Use GitHub App for codeowner validation and remove hacky script #27
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
# We use pull_request_target such that the code owner validation works for PRs from forks, | |
# because we need repository secrets for that, which pull_request wouldn't allow from forks. | |
# However, it's very important that we don't run code from forks without sandboxing it, | |
# because that way anybody could potentially extract repository secrets! | |
# Furthermore, using pull_request_target doesn't require manually approving first-time contributors | |
pull_request_target: | |
jobs: | |
xrefcheck: | |
name: Check references | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
path: untrusted-pr | |
- uses: serokell/xrefcheck-action@v1 | |
with: | |
xrefcheck-args: "--root untrusted-pr" | |
codeowners: | |
name: Validate codeowners | |
runs-on: ubuntu-latest | |
steps: | |
- uses: cachix/install-nix-action@v26 | |
- uses: actions/checkout@v4 | |
with: | |
path: trusted-base | |
- name: Build codeowners validator | |
# We run the result of this with access to secrets later, so it's important to trust this! | |
run: nix-build trusted-base -A packages.codeowners-validator | |
- uses: actions/checkout@v4 | |
with: | |
ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
path: untrusted-pr | |
- name: Validate codeowners | |
run: result/bin/codeowners-validator | |
env: | |
# See https://github.com/mszostok/codeowners-validator/blob/main/docs/gh-auth.md#public-repositories | |
# And https://github.com/mszostok/codeowners-validator/pull/222#issuecomment-2079521185 | |
GITHUB_APP_ID: ${{ secrets.APP_ID }} | |
GITHUB_APP_INSTALLATION_ID: ${{ secrets.APP_INSTALLATION_ID }} | |
GITHUB_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} | |
REPOSITORY_PATH: untrusted-pr | |
OWNER_CHECKER_REPOSITORY: ${{ github.repository }} | |
EXPERIMENTAL_CHECKS: "notowned,avoid-shadowing" | |
OWNER_CHECKER_ALLOW_UNOWNED_PATTERNS: "false" | |
OWNER_CHECKER_OWNERS_MUST_BE_TEAMS: "false" |