Unverified Commit c51fabfd authored by Wolfgang Walther's avatar Wolfgang Walther Committed by GitHub

workflows/codeowners: move into PR workflow (#434555)

parents 91d1792e ddf81dea
+80 −0
@@ -9,6 +9,17 @@ on:
      headBranch:
        required: true
        type: string
      mergedSha:
        required: true
        type: string
      targetSha:
        required: true
        type: string
    secrets:
      CACHIX_AUTH_TOKEN:
        required: true
      OWNER_RO_APP_PRIVATE_KEY:
        required: true

permissions: {}

@@ -70,3 +81,72 @@ jobs:
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq

  # For checking code owners, this job depends on a GitHub App with the following permissions:
  # - Permissions:
  #   - Repository > Administration: read-only
  #   - Organization > Members: read-only
  # - Install App on this repository, setting these variables:
  #   - OWNER_RO_APP_ID (variable)
  #   - OWNER_RO_APP_PRIVATE_KEY (secret)
  #
  # This should not use the same app as the job to request reviewers, because this job requires
  # handling untrusted PR input.
  owners:
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          sparse-checkout: .github/actions
      - name: Check if the PR can be merged and checkout the merge and target commits
        uses: ./.github/actions/get-merge-commit
        with:
          mergedSha: ${{ inputs.mergedSha }}
          merged-as-untrusted: true
          pinnedFrom: trusted
          targetSha: ${{ inputs.targetSha }}
          target-as-trusted: true

      - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
          name: nixpkgs-ci
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      - name: Build codeowners validator
        run: nix-build trusted/ci --arg nixpkgs ./pinned -A codeownersValidator

      - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
        if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_RO_APP_ID }}
          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Validate codeowners
        if: steps.app-token.outputs.token
        env:
          OWNERS_FILE: untrusted/ci/OWNERS
          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY_PATH: untrusted
          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
          EXPERIMENTAL_CHECKS: "avoid-shadowing"
        run: result/bin/codeowners-validator

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq
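Review bot: The `secrets:` block declares `OWNER_RO_APP_PRIVATE_KEY` as `required: true`, yet the `create-github-app-token` step is gated on `vars.OWNER_RO_APP_ID`, which reads as an opt-in for repositories or forks that have not installed the app; with `required: true` a caller that has no such secret configured may fail at call time instead of skipping the step (this depends on how GitHub treats an unset required secret — worth confirming), so `required: false` would match the step's `if:` if opt-in is the intent. `OWNERS_FILE: untrusted/ci/OWNERS` now hardcodes the path that the deleted workflow derived from a shared `env.OWNERS_FILE`; a one-line comment next to the token-bearing step, `# OWNERS comes from the untrusted PR head: it is validated only, never used to grant anything`, would make the trust boundary explicit where it matters. The `on: workflow_call:` block these inputs belong to begins outside the hunk.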
+0 −151
# This workflow depends on two GitHub Apps with the following permissions:
# - For checking code owners:
#   - Permissions:
#     - Repository > Administration: read-only
#     - Organization > Members: read-only
#   - Install App on this repository, setting these variables:
#     - OWNER_RO_APP_ID (variable)
#     - OWNER_RO_APP_PRIVATE_KEY (secret)
# - For requesting code owners:
#   - Permissions:
#     - Repository > Administration: read-only
#     - Organization > Members: read-only
#     - Repository > Pull Requests: read-write
#   - Install App on this repository, setting these variables:
#     - OWNER_APP_ID (variable)
#     - OWNER_APP_PRIVATE_KEY (secret)
#
# This split is done because checking code owners requires handling untrusted PR input,
# while requesting code owners requires PR write access, and those shouldn't be mixed.
#
# Note that the latter is also used for ./eval.yml requesting reviewers.

name: Codeowners v2

on:
  pull_request:
    paths:
      - .github/workflows/codeowners-v2.yml
  pull_request_target:
    types: [opened, ready_for_review, synchronize, reopened]

concurrency:
  group: codeowners-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

permissions: {}

defaults:
  run:
    shell: bash

env:
  OWNERS_FILE: ci/OWNERS
  # Don't do anything on draft PRs
  DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

jobs:
  # Check that code owners is valid
  check:
    name: Check
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          sparse-checkout: |
            .github/actions
            ci/github-script
      - name: Check if the PR can be merged and checkout the merge and target commits
        uses: ./.github/actions/get-merge-commit
        with:
          merged-as-untrusted: true
          target-as-trusted: true

      - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
          name: nixpkgs-ci
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      - name: Build codeowners validator
        run: nix-build trusted/ci -A codeownersValidator

      - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
        if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_RO_APP_ID }}
          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Validate codeowners
        if: steps.app-token.outputs.token
        env:
          OWNERS_FILE: untrusted/${{ env.OWNERS_FILE }}
          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY_PATH: untrusted
          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
          EXPERIMENTAL_CHECKS: "avoid-shadowing"
        run: result/bin/codeowners-validator

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

  # Request reviews from code owners
  request:
    name: Request
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 5
    steps:
      - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
      # This is intentional, because we need to request the review of owners as declared in the base branch.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          path: trusted

      - name: Build review request package
        run: nix-build trusted/ci -A requestReviews

      - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
        if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_APP_ID }}
          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read
          permission-pull-requests: write

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Request reviews
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq
+5 −0
@@ -87,9 +87,14 @@ jobs:
    permissions:
      # cherry-picks
      pull-requests: write
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
      OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      headBranch: ${{ needs.prepare.outputs.headBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  lint:
    name: Lint
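Review bot: The two secrets are passed explicitly rather than via `secrets: inherit`, which is the right choice for a called workflow that by its own comments handles untrusted PR input, but nothing here records which job consumes `OWNER_RO_APP_PRIVATE_KEY` or that it must remain a read-only app distinct from the reviewer-request app; a comment above the secret such as `# read-only app for the codeowners check; keep separate from OWNER_APP_PRIVATE_KEY (PR write)` would preserve that constraint for future edits. This job also carries `pull-requests: write` for cherry-picks, so it appears to be the `permissions: {}` in the called workflow that keeps the owners job's GITHUB_TOKEN unprivileged — worth stating inline so the two files are not edited independently. The enclosing job definition starts outside the hunk.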
+32 −5
@@ -4,9 +4,6 @@
name: Reviewers

on:
  pull_request:
    paths:
      - .github/workflows/reviewers.yml
  pull_request_target:
    types: [ready_for_review]
  workflow_call:
@@ -41,8 +38,16 @@ jobs:
      - name: Build the requestReviews derivation
        run: nix-build trusted/ci -A requestReviews

      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
      # Can't use the token received from permissions above, because it can't get enough permissions
      # For requesting reviewers, this job depends on a GitHub App with the following permissions:
      # - Permissions:
      #   - Repository > Administration: read-only
      #   - Organization > Members: read-only
      #   - Repository > Pull Requests: read-write
      # - Install App on this repository, setting these variables:
      #   - OWNER_APP_ID (variable)
      #   - OWNER_APP_PRIVATE_KEY (secret)
      #
      # Can't use the token received from permissions above, because it can't get enough permissions.
      - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
        if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
        id: app-token
@@ -53,6 +58,28 @@ jobs:
          permission-members: read
          permission-pull-requests: write

      - name: Log current API rate limits (app-token)
        if: ${{ steps.app-token.outputs.token }}
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Requesting code owner reviews
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY: ${{ github.repository }}
          NUMBER: ${{ github.event.number }}
          # Don't do anything on draft PRs
          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
        run: result/bin/request-code-owner-reviews.sh "$REPOSITORY" "$NUMBER" ci/OWNERS

      - name: Log current API rate limits (app-token)
        if: ${{ steps.app-token.outputs.token }}
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Log current API rate limits (github.token)
        env:
          GH_TOKEN: ${{ github.token }}
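Review bot: The new `Requesting code owner reviews` step routes `github.repository` and `github.event.number` through `env` and quotes them in the command, which avoids expanding event data directly into the shell line as the deleted workflow did; that rationale deserves a comment so the pattern survives later edits, e.g. `# Event data goes through env, not ${{ }} inside run:, so the shell never parses it`. The two rate-limit steps use `if: ${{ steps.app-token.outputs.token }}` while the request step uses the bare `if: steps.app-token.outputs.token`; both evaluate as expressions, so one form should be used throughout the job. The trailing `Log current API rate limits (github.token)` step continues past the end of the hunk.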