# This workflow depends on two GitHub Apps with the following permissions:
# - For checking code owners:
#   - Permissions:
#     - Repository > Administration: read-only
#     - Organization > Members: read-only
#   - Install App on this repository, setting these variables:
#     - OWNER_RO_APP_ID (variable)
#     - OWNER_RO_APP_PRIVATE_KEY (secret)
# - For requesting code owners:
#   - Permissions:
#     - Repository > Administration: read-only
#     - Organization > Members: read-only
#     - Repository > Pull Requests: read-write
#   - Install App on this repository, setting these variables:
#     - OWNER_APP_ID (variable)
#     - OWNER_APP_PRIVATE_KEY (secret)
#
# This split is done because checking code owners requires handling untrusted PR input,
# while requesting code owners requires PR write access, and those shouldn't be mixed.
#
# Note that the latter is also used for ./eval.yml requesting reviewers.

name: Codeowners v2

on:
  pull_request:
    paths:
      - .github/workflows/codeowners-v2.yml
  pull_request_target:
    types: [opened, ready_for_review, synchronize, reopened]

concurrency:
  group: codeowners-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

permissions: {}

defaults:
  run:
    shell: bash

env:
  OWNERS_FILE: ci/OWNERS
  # Don't do anything on draft PRs
  DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

jobs:
  # Check that code owners is valid
  check:
    name: Check
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          sparse-checkout: .github/actions
      - name: Check if the PR can be merged and checkout the merge and target commits
        uses: ./.github/actions/get-merge-commit
        with:
          merged-as-untrusted: true
          target-as-trusted: true

      - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
          name: nixpkgs-ci
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      - name: Build codeowners validator
        run: nix-build trusted/ci -A codeownersValidator

      - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
        if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_RO_APP_ID }}
          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Validate codeowners
        if: steps.app-token.outputs.token
        env:
          OWNERS_FILE: untrusted/${{ env.OWNERS_FILE }}
          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY_PATH: untrusted
          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
          EXPERIMENTAL_CHECKS: "avoid-shadowing"
        run: result/bin/codeowners-validator

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

  # Request reviews from code owners
  request:
    name: Request
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 5
    steps:
      - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
      # This is intentional, because we need to request the review of owners as declared in the base branch.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          path: trusted

      - name: Build review request package
        run: nix-build trusted/ci -A requestReviews

      - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
        if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_APP_ID }}
          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read
          permission-pull-requests: write

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Request reviews
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq