workflows/codeowners: Dry mode for now #469
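name: Codeowners

# This workflow depends on a GitHub App with the following permissions:
# - Repository > Administration: read-only
# - Organization > Members: read-only
# - Repository > Pull Requests: read-write
# The App needs to be installed on this repository
# the OWNER_APP_ID repository variable needs to be set
# the OWNER_APP_PRIVATE_KEY repository secret needs to be set

# pull_request_target runs in the context of the base branch, with access to
# repository secrets, even for PRs opened from forks. The jobs below therefore
# only ever build and execute code from the base branch; PR content is at most
# checked out and *read* (see the comments on the checkout steps).
on:
  pull_request_target:
    types: [opened, ready_for_review, synchronize, reopened, edited]

# Every GitHub API call below goes through the App token, never GITHUB_TOKEN,
# so the workflow token only needs to read the repository for actions/checkout.
# Without this block a pull_request_target run gets a read-write GITHUB_TOKEN
# by default (unless the repository/organisation default has been restricted).
permissions:
  contents: read

env:
  # TODO: Once confirmed that this works by seeing that the action would request
  # reviews from the same people (or refuse for wrong base branches),
  # move all entries from CODEOWNERS to OWNERS, remove these two lines and uncomment the ones below
  OWNERS_FILE: .github/CODEOWNERS
  # Inherited by both jobs as a workflow-level env var. Non-empty presumably
  # makes the request job only report what it would do instead of actually
  # requesting reviews (see the TODO above).
  DRY_MODE: 1
  # OWNERS_FILE: .github/OWNERS
  # # Don't do anything on draft PRs
  # DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

jobs: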
# Check that code owners is valid | |
check: | |
name: Check | |
runs-on: ubuntu-latest | |
steps: | |
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 | |
# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself. | |
# We later build and run code from the base branch with access to secrets, | |
# so it's important this is not the PRs code. | |
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
path: base | |
- name: Build codeowners validator | |
run: nix-build base/ci -A codeownersValidator | |
- uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 | |
id: app-token | |
with: | |
app-id: ${{ vars.OWNER_APP_ID }} | |
private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} | |
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
ref: refs/pull/${{ github.event.number }}/merge | |
path: pr | |
- name: Validate codeowners | |
run: result/bin/codeowners-validator | |
env: | |
OWNERS_FILE: pr/${{ env.OWNERS_FILE }} | |
GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} | |
REPOSITORY_PATH: pr | |
OWNER_CHECKER_REPOSITORY: ${{ github.repository }} | |
# Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody | |
EXPERIMENTAL_CHECKS: "avoid-shadowing" | |
# Request reviews from code owners | |
request: | |
name: Request | |
runs-on: ubuntu-latest | |
steps: | |
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 | |
# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. | |
# This is intentional, because we need to request the review of owners as declared in the base branch. | |
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 | |
id: app-token | |
with: | |
app-id: ${{ vars.OWNER_APP_ID }} | |
private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} | |
- name: Build review request package | |
run: nix-build ci -A requestReviews | |
- name: Request reviews | |
run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE" | |
env: | |
GH_TOKEN: ${{ steps.app-token.outputs.token }} |