workflows/check: move owners check job from codeowners

This runs the "check owners" job as part of the main PR workflow, with
multiple advantages:
- The job doesn't run anymore when undrafting a PR, where it's not
required, because the OWNERS file's contents didn't change.
- A valid OWNERS file is now a requirement to merge a PR.
- The OWNERS file is always checked on the exact same test merge commit
that the remainder of the workflows are running on as well.

.github/workflows/check.yml

@@ -9,6 +9,17 @@ on:
       headBranch:
         required: true
         type: string
+      mergedSha:
+        required: true
+        type: string
+      targetSha:
+        required: true
+        type: string
+    secrets:
+      CACHIX_AUTH_TOKEN:
+        required: true
+      OWNER_RO_APP_PRIVATE_KEY:
+        required: true
 
 permissions: {}
 
@@ -70,3 +81,72 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
         run: gh api /rate_limit | jq
+
+  # For checking code owners, this job depends on a GitHub App with the following permissions:
+  # - Permissions:
+  #   - Repository > Administration: read-only
+  #   - Organization > Members: read-only
+  # - Install App on this repository, setting these variables:
+  #   - OWNER_RO_APP_ID (variable)
+  #   - OWNER_RO_APP_PRIVATE_KEY (secret)
+  #
+  # This should not use the same app as the job to request reviewers, because this job requires
+  # handling untrusted PR input.
+  owners:
+    runs-on: ubuntu-24.04-arm
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          sparse-checkout: .github/actions
+      - name: Check if the PR can be merged and checkout the merge and target commits
+        uses: ./.github/actions/get-merge-commit
+        with:
+          mergedSha: ${{ inputs.mergedSha }}
+          merged-as-untrusted: true
+          pinnedFrom: trusted
+          targetSha: ${{ inputs.targetSha }}
+          target-as-trusted: true
+
+      - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
+
+      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+        with:
+          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+          name: nixpkgs-ci
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+
+      - name: Build codeowners validator
+        run: nix-build trusted/ci --arg nixpkgs ./pinned -A codeownersValidator
+
+      - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
+        if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
+        id: app-token
+        with:
+          app-id: ${{ vars.OWNER_RO_APP_ID }}
+          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
+          permission-administration: read
+          permission-members: read
+
+      - name: Log current API rate limits
+        if: steps.app-token.outputs.token
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: gh api /rate_limit | jq
+
+      - name: Validate codeowners
+        if: steps.app-token.outputs.token
+        env:
+          OWNERS_FILE: untrusted/ci/OWNERS
+          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+          REPOSITORY_PATH: untrusted
+          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
+          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
+          EXPERIMENTAL_CHECKS: "avoid-shadowing"
+        run: result/bin/codeowners-validator
+
+      - name: Log current API rate limits
+        if: steps.app-token.outputs.token
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: gh api /rate_limit | jq

.github/workflows/codeowners-v2.yml

@@ -18,75 +18,6 @@ defaults:
     shell: bash
 
 jobs:
-  # For checking code owners, this job depends on a GitHub App with the following permissions:
-  # - Permissions:
-  #   - Repository > Administration: read-only
-  #   - Organization > Members: read-only
-  # - Install App on this repository, setting these variables:
-  #   - OWNER_RO_APP_ID (variable)
-  #   - OWNER_RO_APP_PRIVATE_KEY (secret)
-  #
-  # This should not use the same app as the job to request reviewers, because this job requires
-  # handling untrusted PR input.
-  check:
-    name: Check
-    runs-on: ubuntu-24.04-arm
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          sparse-checkout: |
-            .github/actions
-            ci/github-script
-      - name: Check if the PR can be merged and checkout the merge and target commits
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-          target-as-trusted: true
-
-      - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
-
-      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
-        with:
-          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
-          name: nixpkgs-ci
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-
-      - name: Build codeowners validator
-        run: nix-build trusted/ci -A codeownersValidator
-
-      - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
-        if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.OWNER_RO_APP_ID }}
-          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
-          permission-administration: read
-          permission-members: read
-
-      - name: Log current API rate limits
-        if: steps.app-token.outputs.token
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: gh api /rate_limit | jq
-
-      - name: Validate codeowners
-        if: steps.app-token.outputs.token
-        env:
-          OWNERS_FILE: untrusted/ci/OWNERS
-          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
-          REPOSITORY_PATH: untrusted
-          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
-          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
-          EXPERIMENTAL_CHECKS: "avoid-shadowing"
-        run: result/bin/codeowners-validator
-
-      - name: Log current API rate limits
-        if: steps.app-token.outputs.token
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: gh api /rate_limit | jq
-
   # Request reviews from code owners
   # For requesting code owners, this job depends on a GitHub App with the following permissions:
   # - Permissions:

.github/workflows/pr.yml

@@ -87,9 +87,14 @@ jobs:
     permissions:
       # cherry-picks
       pull-requests: write
+    secrets:
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
     with:
       baseBranch: ${{ needs.prepare.outputs.baseBranch }}
       headBranch: ${{ needs.prepare.outputs.headBranch }}
+      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+      targetSha: ${{ needs.prepare.outputs.targetSha }}
 
   lint:
     name: Lint