From 2c86ed707c80b0606d0466b3e452fe2b746bd6e0 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Sun, 17 Aug 2025 22:24:24 +0200 Subject: [PATCH] workflows/reviewers: integrate codeowner reviews These two jobs mostly used the same code anyway, so they can easily run in the same job. This uses fewer resources and avoids running (and failing) the codeowners review job on Pull Requests from development branches like staging-next or haskell-updates. It also opens the door for more improvements later on, for example it will be much easier to implement a shared reviewer limit for both owners and maintainers now. (cherry picked from commit ddf81dead677725c7aea949d7c2abff619018f44) --- .github/workflows/codeowners-v2.yml | 76 ----------------------------- .github/workflows/reviewers.yml | 34 ++++++++++++- 2 files changed, 32 insertions(+), 78 deletions(-) delete mode 100644 .github/workflows/codeowners-v2.yml diff --git a/.github/workflows/codeowners-v2.yml b/.github/workflows/codeowners-v2.yml deleted file mode 100644 index 71bf4da1ee7d..000000000000 --- a/.github/workflows/codeowners-v2.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -name: Codeowners v2 - -on: - pull_request: - paths: - - .github/workflows/codeowners-v2.yml - pull_request_target: - types: [opened, ready_for_review, synchronize, reopened] - -concurrency: - group: codeowners-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }} - cancel-in-progress: true - -permissions: {} - -defaults: - run: - shell: bash - -jobs: - # Request reviews from code owners - # For requesting code owners, this job depends on a GitHub App with the following permissions: - # - Permissions: - # - Repository > Administration: read-only - # - Organization > Members: read-only - # - Repository > Pull Requests: read-write - # - Install App on this repository, setting these variables: - # - OWNER_APP_ID (variable) - # - OWNER_APP_PRIVATE_KEY (secret) - # - # Note that this app is also used for ./eval.yml requesting reviewers. - request: - name: Request - runs-on: ubuntu-24.04-arm - timeout-minutes: 5 - steps: - - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 - - # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. - # This is intentional, because we need to request the review of owners as declared in the base branch. 
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - path: trusted - - - name: Build review request package - run: nix-build trusted/ci -A requestReviews - - - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0 - if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID - id: app-token - with: - app-id: ${{ vars.OWNER_APP_ID }} - private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} - permission-administration: read - permission-members: read - permission-pull-requests: write - - - name: Log current API rate limits - if: steps.app-token.outputs.token - env: - GH_TOKEN: ${{ steps.app-token.outputs.token }} - run: gh api /rate_limit | jq - - - name: Request reviews - if: steps.app-token.outputs.token - env: - GH_TOKEN: ${{ steps.app-token.outputs.token }} - # Don't do anything on draft PRs - DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }} - run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} ci/OWNERS - - - name: Log current API rate limits - if: steps.app-token.outputs.token - env: - GH_TOKEN: ${{ steps.app-token.outputs.token }} - run: gh api /rate_limit | jq diff --git a/.github/workflows/reviewers.yml b/.github/workflows/reviewers.yml index 2b1be250469d..5c2acb55a8de 100644 --- a/.github/workflows/reviewers.yml +++ b/.github/workflows/reviewers.yml 
@@ -38,8 +38,16 @@ jobs: - name: Build the requestReviews derivation run: nix-build trusted/ci -A requestReviews - # See ./codeowners-v2.yml, reuse the same App because we need the same permissions - # Can't use the token received from permissions above, because it can't get enough permissions + # For requesting reviewers, this job depends on a GitHub App with the following permissions: + # - Permissions: + # - Repository > Administration: read-only + # - Organization > Members: read-only + # - Repository > Pull Requests: read-write + # - Install App on this repository, setting these variables: + # - OWNER_APP_ID (variable) + # - OWNER_APP_PRIVATE_KEY (secret) + # + # Can't use the token received from permissions above, because it can't get enough permissions. - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0 if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID id: app-token @@ -50,6 +58,28 @@ jobs: permission-members: read permission-pull-requests: write + - name: Log current API rate limits (app-token) + if: ${{ steps.app-token.outputs.token }} + env: + GH_TOKEN: ${{ steps.app-token.outputs.token }} + run: gh api /rate_limit | jq + + - name: Requesting code owner reviews + if: steps.app-token.outputs.token + env: + GH_TOKEN: ${{ steps.app-token.outputs.token }} + REPOSITORY: ${{ github.repository }} + NUMBER: ${{ github.event.number }} + # Don't do anything on draft PRs + DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }} + run: result/bin/request-code-owner-reviews.sh "$REPOSITORY" "$NUMBER" ci/OWNERS + + - name: Log current API rate limits (app-token) + if: ${{ steps.app-token.outputs.token }} + env: + GH_TOKEN: ${{ steps.app-token.outputs.token }} + run: gh api /rate_limit | jq + - name: Log current API rate limits (github.token) env: GH_TOKEN: ${{ github.token }}
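Review bot: The new permission comment block drops the cross-reference the deleted codeowners-v2.yml carried, `# Note that this app is also used for ./eval.yml requesting reviewers.`, so anyone rotating OWNER_APP_PRIVATE_KEY or narrowing the App's permissions from this file no longer sees that another workflow may share the credential. If eval.yml still mints a token from the same App, re-add that line at the end of the new block; if it no longer does, a one-line note that this workflow is now the App's only consumer is worth stating explicitly so the permission list here can be treated as authoritative. The `permissions:` block and the `trusted/` checkout the comment refers to sit outside this hunk.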