Unverified Commit b1bc4ea2 authored by github-actions[bot]'s avatar github-actions[bot] Committed by GitHub

Merge master into staging-next

parents 956f9243 8ff900b1
+9 −10
@@ -15,6 +15,8 @@
/.github/workflows @NixOS/Security @Mic92 @zowoq
/.github/workflows/check-nix-format.yml @infinisil
/.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron
/.github/workflows/codeowners.yml @infinisil
/.github/OWNERS @infinisil
/ci @infinisil @philiptaron @NixOS/Security

# Development support
@@ -28,7 +30,7 @@
/lib/cli.nix                @infinisil @Profpatsch
/lib/debug.nix              @infinisil @Profpatsch
/lib/asserts.nix            @infinisil @Profpatsch
/lib/path.*                 @infinisil
/lib/path/*                 @infinisil
/lib/fileset                @infinisil
## Libraries / Module system
/lib/modules.nix            @infinisil @roberth
@@ -105,7 +107,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
/nixos/lib/test-driver  @tfc

# NixOS QEMU virtualisation
/nixos/virtualisation/qemu-vm.nix           @raitobezarius
/nixos/modules/virtualisation/qemu-vm.nix           @raitobezarius

# ACME
/nixos/modules/security/acme                @arianvp @flokli @aanderse @emilazy # no merge permission: @m1cr0man
@@ -170,7 +172,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
# Audio
/nixos/modules/services/audio/botamusique.nix @mweinelt
/nixos/modules/services/audio/snapserver.nix @mweinelt
/nixos/tests/modules/services/audio/botamusique.nix @mweinelt
/nixos/tests/botamusique.nix @mweinelt
/nixos/tests/snapcast.nix @mweinelt

# Browsers
@@ -204,21 +206,20 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt

# PostgreSQL and related stuff
/pkgs/servers/sql/postgresql @thoughtpolice
/nixos/modules/services/databases/postgresql.xml @thoughtpolice
/nixos/modules/services/databases/postgresql.md @thoughtpolice
/nixos/modules/services/databases/postgresql.nix @thoughtpolice
/nixos/tests/postgresql.nix @thoughtpolice

# Hardened profile & related modules
/nixos/modules/profiles/hardened.nix @joachifm
/nixos/modules/security/hidepid.nix @joachifm
/nixos/modules/security/lock-kernel-modules.nix @joachifm
/nixos/modules/security/misc.nix @joachifm
/nixos/tests/hardened.nix @joachifm
/pkgs/os-specific/linux/kernel/hardened-config.nix @joachifm
/pkgs/os-specific/linux/kernel/hardened/config.nix @joachifm

# Home Automation
/nixos/modules/services/misc/home-assistant.nix @mweinelt
/nixos/modules/services/misc/zigbee2mqtt.nix @mweinelt
/nixos/modules/services/home-automation/home-assistant.nix @mweinelt
/nixos/modules/services/home-automation/zigbee2mqtt.nix @mweinelt
/nixos/tests/home-assistant.nix @mweinelt
/nixos/tests/zigbee2mqtt.nix @mweinelt
/pkgs/servers/home-assistant @mweinelt
@@ -316,8 +317,6 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt

# nim
/pkgs/development/compilers/nim   @ehmry
/pkgs/development/nim-packages    @ehmry
/pkgs/top-level/nim-packages.nix  @ehmry

# terraform providers
/pkgs/applications/networking/cluster/terraform-providers @zowoq
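Review bot: Adding `/.github/workflows/codeowners.yml @infinisil` below the broader `/.github/workflows @NixOS/Security @Mic92 @zowoq` entry changes ownership rather than extending it: CODEOWNERS applies only the last matching pattern, so the Security team and the other workflow owners would no longer be requested for exactly the workflow that runs under `pull_request_target` with an App token. I read the `.github/workflows/codeowners.yml` and `.github/OWNERS` lines as the two additions of this hunk, which the `+15,8` count supports, but the rendered page has lost the markers. If narrowing the reviewer set is not intended, repeat the owners on the specific line: `/.github/workflows/codeowners.yml @infinisil @NixOS/Security @Mic92 @zowoq`.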

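--- /dev/null
+++ b/.github/OWNERS
@@ -0,0 +1,19 @@
+#
+# Currently unused! Use CODEOWNERS for now, see workflows/codeowners.yml
+#
+####################
+#
+# This file is used to describe who owns what in this repository.
+# Users/teams will get review requests for PRs that change their files.
+#
+# This file does not replace `meta.maintainers`
+# but is instead used for other things than derivations and modules,
+# like documentation, package sets, and other assets.
+#
+# This file uses the same syntax as the natively supported CODEOWNERS file,
+# see https://help.github.com/articles/about-codeowners/ for documentation.
+# However it comes with some notable differences:
+# - There is no need for user/team listed here to have write access.
+# - No reviews will be requested for PRs that target the wrong base branch.
+#
+# Processing of this file is implemented in workflows/codeowners.yml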
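--- /dev/null
+++ b/.github/workflows/codeowners.yml
@@ -0,0 +1,88 @@
+name: Codeowners
+
+# This workflow depends on a GitHub App with the following permissions:
+# - Repository > Administration: read-only
+# - Organization > Members: read-only
+# - Repository > Pull Requests: read-write
+# The App needs to be installed on this repository
+# the OWNER_APP_ID repository variable needs to be set
+# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
+
+on:
+  pull_request_target:
+    types: [opened, ready_for_review, synchronize, reopened, edited]
+
+env:
+  # TODO: Once confirmed that this works by seeing that the action would request
+  # reviews from the same people (or refuse for wrong base branches),
+  # move all entries from CODEOWNERS to OWNERS and change this value here
+  # OWNERS_FILE: .github/OWNERS
+  OWNERS_FILE: .github/CODEOWNERS
+  # Also remove this
+  DRY_MODE: 1
+
+jobs:
+  # Check that code owners is valid
+  check:
+    name: Check
+    runs-on: ubuntu-latest
+    steps:
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+
+    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
+    # We later build and run code from the base branch with access to secrets,
+    # so it's important this is not the PRs code.
+    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      with:
+        path: base
+
+    - name: Build codeowners validator
+      run: nix-build base/ci -A codeownersValidator
+
+    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+      id: app-token
+      with:
+        app-id: ${{ vars.OWNER_APP_ID }}
+        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+
+    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      with:
+        ref: refs/pull/${{ github.event.number }}/merge
+        path: pr
+
+    - name: Validate codeowners
+      run: result/bin/codeowners-validator
+      env:
+        OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
+        GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+        REPOSITORY_PATH: pr
+        OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
+        # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
+        EXPERIMENTAL_CHECKS: "avoid-shadowing"
+
+  # Request reviews from code owners
+  request:
+    name: Request
+    runs-on: ubuntu-latest
+    steps:
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+
+    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
+    # This is intentional, because we need to request the review of owners as declared in the base branch.
+    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+
+    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+      id: app-token
+      with:
+        app-id: ${{ vars.OWNER_APP_ID }}
+        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+
+    - name: Build review request package
+      run: nix-build ci -A requestReviews
+
+    - name: Request reviews
+      run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
+      env:
+        GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        # Don't do anything on draft PRs
+        DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}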
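Review bot: The workflow-level `DRY_MODE: 1` that the TODO relies on to keep the action dry until it is confirmed is shadowed in the `Request reviews` step by the step-level `DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}`; a step-level env takes precedence over a workflow-level one, so as I read it a non-draft PR runs `request-reviews.sh` with DRY_MODE empty, i.e. not dry. Fold the two into the step, e.g. `DRY_MODE: ${{ (github.event.pull_request.draft || env.DRY_MODE == '1') && '1' || '' }}`, or drop the step-level line until the workflow-level one is removed. Separately, the workflow declares no `permissions:` block although both jobs authenticate only through the App token; under `pull_request_target` the default GITHUB_TOKEN can carry write scope and `actions/checkout` persists it into the checked-out `.git/config`, so a top-level `permissions: {}` (or `contents: read`) together with `persist-credentials: false` on the three checkouts would hold the jobs at the privilege they actually use. The second checkout in `check` (`refs/pull/…/merge` into `pr`) has no comment stating that this tree is PR-controlled and is only read as data by the validator built from `base`, unlike the base checkout above it; add one so the distinction survives later edits.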
+31 −0
{
  buildGoModule,
  fetchFromGitHub,
  fetchpatch,
}:
buildGoModule {
  name = "codeowners-validator";
  src = fetchFromGitHub {
    owner = "mszostok";
    repo = "codeowners-validator";
    rev = "f3651e3810802a37bd965e6a9a7210728179d076";
    hash = "sha256-5aSmmRTsOuPcVLWfDF6EBz+6+/Qpbj66udAmi1CLmWQ=";
  };
  patches = [
    # https://github.com/mszostok/codeowners-validator/pull/222
    (fetchpatch {
      name = "user-write-access-check";
      url = "https://github.com/mszostok/codeowners-validator/compare/f3651e3810802a37bd965e6a9a7210728179d076...840eeb88b4da92bda3e13c838f67f6540b9e8529.patch";
      hash = "sha256-t3Dtt8SP9nbO3gBrM0nRE7+G6N/ZIaczDyVHYAG/6mU=";
    })
    # Undoes part of the above PR: We don't want to require write access
    # to the repository, that's only needed for GitHub's native CODEOWNERS.
    # Furthermore, it removes an unneccessary check from the code
    # that breaks tokens generated for GitHub Apps.
    ./permissions.patch
    # Allows setting a custom CODEOWNERS path using the OWNERS_FILE env var
    ./owners-file-name.patch
  ];
  postPatch = "rm -r docs/investigation";
  vendorHash = "sha256-R+pW3xcfpkTRqfS2ETVOwG8PZr0iH5ewroiF7u8hcYI=";
}
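Review bot: `name = "codeowners-validator"` carries no version, so the derivation name gives no hint which upstream snapshot (`rev = "f3651e38…"`) it was built from; the nixpkgs convention for an unreleased snapshot is `pname = "codeowners-validator"; version = "0-unstable-<YYYY-MM-DD of the rev>";`, which also lets tooling that parses `pname`/`version` see the package. The `fetchpatch` fetches a two-commit `compare/…` range rather than the single PR patch; it is pinned by `hash`, so the content cannot drift, but a comment naming why the range was chosen over `pull/222.patch` would help the next bump. Minor: `unneccessary` in the comment above `./permissions.patch` should read `unnecessary`.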
+15 −0
diff --git a/pkg/codeowners/owners.go b/pkg/codeowners/owners.go
index 6910bd2..e0c95e9 100644
--- a/pkg/codeowners/owners.go
+++ b/pkg/codeowners/owners.go
@@ -39,6 +39,10 @@ func NewFromPath(repoPath string) ([]Entry, error) {
 // openCodeownersFile finds a CODEOWNERS file and returns content.
 // see: https://help.github.com/articles/about-code-owners/#codeowners-file-location
 func openCodeownersFile(dir string) (io.Reader, error) {
+	if file, ok := os.LookupEnv("OWNERS_FILE"); ok {
+		return fs.Open(file)
+	}
+
 	var detectedFiles []string
 	for _, p := range []string{".", "docs", ".github"} {
 		pth := path.Join(dir, p)
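Review bot: `os.LookupEnv` reports `ok` for a variable that is set but empty, so `OWNERS_FILE=` skips the auto-detection below and falls through to `fs.Open("")`, which fails with an unhelpful error; `if file := os.Getenv("OWNERS_FILE"); file != "" {` makes the override apply only when a path is actually given. The `fs.Open` error is returned without context, so a wrong path supplied by the caller (the workflow on this page passes `pr/${{ env.OWNERS_FILE }}`) surfaces as a bare open error; wrapping it as `fmt.Errorf("opening OWNERS_FILE %q: %w", file, err)` would help, but whether `fmt` is already imported in owners.go is outside the hunk. The override also bypasses `dir` and the documented search locations, which the doc comment on `openCodeownersFile` no longer reflects; extend it with `// If OWNERS_FILE is set in the environment, that path is opened directly and the search below is skipped.`. `openCodeownersFile` continues past the end of the hunk.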