pyrox.dev / nixpkgs
lol
fork atom

ci: Add codeowners validator

Silvan Mosberger 5695bf6c 369cfa02

options
unified split
Changed files
+83
ci
codeowners-validator
default.nix
owners-file-name.patch
permissions.patch
default.nix
+31
ci/codeowners-validator/default.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  buildGoModule,


     

       

       
3

       
+

       
  fetchFromGitHub,


     

       

       
4

       
+

       
  fetchpatch,


     

       

       
5

       
+

       
}:


     

       

       
6

       
+

       
buildGoModule {


     

       

       
7

       
+

       
  name = "codeowners-validator";


     

       

       
8

       
+

       
  src = fetchFromGitHub {


     

       

       
9

       
+

       
    owner = "mszostok";


     

       

       
10

       
+

       
    repo = "codeowners-validator";


     

       

       
11

       
+

       
    rev = "f3651e3810802a37bd965e6a9a7210728179d076";


     

       

       
12

       
+

       
    hash = "sha256-5aSmmRTsOuPcVLWfDF6EBz+6+/Qpbj66udAmi1CLmWQ=";


     

       

       
13

       
+

       
  };


     

       

       
14

       
+

       
  patches = [


     

       

       
15

       
+

       
    # https://github.com/mszostok/codeowners-validator/pull/222


     

       

       
16

       
+

       
    (fetchpatch {


     

       

       
17

       
+

       
      name = "user-write-access-check";


     

       

       
18

       
+

       
      url = "https://github.com/mszostok/codeowners-validator/compare/f3651e3810802a37bd965e6a9a7210728179d076...840eeb88b4da92bda3e13c838f67f6540b9e8529.patch";


     

       

       
19

       
+

       
      hash = "sha256-t3Dtt8SP9nbO3gBrM0nRE7+G6N/ZIaczDyVHYAG/6mU=";


     

       

       
20

       
+

       
    })


     

       

       
21

       
+

       
    # Undoes part of the above PR: We don't want to require write access


     

       

       
22

       
+

       
    # to the repository, that's only needed for GitHub's native CODEOWNERS.


     

       

       
23

       
+

       
    # Furthermore, it removes an unneccessary check from the code


     

       

       
24

       
+

       
    # that breaks tokens generated for GitHub Apps.


     

       

       
25

       
+

       
    ./permissions.patch


     

       

       
26

       
+

       
    # Allows setting a custom CODEOWNERS path using the OWNERS_FILE env var


     

       

       
27

       
+

       
    ./owners-file-name.patch


     

       

       
28

       
+

       
  ];


     

       

       
29

       
+

       
  postPatch = "rm -r docs/investigation";


     

       

       
30

       
+

       
  vendorHash = "sha256-R+pW3xcfpkTRqfS2ETVOwG8PZr0iH5ewroiF7u8hcYI=";


     

       

       
31

       
+

       
}
+15
ci/codeowners-validator/owners-file-name.patch 
···

       

       
1

       
+

       
diff --git a/pkg/codeowners/owners.go b/pkg/codeowners/owners.go


     

       

       
2

       
+

       
index 6910bd2..e0c95e9 100644


     

       

       
3

       
+

       
--- a/pkg/codeowners/owners.go


     

       

       
4

       
+

       
+++ b/pkg/codeowners/owners.go


     

       

       
5

       
+

       
@@ -39,6 +39,10 @@ func NewFromPath(repoPath string) ([]Entry, error) {


     

       

       
6

       
+

       
 // openCodeownersFile finds a CODEOWNERS file and returns content.


     

       

       
7

       
+

       
 // see: https://help.github.com/articles/about-code-owners/#codeowners-file-location


     

       

       
8

       
+

       
 func openCodeownersFile(dir string) (io.Reader, error) {


     

       

       
9

       
+

       
+	if file, ok := os.LookupEnv("OWNERS_FILE"); ok {


     

       

       
10

       
+

       
+		return fs.Open(file)


     

       

       
11

       
+

       
+	}


     

       

       
12

       
+

       
+


     

       

       
13

       
+

       
 	var detectedFiles []string


     

       

       
14

       
+

       
 	for _, p := range []string{".", "docs", ".github"} {


     

       

       
15

       
+

       
 		pth := path.Join(dir, p)
+36
ci/codeowners-validator/permissions.patch 
···

       

       
1

       
+

       
diff --git a/internal/check/valid_owner.go b/internal/check/valid_owner.go


     

       

       
2

       
+

       
index a264bcc..610eda8 100644


     

       

       
3

       
+

       
--- a/internal/check/valid_owner.go


     

       

       
4

       
+

       
+++ b/internal/check/valid_owner.go


     

       

       
5

       
+

       
@@ -16,7 +16,6 @@ import (


     

       

       
6

       
+

       
 const scopeHeader = "X-OAuth-Scopes"


     

       

       
7

       
+

       
 


     

       

       
8

       
+

       
 var reqScopes = map[github.Scope]struct{}{


     

       

       
9

       
+

       
-	github.ScopeReadOrg: {},


     

       

       
10

       
+

       
 }


     

       

       
11

       
+

       
 


     

       

       
12

       
+

       
 type ValidOwnerConfig struct {


     

       

       
13

       
+

       
@@ -223,10 +222,7 @@ func (v *ValidOwner) validateTeam(ctx context.Context, name string) *validateErr


     

       

       
14

       
+

       
 	for _, t := range v.repoTeams {


     

       

       
15

       
+

       
 		// GitHub normalizes name before comparison


     

       

       
16

       
+

       
 		if strings.EqualFold(t.GetSlug(), team) {


     

       

       
17

       
+

       
-			if t.Permissions["push"] {


     

       

       
18

       
+

       
-				return nil


     

       

       
19

       
+

       
-			}


     

       

       
20

       
+

       
-			return newValidateError("Team %q cannot review PRs on %q as neither it nor any parent team has write permissions.", team, v.orgRepoName)


     

       

       
21

       
+

       
+			return nil


     

       

       
22

       
+

       
 		}


     

       

       
23

       
+

       
 	}


     

       

       
24

       
+

       
 


     

       

       
25

       
+

       
@@ -245,10 +241,7 @@ func (v *ValidOwner) validateGitHubUser(ctx context.Context, name string) *valid


     

       

       
26

       
+

       
 	for _, u := range v.repoUsers {


     

       

       
27

       
+

       
 		// GitHub normalizes name before comparison


     

       

       
28

       
+

       
 		if strings.EqualFold(u.GetLogin(), userName) {


     

       

       
29

       
+

       
-			if u.Permissions["push"] {


     

       

       
30

       
+

       
-				return nil


     

       

       
31

       
+

       
-			}


     

       

       
32

       
+

       
-			return newValidateError("User %q cannot review PRs on %q as they don't have write permissions.", userName, v.orgRepoName)


     

       

       
33

       
+

       
+			return nil


     

       

       
34

       
+

       
 		}


     

       

       
35

       
+

       
 	}


     

       

       
36

       
+
+1
ci/default.nix 
···

       
25

       
25

       
 

       
{


     

       
26

       
26

       
 

       
  inherit pkgs;


     

       
27

       
27

       
 

       
  requestReviews = pkgs.callPackage ./request-reviews { };


     

       

       
28

       
+

       
  codeownersValidator = pkgs.callPackage ./codeowners-validator { };


     

       
28

       
29

       
 

       
}