diff --git a/.gitattributes b/.gitattributes index 01d363cbb1c12..32cd96ef9e2cf 100644 --- a/.gitattributes +++ b/.gitattributes @@ -16,3 +16,5 @@ nixos/doc/default.nix linguist-documentation=false nixos/modules/module-list.nix merge=union # pkgs/top-level/all-packages.nix merge=union + +ci/OWNERS linguist-language=CODEOWNERS diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index aa0fbd4bd67aa..eb8b282c7b36f 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -1,369 +1,4 @@
-# CODEOWNERS file
+# Use ci/OWNERS instead
 #
-# This file is used to describe who owns what in this repository. This file does not
-# replace `meta.maintainers` but is instead used for other things than derivations
-# and modules, like documentation, package sets, and other assets.
-#
-# For documentation on this file, see https://help.github.com/articles/about-codeowners/
-# Mentioned users will get code review requests.
-#
-# IMPORTANT NOTE: in order to actually get pinged, commit access is required.
-# This also holds true for GitHub teams. Since almost none of our teams have write
-# permissions, you need to list all members of the team with commit access individually.
-
-# CI
-/.github/workflows @NixOS/Security @Mic92 @zowoq
-/.github/workflows/check-nix-format.yml @infinisil
-/ci @infinisil
-
-# Develompent support
-/.editorconfig @Mic92 @zowoq
-/shell.nix @infinisil @NixOS/Security
-
-# Libraries
-/lib @infinisil
-/lib/systems @alyssais @ericson2314
-/lib/generators.nix @infinisil @Profpatsch
-/lib/cli.nix @infinisil @Profpatsch
-/lib/debug.nix @infinisil @Profpatsch
-/lib/asserts.nix @infinisil @Profpatsch
-/lib/path.* @infinisil
-/lib/fileset @infinisil
-## Libraries / Module system
-/lib/modules.nix @infinisil @roberth
-/lib/types.nix @infinisil @roberth
-/lib/options.nix @infinisil @roberth
-/lib/tests/modules.sh @infinisil @roberth
-/lib/tests/modules @infinisil @roberth
-
-# Nixpkgs Internals
-/default.nix @Ericson2314
-/pkgs/top-level/default.nix @Ericson2314
-/pkgs/top-level/impure.nix @Ericson2314
-/pkgs/top-level/stage.nix @Ericson2314
-/pkgs/top-level/splice.nix @Ericson2314
-/pkgs/top-level/release-cross.nix @Ericson2314
-/pkgs/stdenv/generic @Ericson2314
-/pkgs/stdenv/generic/check-meta.nix @Ericson2314
-/pkgs/stdenv/cross @Ericson2314
-/pkgs/build-support/cc-wrapper @Ericson2314
-/pkgs/build-support/bintools-wrapper @Ericson2314
-/pkgs/build-support/setup-hooks @Ericson2314
-/pkgs/build-support/setup-hooks/auto-patchelf.sh @layus
-/pkgs/build-support/setup-hooks/auto-patchelf.py @layus
-/pkgs/pkgs-lib @infinisil
-## Format generators/serializers
-/pkgs/pkgs-lib/formats/libconfig @ckiee @h7x4
-/pkgs/pkgs-lib/formats/hocon @h7x4
-
-# pkgs/by-name
-/pkgs/test/check-by-name @infinisil
-/pkgs/by-name/README.md @infinisil
-/pkgs/top-level/by-name-overlay.nix @infinisil
-/.github/workflows/check-by-name.yml @infinisil
-
-# Nixpkgs build-support
-/pkgs/build-support/writers @lassulus @Profpatsch
-
-# Nixpkgs make-disk-image
-/doc/build-helpers/images/makediskimage.section.md @raitobezarius
-/nixos/lib/make-disk-image.nix @raitobezarius
-
-# Nix, the package manager
-# @raitobezarius is not "code owner", but is listed here to be notified of changes
-# pertaining to the Nix package manager.
-# i.e. no authority over those files.
-pkgs/tools/package-management/nix/ @NixOS/nix-team @raitobezarius
-nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobezarius
-
-# Nixpkgs documentation
-/maintainers/scripts/db-to-md.sh @jtojnar @ryantm
-/maintainers/scripts/doc @jtojnar @ryantm
-
-# Contributor documentation
-/CONTRIBUTING.md @infinisil
-/.github/PULL_REQUEST_TEMPLATE.md @infinisil
-/doc/contributing/ @infinisil
-/doc/contributing/contributing-to-documentation.chapter.md @jtojnar @infinisil
-/lib/README.md @infinisil
-/doc/README.md @infinisil
-/nixos/README.md @infinisil
-/pkgs/README.md @infinisil
-/maintainers/README.md @infinisil
-
-# User-facing development documentation
-/doc/development.md @infinisil
-/doc/development @infinisil
-
-# NixOS Internals
-/nixos/default.nix @infinisil
-/nixos/lib/from-env.nix @infinisil
-/nixos/lib/eval-config.nix @infinisil
-/nixos/modules/system/activation/bootspec.nix @grahamc @cole-h @raitobezarius
-/nixos/modules/system/activation/bootspec.cue @grahamc @cole-h @raitobezarius
-
-# NixOS integration test driver
-/nixos/lib/test-driver @tfc
-
-# NixOS QEMU virtualisation
-/nixos/virtualisation/qemu-vm.nix @raitobezarius
-
-# Systemd
-/nixos/modules/system/boot/systemd.nix @NixOS/systemd
-/nixos/modules/system/boot/systemd @NixOS/systemd
-/nixos/lib/systemd-*.nix @NixOS/systemd
-/pkgs/os-specific/linux/systemd @NixOS/systemd
-
-# Systemd-boot
-/nixos/modules/system/boot/loader/systemd-boot @JulienMalka
-
-# Images and installer media
-/nixos/modules/installer/cd-dvd/
-/nixos/modules/installer/sd-card/
-
-# Updaters
-## update.nix
-/maintainers/scripts/update.nix @jtojnar
-/maintainers/scripts/update.py @jtojnar
-## common-updater-scripts
-/pkgs/common-updater/scripts/update-source-version @jtojnar
-
-# Python-related code and docs
-/doc/languages-frameworks/python.section.md @mweinelt
-/pkgs/development/interpreters/python/hooks
-
-# Haskell
-/doc/languages-frameworks/haskell.section.md @sternenseemann @maralorn @ncfavier
-/maintainers/scripts/haskell @sternenseemann @maralorn @ncfavier
-/pkgs/development/compilers/ghc @sternenseemann @maralorn @ncfavier
-/pkgs/development/haskell-modules @sternenseemann @maralorn @ncfavier
-/pkgs/test/haskell @sternenseemann @maralorn @ncfavier
-/pkgs/top-level/release-haskell.nix @sternenseemann @maralorn @ncfavier
-/pkgs/top-level/haskell-packages.nix @sternenseemann @maralorn @ncfavier
-
-# Perl
-/pkgs/development/interpreters/perl @stigtsp @zakame @marcusramberg
-/pkgs/top-level/perl-packages.nix @stigtsp @zakame @marcusramberg
-/pkgs/development/perl-modules @stigtsp @zakame @marcusramberg
-
-# R
-/pkgs/applications/science/math/R @jbedo
-/pkgs/development/r-modules @jbedo
-
-# Rust
-/pkgs/development/compilers/rust @Mic92 @zowoq @winterqt @figsoda
-/pkgs/build-support/rust @zowoq @winterqt @figsoda
-/doc/languages-frameworks/rust.section.md @zowoq @winterqt @figsoda
-
-# C compilers
-/pkgs/development/compilers/gcc
-/pkgs/development/compilers/emscripten @raitobezarius
-/doc/languages-frameworks/emscripten.section.md @raitobezarius
-
-# Audio
-/nixos/modules/services/audio/botamusique.nix @mweinelt
-/nixos/modules/services/audio/snapserver.nix @mweinelt
-/nixos/tests/modules/services/audio/botamusique.nix @mweinelt
-/nixos/tests/snapcast.nix @mweinelt
-
-# Browsers
-/pkgs/applications/networking/browsers/firefox @mweinelt
-/pkgs/applications/networking/browsers/chromium @emilylange
-/nixos/tests/chromium.nix @emilylange
-
-# Certificate Authorities
-pkgs/data/misc/cacert/ @ajs124 @lukegb @mweinelt
-pkgs/development/libraries/nss/ @ajs124 @lukegb @mweinelt
-pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
-
-# Jetbrains
-/pkgs/applications/editors/jetbrains @edwtjo
-
-# Licenses
-/lib/licenses.nix @alyssais
-
-# Qt
-/pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
-/pkgs/development/libraries/qt-6 @K900 @NickCao @SuperSandro2000 @ttuegel
-
-# KDE / Plasma 5
-/pkgs/applications/kde @K900 @NickCao @SuperSandro2000 @ttuegel
-/pkgs/desktops/plasma-5 @K900 @NickCao @SuperSandro2000 @ttuegel
-/pkgs/development/libraries/kde-frameworks @K900 @NickCao @SuperSandro2000 @ttuegel
-
-# KDE / Plasma 6
-/pkgs/kde @K900 @NickCao @SuperSandro2000 @ttuegel
-/maintainers/scripts/kde @K900 @NickCao @SuperSandro2000 @ttuegel
-
-# PostgreSQL and related stuff
-/pkgs/servers/sql/postgresql @thoughtpolice
-/nixos/modules/services/databases/postgresql.xml @thoughtpolice
-/nixos/modules/services/databases/postgresql.nix @thoughtpolice
-/nixos/tests/postgresql.nix @thoughtpolice
-
-# Hardened profile & related modules
-/nixos/modules/profiles/hardened.nix @joachifm
-/nixos/modules/security/hidepid.nix @joachifm
-/nixos/modules/security/lock-kernel-modules.nix @joachifm
-/nixos/modules/security/misc.nix @joachifm
-/nixos/tests/hardened.nix @joachifm
-/pkgs/os-specific/linux/kernel/hardened-config.nix @joachifm
-
-# Home Automation
-/nixos/modules/services/misc/home-assistant.nix @mweinelt
-/nixos/modules/services/misc/zigbee2mqtt.nix @mweinelt
-/nixos/tests/home-assistant.nix @mweinelt
-/nixos/tests/zigbee2mqtt.nix @mweinelt
-/pkgs/servers/home-assistant @mweinelt
-/pkgs/tools/misc/esphome @mweinelt
-
-# Network Time Daemons
-/pkgs/tools/networking/chrony @thoughtpolice
-/pkgs/tools/networking/ntp @thoughtpolice
-/pkgs/tools/networking/openntpd @thoughtpolice
-/nixos/modules/services/networking/ntp @thoughtpolice
-
-# Network
-/pkgs/tools/networking/octodns @Janik-Haag
-/pkgs/tools/networking/kea/default.nix @mweinelt
-/pkgs/tools/networking/babeld/default.nix @mweinelt
-/nixos/modules/services/networking/babeld.nix @mweinelt
-/nixos/modules/services/networking/kea.nix @mweinelt
-/nixos/modules/services/networking/knot.nix @mweinelt
-nixos/modules/services/networking/networkmanager.nix @Janik-Haag
-/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @mweinelt
-/nixos/tests/babeld.nix @mweinelt
-/nixos/tests/kea.nix @mweinelt
-/nixos/tests/knot.nix @mweinelt
-/nixos/tests/networking/* @Janik-Haag
-
-# Web servers
-/doc/packages/nginx.section.md @raitobezarius
-/pkgs/servers/http/nginx/ @raitobezarius
-/nixos/modules/services/web-servers/nginx/ @raitobezarius
-
-# Dhall
-/pkgs/development/dhall-modules @Gabriella439 @Profpatsch @ehmry
-/pkgs/development/interpreters/dhall @Gabriella439 @Profpatsch @ehmry
-
-# Idris
-/pkgs/development/idris-modules @Infinisil
-
-# Bazel
-/pkgs/development/tools/build-managers/bazel @Profpatsch
-
-# NixOS modules for e-mail and dns services
-/nixos/modules/services/mail/mailman.nix @peti
-/nixos/modules/services/mail/postfix.nix @peti
-/nixos/modules/services/networking/bind.nix @peti
-/nixos/modules/services/mail/rspamd.nix @peti
-
-# Emacs
-/pkgs/applications/editors/emacs/elisp-packages @adisbladis
-/pkgs/applications/editors/emacs @adisbladis
-/pkgs/top-level/emacs-packages.nix @adisbladis
-
-# Neovim
-/pkgs/applications/editors/neovim @figsoda @teto
-
-# VimPlugins
-/pkgs/applications/editors/vim/plugins @figsoda
-
-# VsCode Extensions
-/pkgs/applications/editors/vscode/extensions
-
-# PHP interpreter, packages, extensions, tests and documentation
-/doc/languages-frameworks/php.section.md @aanderse @drupol @globin @ma27 @talyz
-/nixos/tests/php @aanderse @drupol @globin @ma27 @talyz
-/pkgs/build-support/php/build-pecl.nix @aanderse @drupol @globin @ma27 @talyz
-/pkgs/build-support/php @drupol
-/pkgs/development/interpreters/php @jtojnar @aanderse @drupol @globin @ma27 @talyz
-/pkgs/development/php-packages @aanderse @drupol @globin @ma27 @talyz
-/pkgs/top-level/php-packages.nix @jtojnar @aanderse @drupol @globin @ma27 @talyz
-
-# Docker tools
-/pkgs/build-support/docker @roberth
-/nixos/tests/docker-tools* @roberth
-/doc/build-helpers/images/dockertools.section.md @roberth
-
-# Blockchains
-/pkgs/applications/blockchains @mmahut @RaghavSood
-
-# Go
-/doc/languages-frameworks/go.section.md @kalbasit @Mic92 @zowoq
-/pkgs/build-support/go @kalbasit @Mic92 @zowoq
-/pkgs/development/compilers/go @kalbasit @Mic92 @zowoq
-
-# GNOME
-/pkgs/desktops/gnome @jtojnar
-/pkgs/desktops/gnome/extensions @jtojnar
-/pkgs/build-support/make-hardcode-gsettings-patch @jtojnar
-
-# Cinnamon
-/pkgs/desktops/cinnamon @mkg20001
-
-# nim
-/pkgs/development/compilers/nim @ehmry
-/pkgs/development/nim-packages @ehmry
-/pkgs/top-level/nim-packages.nix @ehmry
-
-# terraform providers
-/pkgs/applications/networking/cluster/terraform-providers @zowoq
-
-# Forgejo
-nixos/modules/services/misc/forgejo.nix @adamcstephens @bendlas @emilylange
-pkgs/by-name/fo/forgejo/package.nix @adamcstephens @bendlas @emilylange
-
-# Dotnet
-/pkgs/build-support/dotnet @corngood
-/pkgs/development/compilers/dotnet @corngood
-/pkgs/test/dotnet @corngood
-/doc/languages-frameworks/dotnet.section.md @corngood
-
-# Node.js
-/pkgs/build-support/node/build-npm-package @lilyinstarlight @winterqt
-/pkgs/build-support/node/fetch-npm-deps @lilyinstarlight @winterqt
-/doc/languages-frameworks/javascript.section.md @lilyinstarlight @winterqt
-
-# environment.noXlibs option aka NoX
-/nixos/modules/config/no-x-libs.nix @SuperSandro2000
-
-# OCaml
-/pkgs/build-support/ocaml @ulrikstrid
-/pkgs/development/compilers/ocaml @ulrikstrid
-/pkgs/development/ocaml-modules @ulrikstrid
-
-# ZFS
-pkgs/os-specific/linux/zfs/2_1.nix @raitobezarius
-pkgs/os-specific/linux/zfs/generic.nix @raitobezarius
-nixos/modules/tasks/filesystems/zfs.nix @raitobezarius
-nixos/tests/zfs.nix @raitobezarius
-
-# Zig
-/pkgs/development/compilers/zig @figsoda
-/doc/hooks/zig.section.md @figsoda
-
-# Buildbot
-nixos/modules/services/continuous-integration/buildbot @Mic92 @zowoq
-nixos/tests/buildbot.nix @Mic92 @zowoq
-pkgs/development/tools/continuous-integration/buildbot @Mic92 @zowoq
-
-# Pretix
-pkgs/by-name/pr/pretix/ @mweinelt
-pkgs/by-name/pr/pretalx/ @mweinelt
-nixos/modules/services/web-apps/pretix.nix @mweinelt
-nixos/modules/services/web-apps/pretalx.nix @mweinelt
-nixos/tests/web-apps/pretix.nix @mweinelt
-nixos/tests/web-apps/pretalx.nix @mweinelt
-
-# incus/lxc/lxd
-nixos/maintainers/scripts/lxd/ @adamcstephens
-nixos/modules/virtualisation/incus.nix @adamcstephens
-nixos/modules/virtualisation/lxc* @adamcstephens
-nixos/modules/virtualisation/lxd* @adamcstephens
-nixos/tests/incus/ @adamcstephens
-nixos/tests/lxd/ @adamcstephens
-pkgs/by-name/in/incus/ @adamcstephens
-pkgs/by-name/lx/lxc* @adamcstephens
-pkgs/by-name/lx/lxd* @adamcstephens
-pkgs/os-specific/linux/lxc/ @adamcstephens
+# This file would be for the native code owner feature of GitHub,
+# but is not being used because of its problems, see ci/OWNERS
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
new file mode 100644
index 0000000000000..56588d45c9cd8
--- /dev/null
+++ b/.github/workflows/codeowners.yml
@@ -0,0 +1,89 @@
+name: Codeowners
+
+# This workflow depends on a GitHub App with the following permissions:
+# - Repository > Administration: read-only
+# - Organization > Members: read-only
+# - Repository > Pull Requests: read-write
+# The App needs to be installed on this repository
+# the OWNER_APP_ID repository variable needs to be set
+# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
+
+on:
+ pull_request_target:
+ types: [opened, ready_for_review, synchronize, reopened, edited]
+
+env:
+ OWNERS_FILE: ci/OWNERS
+ # Don't do anything on draft PRs
+ DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
+
+jobs:
+ # Check that code owners is valid
+ check:
+ name: Check
+ runs-on: ubuntu-latest
+ steps:
+ - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+
+ - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
+ if: github.repository_owner == 'NixOS'
+ with:
+ # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+ name: nixpkgs-ci
+ authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+
+ # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
+ # We later build and run code from the base branch with access to secrets,
+ # so it's important this is not the PRs code.
+ - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ path: base
+
+ - name: Build codeowners validator
+ run: nix-build base/ci -A codeownersValidator
+
+ - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+ id: app-token
+ with:
+ app-id: ${{ vars.OWNER_APP_ID }}
+ private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+
+ - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ ref: refs/pull/${{ github.event.number }}/merge
+ path: pr
+
+ - name: Validate codeowners
+ run: result/bin/codeowners-validator
+ env:
+ OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
+ GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+ REPOSITORY_PATH: pr
+ OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
+ # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
+ EXPERIMENTAL_CHECKS: "avoid-shadowing"
+
+ # Request reviews from code owners
+ request:
+ name: Request
+ runs-on: ubuntu-latest
+ steps:
+ - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+
+ # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
+ # This is intentional, because we need to request the review of owners as declared in the base branch.
+ - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+
+ - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+ id: app-token
+ with:
+ app-id: ${{ vars.OWNER_APP_ID }}
+ private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+
+ - name: Build review request package
+ run: nix-build ci -A requestReviews
+
+ - name: Request reviews
+ run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
+ env:
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index f40fb86ee5595..38ae730cd4c1f 100644
--- a/CONTRIBUTING.md
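Review bot: The new workflow has no `permissions:` key, so under `pull_request_target` both jobs run with the repository's default `GITHUB_TOKEN` scopes even though every write they need goes through the App token from `steps.app-token`; a top-level `permissions:` block with `contents: read` keeps the default token useless to any step that goes wrong. The split in the `check` job is the right one — the validator is built from `base/` and only reads the PR's `pr/ci/OWNERS` as data — but `refs/pull/N/merge` is only available once GitHub has computed mergeability, so that second checkout can fail on a freshly opened or conflicting PR; a short comment stating that this failure mode is accepted would save the next reader the investigation. `DRY_MODE` is derived from the draft flag but nothing in this file reads it, so presumably `request-reviews.sh` does; naming the consumer in the comment above it (`# read by ci/request-reviews.sh`, or wherever it actually lives) would make the contract visible.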
+++ b/CONTRIBUTING.md @@ -193,19 +193,12 @@ The last checkbox is about whether it fits the guidelines in this `CONTRIBUTING. [rebase]: #rebasing-between-branches-ie-from-master-to-staging From time to time, changes between branches must be rebased, for example, if the -number of new rebuilds they would cause is too large for the target branch. When -rebasing, care must be taken to include only the intended changes, otherwise -many CODEOWNERS will be inadvertently requested for review. To achieve this, -rebasing should not be performed directly on the target branch, but on the merge -base between the current and target branch. As an additional precautionary measure, -you should temporarily mark the PR as draft for the duration of the operation. -This reduces the probability of mass-pinging people. (OfBorg might still -request a couple of persons for reviews though.) +number of new rebuilds they would cause is too large for the target branch. In the following example, we assume that the current branch, called `feature`, is based on `master`, and we rebase it onto the merge base between -`master` and `staging` so that the PR can eventually be retargeted to -`staging` without causing a mess. The example uses `upstream` as the remote for `NixOS/nixpkgs.git` +`master` and `staging` so that the PR can be retargeted to +`staging`. The example uses `upstream` as the remote for `NixOS/nixpkgs.git` while `origin` is the remote you are pushing to. 
@@ -234,36 +227,6 @@ git status git push origin feature --force-with-lease ``` -#### Something went wrong and a lot of people were pinged - -It happens. Remember to be kind, especially to new contributors. -There is no way back, so the pull request should be closed and locked -(if possible). The changes should be re-submitted in a new PR, in which the people -originally involved in the conversation need to manually be pinged again. -No further discussion should happen on the original PR, as a lot of people -are now subscribed to it. - -The following message (or a version thereof) might be left when closing to -describe the situation, since closing and locking without any explanation -is kind of rude: - -```markdown -It looks like you accidentally mass-pinged a bunch of people, which are now subscribed -and getting notifications for everything in this pull request. Unfortunately, they -cannot be automatically unsubscribed from the issue (removing review request does not -unsubscribe), therefore development cannot continue in this pull request anymore. - -Please open a new pull request with your changes, link back to this one and ping the -people actually involved in here over there. - -In order to avoid this in the future, there are instructions for how to properly -rebase between branches in our [contribution guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#rebasing-between-branches-ie-from-master-to-staging). -Setting your pull request to draft prior to rebasing is strongly recommended. -In draft status, you can preview the list of people that are about to be requested -for review, which allows you to sidestep this issue. -This is not a bulletproof method though, as OfBorg still does review requests even on draft PRs. -``` - ## How to backport pull requests [pr-backport]: #how-to-backport-pull-requests diff --git a/ci/OWNERS b/ci/OWNERS new file mode 100644 index 0000000000000..8904c846e816f --- /dev/null +++ b/ci/OWNERS 
@@ -0,0 +1,370 @@
+# This file is used to describe who owns what in this repository.
+# Users/teams will get review requests for PRs that change their files.
+#
+# This file does not replace `meta.maintainers`
+# but is instead used for other things than derivations and modules,
+# like documentation, package sets, and other assets.
+#
+# This file uses the same syntax as the natively supported CODEOWNERS file,
+# see https://help.github.com/articles/about-codeowners/ for documentation.
+# However it comes with some notable differences:
+# - There is no need for user/team listed here to have write access.
+# - No reviews will be requested for PRs that target the wrong base branch.
+#
+# Processing of this file is implemented in workflows/codeowners.yml
+
+# CI
+/.github/workflows @NixOS/Security @Mic92 @zowoq
+/.github/workflows/check-nix-format.yml @infinisil
+/.github/workflows/codeowners.yml @infinisil
+/ci/OWNERS @infinisil
+/ci @infinisil @philiptaron @NixOS/Security
+
+# Develompent support
+/.editorconfig @Mic92 @zowoq
+/shell.nix @infinisil @NixOS/Security
+
+# Libraries
+/lib @infinisil
+/lib/systems @alyssais @ericson2314
+/lib/generators.nix @infinisil @Profpatsch
+/lib/cli.nix @infinisil @Profpatsch
+/lib/debug.nix @infinisil @Profpatsch
+/lib/asserts.nix @infinisil @Profpatsch
+/lib/path/* @infinisil
+/lib/fileset @infinisil
+## Libraries / Module system
+/lib/modules.nix @infinisil @roberth
+/lib/types.nix @infinisil @roberth
+/lib/options.nix @infinisil @roberth
+/lib/tests/modules.sh @infinisil @roberth
+/lib/tests/modules @infinisil @roberth
+
+# Nixpkgs Internals
+/default.nix @Ericson2314
+/pkgs/top-level/default.nix @Ericson2314
+/pkgs/top-level/impure.nix @Ericson2314
+/pkgs/top-level/stage.nix @Ericson2314
+/pkgs/top-level/splice.nix @Ericson2314
+/pkgs/top-level/release-cross.nix @Ericson2314
+/pkgs/stdenv/generic @Ericson2314
+/pkgs/stdenv/generic/check-meta.nix @Ericson2314
+/pkgs/stdenv/cross @Ericson2314
+/pkgs/build-support/cc-wrapper @Ericson2314
+/pkgs/build-support/bintools-wrapper @Ericson2314
+/pkgs/build-support/setup-hooks @Ericson2314
+/pkgs/build-support/setup-hooks/auto-patchelf.sh @layus
+/pkgs/build-support/setup-hooks/auto-patchelf.py @layus
+/pkgs/pkgs-lib @infinisil
+## Format generators/serializers
+/pkgs/pkgs-lib/formats/libconfig @ckiee @h7x4
+/pkgs/pkgs-lib/formats/hocon @h7x4
+
+# pkgs/by-name
+/pkgs/test/check-by-name @infinisil
+/pkgs/by-name/README.md @infinisil
+/pkgs/top-level/by-name-overlay.nix @infinisil
+/.github/workflows/check-by-name.yml @infinisil
+
+# Nixpkgs build-support
+/pkgs/build-support/writers @lassulus @Profpatsch
+
+# Nixpkgs make-disk-image
+/doc/build-helpers/images/makediskimage.section.md @raitobezarius
+/nixos/lib/make-disk-image.nix @raitobezarius
+
+# Nix, the package manager
+# @raitobezarius is not "code owner", but is listed here to be notified of changes
+# pertaining to the Nix package manager.
+# i.e. no authority over those files.
+pkgs/tools/package-management/nix/ @NixOS/nix-team @raitobezarius
+nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobezarius
+
+# Nixpkgs documentation
+/maintainers/scripts/db-to-md.sh @jtojnar @ryantm
+/maintainers/scripts/doc @jtojnar @ryantm
+
+# Contributor documentation
+/CONTRIBUTING.md @infinisil
+/.github/PULL_REQUEST_TEMPLATE.md @infinisil
+/doc/contributing/ @infinisil
+/doc/contributing/contributing-to-documentation.chapter.md @jtojnar @infinisil
+/lib/README.md @infinisil
+/doc/README.md @infinisil
+/nixos/README.md @infinisil
+/pkgs/README.md @infinisil
+/maintainers/README.md @infinisil
+
+# User-facing development documentation
+/doc/development.md @infinisil
+/doc/development @infinisil
+
+# NixOS Internals
+/nixos/default.nix @infinisil
+/nixos/lib/from-env.nix @infinisil
+/nixos/lib/eval-config.nix @infinisil
+/nixos/modules/system/activation/bootspec.nix @grahamc @cole-h @raitobezarius
+/nixos/modules/system/activation/bootspec.cue @grahamc @cole-h @raitobezarius
+
+# NixOS integration test driver
+/nixos/lib/test-driver @tfc
+
+# NixOS QEMU virtualisation
+/nixos/modules/virtualisation/qemu-vm.nix @raitobezarius
+
+# Systemd
+/nixos/modules/system/boot/systemd.nix @NixOS/systemd
+/nixos/modules/system/boot/systemd @NixOS/systemd
+/nixos/lib/systemd-*.nix @NixOS/systemd
+/pkgs/os-specific/linux/systemd @NixOS/systemd
+
+# Systemd-boot
+/nixos/modules/system/boot/loader/systemd-boot @JulienMalka
+
+# Images and installer media
+/nixos/modules/installer/cd-dvd/
+/nixos/modules/installer/sd-card/
+
+# Updaters
+## update.nix
+/maintainers/scripts/update.nix @jtojnar
+/maintainers/scripts/update.py @jtojnar
+## common-updater-scripts
+/pkgs/common-updater/scripts/update-source-version @jtojnar
+
+# Python-related code and docs
+/doc/languages-frameworks/python.section.md @mweinelt
+/pkgs/development/interpreters/python/hooks
+
+# Haskell
+/doc/languages-frameworks/haskell.section.md @sternenseemann @maralorn @ncfavier
+/maintainers/scripts/haskell @sternenseemann @maralorn @ncfavier
+/pkgs/development/compilers/ghc @sternenseemann @maralorn @ncfavier
+/pkgs/development/haskell-modules @sternenseemann @maralorn @ncfavier
+/pkgs/test/haskell @sternenseemann @maralorn @ncfavier
+/pkgs/top-level/release-haskell.nix @sternenseemann @maralorn @ncfavier
+/pkgs/top-level/haskell-packages.nix @sternenseemann @maralorn @ncfavier
+
+# Perl
+/pkgs/development/interpreters/perl @stigtsp @zakame @marcusramberg
+/pkgs/top-level/perl-packages.nix @stigtsp @zakame @marcusramberg
+/pkgs/development/perl-modules @stigtsp @zakame @marcusramberg
+
+# R
+/pkgs/applications/science/math/R @jbedo
+/pkgs/development/r-modules @jbedo
+
+# Rust
+/pkgs/development/compilers/rust @Mic92 @zowoq @winterqt @figsoda
+/pkgs/build-support/rust @zowoq @winterqt @figsoda
+/doc/languages-frameworks/rust.section.md @zowoq @winterqt @figsoda
+
+# C compilers
+/pkgs/development/compilers/gcc
+/pkgs/development/compilers/emscripten @raitobezarius
+/doc/languages-frameworks/emscripten.section.md @raitobezarius
+
+# Audio
+/nixos/modules/services/audio/botamusique.nix @mweinelt
+/nixos/modules/services/audio/snapserver.nix @mweinelt
+/nixos/tests/botamusique.nix @mweinelt
+/nixos/tests/snapcast.nix @mweinelt
+
+# Browsers
+/pkgs/applications/networking/browsers/firefox @mweinelt
+/pkgs/applications/networking/browsers/chromium @emilylange
+/nixos/tests/chromium.nix @emilylange
+
+# Certificate Authorities
+pkgs/data/misc/cacert/ @ajs124 @lukegb @mweinelt
+pkgs/development/libraries/nss/ @ajs124 @lukegb @mweinelt
+pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
+
+# Jetbrains
+/pkgs/applications/editors/jetbrains @edwtjo
+
+# Licenses
+/lib/licenses.nix @alyssais
+
+# Qt
+/pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
+/pkgs/development/libraries/qt-6 @K900 @NickCao @SuperSandro2000 @ttuegel
+
+# KDE / Plasma 5
+/pkgs/applications/kde @K900 @NickCao @SuperSandro2000 @ttuegel
+/pkgs/desktops/plasma-5 @K900 @NickCao @SuperSandro2000 @ttuegel
+/pkgs/development/libraries/kde-frameworks @K900 @NickCao @SuperSandro2000 @ttuegel
+
+# KDE / Plasma 6
+/pkgs/kde @K900 @NickCao @SuperSandro2000 @ttuegel
+/maintainers/scripts/kde @K900 @NickCao @SuperSandro2000 @ttuegel
+
+# PostgreSQL and related stuff
+/pkgs/servers/sql/postgresql @thoughtpolice
+/nixos/modules/services/databases/postgresql.md @thoughtpolice
+/nixos/modules/services/databases/postgresql.nix @thoughtpolice
+/nixos/tests/postgresql.nix @thoughtpolice
+
+# Hardened profile & related modules
+/nixos/modules/profiles/hardened.nix @joachifm
+/nixos/modules/security/lock-kernel-modules.nix @joachifm
+/nixos/modules/security/misc.nix @joachifm
+/nixos/tests/hardened.nix @joachifm
+/pkgs/os-specific/linux/kernel/hardened/config.nix @joachifm
+
+# Home Automation
+/nixos/modules/services/home-automation/home-assistant.nix @mweinelt
+/nixos/modules/services/home-automation/zigbee2mqtt.nix @mweinelt
+/nixos/tests/home-assistant.nix @mweinelt
+/nixos/tests/zigbee2mqtt.nix @mweinelt
+/pkgs/servers/home-assistant @mweinelt
+/pkgs/tools/misc/esphome @mweinelt
+
+# Network Time Daemons
+/pkgs/tools/networking/chrony @thoughtpolice
+/pkgs/tools/networking/ntp @thoughtpolice
+/pkgs/tools/networking/openntpd @thoughtpolice
+/nixos/modules/services/networking/ntp @thoughtpolice
+
+# Network
+/pkgs/tools/networking/octodns @Janik-Haag
+/pkgs/tools/networking/kea/default.nix @mweinelt
+/pkgs/tools/networking/babeld/default.nix @mweinelt
+/nixos/modules/services/networking/babeld.nix @mweinelt
+/nixos/modules/services/networking/kea.nix @mweinelt
+/nixos/modules/services/networking/knot.nix @mweinelt
+nixos/modules/services/networking/networkmanager.nix @Janik-Haag
+/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @mweinelt
+/nixos/tests/babeld.nix @mweinelt
+/nixos/tests/kea.nix @mweinelt
+/nixos/tests/knot.nix @mweinelt
+/nixos/tests/networking/* @Janik-Haag
+
+# Web servers
+/doc/packages/nginx.section.md @raitobezarius
+/pkgs/servers/http/nginx/ @raitobezarius
+/nixos/modules/services/web-servers/nginx/ @raitobezarius
+
+# Dhall
+/pkgs/development/dhall-modules @Gabriella439 @Profpatsch @ehmry
+/pkgs/development/interpreters/dhall @Gabriella439 @Profpatsch @ehmry
+
+# Idris
+/pkgs/development/idris-modules @Infinisil
+
+# Bazel
+/pkgs/development/tools/build-managers/bazel @Profpatsch
+
+# NixOS modules for e-mail and dns services
+/nixos/modules/services/mail/mailman.nix @peti
+/nixos/modules/services/mail/postfix.nix @peti
+/nixos/modules/services/networking/bind.nix @peti
+/nixos/modules/services/mail/rspamd.nix @peti
+
+# Emacs
+/pkgs/applications/editors/emacs/elisp-packages @adisbladis
+/pkgs/applications/editors/emacs @adisbladis
+/pkgs/top-level/emacs-packages.nix @adisbladis
+
+# Neovim
+/pkgs/applications/editors/neovim @figsoda @teto
+
+# VimPlugins
+/pkgs/applications/editors/vim/plugins @figsoda
+
+# VsCode Extensions
+/pkgs/applications/editors/vscode/extensions
+
+# PHP interpreter, packages, extensions, tests and documentation
+/doc/languages-frameworks/php.section.md @aanderse @drupol @globin @ma27 @talyz
+/nixos/tests/php @aanderse @drupol @globin @ma27 @talyz
+/pkgs/build-support/php/build-pecl.nix @aanderse @drupol @globin @ma27 @talyz
+/pkgs/build-support/php @drupol
+/pkgs/development/interpreters/php @jtojnar @aanderse @drupol @globin @ma27 @talyz
+/pkgs/development/php-packages @aanderse @drupol @globin @ma27 @talyz
+/pkgs/top-level/php-packages.nix @jtojnar @aanderse @drupol @globin @ma27 @talyz
+
+# Docker tools
+/pkgs/build-support/docker @roberth
+/nixos/tests/docker-tools* @roberth
+/doc/build-helpers/images/dockertools.section.md @roberth
+
+# Blockchains
+/pkgs/applications/blockchains @mmahut @RaghavSood
+
+# Go
+/doc/languages-frameworks/go.section.md @kalbasit @Mic92 @zowoq
+/pkgs/build-support/go @kalbasit @Mic92 @zowoq
+/pkgs/development/compilers/go @kalbasit @Mic92 @zowoq
+
+# GNOME
+/pkgs/desktops/gnome @jtojnar
+/pkgs/desktops/gnome/extensions @jtojnar
+/pkgs/build-support/make-hardcode-gsettings-patch @jtojnar
+
+# Cinnamon
+/pkgs/desktops/cinnamon @mkg20001
+
+# nim
+/pkgs/development/compilers/nim @ehmry
+
+# terraform providers
+/pkgs/applications/networking/cluster/terraform-providers @zowoq
+
+# Forgejo
+nixos/modules/services/misc/forgejo.nix @adamcstephens @bendlas @emilylange
+pkgs/by-name/fo/forgejo/package.nix @adamcstephens @bendlas @emilylange
+
+# Dotnet
+/pkgs/build-support/dotnet @corngood
+/pkgs/development/compilers/dotnet @corngood
+/pkgs/test/dotnet @corngood
+/doc/languages-frameworks/dotnet.section.md @corngood
+
+# Node.js
+/pkgs/build-support/node/build-npm-package @lilyinstarlight @winterqt
+/pkgs/build-support/node/fetch-npm-deps @lilyinstarlight @winterqt
+/doc/languages-frameworks/javascript.section.md @lilyinstarlight @winterqt
+
+# environment.noXlibs option aka NoX
+/nixos/modules/config/no-x-libs.nix @SuperSandro2000
+
+# OCaml
+/pkgs/build-support/ocaml @ulrikstrid
+/pkgs/development/compilers/ocaml @ulrikstrid
+/pkgs/development/ocaml-modules @ulrikstrid
+
+# ZFS
+pkgs/os-specific/linux/zfs/2_1.nix @raitobezarius
+pkgs/os-specific/linux/zfs/generic.nix @raitobezarius
+nixos/modules/tasks/filesystems/zfs.nix @raitobezarius
+nixos/tests/zfs.nix @raitobezarius
+
+# Zig
+/pkgs/development/compilers/zig @figsoda
+/doc/hooks/zig.section.md @figsoda
+
+# Buildbot
+nixos/modules/services/continuous-integration/buildbot @Mic92 @zowoq
+nixos/tests/buildbot.nix @Mic92 @zowoq
+pkgs/development/tools/continuous-integration/buildbot @Mic92 @zowoq
+
+# Pretix
+pkgs/by-name/pr/pretix/ @mweinelt
+pkgs/by-name/pr/pretalx/ @mweinelt
+nixos/modules/services/web-apps/pretix.nix @mweinelt
+nixos/modules/services/web-apps/pretalx.nix @mweinelt
+nixos/tests/web-apps/pretix.nix @mweinelt
+nixos/tests/web-apps/pretalx.nix @mweinelt
+
+# incus/lxc/lxd
+nixos/maintainers/scripts/lxd/ @adamcstephens
+nixos/modules/virtualisation/incus.nix @adamcstephens
+nixos/modules/virtualisation/lxc* @adamcstephens
+nixos/modules/virtualisation/lxd* @adamcstephens
+nixos/tests/incus/ @adamcstephens
+nixos/tests/lxd/ @adamcstephens
+pkgs/by-name/in/incus/ @adamcstephens
+pkgs/by-name/lx/lxc* @adamcstephens
+pkgs/by-name/lx/lxd* @adamcstephens
+pkgs/os-specific/linux/lxc/ @adamcstephens
diff --git a/ci/codeowners-validator/default.nix b/ci/codeowners-validator/default.nix
new file mode 100644
index 0000000000000..5c2d5335c35ed
--- /dev/null
+++ b/ci/codeowners-validator/default.nix
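Review bot: `/ci/OWNERS @infinisil` is immediately followed by `/ci @infinisil @philiptaron @NixOS/Security`, and since CODEOWNERS syntax gives the last matching pattern precedence, `/ci` also matches `ci/OWNERS` and the dedicated entry is dead; routing OWNERS changes to the broader `/ci` set may well be intended for a review-routing file, but then the `/ci/OWNERS` line should be dropped (or placed after `/ci`), and the `avoid-shadowing` check the workflow enables may reject the file as written. The header's `workflows/codeowners.yml` is ambiguous next to the `ci/` directory this file lives in; `.github/workflows/codeowners.yml` is the actual path. Several patterns differ from the deleted `.github/CODEOWNERS` (`/lib/path/*`, `/nixos/modules/virtualisation/qemu-vm.nix`, `hardened/config.nix`, `postgresql.md`, `/nixos/tests/botamusique.nix`) and the `hidepid.nix` and nim-packages entries are gone; a one-line comment or commit-message mention would make those corrections auditable. `Develompent` in the section heading is a typo carried over from the old file.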
@@ -0,0 +1,31 @@
+{
+ buildGoModule,
+ fetchFromGitHub,
+ fetchpatch,
+}:
+buildGoModule {
+ name = "codeowners-validator";
+ src = fetchFromGitHub {
+ owner = "mszostok";
+ repo = "codeowners-validator";
+ rev = "f3651e3810802a37bd965e6a9a7210728179d076";
+ hash = "sha256-5aSmmRTsOuPcVLWfDF6EBz+6+/Qpbj66udAmi1CLmWQ=";
+ };
+ patches = [
+ # https://github.com/mszostok/codeowners-validator/pull/222
+ (fetchpatch {
+ name = "user-write-access-check";
+ url = "https://github.com/mszostok/codeowners-validator/compare/f3651e3810802a37bd965e6a9a7210728179d076...840eeb88b4da92bda3e13c838f67f6540b9e8529.patch";
+ hash = "sha256-t3Dtt8SP9nbO3gBrM0nRE7+G6N/ZIaczDyVHYAG/6mU=";
+ })
+ # Undoes part of the above PR: We don't want to require write access
+ # to the repository, that's only needed for GitHub's native CODEOWNERS.
+ # Furthermore, it removes an unneccessary check from the code
+ # that breaks tokens generated for GitHub Apps.
+ ./permissions.patch
+ # Allows setting a custom CODEOWNERS path using the OWNERS_FILE env var
+ ./owners-file-name.patch
+ ];
+ postPatch = "rm -r docs/investigation";
+ vendorHash = "sha256-R+pW3xcfpkTRqfS2ETVOwG8PZr0iH5ewroiF7u8hcYI=";
+}
diff --git a/ci/codeowners-validator/owners-file-name.patch b/ci/codeowners-validator/owners-file-name.patch
new file mode 100644
index 0000000000000..d8b87ba2f84a1
--- /dev/null
+++ b/ci/codeowners-validator/owners-file-name.patch
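Review bot: `postPatch = "rm -r docs/investigation"` is the only line in this derivation without a rationale, while every entry in `patches` has one; a reader cannot tell from here whether the directory is removed because it contains Go sources that `buildGoModule` would otherwise try to build, because it affects `vendorHash`, or for some other reason. I would add a comment above it such as `# docs/investigation is not part of the tool; removed so it does not end up in the module build — TODO confirm the exact reason`. Separately, a bare `name` without a version makes the pin harder to read in `nix-store` output; `pname` plus a `version = "0-unstable-<date>"` matching the commit in `rev` is the usual way to name an unversioned Git checkout.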
@@ -0,0 +1,15 @@
+diff --git a/pkg/codeowners/owners.go b/pkg/codeowners/owners.go
+index 6910bd2..e0c95e9 100644
+--- a/pkg/codeowners/owners.go
++++ b/pkg/codeowners/owners.go
+@@ -39,6 +39,10 @@ func NewFromPath(repoPath string) ([]Entry, error) {
+ // openCodeownersFile finds a CODEOWNERS file and returns content.
+ // see: https://help.github.com/articles/about-code-owners/#codeowners-file-location
+ func openCodeownersFile(dir string) (io.Reader, error) {
++ if file, ok := os.LookupEnv("OWNERS_FILE"); ok {
++ return fs.Open(file)
++ }
++
+ var detectedFiles []string
+ for _, p := range []string{".", "docs", ".github"} {
+ pth := path.Join(dir, p)
diff --git a/ci/codeowners-validator/permissions.patch b/ci/codeowners-validator/permissions.patch
new file mode 100644
index 0000000000000..38f42f483995b
--- /dev/null
+++ b/ci/codeowners-validator/permissions.patch
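Review bot: The added `OWNERS_FILE` branch opens the value exactly as given and ignores `dir`, so a relative path such as `ci/OWNERS` resolves against the process working directory rather than the repository path passed to `NewFromPath`, unlike the auto-detection below it which goes through `path.Join(dir, p)`. Resolving relative values against `dir` keeps both code paths consistent: `if !path.IsAbs(file) {` / `file = path.Join(dir, file)` / `}` before the `return fs.Open(file)`. `os.LookupEnv` also reports an empty-but-set variable as present, so `OWNERS_FILE=` would try to open an empty path instead of falling back to detection; `os.Getenv` with a `file != ""` check avoids that. The rest of `openCodeownersFile` lies outside this hunk, so I cannot see how the returned reader is closed.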
@@ -0,0 +1,36 @@
+diff --git a/internal/check/valid_owner.go b/internal/check/valid_owner.go
+index a264bcc..610eda8 100644
+--- a/internal/check/valid_owner.go
++++ b/internal/check/valid_owner.go
+@@ -16,7 +16,6 @@ import (
+ const scopeHeader = "X-OAuth-Scopes"
+
+ var reqScopes = map[github.Scope]struct{}{
+- github.ScopeReadOrg: {},
+ }
+
+ type ValidOwnerConfig struct {
+@@ -223,10 +222,7 @@ func (v *ValidOwner) validateTeam(ctx context.Context, name string) *validateErr
+ for _, t := range v.repoTeams {
+ // GitHub normalizes name before comparison
+ if strings.EqualFold(t.GetSlug(), team) {
+- if t.Permissions["push"] {
+- return nil
+- }
+- return newValidateError("Team %q cannot review PRs on %q as neither it nor any parent team has write permissions.", team, v.orgRepoName)
++ return nil
+ }
+ }
+
+@@ -245,10 +241,7 @@ func (v *ValidOwner) validateGitHubUser(ctx context.Context, name string) *valid
+ for _, u := range v.repoUsers {
+ // GitHub normalizes name before comparison
+ if strings.EqualFold(u.GetLogin(), userName) {
+- if u.Permissions["push"] {
+- return nil
+- }
+- return newValidateError("User %q cannot review PRs on %q as they don't have write permissions.", userName, v.orgRepoName)
++ return nil
+ }
+ }
+
diff --git a/ci/default.nix b/ci/default.nix
new file mode 100644
index 0000000000000..02b2e948d17b8
--- /dev/null
+++ b/ci/default.nix
@@ -0,0 +1,29 @@
+let
+ pinnedNixpkgs = builtins.fromJSON (builtins.readFile ./pinned-nixpkgs.json);
+in
+{
+ system ? builtins.currentSystem,
+
+ nixpkgs ? null,
+}:
+let
+ nixpkgs' =
+ if nixpkgs == null then
+ fetchTarball {
+ url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz";
+ sha256 = pinnedNixpkgs.sha256;
+ }
+ else
+ nixpkgs;
+
+ pkgs = import nixpkgs' {
+ inherit system;
+ config = { };
+ overlays = [ ];
+ };
+in
+{
+ inherit pkgs;
+ requestReviews = pkgs.callPackage ./request-reviews { };
+ codeownersValidator = pkgs.callPackage ./codeowners-validator { };
+}
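Review bot: Dropping `github.ScopeReadOrg` from `reqScopes` removes the only up-front check that the token can enumerate organisation teams, so a classic PAT issued without `read:org` now passes the preflight and will presumably fail later in `validateTeam` (the loop over `v.repoTeams` is visible here, the code that populates that slice is not) with a less obvious "team not found" style error. If the motivation is only that GitHub App installation tokens carry no `X-OAuth-Scopes` header, the narrower fix is to skip the scope comparison when the header is absent rather than to delete the scope from the required set. Either way this patch file should carry its own header comment stating both motivations (no write-permission requirement for reviewers; App tokens lack the scopes header), since `default.nix` is currently the only place that explains why both `push` checks and the scope are removed.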
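Review bot: The `nixpkgs ? null` parameter is undocumented in this file, and the `fetchTarball` fallback with `sha256 = pinnedNixpkgs.sha256` is the only thing that makes the CI tools reproducible, so the escape hatch deserves a note right above it, e.g. `# Override to build the CI tools from another Nixpkgs checkout (e.g. --arg nixpkgs ./.); the default is the hash-pinned tarball from ./pinned-nixpkgs.json`. It is worth stating explicitly that passing a path bypasses that hash and is meant for local testing only, since the same hint currently lives only in the `shell.nix` comment elsewhere in this change. A one-line comment on `config = { }; overlays = [ ];` saying that user configuration is deliberately ignored would also help the next reader.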
diff --git a/ci/request-reviews/default.nix b/ci/request-reviews/default.nix
new file mode 100644
index 0000000000000..b51d896539d88
--- /dev/null
+++ b/ci/request-reviews/default.nix
@@ -0,0 +1,43 @@
+{
+ lib,
+ stdenvNoCC,
+ makeWrapper,
+ coreutils,
+ codeowners,
+ jq,
+ curl,
+ github-cli,
+ gitMinimal,
+}:
+stdenvNoCC.mkDerivation {
+ name = "request-reviews";
+ src = lib.fileset.toSource {
+ root = ./.;
+ fileset = lib.fileset.unions [
+ ./get-reviewers.sh
+ ./request-reviews.sh
+ ./verify-base-branch.sh
+ ./dev-branches.txt
+ ];
+ };
+ nativeBuildInputs = [ makeWrapper ];
+ dontBuild = true;
+ installPhase = ''
+ mkdir -p $out/bin
+ mv dev-branches.txt $out/bin
+ for bin in *.sh; do
+ mv "$bin" "$out/bin"
+ wrapProgram "$out/bin/$bin" \
+ --set PATH ${
+ lib.makeBinPath [
+ coreutils
+ codeowners
+ jq
+ curl
+ github-cli
+ gitMinimal
+ ]
+ }
+ done
+ '';
+}
diff --git a/ci/request-reviews/dev-branches.txt b/ci/request-reviews/dev-branches.txt
new file mode 100644
index 0000000000000..2282529881bab
--- /dev/null
+++ b/ci/request-reviews/dev-branches.txt
@@ -0,0 +1,7 @@
+# Trusted development branches:
+# These generally require PRs to update and are built by Hydra.
+master
+staging
+release-*
+staging-*
+haskell-updates
diff --git a/ci/request-reviews/get-reviewers.sh b/ci/request-reviews/get-reviewers.sh
new file mode 100755
index 0000000000000..1107edd9e6f16
--- /dev/null
+++ b/ci/request-reviews/get-reviewers.sh
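Review bot: `mv dev-branches.txt $out/bin` installs a data file into `bin/` with no explanation, and a later cleanup that moves it to `$out/share` would silently break the tool: the scripts added in this same change locate their siblings and the branch list through `SCRIPT_DIR=$(dirname "$0")`, so the file has to stay next to the wrapped scripts. I would add `# The scripts find each other and dev-branches.txt via dirname "$0", so everything lives in bin/` above the `mv`. The `wrapProgram ... --set PATH` line also deserves a note that `--set` (not `--prefix`) is deliberate so only the pinned tools are reachable, and that credentials such as `GH_TOKEN` are still expected from the caller's environment since `--set PATH` does not touch them.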
@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+
+# Get the code owners of the files changed by a PR,
+# suitable to be consumed by the API endpoint to request reviews:
+# https://docs.github.com/en/rest/pulls/review-requests?apiVersion=2022-11-28#request-reviewers-for-a-pull-request
+
+set -euo pipefail
+
+log() {
+ echo "$@" >&2
+}
+
+if (( "$#" < 7 )); then
+ log "Usage: $0 GIT_REPO OWNERS_FILE BASE_REPO BASE_REF HEAD_REF PR_NUMBER PR_AUTHOR"
+ exit 1
+fi
+
+gitRepo=$1
+ownersFile=$2
+baseRepo=$3
+baseRef=$4
+headRef=$5
+prNumber=$6
+prAuthor=$7
+
+tmp=$(mktemp -d)
+trap 'rm -rf "$tmp"' exit
+
+git -C "$gitRepo" diff --name-only --merge-base "$baseRef" "$headRef" > "$tmp/touched-files"
+readarray -t touchedFiles < "$tmp/touched-files"
+log "This PR touches ${#touchedFiles[@]} files"
+
+# Get the owners file from the base, because we don't want to allow PRs to
+# remove code owners to avoid pinging them
+git -C "$gitRepo" show "$baseRef":"$ownersFile" > "$tmp"/codeowners
+
+# Associative array with the user as the key for easy de-duplication
+# Make sure to always lowercase keys to avoid duplicates with different casings
+declare -A users=()
+
+for file in "${touchedFiles[@]}"; do
+ result=$(codeowners --file "$tmp"/codeowners "$file")
+
+ read -r file owners <<< "$result"
+ if [[ "$owners" == "(unowned)" ]]; then
+ log "File $file is unowned"
+ continue
+ fi
+ log "File $file is owned by $owners"
+
+ # Split up multiple owners, separated by arbitrary amounts of spaces
+ IFS=" " read -r -a entries <<< "$owners"
+
+ for entry in "${entries[@]}"; do
+ # GitHub technically also supports Emails as code owners,
+ # but we can't easily support that, so let's not
+ if [[ ! "$entry" =~ @(.*) ]]; then
+ warn -e "\e[33mCodeowner \"$entry\" for file $file is not valid: Must start with \"@\"\e[0m" >&2
+ # Don't fail, because the PR for which this script runs can't fix it,
+ # it has to be fixed in the base branch
+ continue
+ fi
+ # The first regex match is everything after the @
+ entry=${BASH_REMATCH[1]}
+
+ if [[ "$entry" =~ (.*)/(.*) ]]; then
+ # Teams look like $org/$team
+ org=${BASH_REMATCH[1]}
+ team=${BASH_REMATCH[2]}
+
+ # Instead of requesting a review from the team itself,
+ # we request reviews from the individual users.
+ # This is because once somebody from a team reviewed the PR,
+ # the API doesn't expose that the team was already requested for a review,
+ # so we wouldn't be able to avoid rerequesting reviews
+ # without saving some some extra state somewhere
+
+ # We could also consider implementing a more advanced heuristic
+ # in the future that e.g. only pings one team member,
+ # but escalates to somebody else if that member doesn't respond in time.
+ gh api \
+ --cache=1h \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "/orgs/$org/teams/$team/members" \
+ --jq '.[].login' > "$tmp/team-members"
+ readarray -t members < "$tmp/team-members"
+ log "Team $entry has these members: ${members[*]}"
+
+ for user in "${members[@]}"; do
+ users[${user,,}]=
+ done
+ else
+ # Everything else is a user
+ users[${entry,,}]=
+ fi
+ done
+
+done
+
+# Cannot request a review from the author
+if [[ -v users[${prAuthor,,}] ]]; then
+ log "One or more files are owned by the PR author, ignoring"
+ unset 'users[${prAuthor,,}]'
+fi
+
+gh api \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "/repos/$baseRepo/pulls/$prNumber/reviews" \
+ --jq '.[].user.login' > "$tmp/already-reviewed-by"
+
+# And we don't want to rerequest reviews from people who already reviewed
+while read -r user; do
+ if [[ -v users[${user,,}] ]]; then
+ log "User $user is a code owner but has already left a review, ignoring"
+ unset 'users[${user,,}]'
+ fi
+done < "$tmp/already-reviewed-by"
+
+# Turn it into a JSON for the GitHub API call to request PR reviewers
+jq -n \
+ --arg users "${!users[*]}" \
+ '{
+ reviewers: $users | split(" "),
+ }'
diff --git a/ci/request-reviews/request-reviews.sh b/ci/request-reviews/request-reviews.sh
new file mode 100755
index 0000000000000..b21354560242a
--- /dev/null
+++ b/ci/request-reviews/request-reviews.sh
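Review bot: `warn -e "\e[33mCodeowner ..."` calls a function this script never defines (only `log` is), so under `set -e` an owner entry without a leading `@` aborts the whole run with "warn: command not found" instead of being skipped as the comment right below it intends. Use the existing helper, which already writes to stderr, and drop the now redundant redirection: `log -e "\e[33mCodeowner \"$entry\" for file $file is not valid: Must start with \"@\"\e[0m"`. Note also that nothing in this script confirms a listed user can actually be requested for review on `$baseRepo`; since the validator is patched elsewhere in this change to no longer require write permission, and the reviewers are sent in one batched call, a single entry for a non-collaborator would in my understanding make the API reject the entire request, so a per-user check against `/repos/$baseRepo/collaborators/$user` before inserting into `users` would make the script robust to stale OWNERS entries.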
@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+
+# Requests reviews for a PR after verifying that the base branch is correct
+
+set -euo pipefail
+tmp=$(mktemp -d)
+trap 'rm -rf "$tmp"' exit
+SCRIPT_DIR=$(dirname "$0")
+
+log() {
+ echo "$@" >&2
+}
+
+effect() {
+ if [[ -n "${DRY_MODE:-}" ]]; then
+ log "Skipping in dry mode:" "${@@Q}"
+ else
+ "$@"
+ fi
+}
+
+if (( $# < 3 )); then
+ log "Usage: $0 GITHUB_REPO PR_NUMBER OWNERS_FILE"
+ exit 1
+fi
+baseRepo=$1
+prNumber=$2
+ownersFile=$3
+
+log "Fetching PR info"
+prInfo=$(gh api \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "/repos/$baseRepo/pulls/$prNumber")
+
+baseBranch=$(jq -r .base.ref <<< "$prInfo")
+log "Base branch: $baseBranch"
+prRepo=$(jq -r .head.repo.full_name <<< "$prInfo")
+log "PR repo: $prRepo"
+prBranch=$(jq -r .head.ref <<< "$prInfo")
+log "PR branch: $prBranch"
+prAuthor=$(jq -r .user.login <<< "$prInfo")
+log "PR author: $prAuthor"
+
+extraArgs=()
+if pwdRepo=$(git rev-parse --show-toplevel 2>/dev/null); then
+ # Speedup for local runs
+ extraArgs+=(--reference-if-able "$pwdRepo")
+fi
+
+log "Fetching Nixpkgs commit history"
+# We only need the commit history, not the contents, so we can do a tree-less clone using tree:0
+# https://github.blog/open-source/git/get-up-to-speed-with-partial-clone-and-shallow-clone/#user-content-quick-summary
+git clone --bare --filter=tree:0 --no-tags --origin upstream "${extraArgs[@]}" https://github.com/"$baseRepo".git "$tmp"/nixpkgs.git
+
+log "Fetching the PR commit history"
+# Fetch the PR
+git -C "$tmp/nixpkgs.git" remote add fork https://github.com/"$prRepo".git
+# This remote config is the same as --filter=tree:0 when cloning
+git -C "$tmp/nixpkgs.git" config remote.fork.partialclonefilter tree:0
+git -C "$tmp/nixpkgs.git" config remote.fork.promisor true
+
+git -C "$tmp/nixpkgs.git" fetch --no-tags fork "$prBranch"
+headRef=$(git -C "$tmp/nixpkgs.git" rev-parse refs/remotes/fork/"$prBranch")
+
+log "Checking correctness of the base branch"
+if ! "$SCRIPT_DIR"/verify-base-branch.sh "$tmp/nixpkgs.git" "$headRef" "$baseRepo" "$baseBranch" "$prRepo" "$prBranch" | tee "$tmp/invalid-base-error" >&2; then
+ log "Posting error as comment"
+ if ! response=$(effect gh api \
+ --method POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "/repos/$baseRepo/issues/$prNumber/comments" \
+ -F "body=@$tmp/invalid-base-error"); then
+ log "Failed to post the comment: $response"
+ fi
+ exit 1
+fi
+
+log "Getting code owners to request reviews from"
+"$SCRIPT_DIR"/get-reviewers.sh "$tmp/nixpkgs.git" "$ownersFile" "$baseRepo" "$baseBranch" "$headRef" "$prNumber" "$prAuthor" > "$tmp/reviewers.json"
+
+log "Requesting reviews from: $(<"$tmp/reviewers.json")"
+
+if ! response=$(effect gh api \
+ --method POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "/repos/$baseRepo/pulls/$prNumber/requested_reviewers" \
+ --input "$tmp/reviewers.json"); then
+ log "Failed to request reviews: $response"
+ exit 1
+fi
+
+log "Successfully requested reviews"
diff --git a/ci/request-reviews/verify-base-branch.sh b/ci/request-reviews/verify-base-branch.sh
new file mode 100755
index 0000000000000..7be280db8d650
--- /dev/null
+++ b/ci/request-reviews/verify-base-branch.sh
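Review bot: `prRepo=$(jq -r .head.repo.full_name <<< "$prInfo")` yields the literal string `null` when the head repository is gone (GitHub returns `head.repo` as null once a contributor deletes their fork), after which `git remote add fork https://github.com/null.git` and the fetch fail with an unrelated-looking error. The PR head is always reachable from the base repository as `refs/pull/N/head`, which also removes the window between reading the PR and fetching the current tip of `$prBranch` (the script never compares against `.head.sha`). I would drop the `fork` remote and its two `config` lines and instead use `git -C "$tmp/nixpkgs.git" fetch --no-tags upstream "refs/pull/$prNumber/head"` followed by `headRef=$(git -C "$tmp/nixpkgs.git" rev-parse FETCH_HEAD)`, then fail early if that does not equal `.head.sha` so a concurrent push is reported rather than silently analysed; `prRepo` and `prBranch` remain needed only for the same-repository check in `verify-base-branch.sh`.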
@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+
+# Check that a PR doesn't include commits from other development branches.
+# Fails with next steps if it does
+
+set -euo pipefail
+tmp=$(mktemp -d)
+trap 'rm -rf "$tmp"' exit
+SCRIPT_DIR=$(dirname "$0")
+
+log() {
+ echo "$@" >&2
+}
+
+# Small helper to check whether an element is in a list
+# Usage: `elementIn foo "${list[@]}"`
+elementIn() {
+ local e match=$1
+ shift
+ for e; do
+ if [[ "$e" == "$match" ]]; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+if (( $# < 6 )); then
+ log "Usage: $0 LOCAL_REPO HEAD_REF BASE_REPO BASE_BRANCH PR_REPO PR_BRANCH"
+ exit 1
+fi
+localRepo=$1
+headRef=$2
+baseRepo=$3
+baseBranch=$4
+prRepo=$5
+prBranch=$6
+
+# All development branches
+devBranchPatterns=()
+while read -r pattern; do
+ if [[ "$pattern" != '#'* ]]; then
+ devBranchPatterns+=("$pattern")
+ fi
+done < "$SCRIPT_DIR/dev-branches.txt"
+
+git -C "$localRepo" branch --list --format "%(refname:short)" "${devBranchPatterns[@]}" > "$tmp/dev-branches"
+readarray -t devBranches < "$tmp/dev-branches"
+
+if [[ "$baseRepo" == "$prRepo" ]] && elementIn "$prBranch" "${devBranches[@]}"; then
+ log "This PR merges $prBranch into $baseBranch, no commit check necessary"
+ exit 0
+fi
+
+# The current merge base of the PR
+prMergeBase=$(git -C "$localRepo" merge-base "$baseBranch" "$headRef")
+log "The PR's merge base with the base branch $baseBranch is $prMergeBase"
+
+# This is purely for debugging
+git -C "$localRepo" rev-list --reverse "$baseBranch".."$headRef" > "$tmp/pr-commits"
+log "The PR includes these $(wc -l < "$tmp/pr-commits") commits:"
+cat <"$tmp/pr-commits" >&2
+
+for testBranch in "${devBranches[@]}"; do
+
+ if [[ -z "$(git -C "$localRepo" rev-list -1 --since="1 month ago" "$testBranch")" ]]; then
+ log "Not checking $testBranch, was inactive for the last month"
+ continue
+ fi
+ log "Checking if commits from $testBranch are included in the PR"
+
+ # We need to check for any commits that are in the PR which are also in the test branch.
+ # We could check each commit from the PR individually, but that's unnecessarily slow.
+ #
+ # This does _almost_ what we want: `git rev-list --count headRef testBranch ^baseBranch`,
+ # except that it includes commits that are reachable from _either_ headRef or testBranch,
+ # instead of restricting it to ones reachable by both
+
+ # Easily fixable though, because we can use `git merge-base testBranch headRef`
+ # to get the least common ancestor (aka merge base) commit reachable by both.
+ # If the branch being tested is indeed the right base branch,
+ # this is then also the commit from that branch that the PR is based on top of.
+ testMergeBase=$(git -C "$localRepo" merge-base "$testBranch" "$headRef")
+
+ # And then use the `git rev-list --count`, but replacing the non-working
+ # `headRef testBranch` with the merge base of the two.
+ extraCommits=$(git -C "$localRepo" rev-list --count "$testMergeBase" ^"$baseBranch")
+
+ if (( extraCommits != 0 )); then
+ log -e "\e[33m"
+ echo "The PR's base branch is set to $baseBranch, but $extraCommits commits from the $testBranch branch are included. Make sure you know the [right base branch for your changes](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#branch-conventions), then:"
+ echo "- If the changes should go to the $testBranch branch, [change the base branch](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-base-branch-of-a-pull-request) to $testBranch"
+ echo "- If the changes should go to the $baseBranch branch, rebase your PR onto the merge base with the $baseBranch branch:"
+ echo " \`\`\`bash"
+ echo " # git rebase --onto \$(git merge-base upstream/$baseBranch HEAD) \$(git merge-base upstream/$testBranch HEAD)"
+ echo " git rebase --onto $prMergeBase $testMergeBase"
+ echo " git push --force-with-lease"
+ echo " \`\`\`"
+ log -e "\e[m"
+ exit 1
+ fi
+done
+
+log "Base branch is correct, no commits from development branches are included"
diff --git a/shell.nix b/shell.nix
index d9e94eb2816d5..517e29c8b738f 100644
--- a/shell.nix
+++ b/shell.nix
@@ -4,22 +4,19 @@ # because every time you change any file and do another `nix develop`, # it would create another copy of the entire ~500MB tree in the store. # See https://github.com/NixOS/nix/pull/6530 for the future +# +# Note: We use a pinned Nixpkgs so that the tools are readily available even +# when making changes that would otherwise require a new build of those tools. +# If you'd like to test out changes to the tools themselves, you can pass +# +# nix-shell --arg nixpkgs ./. +# { system ? builtins.currentSystem, + nixpkgs ? null, }: let - pinnedNixpkgs = builtins.fromJSON (builtins.readFile ci/pinned-nixpkgs.json); - - nixpkgs = fetchTarball { - url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz"; - sha256 = pinnedNixpkgs.sha256; - }; - - pkgs = import nixpkgs { - inherit system; - config = {}; - overlays = []; - }; + inherit (import ./ci { inherit nixpkgs system; }) pkgs; in pkgs.mkShellNoCC { packages = [
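Review bot: The user-facing explanation inside the `if (( extraCommits != 0 ))` branch is written with plain `echo` to stdout while everything else goes through `log` (stderr), and the header does not say why; the caller in `request-reviews.sh` captures this script's stdout with `tee` and posts it verbatim as a PR comment, so any future `echo` added for debugging would leak into the comment. I would extend the header to `# Fails with next steps if it does. stdout is posted as a PR comment by request-reviews.sh, so only the user-facing explanation goes there; all diagnostics must use log (stderr).` The colour escapes `log -e "\e[33m"` and `log -e "\e[m"` only reach stderr, which is consistent with that contract and worth a one-line remark so nobody "fixes" them into the echoed text.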