Update README.md #49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Codeowners v2 | |
# This workflow depends on two GitHub Apps with the following permissions: | |
# - For checking code owners: | |
# - Permissions: | |
# - Repository > Administration: read-only | |
# - Organization > Members: read-only | |
# - Install App on this repository, setting these variables: | |
# - OWNER_RO_APP_ID (variable) | |
# - OWNER_RO_APP_PRIVATE_KEY (secret) | |
# - For requesting code owners: | |
# - Permissions: | |
# - Repository > Administration: read-only | |
# - Organization > Members: read-only | |
# - Repository > Pull Requests: read-write | |
# - Install App on this repository, setting these variables: | |
# - OWNER_APP_ID (variable) | |
# - OWNER_APP_PRIVATE_KEY (secret) | |
# | |
# This split is done because checking code owners requires handling untrusted PR input, | |
# while requesting code owners requires PR write access, and those shouldn't be mixed. | |
on: | |
pull_request_target: | |
types: [opened, ready_for_review, synchronize, reopened, edited] | |
# We don't need any default GitHub token | |
permissions: {} | |
env: | |
OWNERS_FILE: ci/OWNERS | |
# Don't do anything on draft PRs | |
DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }} | |
jobs: | |
# Check that code owners is valid | |
check: | |
name: Check | |
runs-on: ubuntu-latest | |
steps: | |
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 | |
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 | |
if: github.repository_owner == 'NixOS' | |
with: | |
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. | |
name: nixpkgs-ci | |
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself. | |
# We later build and run code from the base branch with access to secrets, | |
# so it's important this is not the PRs code. | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
path: base | |
- name: Build codeowners validator | |
run: nix-build base/ci -A codeownersValidator | |
- uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 | |
id: app-token | |
with: | |
app-id: ${{ vars.OWNER_RO_APP_ID }} | |
private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: refs/pull/${{ github.event.number }}/merge | |
path: pr | |
- name: Validate codeowners | |
run: result/bin/codeowners-validator | |
env: | |
OWNERS_FILE: pr/${{ env.OWNERS_FILE }} | |
GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} | |
REPOSITORY_PATH: pr | |
OWNER_CHECKER_REPOSITORY: ${{ github.repository }} | |
# Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody | |
EXPERIMENTAL_CHECKS: "avoid-shadowing" | |
# Request reviews from code owners | |
request: | |
name: Request | |
runs-on: ubuntu-latest | |
steps: | |
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 | |
# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. | |
# This is intentional, because we need to request the review of owners as declared in the base branch. | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 | |
id: app-token | |
with: | |
app-id: ${{ vars.OWNER_APP_ID }} | |
private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} | |
- name: Build review request package | |
run: nix-build ci -A requestReviews | |
- name: Request reviews | |
run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE" | |
env: | |
GH_TOKEN: ${{ steps.app-token.outputs.token }} |