linux-firmware: 20241017 -> 20241110
[NixPkgs.git] / .github / workflows / codeowners-v2.yml
blob3c64675a8fe1e6651753540b641388caadc06730
1 name: Codeowners v2
3 # This workflow depends on two GitHub Apps with the following permissions:
4 # - For checking code owners:
5 #   - Permissions:
6 #     - Repository > Administration: read-only
7 #     - Organization > Members: read-only
8 #   - Install App on this repository, setting these variables:
9 #     - OWNER_RO_APP_ID (variable)
10 #     - OWNER_RO_APP_PRIVATE_KEY (secret)
11 # - For requesting code owners:
12 #   - Permissions:
13 #     - Repository > Administration: read-only
14 #     - Organization > Members: read-only
15 #     - Repository > Pull Requests: read-write
16 #   - Install App on this repository, setting these variables:
17 #     - OWNER_APP_ID (variable)
18 #     - OWNER_APP_PRIVATE_KEY (secret)
20 # This split is done because checking code owners requires handling untrusted PR input,
21 # while requesting code owners requires PR write access, and those shouldn't be mixed.
23 on:
24   pull_request_target:
25     types: [opened, ready_for_review, synchronize, reopened, edited]
27 # We don't need any default GitHub token
28 permissions: {}
30 env:
31   OWNERS_FILE: ci/OWNERS
32   # Don't do anything on draft PRs
33   DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
35 jobs:
36   # Check that code owners is valid
37   check:
38     name: Check
39     runs-on: ubuntu-latest
40     steps:
41     - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
43     - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
44       if: github.repository_owner == 'NixOS'
45       with:
46         # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
47         name: nixpkgs-ci
48         authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
50     # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
51     # We later build and run code from the base branch with access to secrets,
52     # so it's important this is not the PRs code.
53     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
54       with:
55         path: base
57     - name: Build codeowners validator
58       run: nix-build base/ci -A codeownersValidator
60     - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
61       id: app-token
62       with:
63         app-id: ${{ vars.OWNER_RO_APP_ID }}
64         private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
66     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
67       with:
68         ref: refs/pull/${{ github.event.number }}/merge
69         path: pr
71     - name: Validate codeowners
72       run: result/bin/codeowners-validator
73       env:
74         OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
75         GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
76         REPOSITORY_PATH: pr
77         OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
78         # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
79         EXPERIMENTAL_CHECKS: "avoid-shadowing"
81   # Request reviews from code owners
82   request:
83     name: Request
84     runs-on: ubuntu-latest
85     steps:
86     - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
88     # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
89     # This is intentional, because we need to request the review of owners as declared in the base branch.
90     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
92     - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
93       id: app-token
94       with:
95         app-id: ${{ vars.OWNER_APP_ID }}
96         private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
98     - name: Build review request package
99       run: nix-build ci -A requestReviews
101     - name: Request reviews
102       run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
103       env:
104         GH_TOKEN: ${{ steps.app-token.outputs.token }}