# This workflow depends on two GitHub Apps with the following permissions: # - For checking code owners: # - Permissions: # - Repository > Administration: read-only # - Organization > Members: read-only # - Install App on this repository, setting these variables: # - OWNER_RO_APP_ID (variable) # - OWNER_RO_APP_PRIVATE_KEY (secret) # - For requesting code owners: # - Permissions: # - Repository > Administration: read-only # - Organization > Members: read-only # - Repository > Pull Requests: read-write # - Install App on this repository, setting these variables: # - OWNER_APP_ID (variable) # - OWNER_APP_PRIVATE_KEY (secret) # # This split is done because checking code owners requires handling untrusted PR input, # while requesting code owners requires PR write access, and those shouldn't be mixed. # # Note that the latter is also used for ./eval.yml requesting reviewers. name: Codeowners v2 on: pull_request: paths: - .github/workflows/codeowners-v2.yml pull_request_target: types: [opened, ready_for_review, synchronize, reopened] permissions: {} env: OWNERS_FILE: ci/OWNERS # Don't do anything on draft PRs DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }} jobs: # Check that code owners is valid check: name: Check runs-on: ubuntu-24.04-arm if: github.repository_owner == 'NixOS' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: .github/actions - name: Check if the PR can be merged and checkout the merge and target commits uses: ./.github/actions/get-merge-commit with: merged-as-untrusted: true target-as-trusted: true - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. name: nixpkgs-ci authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - name: Build codeowners validator run: nix-build trusted/ci -A codeownersValidator - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 if: vars.OWNER_RO_APP_ID id: app-token with: app-id: ${{ vars.OWNER_RO_APP_ID }} private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} permission-administration: read permission-members: read - name: Validate codeowners if: steps.app-token.outputs.token env: OWNERS_FILE: untrusted/${{ env.OWNERS_FILE }} GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} REPOSITORY_PATH: untrusted OWNER_CHECKER_REPOSITORY: ${{ github.repository }} # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody EXPERIMENTAL_CHECKS: "avoid-shadowing" run: result/bin/codeowners-validator # Request reviews from code owners request: name: Request runs-on: ubuntu-24.04-arm if: github.repository_owner == 'NixOS' steps: - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31 # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. # This is intentional, because we need to request the review of owners as declared in the base branch. - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: trusted - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 if: vars.OWNER_APP_ID id: app-token with: app-id: ${{ vars.OWNER_APP_ID }} private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} permission-administration: read permission-members: read permission-pull-requests: write - name: Build review request package run: nix-build trusted/ci -A requestReviews - name: Request reviews if: steps.app-token.outputs.token env: GH_TOKEN: ${{ steps.app-token.outputs.token }} run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"