name: Check

on:
  workflow_call:
    inputs:
      baseBranch:
        required: true
        type: string
      headBranch:
        required: true
        type: string
      mergedSha:
        required: true
        type: string
      targetSha:
        required: true
        type: string
    secrets:
      CACHIX_AUTH_TOKEN:
        required: true
      OWNER_RO_APP_PRIVATE_KEY:
        required: true

permissions: {}

defaults:
  run:
    shell: bash

jobs:
  no-channel-base:
    name: no channel base
    if: contains(fromJSON(inputs.baseBranch).type, 'channel')
    runs-on: ubuntu-24.04-arm
    steps:
      - run: |
          cat <<EOF
          The nixos-* and nixpkgs-* branches are pushed to by the channel
          release script and should not be merged into directly.

          Please target the equivalent release-* branch or master instead.
          EOF
          exit 1

  cherry-pick:
    if: |
      github.event_name == 'pull_request' ||
      (fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development'))
    permissions:
      pull-requests: write
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 3
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          path: trusted
          sparse-checkout: |
            ci/github-script

      - name: Install dependencies
        run: npm install bottleneck

      - name: Log current API rate limits
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq

      - name: Check cherry-picks
        id: check
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            require('./trusted/ci/github-script/commits.js')({
              github,
              context,
              core,
              dry: context.eventName == 'pull_request',
            })

      - name: Log current API rate limits
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq

  # For checking code owners, this job depends on a GitHub App with the following permissions:
  # - Permissions:
  #   - Repository > Administration: read-only
  #   - Organization > Members: read-only
  # - Install App on this repository, setting these variables:
  #   - OWNER_RO_APP_ID (variable)
  #   - OWNER_RO_APP_PRIVATE_KEY (secret)
  #
  # This should not use the same app as the job to request reviewers, because this job requires
  # handling untrusted PR input.
  owners:
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          sparse-checkout: .github/actions
      - name: Checkout merge and target commits
        uses: ./.github/actions/checkout
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}
          pinned-from: trusted
          target-as-trusted-at: ${{ inputs.targetSha }}

      - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
          extraPullNames: nixpkgs-ci
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
          pushFilter: -source$

      - name: Build codeowners validator
        run: nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/pinned -A codeownersValidator

      - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
        if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_RO_APP_ID }}
          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Validate codeowners
        if: steps.app-token.outputs.token
        env:
          OWNERS_FILE: nixpkgs/untrusted/ci/OWNERS
          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY_PATH: nixpkgs/untrusted
          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
          EXPERIMENTAL_CHECKS: "avoid-shadowing"
        run: result/bin/codeowners-validator

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq