Loading .github/CODEOWNERS +1 −0 Original line number Diff line number Diff line Loading @@ -15,6 +15,7 @@ /.github/workflows @NixOS/Security @Mic92 @zowoq /.github/workflows/check-nix-format.yml @infinisil /.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron /.github/workflows/codeowners.yml @infinisil /ci @infinisil @philiptaron @NixOS/Security # Development support Loading .github/workflows/codeowners.yml 0 → 100644 +88 −0 Original line number Diff line number Diff line name: Codeowners # This workflow depends on a GitHub App with the following permissions: # - Repository > Administration: read-only # - Organization > Members: read-only # - Repository > Pull Requests: read-write # The App needs to be installed on this repository # the OWNER_APP_ID repository variable needs to be set # the OWNER_APP_PRIVATE_KEY repository secret needs to be set on: pull_request_target: types: [opened, ready_for_review, synchronize, reopened, edited] env: # TODO: Once confirmed that this works by seeing that the action would request # reviews from the same people (or refuse for wrong base branches), # move all entries from CODEOWNERS to OWNERS and change this value here # OWNERS_FILE: .github/OWNERS OWNERS_FILE: .github/CODEOWNERS # Also remove this DRY_MODE: 1 jobs: # Check that code owners is valid check: name: Check runs-on: ubuntu-latest steps: - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself. # We later build and run code from the base branch with access to secrets, # so it's important this is not the PRs code. - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: path: base - name: Build codeowners validator run: nix-build base/ci -A codeownersValidator - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 id: app-token with: app-id: ${{ vars.OWNER_APP_ID }} private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: ref: refs/pull/${{ github.event.number }}/merge path: pr - name: Validate codeowners run: result/bin/codeowners-validator env: OWNERS_FILE: pr/${{ env.OWNERS_FILE }} GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} REPOSITORY_PATH: pr OWNER_CHECKER_REPOSITORY: ${{ github.repository }} # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody EXPERIMENTAL_CHECKS: "avoid-shadowing" # Request reviews from code owners request: name: Request runs-on: ubuntu-latest steps: - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. # This is intentional, because we need to request the review of owners as declared in the base branch. - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 id: app-token with: app-id: ${{ vars.OWNER_APP_ID }} private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} - name: Build review request package run: nix-build ci -A requestReviews - name: Request reviews run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE" env: GH_TOKEN: ${{ steps.app-token.outputs.token }} # Don't do anything on draft PRs DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }} Loading
.github/CODEOWNERS +1 −0 Original line number Diff line number Diff line Loading @@ -15,6 +15,7 @@ /.github/workflows @NixOS/Security @Mic92 @zowoq /.github/workflows/check-nix-format.yml @infinisil /.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron /.github/workflows/codeowners.yml @infinisil /ci @infinisil @philiptaron @NixOS/Security # Development support Loading
.github/workflows/codeowners.yml 0 → 100644 +88 −0 Original line number Diff line number Diff line name: Codeowners # This workflow depends on a GitHub App with the following permissions: # - Repository > Administration: read-only # - Organization > Members: read-only # - Repository > Pull Requests: read-write # The App needs to be installed on this repository # the OWNER_APP_ID repository variable needs to be set # the OWNER_APP_PRIVATE_KEY repository secret needs to be set on: pull_request_target: types: [opened, ready_for_review, synchronize, reopened, edited] env: # TODO: Once confirmed that this works by seeing that the action would request # reviews from the same people (or refuse for wrong base branches), # move all entries from CODEOWNERS to OWNERS and change this value here # OWNERS_FILE: .github/OWNERS OWNERS_FILE: .github/CODEOWNERS # Also remove this DRY_MODE: 1 jobs: # Check that code owners is valid check: name: Check runs-on: ubuntu-latest steps: - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself. # We later build and run code from the base branch with access to secrets, # so it's important this is not the PRs code. - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: path: base - name: Build codeowners validator run: nix-build base/ci -A codeownersValidator - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 id: app-token with: app-id: ${{ vars.OWNER_APP_ID }} private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: ref: refs/pull/${{ github.event.number }}/merge path: pr - name: Validate codeowners run: result/bin/codeowners-validator env: OWNERS_FILE: pr/${{ env.OWNERS_FILE }} GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} REPOSITORY_PATH: pr OWNER_CHECKER_REPOSITORY: ${{ github.repository }} # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody EXPERIMENTAL_CHECKS: "avoid-shadowing" # Request reviews from code owners request: name: Request runs-on: ubuntu-latest steps: - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. # This is intentional, because we need to request the review of owners as declared in the base branch. - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 id: app-token with: app-id: ${{ vars.OWNER_APP_ID }} private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} - name: Build review request package run: nix-build ci -A requestReviews - name: Request reviews run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE" env: GH_TOKEN: ${{ steps.app-token.outputs.token }} # Don't do anything on draft PRs DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
