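# This workflow depends on two GitHub Apps with the following permissions:
# - For checking code owners:
#   - Permissions:
#     - Repository > Administration: read-only
#     - Organization > Members: read-only
#   - Install App on this repository, setting these variables:
#     - OWNER_RO_APP_ID (variable)
#     - OWNER_RO_APP_PRIVATE_KEY (secret)
# - For requesting code owners:
#   - Permissions:
#     - Repository > Administration: read-only
#     - Organization > Members: read-only
#     - Repository > Pull Requests: read-write
#   - Install App on this repository, setting these variables:
#     - OWNER_APP_ID (variable)
#     - OWNER_APP_PRIVATE_KEY (secret)
#
# This split is done because checking code owners requires handling untrusted PR input,
# while requesting code owners requires PR write access, and those shouldn't be mixed.
#
# Note that the latter is also used for ./eval.yml requesting reviewers.

name: Codeowners v2

on:
  # Only for changes to this file itself. The App-token steps below are gated on
  # pull_request_target, so on this event every step that needs a token is skipped.
  pull_request:
    paths:
      - .github/workflows/codeowners-v2.yml
  # This is the event on which the App secrets are used, so anything taken from the
  # PR head must be handled as untrusted input (see the check job).
  pull_request_target:
    types: [opened, ready_for_review, synchronize, reopened]

concurrency:
  # One in-flight run per PR (falling back to the run id when there is no PR number);
  # a newer run cancels the older one.
  group: codeowners-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

# The default GITHUB_TOKEN gets no permissions at all; every API call in this
# workflow goes through an App token minted with an explicit permission set.
permissions: {}

defaults:
  run:
    shell: bash

env:
  OWNERS_FILE: ci/OWNERS
  # Don't do anything on draft PRs
  DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

jobs:
  # Check that code owners is valid
  check:
    name: Check
    runs-on: ubuntu-24.04-arm
    steps:
      # On pull_request_target this checks out the base branch, not the PR head (see the
      # note in the request job), so the local composite action used next comes from the
      # target branch.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: .github/actions
      # Presumably produces the `untrusted` (merge commit) and `trusted` (target commit)
      # checkouts that the steps below refer to by path — confirm against the action.
      - name: Check if the PR can be merged and checkout the merge and target commits
        uses: ./.github/actions/get-merge-commit
        with:
          merged-as-untrusted: true
          target-as-trusted: true

      - uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
          name: nixpkgs-ci
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      # nix-build is only ever pointed at the trusted checkout; the untrusted checkout is
      # just the data the validator reads.
      - name: Build codeowners validator
        run: nix-build trusted/ci -A codeownersValidator

      # Read-only App token, minted only on pull_request_target and only when the App is
      # configured for this repository. Every later step is conditional on it.
      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_RO_APP_ID }}
          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Validate codeowners
        if: steps.app-token.outputs.token
        env:
          # Both paths point into the untrusted merge checkout: the PR's own OWNERS file
          # is what is being validated here.
          OWNERS_FILE: untrusted/${{ env.OWNERS_FILE }}
          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY_PATH: untrusted
          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
          EXPERIMENTAL_CHECKS: "avoid-shadowing"
        run: result/bin/codeowners-validator

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

  # Request reviews from code owners
  request:
    name: Request
    runs-on: ubuntu-24.04-arm
    steps:
      - uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31

      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
      # This is intentional, because we need to request the review of owners as declared in the base branch.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: trusted

      - name: Build review request package
        run: nix-build trusted/ci -A requestReviews

      # This token can write to pull requests; nothing from the PR head is checked out in
      # this job, which is the reason for the two-App split described at the top.
      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_APP_ID }}
          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read
          permission-pull-requests: write

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Request reviews
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          # Passed through the environment rather than interpolated into the command
          # line, so the values reach the shell as data rather than as script text.
          PR_REPOSITORY: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.number }}
        run: result/bin/request-code-owner-reviews.sh "$PR_REPOSITORY" "$PR_NUMBER" "$OWNERS_FILE"

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq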