[Backport release-25.05] workflows/codeowners: move into PR workflow

.github/workflows/check.yml

@@ -9,6 +9,17 @@ on:
       headBranch:
         required: true
         type: string
+      mergedSha:
+        required: true
+        type: string
+      targetSha:
+        required: true
+        type: string
+    secrets:
+      CACHIX_AUTH_TOKEN:
+        required: true
+      OWNER_RO_APP_PRIVATE_KEY:
+        required: true
 
 permissions: {}
 
@@ -70,3 +81,72 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
         run: gh api /rate_limit | jq
+
+  # For checking code owners, this job depends on a GitHub App with the following permissions:
+  # - Permissions:
+  #   - Repository > Administration: read-only
+  #   - Organization > Members: read-only
+  # - Install App on this repository, setting these variables:
+  #   - OWNER_RO_APP_ID (variable)
+  #   - OWNER_RO_APP_PRIVATE_KEY (secret)
+  #
+  # This should not use the same app as the job to request reviewers, because this job requires
+  # handling untrusted PR input.
+  owners:
+    runs-on: ubuntu-24.04-arm
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          sparse-checkout: .github/actions
+      - name: Check if the PR can be merged and checkout the merge and target commits
+        uses: ./.github/actions/get-merge-commit
+        with:
+          mergedSha: ${{ inputs.mergedSha }}
+          merged-as-untrusted: true
+          pinnedFrom: trusted
+          targetSha: ${{ inputs.targetSha }}
+          target-as-trusted: true
+
+      - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
+
+      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+        with:
+          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+          name: nixpkgs-ci
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+
+      - name: Build codeowners validator
+        run: nix-build trusted/ci --arg nixpkgs ./pinned -A codeownersValidator
+
+      - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
+        if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
+        id: app-token
+        with:
+          app-id: ${{ vars.OWNER_RO_APP_ID }}
+          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
+          permission-administration: read
+          permission-members: read
+
+      - name: Log current API rate limits
+        if: steps.app-token.outputs.token
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: gh api /rate_limit | jq
+
+      - name: Validate codeowners
+        if: steps.app-token.outputs.token
+        env:
+          OWNERS_FILE: untrusted/ci/OWNERS
+          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+          REPOSITORY_PATH: untrusted
+          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
+          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
+          EXPERIMENTAL_CHECKS: "avoid-shadowing"
+        run: result/bin/codeowners-validator
+
+      - name: Log current API rate limits
+        if: steps.app-token.outputs.token
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: gh api /rate_limit | jq

.github/workflows/pr.yml

@@ -87,9 +87,14 @@ jobs:
     permissions:
       # cherry-picks
       pull-requests: write
+    secrets:
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
     with:
       baseBranch: ${{ needs.prepare.outputs.baseBranch }}
       headBranch: ${{ needs.prepare.outputs.headBranch }}
+      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+      targetSha: ${{ needs.prepare.outputs.targetSha }}
 
   lint:
     name: Lint

.github/workflows/reviewers.yml

@@ -4,9 +4,6 @@
 name: Reviewers
 
 on:
-  pull_request:
-    paths:
-      - .github/workflows/reviewers.yml
   pull_request_target:
     types: [ready_for_review]
   workflow_call:
@@ -41,8 +38,16 @@ jobs:
       - name: Build the requestReviews derivation
         run: nix-build trusted/ci -A requestReviews
 
-      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
-      # Can't use the token received from permissions above, because it can't get enough permissions
+      # For requesting reviewers, this job depends on a GitHub App with the following permissions:
+      # - Permissions:
+      #   - Repository > Administration: read-only
+      #   - Organization > Members: read-only
+      #   - Repository > Pull Requests: read-write
+      # - Install App on this repository, setting these variables:
+      #   - OWNER_APP_ID (variable)
+      #   - OWNER_APP_PRIVATE_KEY (secret)
+      #
+      # Can't use the token received from permissions above, because it can't get enough permissions.
       - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
         if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
         id: app-token
@@ -53,6 +58,28 @@ jobs:
           permission-members: read
           permission-pull-requests: write
 
+      - name: Log current API rate limits (app-token)
+        if: ${{ steps.app-token.outputs.token }}
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: gh api /rate_limit | jq
+
+      - name: Requesting code owner reviews
+        if: steps.app-token.outputs.token
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          REPOSITORY: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
+          # Don't do anything on draft PRs
+          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
+        run: result/bin/request-code-owner-reviews.sh "$REPOSITORY" "$NUMBER" ci/OWNERS
+
+      - name: Log current API rate limits (app-token)
+        if: ${{ steps.app-token.outputs.token }}
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: gh api /rate_limit | jq
+
       - name: Log current API rate limits (github.token)
         env:
           GH_TOKEN: ${{ github.token }}