diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners-v2.yml
similarity index 73%
rename from .github/workflows/codeowners.yml
rename to .github/workflows/codeowners-v2.yml
index 56588d45c9cd8..862681fb53b8e 100644
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners-v2.yml
@@ -1,17 +1,32 @@
-name: Codeowners
+name: Codeowners v2
 
-# This workflow depends on a GitHub App with the following permissions:
-# - Repository > Administration: read-only
-# - Organization > Members: read-only
-# - Repository > Pull Requests: read-write
-# The App needs to be installed on this repository
-# the OWNER_APP_ID repository variable needs to be set
-# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
+# This workflow depends on two GitHub Apps with the following permissions:
+# - For checking code owners:
+# - Permissions:
+# - Repository > Administration: read-only
+# - Organization > Members: read-only
+# - Install App on this repository, setting these variables:
+# - OWNER_RO_APP_ID (variable)
+# - OWNER_RO_APP_PRIVATE_KEY (secret)
+# - For requesting code owners:
+# - Permissions:
+# - Repository > Administration: read-only
+# - Organization > Members: read-only
+# - Repository > Pull Requests: read-write
+# - Install App on this repository, setting these variables:
+# - OWNER_APP_ID (variable)
+# - OWNER_APP_PRIVATE_KEY (secret)
+#
+# This split is done because checking code owners requires handling untrusted PR input,
+# while requesting code owners requires PR write access, and those shouldn't be mixed.
 
 on:
 pull_request_target:
 types: [opened, ready_for_review, synchronize, reopened, edited]
 
+# We don't need any default GitHub token
+permissions: {}
+
 env:
 OWNERS_FILE: ci/OWNERS
 # Don't do anything on draft PRs
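Review bot: The new header comment describes the two Apps and why they are split, but it does not say which job consumes which credential, so a reader of this hunk cannot tell that the `app-token` step switched to `OWNER_RO_*` in the next hunk belongs to the "checking" side. After the `# - OWNER_APP_PRIVATE_KEY (secret)` line, add something like `# The code-owner check job uses only the read-only App token; only the request step uses the read-write App token.` (with the actual job names, which lie outside this hunk). Because the read-only token is still a credential present in a job that handles untrusted PR input under `pull_request_target`, the same comment should state that this job must not run anything taken from the PR head, so that the token's exposure stays bounded by the read-only scopes listed above it.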
@@ -45,8 +60,8 @@ jobs:
 - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
 id: app-token
 with:
- app-id: ${{ vars.OWNER_APP_ID }}
- private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+ app-id: ${{ vars.OWNER_RO_APP_ID }}
+ private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
 
 - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 with:
diff --git a/.github/workflows/editorconfig.yml b/.github/workflows/editorconfig-v2.yml
similarity index 95%
rename from .github/workflows/editorconfig.yml
rename to .github/workflows/editorconfig-v2.yml
index b2b96722993bb..e9cb35fbfb8d3 100644
--- a/.github/workflows/editorconfig.yml
+++ b/.github/workflows/editorconfig-v2.yml
@@ -1,6 +1,8 @@
-name: "Checking EditorConfig"
+name: "Checking EditorConfig v2"
 
-permissions: read-all
+permissions:
+ pull-requests: read
+ contents: read
 
 on:
 # avoids approving first time contributors
diff --git a/.github/workflows/manual-nixos.yml b/.github/workflows/manual-nixos-v2.yml
similarity index 94%
rename from .github/workflows/manual-nixos.yml
rename to .github/workflows/manual-nixos-v2.yml
index a72b1adfeac03..49871d61bdfb9 100644
--- a/.github/workflows/manual-nixos.yml
+++ b/.github/workflows/manual-nixos-v2.yml
@@ -1,6 +1,7 @@
-name: "Build NixOS manual"
+name: "Build NixOS manual v2"
 
-permissions: read-all
+permissions:
+ contents: read
 
 on:
 pull_request_target:
diff --git a/.github/workflows/manual-nixpkgs.yml b/.github/workflows/manual-nixpkgs-v2.yml
similarity index 94%
rename from .github/workflows/manual-nixpkgs.yml
rename to .github/workflows/manual-nixpkgs-v2.yml
index 52aefa8472ed2..35409d8e106a7 100644
--- a/.github/workflows/manual-nixpkgs.yml
+++ b/.github/workflows/manual-nixpkgs-v2.yml
@@ -1,6 +1,7 @@
-name: "Build Nixpkgs manual"
+name: "Build Nixpkgs manual v2"
 
-permissions: read-all
+permissions:
+ contents: read
 
 on:
 pull_request_target:
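Review bot: The step keeps `id: app-token` while its credential changes to the read-only App (`OWNER_RO_APP_ID` / `OWNER_RO_APP_PRIVATE_KEY`), so any later step in this job that still reads `steps.app-token.outputs.token` to request reviewers would now hold a token without Pull Requests write permission and its API call would presumably be rejected. The remainder of the job, including any such consumer and the checkout's `with:` block, is outside the hunk; presumably the requesting step now lives in a separate job using the read-write App, which is worth confirming. Renaming the step to `id: ro-app-token` and updating its reference would make the reduced scope of this token visible at every use site, and a short comment above the step such as `# Read-only App: this job processes untrusted PR input` would record why this job gets the weaker credential.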
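Review bot: The new `permissions:` block in editorconfig-v2.yml narrows `read-all` to `pull-requests: read` and `contents: read`, but nothing records why `pull-requests: read` is needed here when the two manual workflows in this diff get only `contents: read`; the step that uses it is outside the hunk. A comment above the key, e.g. `# pull-requests: read — needed by the step that lists the files changed by the PR`, if that is indeed its purpose, keeps a later maintainer from widening it back to `read-all`. The nix-parse-v2.yml hunk adds the identical block and would benefit from the same comment. The `# avoids approving first time contributors` context line suggests these workflows run on `pull_request_target`, which makes keeping the token read-only particularly worthwhile; that trigger itself is not visible in this hunk.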
diff --git a/.github/workflows/nix-parse.yml b/.github/workflows/nix-parse-v2.yml
similarity index 93%
rename from .github/workflows/nix-parse.yml
rename to .github/workflows/nix-parse-v2.yml
index ffccf9d53de11..09cd162817ba5 100644
--- a/.github/workflows/nix-parse.yml
+++ b/.github/workflows/nix-parse-v2.yml
@@ -1,6 +1,8 @@
-name: "Check whether nix files are parseable"
+name: "Check whether nix files are parseable v2"
 
-permissions: read-all
+permissions:
+ pull-requests: read
+ contents: read
 
 on:
 # avoids approving first time contributors
diff --git a/ci/OWNERS b/ci/OWNERS
index 8904c846e816f..ad39700dde7c0 100644
--- a/ci/OWNERS
+++ b/ci/OWNERS
@@ -11,12 +11,12 @@
 # - There is no need for user/team listed here to have write access.
 # - No reviews will be requested for PRs that target the wrong base branch.
 #
-# Processing of this file is implemented in workflows/codeowners.yml
+# Processing of this file is implemented in workflows/codeowners-v2.yml
 
 # CI
 /.github/workflows @NixOS/Security @Mic92 @zowoq
 /.github/workflows/check-nix-format.yml @infinisil
-/.github/workflows/codeowners.yml @infinisil
+/.github/workflows/codeowners-v2.yml @infinisil
 /ci/OWNERS @infinisil
 /ci @infinisil @philiptaron @NixOS/Security