Unverified Commit ecf10b08 authored by Philip Taron's avatar Philip Taron Committed by GitHub
Browse files

Alternate more flexible code owners mechanism, soon to avoid mass pings (#336261)

parents f69111eb 93dcd42f

.github/CODEOWNERS

+2 −0
Original line number Diff line number Diff line
@@ -15,6 +15,8 @@ 
/.github/workflows @NixOS/Security @Mic92 @zowoq

/.github/workflows/check-nix-format.yml @infinisil

/.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron

/.github/workflows/codeowners.yml @infinisil

/.github/OWNERS @infinisil

/ci @infinisil @philiptaron @NixOS/Security



# Development support

.github/OWNERS

0 → 100644
+19 −0
Original line number Diff line number Diff line 
#

# Currently unused! Use CODEOWNERS for now, see workflows/codeowners.yml

#

####################

#

# This file is used to describe who owns what in this repository.

# Users/teams will get review requests for PRs that change their files.

#

# This file does not replace `meta.maintainers`

# but is instead used for other things than derivations and modules,

# like documentation, package sets, and other assets.

#

# This file uses the same syntax as the natively supported CODEOWNERS file,

# see https://help.github.com/articles/about-codeowners/ for documentation.

# However it comes with some notable differences:

# - There is no need for user/team listed here to have write access.

# - No reviews will be requested for PRs that target the wrong base branch.

#

# Processing of this file is implemented in workflows/codeowners.yml

.github/workflows/codeowners.yml

0 → 100644
+88 −0
Original line number Diff line number Diff line 
name: Codeowners



# This workflow depends on a GitHub App with the following permissions:

# - Repository > Administration: read-only

# - Organization > Members: read-only

# - Repository > Pull Requests: read-write

# The App needs to be installed on this repository

# the OWNER_APP_ID repository variable needs to be set

# the OWNER_APP_PRIVATE_KEY repository secret needs to be set



on:

  pull_request_target:

    types: [opened, ready_for_review, synchronize, reopened, edited]



env:

  # TODO: Once confirmed that this works by seeing that the action would request

  # reviews from the same people (or refuse for wrong base branches),

  # move all entries from CODEOWNERS to OWNERS and change this value here

  # OWNERS_FILE: .github/OWNERS

  OWNERS_FILE: .github/CODEOWNERS

  # Also remove this

  DRY_MODE: 1



jobs:

  # Check that code owners is valid

  check:

    name: Check

    runs-on: ubuntu-latest

    steps:

    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30



    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.

    # We later build and run code from the base branch with access to secrets,

    # so it's important this is not the PRs code.

    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

      with:

        path: base



    - name: Build codeowners validator

      run: nix-build base/ci -A codeownersValidator



    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0

      id: app-token

      with:

        app-id: ${{ vars.OWNER_APP_ID }}

        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}



    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

      with:

        ref: refs/pull/${{ github.event.number }}/merge

        path: pr



    - name: Validate codeowners

      run: result/bin/codeowners-validator

      env:

        OWNERS_FILE: pr/${{ env.OWNERS_FILE }}

        GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}

        REPOSITORY_PATH: pr

        OWNER_CHECKER_REPOSITORY: ${{ github.repository }}

        # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody

        EXPERIMENTAL_CHECKS: "avoid-shadowing"



  # Request reviews from code owners

  request:

    name: Request

    runs-on: ubuntu-latest

    steps:

    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30



    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.

    # This is intentional, because we need to request the review of owners as declared in the base branch.

    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0



    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0

      id: app-token

      with:

        app-id: ${{ vars.OWNER_APP_ID }}

        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}



    - name: Build review request package

      run: nix-build ci -A requestReviews



    - name: Request reviews

      run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"

      env:

        GH_TOKEN: ${{ steps.app-token.outputs.token }}

        # Don't do anything on draft PRs

        DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

ci/codeowners-validator/default.nix

0 → 100644
+31 −0
Original line number Diff line number Diff line 
{

  buildGoModule,

  fetchFromGitHub,

  fetchpatch,

}:

buildGoModule {

  name = "codeowners-validator";

  src = fetchFromGitHub {

    owner = "mszostok";

    repo = "codeowners-validator";

    rev = "f3651e3810802a37bd965e6a9a7210728179d076";

    hash = "sha256-5aSmmRTsOuPcVLWfDF6EBz+6+/Qpbj66udAmi1CLmWQ=";

  };

  patches = [

    # https://github.com/mszostok/codeowners-validator/pull/222

    (fetchpatch {

      name = "user-write-access-check";

      url = "https://github.com/mszostok/codeowners-validator/compare/f3651e3810802a37bd965e6a9a7210728179d076...840eeb88b4da92bda3e13c838f67f6540b9e8529.patch";

      hash = "sha256-t3Dtt8SP9nbO3gBrM0nRE7+G6N/ZIaczDyVHYAG/6mU=";

    })

    # Undoes part of the above PR: We don't want to require write access

    # to the repository, that's only needed for GitHub's native CODEOWNERS.

    # Furthermore, it removes an unneccessary check from the code

    # that breaks tokens generated for GitHub Apps.

    ./permissions.patch

    # Allows setting a custom CODEOWNERS path using the OWNERS_FILE env var

    ./owners-file-name.patch

  ];

  postPatch = "rm -r docs/investigation";

  vendorHash = "sha256-R+pW3xcfpkTRqfS2ETVOwG8PZr0iH5ewroiF7u8hcYI=";

}

ci/codeowners-validator/owners-file-name.patch

0 → 100644
+15 −0
Original line number Diff line number Diff line 
diff --git a/pkg/codeowners/owners.go b/pkg/codeowners/owners.go

index 6910bd2..e0c95e9 100644

--- a/pkg/codeowners/owners.go

+++ b/pkg/codeowners/owners.go

@@ -39,6 +39,10 @@ func NewFromPath(repoPath string) ([]Entry, error) {

 // openCodeownersFile finds a CODEOWNERS file and returns content.

 // see: https://help.github.com/articles/about-code-owners/#codeowners-file-location

 func openCodeownersFile(dir string) (io.Reader, error) {

+	if file, ok := os.LookupEnv("OWNERS_FILE"); ok {

+		return fs.Open(file)

+	}

+

 	var detectedFiles []string

 	for _, p := range []string{".", "docs", ".github"} {

 		pth := path.Join(dir, p)