210728179d076...840eeb88b4da92bda3e13c838f67f6540b9e8529.patch"; 19 19 + hash = "sha256-t3Dtt8SP9nbO3gBrM0nRE7+G6N/ZIaczDyVHYAG/6mU="; 20 20 + }) 21 21 + # Undoes part of the above PR: We don't want to require write access 22 22 + # to the repository, that's only needed for GitHub's native CODEOWNERS. 23 23 + # Furthermore, it removes an unneccessary check from the code 24 24 + # that breaks tokens generated for GitHub Apps. 25 25 + ./permissions.patch 26 26 + # Allows setting a custom CODEOWNERS path using the OWNERS_FILE env var 27 27 + ./owners-file-name.patch 28 28 + ]; 29 29 + postPatch = "rm -r docs/investigation"; 30 30 + vendorHash = "sha256-R+pW3xcfpkTRqfS2ETVOwG8PZr0iH5ewroiF7u8hcYI="; 31 31 + }

+15

ci/codeowners-validator/owners-file-name.patch

reviewed

··· 1 1 + diff --git a/pkg/codeowners/owners.go b/pkg/codeowners/owners.go 2 2 + index 6910bd2..e0c95e9 100644 3 3 + --- a/pkg/codeowners/owners.go 4 4 + +++ b/pkg/codeowners/owners.go 5 5 + @@ -39,6 +39,10 @@ func NewFromPath(repoPath string) ([]Entry, error) { 6 6 + // openCodeownersFile finds a CODEOWNERS file and returns content. 7 7 + // see: https://help.github.com/articles/about-code-owners/#codeowners-file-location 8 8 + func openCodeownersFile(dir string) (io.Reader, error) { 9 9 + + if file, ok := os.LookupEnv("OWNERS_FILE"); ok { 10 10 + + return fs.Open(file) 11 11 + + } 12 12 + + 13 13 + var detectedFiles []string 14 14 + for _, p := range []string{".", "docs", ".github"} { 15 15 + pth := path.Join(dir, p)

+36

ci/codeowners-validator/permissions.patch

reviewed

··· 1 1 + diff --git a/internal/check/valid_owner.go b/internal/check/valid_owner.go 2 2 + index a264bcc..610eda8 100644 3 3 + --- a/internal/check/valid_owner.go 4 4 + +++ b/internal/check/valid_owner.go 5 5 + @@ -16,7 +16,6 @@ import ( 6 6 + const scopeHeader = "X-OAuth-Scopes" 7 7 + 8 8 + var reqScopes = map[github.Scope]struct{}{ 9 9 + - github.ScopeReadOrg: {}, 10 10 + } 11 11 + 12 12 + type ValidOwnerConfig struct { 13 13 + @@ -223,10 +222,7 @@ func (v *ValidOwner) validateTeam(ctx context.Context, name string) *validateErr 14 14 + for _, t := range v.repoTeams { 15 15 + // GitHub normalizes name before comparison 16 16 + if strings.EqualFold(t.GetSlug(), team) { 17 17 + - if t.Permissions["push"] { 18 18 + - return nil 19 19 + - } 20 20 + - return newValidateError("Team %q cannot review PRs on %q as neither it nor any parent team has write permissions.", team, v.orgRepoName) 21 21 + + return nil 22 22 + } 23 23 + } 24 24 + 25 25 + @@ -245,10 +241,7 @@ func (v *ValidOwner) validateGitHubUser(ctx context.Context, name string) *valid 26 26 + for _, u := range v.repoUsers { 27 27 + // GitHub normalizes name before comparison 28 28 + if strings.EqualFold(u.GetLogin(), userName) { 29 29 + - if u.Permissions["push"] { 30 30 + - return nil 31 31 + - } 32 32 + - return newValidateError("User %q cannot review PRs on %q as they don't have write permissions.", userName, v.orgRepoName) 33 33 + + return nil 34 34 + } 35 35 + } 36 36 +

+1

ci/default.nix

reviewed

··· 25 25 { 26 26 inherit pkgs; 27 27 requestReviews = pkgs.callPackage ./request-reviews { }; 28 28 + codeownersValidator = pkgs.callPackage ./codeowners-validator { }; 28 29 }