nixpkgs/.github/workflows/codeowners-v2.yml

name: Codeowners v2

# This workflow depends on two GitHub Apps with the following permissions:
# - For checking code owners:
#   - Permissions:
#     - Repository > Administration: read-only
#     - Organization > Members: read-only
#   - Install App on this repository, setting these variables:
#     - OWNER_RO_APP_ID (variable)
#     - OWNER_RO_APP_PRIVATE_KEY (secret)
# - For requesting code owners:
#   - Permissions:
#     - Repository > Administration: read-only
#     - Organization > Members: read-only
#     - Repository > Pull Requests: read-write
#   - Install App on this repository, setting these variables:
#     - OWNER_APP_ID (variable)
#     - OWNER_APP_PRIVATE_KEY (secret)
#
# This split is done because checking code owners requires handling untrusted PR input,
# while requesting code owners requires PR write access, and those shouldn't be mixed.

on:
  pull_request_target:
    types: [opened, ready_for_review, synchronize, reopened, edited]

# We don't need any default GitHub token
permissions: {}

env:
  OWNERS_FILE: ci/OWNERS
  # Don't do anything on draft PRs
  DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

jobs:
  # Check that code owners is valid
  check:
    name: Check
    runs-on: ubuntu-latest
    steps:
    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30

    - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
      if: github.repository_owner == 'NixOS'
      with:
        # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
        name: nixpkgs-ci
        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
    # We later build and run code from the base branch with access to secrets,
    # so it's important this is not the PRs code.
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        path: base

    - name: Build codeowners validator
      run: nix-build base/ci -A codeownersValidator

    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
      id: app-token
      with:
        app-id: ${{ vars.OWNER_RO_APP_ID }}
        private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}

    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        ref: refs/pull/${{ github.event.number }}/merge
        path: pr

    - name: Validate codeowners
      run: result/bin/codeowners-validator
      env:
        OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
        GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
        REPOSITORY_PATH: pr
        OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
        # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
        EXPERIMENTAL_CHECKS: "avoid-shadowing"

  # Request reviews from code owners
  request:
    name: Request
    runs-on: ubuntu-latest
    steps:
    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30

    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
    # This is intentional, because we need to request the review of owners as declared in the base branch.
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
      id: app-token
      with:
        app-id: ${{ vars.OWNER_APP_ID }}
        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}

    - name: Build review request package
      run: nix-build ci -A requestReviews

    - name: Request reviews
      run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
      env:
        GH_TOKEN: ${{ steps.app-token.outputs.token }}