---
name: Codeowners v2

# Two GitHub Apps back this workflow, each with only what its job needs:
#
# 1. Checking code owners (read-only app):
#    - Repository > Administration: read-only
#    - Organization > Members: read-only
#    - Installed on this repository with
#      OWNER_RO_APP_ID (variable) and OWNER_RO_APP_PRIVATE_KEY (secret).
#
# 2. Requesting code owners (read-write app):
#    - Repository > Administration: read-only
#    - Organization > Members: read-only
#    - Repository > Pull Requests: read-write
#    - Installed on this repository with
#      OWNER_APP_ID (variable) and OWNER_APP_PRIVATE_KEY (secret).
#
# The split exists because the check job parses an OWNERS file taken from the
# PR (untrusted input), whereas the request job needs PR write access. Keeping
# those in separate jobs with separate apps means the write-capable token is
# never present where untrusted data is handled.

on:
  pull_request_target:
    types:
      - opened
      - ready_for_review
      - synchronize
      - reopened
      - edited

# The default GITHUB_TOKEN is not needed; both jobs mint their own app tokens.
permissions: {}

env:
  OWNERS_FILE: ci/OWNERS
  # Draft PRs get DRY_MODE=1 (empty otherwise) so nothing is acted on for them.
  DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

jobs:
  # Validate the OWNERS file as it appears in the PR, using the read-only app.
  check:
    name: Check
    runs-on: ubuntu-latest
    steps:
      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30

      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
        if: github.repository_owner == 'NixOS'
        with:
          # Cache for the nixpkgs repository's own CI; not to be trusted or reused elsewhere.
          name: nixpkgs-ci
          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"

      # Under pull_request_target this checks out the PR's *base* branch, not the
      # PR head. The validator is built from, and run out of, this checkout while
      # secrets are available, so it must never contain PR-controlled code.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: base

      - name: Build codeowners validator
        run: nix-build base/ci -A codeownersValidator

      - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
        id: app-token
        with:
          app-id: ${{ vars.OWNER_RO_APP_ID }}
          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}

      # The PR merge commit lands in its own directory. No later step runs a
      # command from it; the validator is only pointed at it through
      # REPOSITORY_PATH and OWNERS_FILE.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: refs/pull/${{ github.event.number }}/merge
          path: pr

      - name: Validate codeowners
        run: result/bin/codeowners-validator
        env:
          # The OWNERS file under test is the PR's copy, i.e. untrusted input.
          OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY_PATH: pr
          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
          # Change to "notowned,avoid-shadowing" to also require every file to have an owner.
          EXPERIMENTAL_CHECKS: 'avoid-shadowing'

  # Ask the owners declared in the base branch for review, using the read-write app.
  request:
    name: Request
    runs-on: ubuntu-latest
    steps:
      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30

      # Again the base branch, not the PR head: reviewers are looked up in the
      # OWNERS file the base branch declares, never in one the PR could supply.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
        id: app-token
        with:
          app-id: ${{ vars.OWNER_APP_ID }}
          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}

      - name: Build review request package
        run: nix-build ci -A requestReviews

      # The interpolated values are the repository slug and the PR number, not
      # free-form PR text; OWNERS_FILE is passed through the shell environment.
      - name: Request reviews
        run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}