workflows/codeowners: init

.github/CODEOWNERS

@@ -15,6 +15,7 @@
 /.github/workflows @NixOS/Security @Mic92 @zowoq
 /.github/workflows/check-nix-format.yml @infinisil
 /.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron
+/.github/workflows/codeowners.yml @infinisil
 /ci @infinisil @philiptaron @NixOS/Security
 
 # Development support

.github/workflows/codeowners.yml

@@ -0,0 +1,88 @@
+name: Codeowners
+
+# This workflow depends on a GitHub App with the following permissions:
+# - Repository > Administration: read-only
+# - Organization > Members: read-only
+# - Repository > Pull Requests: read-write
+# The App needs to be installed on this repository
+# the OWNER_APP_ID repository variable needs to be set
+# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
+
+on:
+  pull_request_target:
+    types: [opened, ready_for_review, synchronize, reopened, edited]
+
+env:
+  # TODO: Once confirmed that this works by seeing that the action would request
+  # reviews from the same people (or refuse for wrong base branches),
+  # move all entries from CODEOWNERS to OWNERS and change this value here
+  # OWNERS_FILE: .github/OWNERS
+  OWNERS_FILE: .github/CODEOWNERS
+  # Also remove this
+  DRY_MODE: 1
+
+jobs:
+  # Check that code owners is valid
+  check:
+    name: Check
+    runs-on: ubuntu-latest
+    steps:
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+
+    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
+    # We later build and run code from the base branch with access to secrets,
+    # so it's important this is not the PRs code.
+    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      with:
+        path: base
+
+    - name: Build codeowners validator
+      run: nix-build base/ci -A codeownersValidator
+
+    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+      id: app-token
+      with:
+        app-id: ${{ vars.OWNER_APP_ID }}
+        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+
+    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      with:
+        ref: refs/pull/${{ github.event.number }}/merge
+        path: pr
+
+    - name: Validate codeowners
+      run: result/bin/codeowners-validator
+      env:
+        OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
+        GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+        REPOSITORY_PATH: pr
+        OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
+        # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
+        EXPERIMENTAL_CHECKS: "avoid-shadowing"
+
+  # Request reviews from code owners
+  request:
+    name: Request
+    runs-on: ubuntu-latest
+    steps:
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+
+    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
+    # This is intentional, because we need to request the review of owners as declared in the base branch.
+    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+
+    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+      id: app-token
+      with:
+        app-id: ${{ vars.OWNER_APP_ID }}
+        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+
+    - name: Build review request package
+      run: nix-build ci -A requestReviews
+
+    - name: Request reviews
+      run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
+      env:
+        GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        # Don't do anything on draft PRs
+        DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}