workflows/reviewers: integrate codeowner reviews

These two jobs mostly used the same code anyway, so they can easily run in the same job. This uses fewer resources and avoids running (and failing) the codeowners review job on Pull Requests from development branches like staging-next or haskell-updates. It also opens the door for more improvements later on, for example it will be much easier to implement a shared reviewer limit for both owners and maintainers now. (cherry picked from commit ddf81dead6)
2026-01-12 02:40:31 +08:00 · 2025-08-17 22:24:24 +02:00
parent 2746652fdc
commit 2c86ed707c
2 changed files with 32 additions and 78 deletions
--- a/.github/workflows/codeowners-v2.yml
+++ b/.github/workflows/codeowners-v2.yml
@@ -1,76 +0,0 @@
-name: Codeowners v2
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/codeowners-v2.yml
-  pull_request_target:
-    types: [opened, ready_for_review, synchronize, reopened]
-
-concurrency:
-  group: codeowners-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
-  cancel-in-progress: true
-
-permissions: {}
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  # Request reviews from code owners
-  # For requesting code owners, this job depends on a GitHub App with the following permissions:
-  # - Permissions:
-  #   - Repository > Administration: read-only
-  #   - Organization > Members: read-only
-  #   - Repository > Pull Requests: read-write
-  # - Install App on this repository, setting these variables:
-  #   - OWNER_APP_ID (variable)
-  #   - OWNER_APP_PRIVATE_KEY (secret)
-  #
-  # Note that this app is also used for ./eval.yml requesting reviewers.
-  request:
-    name: Request
-    runs-on: ubuntu-24.04-arm
-    timeout-minutes: 5
-    steps:
-      - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
-
-      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
-      # This is intentional, because we need to request the review of owners as declared in the base branch.
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          path: trusted
-
-      - name: Build review request package
-        run: nix-build trusted/ci -A requestReviews
-
-      - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
-        if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.OWNER_APP_ID }}
-          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
-          permission-administration: read
-          permission-members: read
-          permission-pull-requests: write
-
-      - name: Log current API rate limits
-        if: steps.app-token.outputs.token
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: gh api /rate_limit | jq
-
-      - name: Request reviews
-        if: steps.app-token.outputs.token
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-          # Don't do anything on draft PRs
-          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
-        run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} ci/OWNERS
-
-      - name: Log current API rate limits
-        if: steps.app-token.outputs.token
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: gh api /rate_limit | jq
--- a/.github/workflows/reviewers.yml
+++ b/.github/workflows/reviewers.yml
@@ -38,8 +38,16 @@ jobs:
      - name: Build the requestReviews derivation
        run: nix-build trusted/ci -A requestReviews

-      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
-      # Can't use the token received from permissions above, because it can't get enough permissions
+      # For requesting reviewers, this job depends on a GitHub App with the following permissions:
+      # - Permissions:
+      #   - Repository > Administration: read-only
+      #   - Organization > Members: read-only
+      #   - Repository > Pull Requests: read-write
+      # - Install App on this repository, setting these variables:
+      #   - OWNER_APP_ID (variable)
+      #   - OWNER_APP_PRIVATE_KEY (secret)
+      #
+      # Can't use the token received from permissions above, because it can't get enough permissions.
      - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
        if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
        id: app-token
@@ -50,6 +58,28 @@ jobs:
          permission-members: read
          permission-pull-requests: write

+      - name: Log current API rate limits (app-token)
+        if: ${{ steps.app-token.outputs.token }}
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: gh api /rate_limit | jq
+
+      - name: Requesting code owner reviews
+        if: steps.app-token.outputs.token
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          REPOSITORY: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
+          # Don't do anything on draft PRs
+          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
+        run: result/bin/request-code-owner-reviews.sh "$REPOSITORY" "$NUMBER" ci/OWNERS
+
+      - name: Log current API rate limits (app-token)
+        if: ${{ steps.app-token.outputs.token }}
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: gh api /rate_limit | jq
+
      - name: Log current API rate limits (github.token)
        env:
          GH_TOKEN: ${{ github.token }}