Skip to content

Update governance documentation #42

Update governance documentation

Update governance documentation #42

Workflow file for this run

name: CI
on:
# We use pull_request_target such that the code owner validation works for PRs from forks,
# because we need repository secrets for that, which pull_request wouldn't allow from forks.
# However, it's very important that we don't run code from forks without sandboxing it,
# because that way anybody could potentially extract repository secrets!
# Furthermore, using pull_request_target doesn't require manually approving first-time contributors
pull_request_target:
jobs:
xrefcheck:
name: Check references
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: refs/pull/${{ github.event.pull_request.number }}/merge
path: untrusted-pr
- uses: serokell/xrefcheck-action@v1
with:
xrefcheck-args: "--root untrusted-pr"
codeowners:
name: Validate codeowners
runs-on: ubuntu-latest
steps:
- uses: cachix/install-nix-action@v26
- uses: actions/checkout@v4
with:
path: trusted-base
- name: Build codeowners validator
# We run the result of this with access to secrets later, so it's important to trust this!
run: nix-build trusted-base -A packages.codeowners-validator
- uses: actions/checkout@v4
with:
ref: refs/pull/${{ github.event.pull_request.number }}/merge
path: untrusted-pr
- name: Validate codeowners
run: result/bin/codeowners-validator
env:
# See https://github.com/mszostok/codeowners-validator/blob/main/docs/gh-auth.md#public-repositories
# And https://github.com/mszostok/codeowners-validator/pull/222#issuecomment-2079521185
# The same App is also used in ./review.yml
GITHUB_APP_ID: ${{ secrets.APP_ID }}
GITHUB_APP_INSTALLATION_ID: ${{ secrets.APP_INSTALLATION_ID }}
GITHUB_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
REPOSITORY_PATH: untrusted-pr
OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
EXPERIMENTAL_CHECKS: "notowned,avoid-shadowing"
OWNER_CHECKER_ALLOW_UNOWNED_PATTERNS: "false"
OWNER_CHECKER_OWNERS_MUST_BE_TEAMS: "false"