
workflows/check: don't check github api for owners file

This removes the "owners" check from codeowners-validator. With it, all
tokens and permissions can be removed, because these were only needed to
make these requests.

This solves the problem of codeowners-validator not supporting our new
nested team structure for nixpkgs-maintainers. To make the onboarding of
new teams easier, we moved all teams "under" the nixpkgs-maintainers
team. This makes them inherit the right privileges (triage) for Nixpkgs.

However, this inheritance is not recognized by codeowners-validator,
thus it assumes that these teams don't have access to Nixpkgs. This then
fails the owners check immediately.

Removing the owners check also has a few other advantages:
- This check depends on external state: If a user is renamed or a team
removed, the check will fail. This makes it a bad check for required
status checks or merge queues - the check might fail randomly,
independent of the current PR.
- Running this check in a fork will never work, because the respective
users and teams don't have access to the fork's repo.

Both of these required us to set `continue-on-error: true` most of the
time.

Changed files
+4 -48
+4 -42
.github/workflows/check.yml
··· 12 12 mergedSha: 13 13 required: true 14 14 type: string 15 - ownersCanFail: 16 - required: true 17 - type: boolean 18 15 targetSha: 19 16 required: true 20 17 type: string 21 18 secrets: 22 19 CACHIX_AUTH_TOKEN: 23 - required: true 24 - OWNER_RO_APP_PRIVATE_KEY: 25 20 required: true 26 21 27 22 permissions: {} ··· 72 67 GH_TOKEN: ${{ github.token }} 73 68 run: gh api /rate_limit | jq 74 69 75 - # For checking code owners, this job depends on a GitHub App with the following permissions: 76 - # - Permissions: 77 - # - Repository > Administration: read-only 78 - # - Organization > Members: read-only 79 - # - Install App on this repository, setting these variables: 80 - # - OWNER_RO_APP_ID (variable) 81 - # - OWNER_RO_APP_PRIVATE_KEY (secret) 82 - # 83 - # This should not use the same app as the job to request reviewers, because this job requires 84 - # handling untrusted PR input. 85 70 owners: 86 71 runs-on: ubuntu-24.04-arm 87 - continue-on-error: ${{ inputs.ownersCanFail }} 88 72 timeout-minutes: 5 89 73 steps: 90 74 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 ··· 94 78 uses: ./.github/actions/checkout 95 79 with: 96 80 merged-as-untrusted-at: ${{ inputs.mergedSha }} 97 - target-as-trusted-at: ${{ inputs.targetSha }} 98 81 99 82 - uses: cachix/install-nix-action@a809471b5c7c913aa67bec8f459a11a0decc3fce # v31 100 83 ··· 107 90 pushFilter: -source$ 108 91 109 92 - name: Build codeowners validator 110 - run: nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A codeownersValidator 111 - 112 - - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 113 - if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID 114 - id: app-token 115 - with: 116 - app-id: ${{ vars.OWNER_RO_APP_ID }} 117 - private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} 118 - permission-administration: read 119 - permission-members: read 120 - 121 - - name: Log current API rate limits 122 - if: 
steps.app-token.outputs.token 123 - env: 124 - GH_TOKEN: ${{ steps.app-token.outputs.token }} 125 - run: gh api /rate_limit | jq 93 + run: nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A codeownersValidator 126 94 127 95 - name: Validate codeowners 128 - if: steps.app-token.outputs.token 129 96 env: 130 97 OWNERS_FILE: nixpkgs/untrusted/ci/OWNERS 131 - GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} 132 98 REPOSITORY_PATH: nixpkgs/untrusted 133 - OWNER_CHECKER_REPOSITORY: ${{ github.repository }} 99 + # Omits "owners", which checks whether GitHub handles exist, but fails with nested team 100 + # structures. 101 + CHECKS: "duppatterns,files,syntax" 134 102 # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody 135 103 EXPERIMENTAL_CHECKS: "avoid-shadowing" 136 104 run: result/bin/codeowners-validator 137 - 138 - - name: Log current API rate limits 139 - if: steps.app-token.outputs.token 140 - env: 141 - GH_TOKEN: ${{ steps.app-token.outputs.token }} 142 - run: gh api /rate_limit | jq
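Review bot: The validator executed at `run: result/bin/codeowners-validator` is now built from `nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned`, i.e. from the PR's own checkout, whereas before it came from the trusted target checkout that this hunk also drops (`target-as-trusted-at`). The removed header comment noted that this job handles untrusted PR input; with the build source switched, the PR also controls the code of the binary that runs unsandboxed in the job, so what the job still holds on the runner matters: the workflow still receives `CACHIX_AUTH_TOKEN`, and if the cachix step near `pushFilter: -source$` authenticates with it, that credential may be reachable from a PR-controlled binary. If building from the untrusted tree is intentional (so PRs can update the validator pin), I would record that decision next to the build step, e.g. `# Built from the untrusted checkout: this job has no app token and permissions: {}, so a PR-controlled binary gains nothing`, after confirming the claim also holds for the cachix token. Otherwise keep the trusted checkout and pin for this one build step.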
-4
.github/workflows/pr.yml
··· 11 11 OWNER_APP_PRIVATE_KEY: 12 12 # The Test workflow should not actually request reviews from owners. 13 13 required: false 14 - OWNER_RO_APP_PRIVATE_KEY: 15 - required: true 16 14 17 15 concurrency: 18 16 group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }} ··· 59 57 pull-requests: write 60 58 secrets: 61 59 CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} 62 - OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} 63 60 with: 64 61 baseBranch: ${{ needs.prepare.outputs.baseBranch }} 65 62 headBranch: ${{ needs.prepare.outputs.headBranch }} 66 63 mergedSha: ${{ needs.prepare.outputs.mergedSha }} 67 64 targetSha: ${{ needs.prepare.outputs.targetSha }} 68 - ownersCanFail: ${{ !contains(fromJSON(needs.prepare.outputs.touched), 'owners') }} 69 65 70 66 lint: 71 67 name: Lint
-1
.github/workflows/test.yml
··· 98 98 secrets: 99 99 CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} 100 100 NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} 101 - OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} 102 101 103 102 push: 104 103 if: needs.prepare.outputs.push
-1
ci/github-script/prepare.js
··· 221 221 222 222 const touched = [] 223 223 if (files.includes('ci/pinned.json')) touched.push('pinned') 224 - if (files.includes('ci/OWNERS')) touched.push('owners') 225 224 core.setOutput('touched', touched) 226 225 227 226 return