2024-10-09 16:51:18 +00:00
|
|
|
name: Codeowners
|
|
|
|
|
|
|
|
# This workflow depends on a GitHub App with the following permissions:
|
|
|
|
# - Repository > Administration: read-only
|
|
|
|
# - Organization > Members: read-only
|
|
|
|
# - Repository > Pull Requests: read-write
|
|
|
|
# The App needs to be installed on this repository
|
|
|
|
# the OWNER_APP_ID repository variable needs to be set
|
|
|
|
# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
|
|
|
|
|
|
|
|
on:
|
|
|
|
pull_request_target:
|
|
|
|
types: [opened, ready_for_review, synchronize, reopened, edited]
|
|
|
|
|
|
|
|
env:
|
2024-10-11 05:15:48 +00:00
|
|
|
OWNERS_FILE: ci/OWNERS
|
|
|
|
# Don't do anything on draft PRs
|
|
|
|
DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
|
2024-10-09 16:51:18 +00:00
|
|
|
|
|
|
|
jobs:
|
|
|
|
# Check that code owners is valid
|
|
|
|
check:
|
|
|
|
name: Check
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
|
|
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
|
|
|
|
|
2024-10-11 05:15:48 +00:00
|
|
|
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
|
|
|
|
if: github.repository_owner == 'NixOS'
|
|
|
|
with:
|
|
|
|
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
|
|
|
|
name: nixpkgs-ci
|
|
|
|
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
|
|
|
|
|
2024-10-09 16:51:18 +00:00
|
|
|
# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
|
|
|
|
# We later build and run code from the base branch with access to secrets,
|
|
|
|
# so it's important this is not the PRs code.
|
2024-10-11 05:15:48 +00:00
|
|
|
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
|
2024-10-09 16:51:18 +00:00
|
|
|
with:
|
|
|
|
path: base
|
|
|
|
|
|
|
|
- name: Build codeowners validator
|
|
|
|
run: nix-build base/ci -A codeownersValidator
|
|
|
|
|
|
|
|
- uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
|
|
|
|
id: app-token
|
|
|
|
with:
|
|
|
|
app-id: ${{ vars.OWNER_APP_ID }}
|
|
|
|
private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
|
|
|
|
|
2024-10-11 05:15:48 +00:00
|
|
|
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
|
2024-10-09 16:51:18 +00:00
|
|
|
with:
|
|
|
|
ref: refs/pull/${{ github.event.number }}/merge
|
|
|
|
path: pr
|
|
|
|
|
|
|
|
- name: Validate codeowners
|
|
|
|
run: result/bin/codeowners-validator
|
|
|
|
env:
|
|
|
|
OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
|
|
|
|
GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
|
|
|
|
REPOSITORY_PATH: pr
|
|
|
|
OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
|
|
|
|
# Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
|
|
|
|
EXPERIMENTAL_CHECKS: "avoid-shadowing"
|
|
|
|
|
|
|
|
# Request reviews from code owners
|
|
|
|
request:
|
|
|
|
name: Request
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
|
|
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
|
|
|
|
|
|
|
|
# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
|
|
|
|
# This is intentional, because we need to request the review of owners as declared in the base branch.
|
2024-10-11 05:15:48 +00:00
|
|
|
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
|
2024-10-09 16:51:18 +00:00
|
|
|
|
|
|
|
- uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
|
|
|
|
id: app-token
|
|
|
|
with:
|
|
|
|
app-id: ${{ vars.OWNER_APP_ID }}
|
|
|
|
private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
|
|
|
|
|
|
|
|
- name: Build review request package
|
|
|
|
run: nix-build ci -A requestReviews
|
|
|
|
|
|
|
|
- name: Request reviews
|
|
|
|
run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
|
|
|
|
env:
|
|
|
|
GH_TOKEN: ${{ steps.app-token.outputs.token }}
|