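# This workflow depends on two GitHub Apps with the following permissions:
# - For checking code owners:
#   - Permissions:
#     - Repository > Administration: read-only
#     - Organization > Members: read-only
#   - Install App on this repository, setting these variables:
#     - OWNER_RO_APP_ID (variable)
#     - OWNER_RO_APP_PRIVATE_KEY (secret)
# - For requesting code owners:
#   - Permissions:
#     - Repository > Administration: read-only
#     - Organization > Members: read-only
#     - Repository > Pull Requests: read-write
#   - Install App on this repository, setting these variables:
#     - OWNER_APP_ID (variable)
#     - OWNER_APP_PRIVATE_KEY (secret)
#
# This split is done because checking code owners requires handling untrusted PR input,
# while requesting code owners requires PR write access, and those shouldn't be mixed.
#
# Note that the latter is also used for ./eval.yml requesting reviewers.

name: Codeowners v2

on:
  # Plain pull_request only when this workflow file itself changes, so edits to it
  # can be exercised in CI; everything else runs under pull_request_target.
  pull_request:
    paths:
      - .github/workflows/codeowners-v2.yml
  # NOTE(review): on the pull_request event, actions/checkout without a ref checks out
  # the PR merge ref, not the base branch, so the "base branch" comments on the checkout
  # steps below only hold for pull_request_target — confirm that is the intended behavior.
  pull_request_target:
    types:
      - opened
      - ready_for_review
      - synchronize
      - reopened
      - edited

# The default GITHUB_TOKEN gets no permissions at all; every API call below goes
# through a short-lived GitHub App installation token instead (steps.app-token).
permissions: {}

env:
  OWNERS_FILE: ci/OWNERS
  # Don't do anything on draft PRs
  DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

jobs:
  get-merge-commit:
    if: github.repository_owner == 'NixOS'
    uses: ./.github/workflows/get-merge-commit.yml

  # Check that code owners is valid
  check:
    name: Check
    runs-on: ubuntu-24.04-arm
    needs: get-merge-commit
    # Skip entirely when the reusable workflow produced no merge commit.
    if: github.repository_owner == 'NixOS' && needs.get-merge-commit.outputs.mergedSha
    steps:
      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
          name: nixpkgs-ci
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
      # We later build and run code from the base branch with access to secrets,
      # so it's important this is not the PRs code.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: base

      # Built from the base-branch checkout, before any PR content is on disk.
      - name: Build codeowners validator
        run: nix-build base/ci -A codeownersValidator

      # Read-only app token: this job handles untrusted PR input, so it must not
      # hold anything with write scope.
      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        if: vars.OWNER_RO_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_RO_APP_ID }}
          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read

      # The PR head (merge commit) is untrusted content; it is checked out into a
      # separate directory and only ever read, never built or executed.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
          path: pr

      # Runs the base-branch validator binary against the PR's OWNERS file.
      # The only PR-controlled inputs handed to it are OWNERS_FILE and REPOSITORY_PATH.
      - name: Validate codeowners
        if: steps.app-token.outputs.token
        run: result/bin/codeowners-validator
        env:
          OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY_PATH: pr
          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
          EXPERIMENTAL_CHECKS: "avoid-shadowing"

  # Request reviews from code owners
  request:
    name: Request
    runs-on: ubuntu-24.04-arm
    if: github.repository_owner == 'NixOS'
    steps:
      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
      # This is intentional, because we need to request the review of owners as declared in the base branch.
      # This job never checks out PR content at all, which is what makes the write-scoped token below acceptable.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # Write-scoped app token (pull-requests: write) — only used here, where no PR code runs.
      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        if: vars.OWNER_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_APP_ID }}
          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read
          permission-pull-requests: write

      - name: Build review request package
        run: nix-build ci -A requestReviews

      # Context values are passed through env rather than interpolated into the
      # shell line, following GitHub's hardening guidance for `run:` steps; the
      # script receives the same three positional arguments as before.
      - name: Request reviews
        if: steps.app-token.outputs.token
        run: result/bin/request-code-owner-reviews.sh "$REPOSITORY" "$PR_NUMBER" "$OWNERS_FILE"
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.number }}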