From 956d0a744d2fa17a392bb04b2a25d10aef642813 Mon Sep 17 00:00:00 2001
From: Wolfgang Walther
Date: Fri, 22 Aug 2025 18:44:19 +0200
Subject: [PATCH] workflows/check: allow owners to fail when ci/OWNERS is untouched
The owners check is not reproducible, because it depends on the state of the NixOS org on GitHub. Owners can rename their accounts or they can leave the organisation and access to Nixpkgs can be removed from teams. All of this breaks the owners check for reasons unrelated to the PR at hand. This PR makes the check for the owners file conditionally required: Only when the ci/OWNERS file is actually modified a failed check will block merging the PR. When that's not the case, the check will still fail visibily in the checklist, but the failure can be ignored. This is especially relevant for the Merge Queue, which should not be entirely blocked whenever any of these events happen. Also, it allows passing the checks in a fork when testing, where the owners check will *always* fail, because the respective teams and members are never part of the "user org" that a fork is.
---
 .github/workflows/check.yml | 4 ++++
 .github/workflows/pr.yml | 1 +
 ci/github-script/prepare.js | 6 ++++--
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index ded8bad536c4..9192264266a1 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -12,6 +12,9 @@ on:
 mergedSha:
 required: true
 type: string
+ ownersCanFail:
+ required: true
+ type: boolean
 targetSha:
 required: true
 type: string
@@ -94,6 +97,7 @@ jobs:
 # handling untrusted PR input.
 owners:
 runs-on: ubuntu-24.04-arm
+ continue-on-error: ${{ inputs.ownersCanFail }}
 timeout-minutes: 5
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 936a9173e7c4..81f0f1d0f507 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
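Review bot: The new `ownersCanFail` input in the first hunk of `.github/workflows/check.yml` is declared `required: true` with no default, so every caller of this reusable workflow has to pass it, and this patch only updates `.github/workflows/pr.yml`. If another workflow calls `check.yml` (none is visible here), it would need the same change. Declaring the input `required: false` with `default: false` would keep the owners job blocking unless a caller opts out explicitly.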
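Review bot: Nothing at the `owners` job in `.github/workflows/check.yml` says when its failure stops being blocking, and `continue-on-error: ${{ inputs.ownersCanFail }}` sits directly under a comment about handling untrusted PR input. A short comment above the line would help, for example `# Only blocking when the PR touches ci/OWNERS; the caller decides via ownersCanFail.` When the input is true, every failure of this job is tolerated, including a timeout or a failed checkout, not only a mismatch with the org state. The job body continues outside the hunk.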
@@ -61,6 +61,7 @@ jobs:
 headBranch: ${{ needs.prepare.outputs.headBranch }}
 mergedSha: ${{ needs.prepare.outputs.mergedSha }}
 targetSha: ${{ needs.prepare.outputs.targetSha }}
+ ownersCanFail: ${{ !contains(fromJSON(needs.prepare.outputs.touched), 'owners') }}
 lint:
 name: Lint
diff --git a/ci/github-script/prepare.js b/ci/github-script/prepare.js
index fb000cb6820a..0fcec880f376 100644
--- a/ci/github-script/prepare.js
+++ b/ci/github-script/prepare.js
@@ -76,8 +76,10 @@ module.exports = async ({ github, context, core }) => {
 })
 ).map((file) => file.filename)
- if (files.includes('ci/pinned.json')) core.setOutput('touched', ['pinned'])
- else core.setOutput('touched', [])
+ const touched = []
+ if (files.includes('ci/pinned.json')) touched.push('pinned')
+ if (files.includes('ci/OWNERS')) touched.push('owners')
+ core.setOutput('touched', touched)
 return
 }
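Review bot: `ownersCanFail` in the `.github/workflows/pr.yml` hunk is true whenever the string `'owners'` is absent from `touched`, so the relaxed mode is the default and the blocking mode depends on an exact string match with what `ci/github-script/prepare.js` pushes. A typo or rename on either side would silently make the owners check non-blocking for every PR. A comment at this line naming the producer would help, for example `# 'owners' is set by ci/github-script/prepare.js when ci/OWNERS is in the PR's file list.`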
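Review bot: `files.includes('ci/OWNERS')` in the `ci/github-script/prepare.js` hunk only sees the `filename` of each entry, and this value now decides whether the owners check blocks the merge. If `files` comes from the pull-request files API (the call is above the hunk), a PR that renames `ci/OWNERS` reports the new path in `filename` and the old one in `previous_filename`, and GitHub documents a cap of 3000 files per response. In both cases `'owners'` would be missing and the check would become non-blocking. Collecting both names, e.g. `.flatMap((file) => [file.filename, file.previous_filename].filter(Boolean))`, closes the rename gap, and the file cap is worth at least a comment. The enclosing function starts and ends outside the hunk.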