nixpkgs/.github/workflows/codeowners-v2.yml at 7f4dd7e2ff0e4be10a549db6241b7fb253ff7b04 · NixOS/nixpkgs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
name: Codeowners v2

on:
  pull_request:
    paths:
      - .github/workflows/codeowners-v2.yml
  pull_request_target:
    types: [opened, ready_for_review, synchronize, reopened]

concurrency:
  group: codeowners-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

permissions: {}

defaults:
  run:
    shell: bash

jobs:
  # Request reviews from code owners
  # For requesting code owners, this job depends on a GitHub App with the following permissions:
  # - Permissions:
  #   - Repository > Administration: read-only
  #   - Organization > Members: read-only
  #   - Repository > Pull Requests: read-write
  # - Install App on this repository, setting these variables:
  #   - OWNER_APP_ID (variable)
  #   - OWNER_APP_PRIVATE_KEY (secret)
  #
  # Note that this app is also used for ./eval.yml requesting reviewers.
  request:
    name: Request
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 5
    steps:
      - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
      # This is intentional, because we need to request the review of owners as declared in the base branch.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          path: trusted

      - name: Build review request package
        run: nix-build trusted/ci -A requestReviews

      - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
        if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_APP_ID }}
          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read
          permission-pull-requests: write

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Request reviews
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          # Don't do anything on draft PRs
          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
        run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} ci/OWNERS

      - name: Log current API rate limits
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq