Skip to content

Test codeowners validation #11

Test codeowners validation

Test codeowners validation #11

Workflow file for this run

name: CI
on:
# We use pull_request_target such that the code owner validation works for PRs from forks,
# because we need repository secrets for that, which pull_request wouldn't allow from forks.
# However, it's very important that we don't run code from forks without sandboxing it,
# because that way anybody could potentially extract repository secrets!
# Furthermore, using pull_request_target doesn't require manually approving first-time contributors
pull_request_target:
jobs:
xrefcheck:
name: Check references
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: refs/pull/${{ github.event.pull_request.number }}/merge
path: untrusted-pr
- uses: serokell/xrefcheck-action@v1
with:
xrefcheck-args: "--root untrusted-pr"
codeowners:
name: Validate codeowners
runs-on: ubuntu-latest
steps:
- uses: cachix/install-nix-action@v26
- uses: actions/checkout@v4
with:
path: trusted-base
- uses: actions/checkout@v4
with:
ref: refs/pull/${{ github.event.pull_request.number }}/merge
path: untrusted-pr
- uses: mszostok/[email protected]
with:
# GitHub access token is required only if the `owners` check is enabled
# See https://github.com/mszostok/codeowners-validator/blob/main/docs/gh-auth.md#public-repositories
github_access_token: "${{ secrets.OWNERS_VALIDATOR_GITHUB_SECRET }}"
# The repository path in which CODEOWNERS file should be validated."
repository_path: untrusted-pr
# The owner and repository name. For example, gh-codeowners/codeowners-samples. Used to check if GitHub team is in the given organization and has permission to the given repository."
owner_checker_repository: "${{ github.repository }}"
# "The comma-separated list of experimental checks that should be executed. By default, all experimental checks are turned off. Possible values: notowned,avoid-shadowing"
experimental_checks: "notowned,avoid-shadowing"
# Specifies whether CODEOWNERS may have unowned files. For example, `/infra/oncall-rotator/oncall-config.yml` doesn't have owner and this is not reported.
owner_checker_allow_unowned_patterns: "false"
# Specifies whether only teams are allowed as owners of files.
owner_checker_owners_must_be_teams: "false"
# The above validator doesn't currently ensure that people have write access: https://github.com/mszostok/codeowners-validator/issues/157
# So we're doing it manually instead
- name: Check that codeowners have write access
# Important that we run the script from the base branch,
# because otherwise a PR from a fork could change it to extract the secret
run: trusted-base/scripts/unprivileged-owners.sh untrusted-pr ${{ github.repository }}
env:
GH_TOKEN: "${{ secrets.OWNERS_VALIDATOR_GITHUB_SECRET }}"