diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml
index 130d4d9..bc70633 100644
--- a/.github/workflows/review.yml
+++ b/.github/workflows/review.yml
@@ -11,14 +11,26 @@ jobs:
 update:
 runs-on: ubuntu-latest
 steps:
+ - uses: cachix/install-nix-action@v26
+ - uses: actions/checkout@v4
+ with:
+ path: repo
+
+ - name: Generate issue body
+ run: repo/scripts/review-body.sh repo ${{ github.repository }} > body
+ env:
+ # This token has read-only admin access to see who has write access to this repo
+ GH_TOKEN: "${{ secrets.OWNERS_VALIDATOR_GITHUB_SECRET }}"
+
 - run: |
 gh api \
 --method POST \
 -H "Accept: application/vnd.github+json" \
 -H "X-GitHub-Api-Version: 2022-11-28" \
- /repos/"$GITHUB_REPOSITORY"/issues \
+ /repos/${{ github.repository }}/issues \
 -f title="[$(date +'%Y %B')] Regular manual review " \
- -f body="$(./scripts/review-body.sh)"
+ -F body=@body
 env:
+ # This token has write access to only issues to create one
 GH_TOKEN: ${{ github.token }}
 
diff --git a/scripts/review-body.sh b/scripts/review-body.sh
index c9e8758..2b68d59 100755
--- a/scripts/review-body.sh
+++ b/scripts/review-body.sh
@@ -1,9 +1,21 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash --pure --keep GH_TOKEN -I nixpkgs=channel:nixpkgs-unstable -p codeowners github-cli gitMinimal
+
 set -euo pipefail
 
 # This script outputs the contents of the regular review issue, see ./github/workflows/review.yml
 
-rev=$(git rev-parse HEAD)
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+if (( $# != 2 )); then
+ echo "Usage: $0 PATH OWNER/REPO"
+ exit 1
+fi
+
+root=$1
+repo=$2
+
+rev=$(git -C "$root" rev-parse HEAD)
 
 echo "Because the documentation in this repository may slowly deviate from reality, this monthly issue is created to regularly review the files.
 
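Review bot: The two new `uses:` steps at the top of the hunk reference `cachix/install-nix-action@v26` and `actions/checkout@v4` by mutable tag, and the step directly after them runs the checked-out script with `OWNERS_VALIDATOR_GITHUB_SECRET` in its environment, so a moved or compromised tag would let third-party action code run with that admin-read token. Pin both to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4`, and the same for the install-nix-action line. The `permissions:` block of the `update` job is outside the hunk; if it does not already restrict `github.token` to `issues: write`, the inline comment added on the second `GH_TOKEN` describes intent rather than what the job actually holds.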
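Review bot: The new `#!nix-shell` line resolves `codeowners`, `github-cli` and `gitMinimal` from `-I nixpkgs=channel:nixpkgs-unstable`, so the tools that run with `GH_TOKEN` kept in the pure environment are whatever the channel serves on the day the workflow fires, which is neither reproducible nor reviewable. Pin the channel to a specific nixpkgs revision instead, e.g. `-I nixpkgs=https://github.com/NixOS/nixpkgs/archive/<nixpkgs-commit-sha>.tar.gz`, and bump it deliberately. Separately, the usage message in the `(( $# != 2 ))` branch goes to stdout, which the workflow redirects into the issue body file; send it to stderr with `echo "Usage: $0 PATH OWNER/REPO" >&2`. The multi-line `echo` string at the bottom of the hunk continues outside it.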
@@ -30,4 +42,11 @@ while read -r file users; do
 continue
 fi
 echo "- [ ] \`$file\`: $users"
-done < .github/CODEOWNERS
+done < "$root"/.github/CODEOWNERS
+
+echo ""
+
+# Check that all code owners have write permissions
+# `|| true` because this script fails when there are code owners without permissions,
+# which is useful to fail PRs, but not here
+bash "$SCRIPT_DIR"/unprivileged-owners.sh "$root" "$repo" || true
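Review bot: `|| true` on the last added line discards every non-zero exit of `unprivileged-owners.sh`, not only the "owners without write permission" case the comment above it describes, so a missing helper, an expired `GH_TOKEN` or a failed API call yields an issue that silently lacks the permission check. Since this script's stdout is the issue body, leave a visible marker when the helper fails instead of swallowing it: `bash "$SCRIPT_DIR"/unprivileged-owners.sh "$root" "$repo" || echo "_unprivileged-owners.sh exited with status $?; see the workflow log_"`. If the helper uses a distinct exit status for the expected case, match on that status instead; I cannot tell from this hunk. The `while read` loop that the first context lines belong to starts outside the hunk.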