Test codeowners validation #14
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
# We use pull_request_target such that the code owner validation works for PRs from forks, | |
# because we need repository secrets for that, which pull_request wouldn't allow from forks. | |
# However, it's very important that we don't run code from forks without sandboxing it, | |
# because that way anybody could potentially extract repository secrets! | |
# Furthermore, using pull_request_target doesn't require manually approving first-time contributors | |
pull_request_target: | |
jobs: | |
xrefcheck: | |
name: Check references | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
path: untrusted-pr | |
- uses: serokell/xrefcheck-action@v1 | |
with: | |
xrefcheck-args: "--root untrusted-pr" | |
codeowners: | |
name: Validate codeowners | |
runs-on: ubuntu-latest | |
steps: | |
- uses: cachix/install-nix-action@v26 | |
with: | |
nix_path: nixpkgs=channel:nixos-unstable | |
- uses: actions/checkout@v4 | |
with: | |
path: trusted-base | |
- uses: actions/checkout@v4 | |
with: | |
ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
path: untrusted-pr | |
- uses: mszostok/[email protected] | |
with: | |
# GitHub access token is required only if the `owners` check is enabled | |
# See https://github.com/mszostok/codeowners-validator/blob/main/docs/gh-auth.md#public-repositories | |
github_access_token: "${{ secrets.OWNERS_VALIDATOR_GITHUB_SECRET }}" | |
# The repository path in which CODEOWNERS file should be validated." | |
repository_path: untrusted-pr | |
# The owner and repository name. For example, gh-codeowners/codeowners-samples. Used to check if GitHub team is in the given organization and has permission to the given repository." | |
owner_checker_repository: "${{ github.repository }}" | |
# "The comma-separated list of experimental checks that should be executed. By default, all experimental checks are turned off. Possible values: notowned,avoid-shadowing" | |
experimental_checks: "notowned,avoid-shadowing" | |
# Specifies whether CODEOWNERS may have unowned files. For example, `/infra/oncall-rotator/oncall-config.yml` doesn't have owner and this is not reported. | |
owner_checker_allow_unowned_patterns: "false" | |
# Specifies whether only teams are allowed as owners of files. | |
owner_checker_owners_must_be_teams: "false" | |
# The above validator doesn't currently ensure that people have write access: https://github.com/mszostok/codeowners-validator/issues/157 | |
# So we're doing it manually instead | |
- name: Check that codeowners have write access | |
# Important that we run the script from the base branch, | |
# because otherwise a PR from a fork could change it to extract the secret | |
run: trusted-base/scripts/unprivileged-owners.sh untrusted-pr ${{ github.repository }} | |
env: | |
GH_TOKEN: "${{ secrets.OWNERS_VALIDATOR_GITHUB_SECRET }}" |