Validate CODEOWNERS

NixOS · Apr 23, 2024 · 8dda28d · 8dda28d
1 parent be29eb5
commit 8dda28d
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 4 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -21,4 +21,37 @@ jobs:
       with:
         xrefcheck-args: "--root untrusted-pr"
 
-# TODO: Use https://github.com/marketplace/actions/github-codeowners-validator
+  codeowners:
+    name: Validate codeowners
+    runs-on: ubuntu-latest
+    steps:
+
+    - uses: actions/checkout@v4
+      with:
+        path: trusted-base
+
+    - uses: actions/checkout@v4
+      with:
+        ref: refs/pull/${{ github.event.pull_request.number }}/merge
+        path: untrusted-pr
+
+    - uses: mszostok/[email protected]
+      with:
+        # GitHub access token is required only if the `owners` check is enabled
+        # See https://github.com/mszostok/codeowners-validator/blob/main/docs/gh-auth.md#public-repositories
+        github_access_token: "${{ secrets.OWNERS_VALIDATOR_GITHUB_SECRET }}"
+
+        # The repository path in which CODEOWNERS file should be validated."
+        repository_path: untrusted-pr
+
+        # The owner and repository name. For example, gh-codeowners/codeowners-samples. Used to check if GitHub team is in the given organization and has permission to the given repository."
+        owner_checker_repository: "${{ github.repository }}"
+
+        # "The comma-separated list of experimental checks that should be executed. By default, all experimental checks are turned off. Possible values: notowned,avoid-shadowing"
+        experimental_checks: "notowned,avoid-shadowing"
+
+        # Specifies whether CODEOWNERS may have unowned files. For example, `/infra/oncall-rotator/oncall-config.yml` doesn't have owner and this is not reported.
+        owner_checker_allow_unowned_patterns: "false"
+
+        # Specifies whether only teams are allowed as owners of files.
+        owner_checker_owners_must_be_teams: "false"
diff --git a/doc/org-repo.md b/doc/org-repo.md
@@ -4,9 +4,7 @@ This repository itself is the entry point for documentation on official resource
 
 Everybody in the [CODEOWNERS](../.github/CODEOWNERS) file has write permission to this repository.
 This allows people to get automatic review requests and merge PRs for the files that concern them.
-
-TODO: Enable branch protection to require reviews by code owners.
-TODO: Ensure that all files have a code owner
+PRs can only be merged if a codeowner for the respective files approves it, and all files need to have a codeowner entry.
 
 Furthermore, the code owners for the CODEOWNERS file should have permission to give more people write access to this repository.
 These people get requested for reviews when new people add themselves to CODEOWNERS, allowing them to give write access when merged.