# This workflow depends on two GitHub Apps with the following permissions: # - For checking code owners: # - Permissions: # - Repository > Administration: read-only # - Organization > Members: read-only # - Install App on this repository, setting these variables: # - OWNER_RO_APP_ID (variable) # - OWNER_RO_APP_PRIVATE_KEY (secret) # - For requesting code owners: # - Permissions: # - Repository > Administration: read-only # - Organization > Members: read-only # - Repository > Pull Requests: read-write # - Install App on this repository, setting these variables: # - OWNER_APP_ID (variable) # - OWNER_APP_PRIVATE_KEY (secret) # # This split is done because checking code owners requires handling untrusted PR input, # while requesting code owners requires PR write access, and those shouldn't be mixed. # # Note that the latter is also used for ./eval.yml requesting reviewers. name: Codeowners v2 on: pull_request_target: types: [opened, ready_for_review, synchronize, reopened, edited] permissions: {} env: OWNERS_FILE: ci/OWNERS # Don't do anything on draft PRs DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }} jobs: get-merge-commit: if: github.repository_owner == 'NixOS' uses: ./.github/workflows/get-merge-commit.yml # Check that code owners is valid check: name: Check runs-on: ubuntu-24.04 needs: get-merge-commit if: github.repository_owner == 'NixOS' && needs.get-merge-commit.outputs.mergedSha steps: - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. name: nixpkgs-ci authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself. # We later build and run code from the base branch with access to secrets, # so it's important this is not the PRs code. - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: base - name: Build codeowners validator run: nix-build base/ci -A codeownersValidator - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 id: app-token with: app-id: ${{ vars.OWNER_RO_APP_ID }} private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} permission-administration: read permission-members: read - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ needs.get-merge-commit.outputs.mergedSha }} path: pr - name: Validate codeowners run: result/bin/codeowners-validator env: OWNERS_FILE: pr/${{ env.OWNERS_FILE }} GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} REPOSITORY_PATH: pr OWNER_CHECKER_REPOSITORY: ${{ github.repository }} # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody EXPERIMENTAL_CHECKS: "avoid-shadowing" # Request reviews from code owners request: name: Request runs-on: ubuntu-24.04 if: github.repository_owner == 'NixOS' steps: - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31 # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. # This is intentional, because we need to request the review of owners as declared in the base branch. - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 id: app-token with: app-id: ${{ vars.OWNER_APP_ID }} private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} permission-administration: read permission-members: read permission-pull-requests: write - name: Build review request package run: nix-build ci -A requestReviews - name: Request reviews run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE" env: GH_TOKEN: ${{ steps.app-token.outputs.token }}