pyrox.dev / nixpkgs
lol
fork atom

workflows/check: don't check github api for owners file

This removes the "owners" check from codeowners-validator. With it, all
tokens and permissions can be removed, because these were only needed to
make these requests.

This solves the problem of codeowners-validator not supporting our new
nested team structure for nixpkgs-maintainers. To make the onboarding of
new teams easier, we moved all teams "under" the nixpkgs-maintainers
team. This makes them inherit the right privileges (triage) for Nixpkgs.

However, this inheritance is not recognized by codeowners-validator,
thus it assumes that these teams don't have access to Nixpkgs. This then
fails the owners check immediately.

Removing the owners check also has a few other advantages:
- This check depends on external state: If a user is renamed or a team
removed, the check will fail. This makes it a bad check for required
status checks or merge queues - the check might fail randomly,
independent of the current PR.
- Running this check in a fork will never work, because the respective
users and teams don't have access to the fork's repo.

Both of this required us to set `continue-on-error: true` most of the
time.

Wolfgang Walther f7d6d11e 8353fec8

options
unified split
Changed files
+4 -48
.github
workflows
check.yml
pr.yml
test.yml
ci
github-script
prepare.js
+4 -42
.github/workflows/check.yml 
···

       
12

       
12

       
 

       
      mergedSha:


     

       
13

       
13

       
 

       
        required: true


     

       
14

       
14

       
 

       
        type: string


     

       
15

       

       
-

       
      ownersCanFail:


     

       
16

       

       
-

       
        required: true


     

       
17

       

       
-

       
        type: boolean


     

       
18

       
15

       
 

       
      targetSha:


     

       
19

       
16

       
 

       
        required: true


     

       
20

       
17

       
 

       
        type: string


     

       
21

       
18

       
 

       
    secrets:


     

       
22

       
19

       
 

       
      CACHIX_AUTH_TOKEN:


     

       
23

       

       
-

       
        required: true


     

       
24

       

       
-

       
      OWNER_RO_APP_PRIVATE_KEY:


     

       
25

       
20

       
 

       
        required: true


     

       
26

       
21

       
 

       



     

       
27

       
22

       
 

       
permissions: {}


     
···

       
72

       
67

       
 

       
          GH_TOKEN: ${{ github.token }}


     

       
73

       
68

       
 

       
        run: gh api /rate_limit | jq


     

       
74

       
69

       
 

       



     

       
75

       

       
-

       
  # For checking code owners, this job depends on a GitHub App with the following permissions:


     

       
76

       

       
-

       
  # - Permissions:


     

       
77

       

       
-

       
  #   - Repository > Administration: read-only


     

       
78

       

       
-

       
  #   - Organization > Members: read-only


     

       
79

       

       
-

       
  # - Install App on this repository, setting these variables:


     

       
80

       

       
-

       
  #   - OWNER_RO_APP_ID (variable)


     

       
81

       

       
-

       
  #   - OWNER_RO_APP_PRIVATE_KEY (secret)


     

       
82

       

       
-

       
  #


     

       
83

       

       
-

       
  # This should not use the same app as the job to request reviewers, because this job requires


     

       
84

       

       
-

       
  # handling untrusted PR input.


     

       
85

       
70

       
 

       
  owners:


     

       
86

       
71

       
 

       
    runs-on: ubuntu-24.04-arm


     

       
87

       

       
-

       
    continue-on-error: ${{ inputs.ownersCanFail }}


     

       
88

       
72

       
 

       
    timeout-minutes: 5


     

       
89

       
73

       
 

       
    steps:


     

       
90

       
74

       
 

       
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0


     
···

       
94

       
78

       
 

       
        uses: ./.github/actions/checkout


     

       
95

       
79

       
 

       
        with:


     

       
96

       
80

       
 

       
          merged-as-untrusted-at: ${{ inputs.mergedSha }}


     

       
97

       

       
-

       
          target-as-trusted-at: ${{ inputs.targetSha }}


     

       
98

       
81

       
 

       



     

       
99

       
82

       
 

       
      - uses: cachix/install-nix-action@a809471b5c7c913aa67bec8f459a11a0decc3fce # v31


     

       
100

       
83

       
 

       



     
···

       
107

       
90

       
 

       
          pushFilter: -source$


     

       
108

       
91

       
 

       



     

       
109

       
92

       
 

       
      - name: Build codeowners validator


     

       
110

       

       
-

       
        run: nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A codeownersValidator


     

       
111

       

       
-

       



     

       
112

       

       
-

       
      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4


     

       
113

       

       
-

       
        if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID


     

       
114

       

       
-

       
        id: app-token


     

       
115

       

       
-

       
        with:


     

       
116

       

       
-

       
          app-id: ${{ vars.OWNER_RO_APP_ID }}


     

       
117

       

       
-

       
          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}


     

       
118

       

       
-

       
          permission-administration: read


     

       
119

       

       
-

       
          permission-members: read


     

       
120

       

       
-

       



     

       
121

       

       
-

       
      - name: Log current API rate limits


     

       
122

       

       
-

       
        if: steps.app-token.outputs.token


     

       
123

       

       
-

       
        env:


     

       
124

       

       
-

       
          GH_TOKEN: ${{ steps.app-token.outputs.token }}


     

       
125

       

       
-

       
        run: gh api /rate_limit | jq


     

       

       
93

       
+

       
        run: nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A codeownersValidator


     

       
126

       
94

       
 

       



     

       
127

       
95

       
 

       
      - name: Validate codeowners


     

       
128

       

       
-

       
        if: steps.app-token.outputs.token


     

       
129

       
96

       
 

       
        env:


     

       
130

       
97

       
 

       
          OWNERS_FILE: nixpkgs/untrusted/ci/OWNERS


     

       
131

       

       
-

       
          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}


     

       
132

       
98

       
 

       
          REPOSITORY_PATH: nixpkgs/untrusted


     

       
133

       

       
-

       
          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}


     

       

       
99

       
+

       
          # Omits "owners", which checks whether GitHub handles exist, but fails with nested team


     

       

       
100

       
+

       
          # structures.


     

       

       
101

       
+

       
          CHECKS: "duppatterns,files,syntax"


     

       
134

       
102

       
 

       
          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody


     

       
135

       
103

       
 

       
          EXPERIMENTAL_CHECKS: "avoid-shadowing"


     

       
136

       
104

       
 

       
        run: result/bin/codeowners-validator


     

       
137

       

       
-

       



     

       
138

       

       
-

       
      - name: Log current API rate limits


     

       
139

       

       
-

       
        if: steps.app-token.outputs.token


     

       
140

       

       
-

       
        env:


     

       
141

       

       
-

       
          GH_TOKEN: ${{ steps.app-token.outputs.token }}


     

       
142

       

       
-

       
        run: gh api /rate_limit | jq
-4
.github/workflows/pr.yml 
···

       
11

       
11

       
 

       
      OWNER_APP_PRIVATE_KEY:


     

       
12

       
12

       
 

       
        # The Test workflow should not actually request reviews from owners.


     

       
13

       
13

       
 

       
        required: false


     

       
14

       

       
-

       
      OWNER_RO_APP_PRIVATE_KEY:


     

       
15

       

       
-

       
        required: true


     

       
16

       
14

       
 

       



     

       
17

       
15

       
 

       
concurrency:


     

       
18

       
16

       
 

       
  group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}


     
···

       
59

       
57

       
 

       
      pull-requests: write


     

       
60

       
58

       
 

       
    secrets:


     

       
61

       
59

       
 

       
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}


     

       
62

       

       
-

       
      OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}


     

       
63

       
60

       
 

       
    with:


     

       
64

       
61

       
 

       
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}


     

       
65

       
62

       
 

       
      headBranch: ${{ needs.prepare.outputs.headBranch }}


     

       
66

       
63

       
 

       
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}


     

       
67

       
64

       
 

       
      targetSha: ${{ needs.prepare.outputs.targetSha }}


     

       
68

       

       
-

       
      ownersCanFail: ${{ !contains(fromJSON(needs.prepare.outputs.touched), 'owners') }}


     

       
69

       
65

       
 

       



     

       
70

       
66

       
 

       
  lint:


     

       
71

       
67

       
 

       
    name: Lint
-1
.github/workflows/test.yml 
···

       
98

       
98

       
 

       
    secrets:


     

       
99

       
99

       
 

       
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}


     

       
100

       
100

       
 

       
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}


     

       
101

       

       
-

       
      OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}


     

       
102

       
101

       
 

       



     

       
103

       
102

       
 

       
  push:


     

       
104

       
103

       
 

       
    if: needs.prepare.outputs.push
-1
ci/github-script/prepare.js 
···

       
221

       
221

       
 

       



     

       
222

       
222

       
 

       
    const touched = []


     

       
223

       
223

       
 

       
    if (files.includes('ci/pinned.json')) touched.push('pinned')


     

       
224

       

       
-

       
    if (files.includes('ci/OWNERS')) touched.push('owners')


     

       
225

       
224

       
 

       
    core.setOutput('touched', touched)


     

       
226

       
225

       
 

       



     

       
227

       
226

       
 

       
    return