By consistently checking out nixpkgs into the same location in every
workflow, it's easier to reason about the different workflows at once.
We also use crystal-clear names to make clear which checkouts are
considered trusted (because they only contain target-branch code) and
which checkouts are untrusted (because they contain code from the head
branch). By naming the checkout directories trusted/untrusted, it's
obvious at the call site.
One example of where we likely did the wrong thing is the nixpkgs-vet
workflow: Fetching the toolVersion from the untrusted checkout opens the
door for an injection into the download URL, thus code could be
downloaded from anywhere. This is not a problem, because this workflow
does not run with elevated privileges, but it's a scary oversight
nonetheless.
(cherry picked from commit 6720d25429)
# This workflow depends on two GitHub Apps with the following permissions:
# - For checking code owners:
#   - Permissions:
#     - Repository > Administration: read-only
#     - Organization > Members: read-only
#   - Install App on this repository, setting these variables:
#     - OWNER_RO_APP_ID (variable)
#     - OWNER_RO_APP_PRIVATE_KEY (secret)
# - For requesting code owners:
#   - Permissions:
#     - Repository > Administration: read-only
#     - Organization > Members: read-only
#     - Repository > Pull Requests: read-write
#   - Install App on this repository, setting these variables:
#     - OWNER_APP_ID (variable)
#     - OWNER_APP_PRIVATE_KEY (secret)
#
# This split is done because checking code owners requires handling untrusted PR input,
# while requesting code owners requires PR write access, and those shouldn't be mixed.
#
# Note that the latter is also used for ./eval.yml requesting reviewers.
#
# Trust model used throughout this file:
# - "trusted" checkout: base-branch code (targetSha / default ref of pull_request_target).
#   Only this checkout is ever passed to nix-build or executed.
# - "untrusted" checkout: the PR's test merge commit (mergedSha).
#   It is only handed to the validator as data (OWNERS_FILE / REPOSITORY_PATH).

name: Codeowners v2

on:
  # Runs with the PR's own workflow file and no repository secrets on forks; limited to
  # changes of this file so that edits to the workflow itself still get exercised.
  pull_request:
    paths:
      - .github/workflows/codeowners-v2.yml
  # Runs the base branch's workflow file in the base repository's context (with access
  # to secrets, see the checkout comments below), so every build/exec step must only
  # use the trusted checkout.
  pull_request_target:
    types: [opened, ready_for_review, synchronize, reopened]

# No default GITHUB_TOKEN permissions for any job; each job obtains a narrowly
# scoped token from its GitHub App instead.
permissions: {}

env:
  # Repository-relative path of the owners file (resolved differently per job, see below).
  OWNERS_FILE: ci/OWNERS
  # Don't do anything on draft PRs
  # NOTE(review): presumably read by the built tools (validator / request script) — confirm there.
  DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

jobs:
  # Check that code owners is valid
  check:
    name: Check
    runs-on: ubuntu-24.04-arm
    if: github.repository_owner == 'NixOS'
    steps:
      # Sparse checkout of only .github/actions, so the local get-merge-commit action
      # below can be referenced; no ref is given, so this is the trigger's default ref.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: .github/actions
      # Provides targetSha (base branch) and mergedSha (test merge commit) for the
      # trusted / untrusted checkouts below.
      - name: Check if the PR can be merged and get the test merge commit
        uses: ./.github/actions/get-merge-commit
        id: get-merge-commit

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
          # The push token is present in this job, which is why only trusted/ci is ever built here.
          name: nixpkgs-ci
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
      # We later build and run code from the base branch with access to secrets,
      # so it's important this is not the PRs code.
      # targetSha is pinned explicitly rather than relying on the default ref.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ steps.get-merge-commit.outputs.targetSha }}
          path: trusted

      # Builds (and pushes to the cache) only from the trusted checkout.
      - name: Build codeowners validator
        run: nix-build trusted/ci -A codeownersValidator

      # Read-only app token (administration + members: read) for resolving owners.
      # Skipped entirely when the app is not installed (OWNER_RO_APP_ID unset),
      # which in turn skips the validation step below.
      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        if: vars.OWNER_RO_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_RO_APP_ID }}
          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read

      # Untrusted checkout: the PR's test merge commit. Nothing in this job runs
      # nix-build or scripts from it; it is only passed to the validator via
      # OWNERS_FILE / REPOSITORY_PATH so the PR's own OWNERS changes get validated.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
          path: untrusted

      - name: Validate codeowners
        if: steps.app-token.outputs.token
        env:
          # Validate the owners file as it is in the PR, i.e. from the untrusted checkout.
          OWNERS_FILE: untrusted/${{ env.OWNERS_FILE }}
          # Read-only token from the step above.
          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY_PATH: untrusted
          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
          EXPERIMENTAL_CHECKS: "avoid-shadowing"
        # result/ is the nix-build output of trusted/ci, not anything from the PR.
        run: result/bin/codeowners-validator

  # Request reviews from code owners
  request:
    name: Request
    runs-on: ubuntu-24.04-arm
    if: github.repository_owner == 'NixOS'
    steps:
      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
      # This is intentional, because we need to request the review of owners as declared in the base branch.
      # No ref is given on purpose: for pull_request_target the default is the base branch.
      # This job never checks out the PR head at all, since it holds a PR-write token.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: trusted

      # App token with pull-requests: write, needed to request reviewers.
      # Skipped (together with the request step) when OWNER_APP_ID is unset.
      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        if: vars.OWNER_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_APP_ID }}
          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read
          permission-pull-requests: write

      # Built only from the trusted checkout.
      - name: Build review request package
        run: nix-build trusted/ci -A requestReviews

      - name: Request reviews
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        # NOTE(review): $OWNERS_FILE here is the repository-relative path ci/OWNERS (not a path
        # under trusted/); presumably the script resolves it against the base branch itself — confirm.
        # NOTE(review): github.repository and github.event.number are expanded directly into the
        # shell line; neither is PR-author-controlled, but routing them through env (as GH_TOKEN
        # is) would keep the run line free of ${{ }} interpolation.
        run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"