From b112355dd3e92393a2312456c4c3d80fdec3029e Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Mon, 29 Jul 2024 00:19:46 +0200 Subject: [PATCH 01/18] shell.nix: Enable e.g. --arg nixpkgs ./. This allows shell.nix to be run with the latest tools instead of the pinned ones when desired, which is probably not very often, but useful nonetheless. (cherry picked from commit b07c44198798fdd9f51c9ba34dc4811b857e56d4) --- shell.nix | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/shell.nix b/shell.nix index d9e94eb2816d..9913ff5dbc7d 100644 --- a/shell.nix +++ b/shell.nix @@ -4,17 +4,25 @@ # because every time you change any file and do another `nix develop`, # it would create another copy of the entire ~500MB tree in the store. # See https://github.com/NixOS/nix/pull/6530 for the future -{ - system ? builtins.currentSystem, -}: +# +# Note: We use a pinned Nixpkgs so that the tools are readily available even +# when making changes that would otherwise require a new build of those tools. +# If you'd like to test out changes to the tools themselves, you can pass +# +# nix-shell --arg nixpkgs ./. +# let pinnedNixpkgs = builtins.fromJSON (builtins.readFile ci/pinned-nixpkgs.json); +in +{ + system ? builtins.currentSystem, - nixpkgs = fetchTarball { + nixpkgs ? fetchTarball { url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz"; sha256 = pinnedNixpkgs.sha256; - }; - + }, +}: +let pkgs = import nixpkgs { inherit system; config = {}; From 4bedbf85a97b307cdb53b42f89e256fa1e7f5b55 Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Tue, 1 Oct 2024 05:59:38 +0200 Subject: [PATCH 02/18] ci: Add default.nix with exposed pkgs Allows reusing it in more places (cherry picked from commit 1700d0058809db5fa3bf64cdde79c1f417d760ea) --- ci/default.nix | 27 +++++++++++++++++++++++++++ shell.nix | 15 ++------------- 2 files changed, 29 insertions(+), 13 deletions(-) create mode 100644 ci/default.nix 
diff --git a/ci/default.nix b/ci/default.nix new file mode 100644 index 000000000000..fb5ca04fe728 --- /dev/null +++ b/ci/default.nix @@ -0,0 +1,27 @@ +let + pinnedNixpkgs = builtins.fromJSON (builtins.readFile ./pinned-nixpkgs.json); +in +{ + system ? builtins.currentSystem, + + nixpkgs ? null, +}: +let + nixpkgs' = + if nixpkgs == null then + fetchTarball { + url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz"; + sha256 = pinnedNixpkgs.sha256; + } + else + nixpkgs; + + pkgs = import nixpkgs' { + inherit system; + config = { }; + overlays = [ ]; + }; +in +{ + inherit pkgs; +} diff --git a/shell.nix b/shell.nix index 9913ff5dbc7d..517e29c8b738 100644 --- a/shell.nix +++ b/shell.nix @@ -11,23 +11,12 @@ # # nix-shell --arg nixpkgs ./. # -let - pinnedNixpkgs = builtins.fromJSON (builtins.readFile ci/pinned-nixpkgs.json); -in { system ? builtins.currentSystem, - - nixpkgs ? fetchTarball { - url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz"; - sha256 = pinnedNixpkgs.sha256; - }, + nixpkgs ? null, }: let - pkgs = import nixpkgs { - inherit system; - config = {}; - overlays = []; - }; + inherit (import ./ci { inherit nixpkgs system; }) pkgs; in pkgs.mkShellNoCC { packages = [ From 2eb82ca07428e2a41cd64a83862d3a936ef62173 Mon Sep 17 00:00:00 2001 
From: Silvan Mosberger Date: Fri, 4 Oct 2024 01:49:44 +0200 Subject: [PATCH 03/18] ci: Add review request scripts Also post a comment in case base branch is wrong This guides newcomers in how to smoothly handle the potentially scary situation of having thousands of commits listed in a PR. While CI shows the same, people might not even look at CI if the PR looks botched. (cherry picked from commit 369cfa02da5b3e2b3c99ab33e09553c63d00ef71) --- ci/default.nix | 1 + ci/request-reviews/default.nix | 43 ++++++++++ ci/request-reviews/dev-branches.txt | 7 ++ ci/request-reviews/get-reviewers.sh | 87 +++++++++++++++++++ ci/request-reviews/request-reviews.sh | 97 +++++++++++++++++++++ ci/request-reviews/verify-base-branch.sh | 103 +++++++++++++++++++++++ 6 files changed, 338 insertions(+) create mode 100644 ci/request-reviews/default.nix create mode 100644 ci/request-reviews/dev-branches.txt create mode 100755 ci/request-reviews/get-reviewers.sh create mode 100755 ci/request-reviews/request-reviews.sh create mode 100755 ci/request-reviews/verify-base-branch.sh diff --git a/ci/default.nix b/ci/default.nix index fb5ca04fe728..8a4341048f67 100644 --- a/ci/default.nix +++ b/ci/default.nix @@ -24,4 +24,5 @@ let in { inherit pkgs; + requestReviews = pkgs.callPackage ./request-reviews { }; } diff --git a/ci/request-reviews/default.nix b/ci/request-reviews/default.nix new file mode 100644 index 000000000000..b51d896539d8 --- /dev/null +++ b/ci/request-reviews/default.nix 
@@ -0,0 +1,43 @@ +{ + lib, + stdenvNoCC, + makeWrapper, + coreutils, + codeowners, + jq, + curl, + github-cli, + gitMinimal, +}: +stdenvNoCC.mkDerivation { + name = "request-reviews"; + src = lib.fileset.toSource { + root = ./.; + fileset = lib.fileset.unions [ + ./get-reviewers.sh + ./request-reviews.sh + ./verify-base-branch.sh + ./dev-branches.txt + ]; + }; + nativeBuildInputs = [ makeWrapper ]; + dontBuild = true; + installPhase = '' + mkdir -p $out/bin + mv dev-branches.txt $out/bin + for bin in *.sh; do + mv "$bin" "$out/bin" + wrapProgram "$out/bin/$bin" \ + --set PATH ${ + lib.makeBinPath [ + coreutils + codeowners + jq + curl + github-cli + gitMinimal + ] + } + done + ''; +} diff --git a/ci/request-reviews/dev-branches.txt b/ci/request-reviews/dev-branches.txt new file mode 100644 index 000000000000..2282529881ba --- /dev/null +++ b/ci/request-reviews/dev-branches.txt @@ -0,0 +1,7 @@ +# Trusted development branches: +# These generally require PRs to update and are built by Hydra. +master +staging +release-* +staging-* +haskell-updates diff --git a/ci/request-reviews/get-reviewers.sh b/ci/request-reviews/get-reviewers.sh new file mode 100755 index 000000000000..d5cd9e0a4fd4 --- /dev/null +++ b/ci/request-reviews/get-reviewers.sh 
@@ -0,0 +1,87 @@ +#!/usr/bin/env bash + +# Get the code owners of the files changed by a PR, +# suitable to be consumed by the API endpoint to request reviews: +# https://docs.github.com/en/rest/pulls/review-requests?apiVersion=2022-11-28#request-reviewers-for-a-pull-request + +set -euo pipefail + +log() { + echo "$@" >&2 +} + +if (( "$#" < 5 )); then + log "Usage: $0 GIT_REPO BASE_REF HEAD_REF OWNERS_FILE PR_AUTHOR" + exit 1 +fi + +gitRepo=$1 +baseRef=$2 +headRef=$3 +ownersFile=$4 +prAuthor=$5 + +tmp=$(mktemp -d) +trap 'rm -rf "$tmp"' exit + +git -C "$gitRepo" diff --name-only --merge-base "$baseRef" "$headRef" > "$tmp/touched-files" +readarray -t touchedFiles < "$tmp/touched-files" +log "This PR touches ${#touchedFiles[@]} files" + +# Get the owners file from the base, because we don't want to allow PRs to +# remove code owners to avoid pinging them +git -C "$gitRepo" show "$baseRef":"$ownersFile" > "$tmp"/codeowners + +# Associative arrays with the team/user as the key for easy deduplication +declare -A teams users + +for file in "${touchedFiles[@]}"; do + result=$(codeowners --file "$tmp"/codeowners "$file") + + read -r file owners <<< "$result" + if [[ "$owners" == "(unowned)" ]]; then + log "File $file is unowned" + continue + fi + log "File $file is owned by $owners" + + # Split up multiple owners, separated by arbitrary amounts of spaces + IFS=" " read -r -a entries <<< "$owners" + + for entry in "${entries[@]}"; do + # GitHub technically also supports Emails as code owners, + # but we can't easily support that, so let's not + if [[ ! 
"$entry" =~ @(.*) ]]; then + warn -e "\e[33mCodeowner \"$entry\" for file $file is not valid: Must start with \"@\"\e[0m" >&2 + # Don't fail, because the PR for which this script runs can't fix it, + # it has to be fixed in the base branch + continue + fi + # The first regex match is everything after the @ + entry=${BASH_REMATCH[1]} + if [[ "$entry" =~ .*/(.*) ]]; then + # Teams look like $org/$team, where we only need $team for the API + # call to request reviews from teams + teams[${BASH_REMATCH[1]}]= + else + # Everything else is a user + users[$entry]= + fi + done + +done + +# Cannot request a review from the author +if [[ -v users[$prAuthor] ]]; then + log "One or more files are owned by the PR author, ignoring" + unset 'users[$prAuthor]' +fi + +# Turn it into a JSON for the GitHub API call to request PR reviewers +jq -n \ + --arg users "${!users[*]}" \ + --arg teams "${!teams[*]}" \ + '{ + reviewers: $users | split(" "), + team_reviewers: $teams | split(" ") + }' diff --git a/ci/request-reviews/request-reviews.sh b/ci/request-reviews/request-reviews.sh new file mode 100755 index 000000000000..d62ab309bcc8 --- /dev/null +++ b/ci/request-reviews/request-reviews.sh 
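Review bot: `warn -e ...` in the invalid-codeowner branch (right after the `@(.*)` regex test) calls a function this script never defines — only `log` exists — so under `set -euo pipefail` the first malformed entry ends the whole run with command-not-found instead of being skipped as the comment two lines below promises. Use the existing helper, `log -e "\e[33mCodeowner \"$entry\" for file $file is not valid: Must start with \"@\"\e[0m"`, and drop the trailing `>&2`, which `log` already does. A smaller robustness point in the same loop: `read -r file owners <<< "$result"` splits on whitespace, so a touched path containing a space (the file list is derived from the PR's diff) would be mis-parsed into `file`/`owners`; since `codeowners` appears to echo the path it was given, comparing `$file` against the path you passed in and logging a mismatch would at least make that visible.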
@@ -0,0 +1,97 @@ +#!/usr/bin/env bash + +# Requests reviews for a PR after verifying that the base branch is correct + +set -euo pipefail +tmp=$(mktemp -d) +trap 'rm -rf "$tmp"' exit +SCRIPT_DIR=$(dirname "$0") + +log() { + echo "$@" >&2 +} + +effect() { + if [[ -n "${DRY_MODE:-}" ]]; then + log "Skipping in dry mode:" "${@@Q}" + else + "$@" + fi +} + +if (( $# < 3 )); then + log "Usage: $0 GITHUB_REPO PR_NUMBER OWNERS_FILE" + exit 1 +fi +baseRepo=$1 +prNumber=$2 +ownersFile=$3 + +log "Fetching PR info" +prInfo=$(gh api \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "/repos/$baseRepo/pulls/$prNumber") + +baseBranch=$(jq -r .base.ref <<< "$prInfo") +log "Base branch: $baseBranch" +prRepo=$(jq -r .head.repo.full_name <<< "$prInfo") +log "PR repo: $prRepo" +prBranch=$(jq -r .head.ref <<< "$prInfo") +log "PR branch: $prBranch" +prAuthor=$(jq -r .user.login <<< "$prInfo") +log "PR author: $prAuthor" + +extraArgs=() +if pwdRepo=$(git rev-parse --show-toplevel 2>/dev/null); then + # Speedup for local runs + extraArgs+=(--reference-if-able "$pwdRepo") +fi + +log "Fetching Nixpkgs commit history" +# We only need the commit history, not the contents, so we can do a tree-less clone using tree:0 +# https://github.blog/open-source/git/get-up-to-speed-with-partial-clone-and-shallow-clone/#user-content-quick-summary +git clone --bare --filter=tree:0 --no-tags --origin upstream "${extraArgs[@]}" https://github.com/"$baseRepo".git "$tmp"/nixpkgs.git + +log "Fetching the PR commit history" +# Fetch the PR +git -C "$tmp/nixpkgs.git" remote add fork https://github.com/"$prRepo".git +# This remote config is the same as --filter=tree:0 when cloning +git -C "$tmp/nixpkgs.git" config remote.fork.partialclonefilter tree:0 +git -C "$tmp/nixpkgs.git" config remote.fork.promisor true + +# This should not conflict with any refs in Nixpkgs +headRef=refs/remotes/fork/pr +# Only fetch into a remote ref, because the local ref namespace is used by 
Nixpkgs, don't want any conflicts +git -C "$tmp/nixpkgs.git" fetch --no-tags fork "$prBranch":"$headRef" + +log "Checking correctness of the base branch" +if ! "$SCRIPT_DIR"/verify-base-branch.sh "$tmp/nixpkgs.git" "$headRef" "$baseRepo" "$baseBranch" "$prRepo" "$prBranch" | tee "$tmp/invalid-base-error" >&2; then + log "Posting error as comment" + if ! response=$(effect gh api \ + --method POST \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "/repos/$baseRepo/issues/$prNumber/comments" \ + -F "body=@$tmp/invalid-base-error"); then + log "Failed to post the comment: $response" + fi + exit 1 +fi + +log "Getting code owners to request reviews from" +"$SCRIPT_DIR"/get-reviewers.sh "$tmp/nixpkgs.git" "$baseBranch" "$headRef" "$ownersFile" "$prAuthor" > "$tmp/reviewers.json" + +log "Requesting reviews from: $(<"$tmp/reviewers.json")" + +if ! response=$(effect gh api \ + --method POST \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "/repos/$baseRepo/pulls/$prNumber/requested_reviewers" \ + --input "$tmp/reviewers.json"); then + log "Failed to request reviews: $response" + exit 1 +fi + +log "Successfully requested reviews" diff --git a/ci/request-reviews/verify-base-branch.sh b/ci/request-reviews/verify-base-branch.sh new file mode 100755 index 000000000000..17d721c5ddd1 --- /dev/null +++ b/ci/request-reviews/verify-base-branch.sh 
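Review bot: `prRepo=$(jq -r .head.repo.full_name <<< "$prInfo")` yields the literal string `null` when the PR's head repository has been deleted, and the script then adds `https://github.com/null.git` as the `fork` remote and fails on the fetch with an unrelated-looking git error. Check for that right after the lookup: `if [[ "$prRepo" == null ]]; then log "The PR's head repository no longer exists, nothing to do"; exit 1; fi` (use `exit 0` if this should not show up as a failed job). Separately, both `response=$(effect gh api ...)` substitutions capture only stdout while `gh` reports failures on stderr, so the `Failed to post the comment: $response` and `Failed to request reviews: $response` lines will usually print nothing useful; adding `2>&1` inside the substitution keeps the real reason in the log.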
@@ -0,0 +1,103 @@ +#!/usr/bin/env bash + +# Check that a PR doesn't include commits from other development branches. +# Fails with next steps if it does + +set -euo pipefail +tmp=$(mktemp -d) +trap 'rm -rf "$tmp"' exit +SCRIPT_DIR=$(dirname "$0") + +log() { + echo "$@" >&2 +} + +# Small helper to check whether an element is in a list +# Usage: `elementIn foo "${list[@]}"` +elementIn() { + local e match=$1 + shift + for e; do + if [[ "$e" == "$match" ]]; then + return 0 + fi + done + return 1 +} + +if (( $# < 6 )); then + log "Usage: $0 LOCAL_REPO HEAD_REF BASE_REPO BASE_BRANCH PR_REPO PR_BRANCH" + exit 1 +fi +localRepo=$1 +headRef=$2 +baseRepo=$3 +baseBranch=$4 +prRepo=$5 +prBranch=$6 + +# All development branches +devBranchPatterns=() +while read -r pattern; do + if [[ "$pattern" != '#'* ]]; then + devBranchPatterns+=("$pattern") + fi +done < "$SCRIPT_DIR/dev-branches.txt" + +git -C "$localRepo" branch --list --format "%(refname:short)" "${devBranchPatterns[@]}" > "$tmp/dev-branches" +readarray -t devBranches < "$tmp/dev-branches" + +if [[ "$baseRepo" == "$prRepo" ]] && elementIn "$prBranch" "${devBranches[@]}"; then + log "This PR merges $prBranch into $baseBranch, no commit check necessary" + exit 0 +fi + +# The current merge base of the PR +prMergeBase=$(git -C "$localRepo" merge-base "$baseBranch" "$headRef") +log "The PR's merge base with the base branch $baseBranch is $prMergeBase" + +# This is purely for debugging +git -C "$localRepo" rev-list --reverse "$baseBranch".."$headRef" > "$tmp/pr-commits" +log "The PR includes these $(wc -l < "$tmp/pr-commits") commits:" +cat <"$tmp/pr-commits" >&2 + +for testBranch in "${devBranches[@]}"; do + + if [[ -z "$(git -C "$localRepo" rev-list -1 --since="1 month ago" "$testBranch")" ]]; then + log "Not checking $testBranch, was inactive for the last month" + continue + fi + log "Checking if commits from $testBranch are included in the PR" + + # We need to check for any commits that are in the PR which are also in the 
test branch. + # We could check each commit from the PR individually, but that's unnecessarily slow. + # + # This does _almost_ what we want: `git rev-list --count headRef testBranch ^baseBranch`, + # except that it includes commits that are reachable from _either_ headRef or testBranch, + # instead of restricting it to ones reachable by both + + # Easily fixable though, because we can use `git merge-base testBranch headRef` + # to get the least common ancestor (aka merge base) commit reachable by both. + # If the branch being tested is indeed the right base branch, + # this is then also the commit from that branch that the PR is based on top of. + testMergeBase=$(git -C "$localRepo" merge-base "$testBranch" "$headRef") + + # And then use the `git rev-list --count`, but replacing the non-working + # `headRef testBranch` with the merge base of the two. + extraCommits=$(git -C "$localRepo" rev-list --count "$testMergeBase" ^"$baseBranch") + + if (( extraCommits != 0 )); then + log -e "\e[33m" + echo "The PR's base branch is set to $baseBranch, but $extraCommits commits from the $testBranch branch are included. Make sure you know the [right base branch for your changes](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#branch-conventions), then:" + echo "- If the changes should go to the $testBranch branch, [change the base branch](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-base-branch-of-a-pull-request) to $testBranch" + echo "- If the changes should go to the $baseBranch branch, rebase your PR onto the merge base with the $testBranch branch:" + echo " \`\`\`" + echo " git rebase --onto $prMergeBase $testMergeBase" + echo " git push --force-with-lease" + echo " \`\`\`" + log -e "\e[m" + exit 1 + fi +done + +log "Base branch is correct, no commits from development branches are included" From 1a317c035cb4f11b8679a3565774132891faa600 Mon Sep 17 00:00:00 2001 
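Review bot: The `while read -r pattern` loop that builds `devBranchPatterns` only filters out `#` comments, so a blank line in `dev-branches.txt` becomes an empty pattern handed to `git branch --list`; make the filter `if [[ -n "$pattern" && "$pattern" != '#'* ]]; then` so the file can be formatted freely. The `for testBranch` loop also runs the `merge-base` and `rev-list --count` calls against `$baseBranch` itself, where `extraCommits` is necessarily 0 (the merge base with the head is reachable from the base branch), so `[[ "$testBranch" == "$baseBranch" ]] && continue` at the top of the loop both saves a round of git work and states the intent. The multi-line explanation of the `git rev-list --count headRef testBranch ^baseBranch` pitfall is good; keeping it as one paragraph rather than two would make the "Easily fixable though" sentence read as the continuation it is.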
From: Silvan Mosberger Date: Fri, 4 Oct 2024 01:50:36 +0200 Subject: [PATCH 04/18] ci: Add codeowners validator (cherry picked from commit 5695bf6cfe406d84b514310b23bf9b2dcd5caec2) --- ci/codeowners-validator/default.nix | 31 ++++++++++++++++ .../owners-file-name.patch | 15 ++++++++ ci/codeowners-validator/permissions.patch | 36 +++++++++++++++++++ ci/default.nix | 1 + 4 files changed, 83 insertions(+) create mode 100644 ci/codeowners-validator/default.nix create mode 100644 ci/codeowners-validator/owners-file-name.patch create mode 100644 ci/codeowners-validator/permissions.patch diff --git a/ci/codeowners-validator/default.nix b/ci/codeowners-validator/default.nix new file mode 100644 index 000000000000..5c2d5335c35e --- /dev/null +++ b/ci/codeowners-validator/default.nix @@ -0,0 +1,31 @@ +{ + buildGoModule, + fetchFromGitHub, + fetchpatch, +}: +buildGoModule { + name = "codeowners-validator"; + src = fetchFromGitHub { + owner = "mszostok"; + repo = "codeowners-validator"; + rev = "f3651e3810802a37bd965e6a9a7210728179d076"; + hash = "sha256-5aSmmRTsOuPcVLWfDF6EBz+6+/Qpbj66udAmi1CLmWQ="; + }; + patches = [ + # https://github.com/mszostok/codeowners-validator/pull/222 + (fetchpatch { + name = "user-write-access-check"; + url = "https://github.com/mszostok/codeowners-validator/compare/f3651e3810802a37bd965e6a9a7210728179d076...840eeb88b4da92bda3e13c838f67f6540b9e8529.patch"; + hash = "sha256-t3Dtt8SP9nbO3gBrM0nRE7+G6N/ZIaczDyVHYAG/6mU="; + }) + # Undoes part of the above PR: We don't want to require write access + # to the repository, that's only needed for GitHub's native CODEOWNERS. + # Furthermore, it removes an unneccessary check from the code + # that breaks tokens generated for GitHub Apps. + ./permissions.patch + # Allows setting a custom CODEOWNERS path using the OWNERS_FILE env var + ./owners-file-name.patch + ]; + postPatch = "rm -r docs/investigation"; + vendorHash = "sha256-R+pW3xcfpkTRqfS2ETVOwG8PZr0iH5ewroiF7u8hcYI="; +} 
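Review bot: `postPatch = "rm -r docs/investigation";` is the only step in this derivation without a stated reason, and it is exactly the line the next person bumping `rev` will have to puzzle over; a one-line comment naming what in that directory breaks the build or the vendoring — the author knows, the diff does not say — would fix that. The rest of the file has the right supply-chain posture for a tool that will run with an App token in CI: `fetchFromGitHub` pinned by both `rev` and `hash`, and the upstream PR pulled in through `fetchpatch` with a hash rather than from a moving branch. One cosmetic follow-up: `name = "codeowners-validator"` carries no version or snapshot date, so `nix-build` output and store paths give no hint which upstream state is in use; `name = "codeowners-validator-unstable-<YYYY-MM-DD>"` (date of the pinned `rev`) is the usual nixpkgs form.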
diff --git a/ci/codeowners-validator/owners-file-name.patch b/ci/codeowners-validator/owners-file-name.patch new file mode 100644 index 000000000000..d8b87ba2f84a --- /dev/null +++ b/ci/codeowners-validator/owners-file-name.patch @@ -0,0 +1,15 @@ +diff --git a/pkg/codeowners/owners.go b/pkg/codeowners/owners.go +index 6910bd2..e0c95e9 100644 +--- a/pkg/codeowners/owners.go ++++ b/pkg/codeowners/owners.go +@@ -39,6 +39,10 @@ func NewFromPath(repoPath string) ([]Entry, error) { + // openCodeownersFile finds a CODEOWNERS file and returns content. + // see: https://help.github.com/articles/about-code-owners/#codeowners-file-location + func openCodeownersFile(dir string) (io.Reader, error) { ++ if file, ok := os.LookupEnv("OWNERS_FILE"); ok { ++ return fs.Open(file) ++ } ++ + var detectedFiles []string + for _, p := range []string{".", "docs", ".github"} { + pth := path.Join(dir, p) diff --git a/ci/codeowners-validator/permissions.patch b/ci/codeowners-validator/permissions.patch new file mode 100644 index 000000000000..38f42f483995 --- /dev/null +++ b/ci/codeowners-validator/permissions.patch 
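Review bot: The added `OWNERS_FILE` branch in `openCodeownersFile` returns `fs.Open(file)` without consulting `dir`, so a relative `OWNERS_FILE` is resolved against the process working directory rather than the repository path the function was given; the workflow in this series compensates by setting `OWNERS_FILE: pr/...` next to `REPOSITORY_PATH: pr`, but that coupling is invisible from the patch. Document it where the behaviour lives, e.g. `// OWNERS_FILE is opened as given (not relative to dir); callers must pass a path valid from the working directory.` above the `LookupEnv` call. The env var also silently bypasses the three-location detection below it, which is intended here but worth one more clause in that comment.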
@@ -0,0 +1,36 @@ +diff --git a/internal/check/valid_owner.go b/internal/check/valid_owner.go +index a264bcc..610eda8 100644 +--- a/internal/check/valid_owner.go ++++ b/internal/check/valid_owner.go +@@ -16,7 +16,6 @@ import ( + const scopeHeader = "X-OAuth-Scopes" + + var reqScopes = map[github.Scope]struct{}{ +- github.ScopeReadOrg: {}, + } + + type ValidOwnerConfig struct { +@@ -223,10 +222,7 @@ func (v *ValidOwner) validateTeam(ctx context.Context, name string) *validateErr + for _, t := range v.repoTeams { + // GitHub normalizes name before comparison + if strings.EqualFold(t.GetSlug(), team) { +- if t.Permissions["push"] { +- return nil +- } +- return newValidateError("Team %q cannot review PRs on %q as neither it nor any parent team has write permissions.", team, v.orgRepoName) ++ return nil + } + } + +@@ -245,10 +241,7 @@ func (v *ValidOwner) validateGitHubUser(ctx context.Context, name string) *valid + for _, u := range v.repoUsers { + // GitHub normalizes name before comparison + if strings.EqualFold(u.GetLogin(), userName) { +- if u.Permissions["push"] { +- return nil +- } +- return newValidateError("User %q cannot review PRs on %q as they don't have write permissions.", userName, v.orgRepoName) ++ return nil + } + } + diff --git a/ci/default.nix b/ci/default.nix index 8a4341048f67..02b2e948d17b 100644 --- a/ci/default.nix +++ b/ci/default.nix @@ -25,4 +25,5 @@ in { inherit pkgs; requestReviews = pkgs.callPackage ./request-reviews { }; + codeownersValidator = pkgs.callPackage ./codeowners-validator { }; } From 5de26baf9fe7059861ce48b2485a96092b583601 Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Fri, 4 Oct 2024 01:51:53 +0200 Subject: [PATCH 05/18] workflows/codeowners: init (cherry picked from commit 87a2986c1ab8ee64769c377e58c49113c2eecba6) --- .github/CODEOWNERS | 1 + .github/workflows/codeowners.yml | 88 ++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+) create mode 100644 .github/workflows/codeowners.yml 
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index aa0fbd4bd67a..cbf7ecbb3385 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -14,6 +14,7 @@ # CI /.github/workflows @NixOS/Security @Mic92 @zowoq /.github/workflows/check-nix-format.yml @infinisil +/.github/workflows/codeowners.yml @infinisil /ci @infinisil # Develompent support diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml new file mode 100644 index 000000000000..f4c6f23a0aef --- /dev/null +++ b/.github/workflows/codeowners.yml 
@@ -0,0 +1,88 @@ +name: Codeowners + +# This workflow depends on a GitHub App with the following permissions: +# - Repository > Administration: read-only +# - Organization > Members: read-only +# - Repository > Pull Requests: read-write +# The App needs to be installed on this repository +# the OWNER_APP_ID repository variable needs to be set +# the OWNER_APP_PRIVATE_KEY repository secret needs to be set + +on: + pull_request_target: + types: [opened, ready_for_review, synchronize, reopened, edited] + +env: + # TODO: Once confirmed that this works by seeing that the action would request + # reviews from the same people (or refuse for wrong base branches), + # move all entries from CODEOWNERS to OWNERS and change this value here + # OWNERS_FILE: .github/OWNERS + OWNERS_FILE: .github/CODEOWNERS + # Also remove this + DRY_MODE: 1 + +jobs: + # Check that code owners is valid + check: + name: Check + runs-on: ubuntu-latest + steps: + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + + # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself. + # We later build and run code from the base branch with access to secrets, + # so it's important this is not the PRs code. 
+ - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + path: base + + - name: Build codeowners validator + run: nix-build base/ci -A codeownersValidator + + - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 + id: app-token + with: + app-id: ${{ vars.OWNER_APP_ID }} + private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} + + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + ref: refs/pull/${{ github.event.number }}/merge + path: pr + + - name: Validate codeowners + run: result/bin/codeowners-validator + env: + OWNERS_FILE: pr/${{ env.OWNERS_FILE }} + GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} + REPOSITORY_PATH: pr + OWNER_CHECKER_REPOSITORY: ${{ github.repository }} + # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody + EXPERIMENTAL_CHECKS: "avoid-shadowing" + + # Request reviews from code owners + request: + name: Request + runs-on: ubuntu-latest + steps: + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + + # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. + # This is intentional, because we need to request the review of owners as declared in the base branch. + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + + - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 + id: app-token + with: + app-id: ${{ vars.OWNER_APP_ID }} + private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} + + - name: Build review request package + run: nix-build ci -A requestReviews + + - name: Request reviews + run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE" + env: + GH_TOKEN: ${{ steps.app-token.outputs.token }} + # Don't do anything on draft PRs + DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }} 
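Review bot: The second `actions/checkout` in the `check` job (`ref: refs/pull/${{ github.event.number }}/merge`, `path: pr`) is the one step that brings PR-controlled content onto a runner that already holds the App token from `steps.app-token`, and unlike the first checkout it has no comment explaining why that is safe; add `# Checks out the PR's merge commit only so the validator built from base/ can read the PR's owners file; nothing under pr/ is executed.` so the boundary survives future edits to this job. Two caveats worth a line in that comment: `refs/pull/N/merge` is not available for PRs with merge conflicts, so the step fails there (presumably acceptable, but it will look like a CI error rather than a PR problem), and with `pull_request_target` the merge ref can have been computed before the runner starts, so the file validated may lag the latest push slightly. The header listing the App's required permissions is a good practice and should stay the single source of truth when those settings change.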
From 2211c1011f29566746ecec0f6c9916908d4fafec Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Fri, 4 Oct 2024 01:52:04 +0200 Subject: [PATCH 06/18] OWNERS: placeholder init (cherry picked from commit 93dcd42f2b208390491099ec5db481e31a47097e) --- .github/CODEOWNERS | 1 + .github/OWNERS | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 .github/OWNERS diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index cbf7ecbb3385..862d9caf894a 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -15,6 +15,7 @@ /.github/workflows @NixOS/Security @Mic92 @zowoq /.github/workflows/check-nix-format.yml @infinisil /.github/workflows/codeowners.yml @infinisil +/.github/OWNERS @infinisil /ci @infinisil # Develompent support diff --git a/.github/OWNERS b/.github/OWNERS new file mode 100644 index 000000000000..94f0ef5b6934 --- /dev/null +++ b/.github/OWNERS @@ -0,0 +1,19 @@ +# +# Currently unused! Use CODEOWNERS for now, see workflows/codeowners.yml +# +#################### +# +# This file is used to describe who owns what in this repository. +# Users/teams will get review requests for PRs that change their files. +# +# This file does not replace `meta.maintainers` +# but is instead used for other things than derivations and modules, +# like documentation, package sets, and other assets. +# +# This file uses the same syntax as the natively supported CODEOWNERS file, +# see https://help.github.com/articles/about-codeowners/ for documentation. +# However it comes with some notable differences: +# - There is no need for user/team listed here to have write access. +# - No reviews will be requested for PRs that target the wrong base branch. +# +# Processing of this file is implemented in workflows/codeowners.yml From 2e923fb2f619e6e51f2f959853a6d61f3b23af08 Mon Sep 17 00:00:00 2001 
From: Silvan Mosberger Date: Tue, 8 Oct 2024 23:15:16 +0200 Subject: [PATCH 07/18] CODEOWNERS: Fix non-matching patterns Since https://github.com/NixOS/nixpkgs/pull/336261 we have CI that checks that the codeowners file is valid: https://github.com/NixOS/nixpkgs/actions/runs/11243668280/job/31260095472#step:7:34 Which files are correct (or whether they were removed) was determined using the Git history and some grepping (cherry picked from commit dd2808213c548c50720955fee3d79d13b10bd4a9) --- .github/CODEOWNERS | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 862d9caf894a..a7ac5952bd49 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -29,7 +29,7 @@ /lib/cli.nix @infinisil @Profpatsch /lib/debug.nix @infinisil @Profpatsch /lib/asserts.nix @infinisil @Profpatsch -/lib/path.* @infinisil +/lib/path/* @infinisil /lib/fileset @infinisil ## Libraries / Module system /lib/modules.nix @infinisil @roberth @@ -108,7 +108,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza /nixos/lib/test-driver @tfc # NixOS QEMU virtualisation -/nixos/virtualisation/qemu-vm.nix @raitobezarius +/nixos/modules/virtualisation/qemu-vm.nix @raitobezarius # Systemd /nixos/modules/system/boot/systemd.nix @NixOS/systemd @@ -165,7 +165,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza # Audio /nixos/modules/services/audio/botamusique.nix @mweinelt /nixos/modules/services/audio/snapserver.nix @mweinelt -/nixos/tests/modules/services/audio/botamusique.nix @mweinelt +/nixos/tests/botamusique.nix @mweinelt /nixos/tests/snapcast.nix @mweinelt # Browsers 
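Review bot: `/lib/path/* @infinisil` matches only files directly inside `lib/path`, not anything in a subdirectory, while the very next entry `/lib/fileset @infinisil` (no trailing `/*`) covers its whole tree; if the intent is to own all of `lib/path`, including any subdirectories, the consistent form is `/lib/path @infinisil`. The validator this series adds presumably accepts either form, since both match existing files, so this is a case the CI check will not catch for you. The other replacements in this hunk (`qemu-vm.nix`, `botamusique.nix`) are plain path corrections and look right.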
@@ -199,21 +199,20 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt # PostgreSQL and related stuff /pkgs/servers/sql/postgresql @thoughtpolice -/nixos/modules/services/databases/postgresql.xml @thoughtpolice +/nixos/modules/services/databases/postgresql.md @thoughtpolice /nixos/modules/services/databases/postgresql.nix @thoughtpolice /nixos/tests/postgresql.nix @thoughtpolice # Hardened profile & related modules /nixos/modules/profiles/hardened.nix @joachifm -/nixos/modules/security/hidepid.nix @joachifm /nixos/modules/security/lock-kernel-modules.nix @joachifm /nixos/modules/security/misc.nix @joachifm /nixos/tests/hardened.nix @joachifm -/pkgs/os-specific/linux/kernel/hardened-config.nix @joachifm +/pkgs/os-specific/linux/kernel/hardened/config.nix @joachifm # Home Automation -/nixos/modules/services/misc/home-assistant.nix @mweinelt -/nixos/modules/services/misc/zigbee2mqtt.nix @mweinelt +/nixos/modules/services/home-automation/home-assistant.nix @mweinelt +/nixos/modules/services/home-automation/zigbee2mqtt.nix @mweinelt /nixos/tests/home-assistant.nix @mweinelt /nixos/tests/zigbee2mqtt.nix @mweinelt /pkgs/servers/home-assistant @mweinelt @@ -306,8 +305,6 @@ nixos/modules/services/networking/networkmanager.nix @Janik-Haag # nim /pkgs/development/compilers/nim @ehmry -/pkgs/development/nim-packages @ehmry -/pkgs/top-level/nim-packages.nix @ehmry # terraform providers /pkgs/applications/networking/cluster/terraform-providers @zowoq From bbd64b4b69c028a44bd23203c98392daad76ff95 Mon Sep 17 00:00:00 2001 
From: Silvan Mosberger Date: Wed, 9 Oct 2024 18:34:34 +0200 Subject: [PATCH 08/18] workflows/codeowners: Dry mode for now Apparently it started requesting reviews from code owners already because the DRY_MODE from the global env was overridden in the local job declaration: https://github.com/NixOS/nixpkgs/pull/347354#event-14570645380 (cherry picked from commit c1710f234caaf10207e71baa6a9c7cd733c9e7d6) --- .github/workflows/codeowners.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml index f4c6f23a0aef..01409dd57a66 100644 --- a/.github/workflows/codeowners.yml +++ b/.github/workflows/codeowners.yml @@ -15,11 +15,12 @@ on: env: # TODO: Once confirmed that this works by seeing that the action would request # reviews from the same people (or refuse for wrong base branches), - # move all entries from CODEOWNERS to OWNERS and change this value here - # OWNERS_FILE: .github/OWNERS + # move all entries from CODEOWNERS to OWNERS, remove these two lines and uncomment the ones below OWNERS_FILE: .github/CODEOWNERS - # Also remove this DRY_MODE: 1 + # OWNERS_FILE: .github/OWNERS + # # Don't do anything on draft PRs + # DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }} jobs: # Check that code owners is valid @@ -84,5 +85,3 @@ jobs: run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE" env: GH_TOKEN: ${{ steps.app-token.outputs.token }} - # Don't do anything on draft PRs - DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }} From 16b54e1afbd0046ef681acfcf6a434489ea4c14c Mon Sep 17 00:00:00 2001 
From: Silvan Mosberger Date: Wed, 9 Oct 2024 22:08:15 +0200 Subject: [PATCH 09/18] ci/request-reviews: Don't rerequest users that already reviewed The automation should never rerequest reviews from users that already reviewed the changes, which is what was happening before this change: https://github.com/NixOS/nixpkgs/pull/347354#event-14570645380 Also reorder the arguments to make more sense (cherry picked from commit 9a054bb9ddf6413ff5252904321a14b5f1afec9d) --- ci/request-reviews/get-reviewers.sh | 28 +++++++++++++++++++++------ ci/request-reviews/request-reviews.sh | 2 +- 2 files changed, 23 insertions(+), 7 deletions(-) diff --git a/ci/request-reviews/get-reviewers.sh b/ci/request-reviews/get-reviewers.sh index d5cd9e0a4fd4..6a7b8edd8202 100755 --- a/ci/request-reviews/get-reviewers.sh +++ b/ci/request-reviews/get-reviewers.sh @@ -10,16 +10,18 @@ log() { echo "$@" >&2 } -if (( "$#" < 5 )); then - log "Usage: $0 GIT_REPO BASE_REF HEAD_REF OWNERS_FILE PR_AUTHOR" +if (( "$#" < 7 )); then + log "Usage: $0 GIT_REPO OWNERS_FILE BASE_REPO BASE_REF HEAD_REF PR_NUMBER PR_AUTHOR" exit 1 fi gitRepo=$1 -baseRef=$2 -headRef=$3 -ownersFile=$4 -prAuthor=$5 +ownersFile=$2 +baseRepo=$3 +baseRef=$4 +headRef=$5 +prNumber=$6 +prAuthor=$7 tmp=$(mktemp -d) trap 'rm -rf "$tmp"' exit @@ -77,6 +79,20 @@ if [[ -v users[$prAuthor] ]]; then unset 'users[$prAuthor]' fi +gh api \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "/repos/$baseRepo/pulls/$prNumber/reviews" \ + --jq '.[].user.login' > "$tmp/already-reviewed-by" + +# And we don't want to rerequest reviews from people who already reviewed +while read -r user; do + if [[ -v users[$user] ]]; then + log "User $user is a code owner but has already left a review, ignoring" + unset 'users[$user]' + fi +done < "$tmp/already-reviewed-by" + # Turn it into a JSON for the GitHub API call to request PR reviewers jq -n \ --arg users "${!users[*]}" \ 
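Review bot: The new `gh api "/repos/$baseRepo/pulls/$prNumber/reviews"` call reads only the first page of results (GitHub's default is 30 per page), so on a PR with many reviews the people who reviewed early fall off the list and get re-requested — exactly what this commit sets out to stop. Add `--paginate` to the call; the `--jq '.[].user.login'` filter is applied per page, so the one-login-per-line output is unchanged. The `/orgs/$org/teams/$team/members` lookup added in [PATCH 10/18] has the same bound and would only partially expand a team larger than one page, so it wants `--paginate` too. Reviews whose author account has since been deleted can carry `user: null`, in which case `.[].user.login` prints `null`; harmless for the `-v users[$user]` lookup, but `--jq '.[] | select(.user != null) | .user.login'` keeps the log clean.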
diff --git a/ci/request-reviews/request-reviews.sh b/ci/request-reviews/request-reviews.sh index d62ab309bcc8..a70a95a65b3a 100755 --- a/ci/request-reviews/request-reviews.sh +++ b/ci/request-reviews/request-reviews.sh @@ -80,7 +80,7 @@ if ! "$SCRIPT_DIR"/verify-base-branch.sh "$tmp/nixpkgs.git" "$headRef" "$baseRep fi log "Getting code owners to request reviews from" -"$SCRIPT_DIR"/get-reviewers.sh "$tmp/nixpkgs.git" "$baseBranch" "$headRef" "$ownersFile" "$prAuthor" > "$tmp/reviewers.json" +"$SCRIPT_DIR"/get-reviewers.sh "$tmp/nixpkgs.git" "$ownersFile" "$baseRepo" "$baseBranch" "$headRef" "$prNumber" "$prAuthor" > "$tmp/reviewers.json" log "Requesting reviews from: $(<"$tmp/reviewers.json")" From 59990c7e7508fad01ba6656946be104299772b40 Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Wed, 9 Oct 2024 22:12:12 +0200 Subject: [PATCH 10/18] ci/request-reviews: Request reviews for individual team members This makes this codeowner mechanism behave differently than the native one, but there's no other way to avoid rerequesting reviews from teams when a member already reviewed the PR. (cherry picked from commit 1ff83b2c963544c1881f1c5f95fbd09a1ab02a10) --- ci/request-reviews/get-reviewers.sh | 38 +++++++++++++++++++++++------ 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/ci/request-reviews/get-reviewers.sh b/ci/request-reviews/get-reviewers.sh index 6a7b8edd8202..be0fd10c5b22 100755 --- a/ci/request-reviews/get-reviewers.sh +++ b/ci/request-reviews/get-reviewers.sh @@ -34,8 +34,8 @@ log "This PR touches ${#touchedFiles[@]} files" # remove code owners to avoid pinging them git -C "$gitRepo" show "$baseRef":"$ownersFile" > "$tmp"/codeowners -# Associative arrays with the team/user as the key for easy deduplication -declare -A teams users +# Associative array with the user as the key for easy de-duplication +declare -A users=() for file in "${touchedFiles[@]}"; do result=$(codeowners --file "$tmp"/codeowners "$file") 
@@ -61,10 +61,34 @@ for file in "${touchedFiles[@]}"; do
 fi
 # The first regex match is everything after the @
 entry=${BASH_REMATCH[1]}
- if [[ "$entry" =~ .*/(.*) ]]; then
- # Teams look like $org/$team, where we only need $team for the API
- # call to request reviews from teams
- teams[${BASH_REMATCH[1]}]=
+
+ if [[ "$entry" =~ (.*)/(.*) ]]; then
+ # Teams look like $org/$team
+ org=${BASH_REMATCH[1]}
+ team=${BASH_REMATCH[2]}
+
+ # Instead of requesting a review from the team itself,
+ # we request reviews from the individual users.
+ # This is because once somebody from a team reviewed the PR,
+ # the API doesn't expose that the team was already requested for a review,
+ # so we wouldn't be able to avoid rerequesting reviews
+ # without saving some some extra state somewhere
+
+ # We could also consider implementing a more advanced heuristic
+ # in the future that e.g. only pings one team member,
+ # but escalates to somebody else if that member doesn't respond in time.
+ gh api \
+ --cache=1h \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "/orgs/$org/teams/$team/members" \
+ --jq '.[].login' > "$tmp/team-members"
+ readarray -t members < "$tmp/team-members"
+ log "Team $entry has these members: ${members[*]}"
+
+ for user in "${members[@]}"; do
+ users[$user]=
+ done
 else
 # Everything else is a user
 users[$entry]=
@@ -96,8 +120,6 @@ done < "$tmp/already-reviewed-by"
 # Turn it into a JSON for the GitHub API call to request PR reviewers
 jq -n \
 --arg users "${!users[*]}" \
- --arg teams "${!teams[*]}" \
 '{
 reviewers: $users | split(" "),
- team_reviewers: $teams | split(" ")
 }'
From b2bfec90cd6e529ca023d5eb1cb72d75cb0e66d8 Mon Sep 17 00:00:00 2001
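Review bot: `$org` and `$team` are taken verbatim from the OWNERS entry and spliced into the API path with no check that the org is the repository's own, so a mistyped or foreign `@someorg/team` entry queries that org's membership (and `--cache=1h` then keeps the answer for an hour). Since `baseRepo` is `owner/name` (PATCH 09, first hunk), a guard such as `[[ $org == "${baseRepo%%/*}" ]]` before the call, logging and skipping the entry otherwise, keeps review requests inside the repository's org; how to skip depends on the enclosing `for file` loop, which starts before this hunk. Also worth noting in the comment block: membership is cached, so a member removed from a team within the last hour can still be requested, and the comment reads "some some extra state".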
From: Silvan Mosberger
Date: Tue, 15 Oct 2024 00:44:04 +0200
Subject: [PATCH 11/18] CODEOWNERS: Switch to alternate mechanism This effectively disables the native GitHub codeowners feature and enables the new alternate codeowners mechanism introduced in https://github.com/NixOS/nixpkgs/pull/336261 This means that: - We can now declare users without write access as code owners! - Targeting the wrong branch won't trigger mass pings anymore! (cherry-picked from commit b01ca00aed65e4da1b79609cc55f74e731bab90d)
---
 .github/CODEOWNERS | 370 +------------------------------
 .github/OWNERS | 19 --
 .github/workflows/codeowners.yml | 11 +-
 ci/OWNERS | 370 +++++++++++++++++++++++++++++++
 4 files changed, 376 insertions(+), 394 deletions(-)
 delete mode 100644 .github/OWNERS
 create mode 100644 ci/OWNERS
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index a7ac5952bd49..eb8b282c7b36 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,368 +1,4 @@
-# CODEOWNERS file
+# Use ci/OWNERS instead
 #
-# This file is used to describe who owns what in this repository. This file does not
-# replace `meta.maintainers` but is instead used for other things than derivations
-# and modules, like documentation, package sets, and other assets.
-#
-# For documentation on this file, see https://help.github.com/articles/about-codeowners/
-# Mentioned users will get code review requests.
-#
-# IMPORTANT NOTE: in order to actually get pinged, commit access is required.
-# This also holds true for GitHub teams. Since almost none of our teams have write
-# permissions, you need to list all members of the team with commit access individually.
-
-# CI
-/.github/workflows @NixOS/Security @Mic92 @zowoq
-/.github/workflows/check-nix-format.yml @infinisil
-/.github/workflows/codeowners.yml @infinisil
-/.github/OWNERS @infinisil
-/ci @infinisil
-
-# Develompent support
-/.editorconfig @Mic92 @zowoq
-/shell.nix @infinisil @NixOS/Security
-
-# Libraries
-/lib @infinisil
-/lib/systems @alyssais @ericson2314
-/lib/generators.nix @infinisil @Profpatsch
-/lib/cli.nix @infinisil @Profpatsch
-/lib/debug.nix @infinisil @Profpatsch
-/lib/asserts.nix @infinisil @Profpatsch
-/lib/path/* @infinisil
-/lib/fileset @infinisil
-## Libraries / Module system
-/lib/modules.nix @infinisil @roberth
-/lib/types.nix @infinisil @roberth
-/lib/options.nix @infinisil @roberth
-/lib/tests/modules.sh @infinisil @roberth
-/lib/tests/modules @infinisil @roberth
-
-# Nixpkgs Internals
-/default.nix @Ericson2314
-/pkgs/top-level/default.nix @Ericson2314
-/pkgs/top-level/impure.nix @Ericson2314
-/pkgs/top-level/stage.nix @Ericson2314
-/pkgs/top-level/splice.nix @Ericson2314
-/pkgs/top-level/release-cross.nix @Ericson2314
-/pkgs/stdenv/generic @Ericson2314
-/pkgs/stdenv/generic/check-meta.nix @Ericson2314
-/pkgs/stdenv/cross @Ericson2314
-/pkgs/build-support/cc-wrapper @Ericson2314
-/pkgs/build-support/bintools-wrapper @Ericson2314
-/pkgs/build-support/setup-hooks @Ericson2314
-/pkgs/build-support/setup-hooks/auto-patchelf.sh @layus
-/pkgs/build-support/setup-hooks/auto-patchelf.py @layus
-/pkgs/pkgs-lib @infinisil
-## Format generators/serializers
-/pkgs/pkgs-lib/formats/libconfig @ckiee @h7x4
-/pkgs/pkgs-lib/formats/hocon @h7x4
-
-# pkgs/by-name
-/pkgs/test/check-by-name @infinisil
-/pkgs/by-name/README.md @infinisil
-/pkgs/top-level/by-name-overlay.nix @infinisil
-/.github/workflows/check-by-name.yml @infinisil
-
-# Nixpkgs build-support
-/pkgs/build-support/writers @lassulus @Profpatsch
-
-# Nixpkgs make-disk-image
-/doc/build-helpers/images/makediskimage.section.md @raitobezarius
-/nixos/lib/make-disk-image.nix @raitobezarius
-
-# Nix, the package manager
-# @raitobezarius is not "code owner", but is listed here to be notified of changes
-# pertaining to the Nix package manager.
-# i.e. no authority over those files.
-pkgs/tools/package-management/nix/ @NixOS/nix-team @raitobezarius
-nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobezarius
-
-# Nixpkgs documentation
-/maintainers/scripts/db-to-md.sh @jtojnar @ryantm
-/maintainers/scripts/doc @jtojnar @ryantm
-
-# Contributor documentation
-/CONTRIBUTING.md @infinisil
-/.github/PULL_REQUEST_TEMPLATE.md @infinisil
-/doc/contributing/ @infinisil
-/doc/contributing/contributing-to-documentation.chapter.md @jtojnar @infinisil
-/lib/README.md @infinisil
-/doc/README.md @infinisil
-/nixos/README.md @infinisil
-/pkgs/README.md @infinisil
-/maintainers/README.md @infinisil
-
-# User-facing development documentation
-/doc/development.md @infinisil
-/doc/development @infinisil
-
-# NixOS Internals
-/nixos/default.nix @infinisil
-/nixos/lib/from-env.nix @infinisil
-/nixos/lib/eval-config.nix @infinisil
-/nixos/modules/system/activation/bootspec.nix @grahamc @cole-h @raitobezarius
-/nixos/modules/system/activation/bootspec.cue @grahamc @cole-h @raitobezarius
-
-# NixOS integration test driver
-/nixos/lib/test-driver @tfc
-
-# NixOS QEMU virtualisation
-/nixos/modules/virtualisation/qemu-vm.nix @raitobezarius
-
-# Systemd
-/nixos/modules/system/boot/systemd.nix @NixOS/systemd
-/nixos/modules/system/boot/systemd @NixOS/systemd
-/nixos/lib/systemd-*.nix @NixOS/systemd
-/pkgs/os-specific/linux/systemd @NixOS/systemd
-
-# Systemd-boot
-/nixos/modules/system/boot/loader/systemd-boot @JulienMalka
-
-# Images and installer media
-/nixos/modules/installer/cd-dvd/
-/nixos/modules/installer/sd-card/
-
-# Updaters
-## update.nix
-/maintainers/scripts/update.nix @jtojnar
-/maintainers/scripts/update.py @jtojnar
-## common-updater-scripts
-/pkgs/common-updater/scripts/update-source-version @jtojnar
-
-# Python-related code and docs
-/doc/languages-frameworks/python.section.md @mweinelt
-/pkgs/development/interpreters/python/hooks
-
-# Haskell
-/doc/languages-frameworks/haskell.section.md @sternenseemann @maralorn @ncfavier
-/maintainers/scripts/haskell @sternenseemann @maralorn @ncfavier
-/pkgs/development/compilers/ghc @sternenseemann @maralorn @ncfavier
-/pkgs/development/haskell-modules @sternenseemann @maralorn @ncfavier
-/pkgs/test/haskell @sternenseemann @maralorn @ncfavier
-/pkgs/top-level/release-haskell.nix @sternenseemann @maralorn @ncfavier
-/pkgs/top-level/haskell-packages.nix @sternenseemann @maralorn @ncfavier
-
-# Perl
-/pkgs/development/interpreters/perl @stigtsp @zakame @marcusramberg
-/pkgs/top-level/perl-packages.nix @stigtsp @zakame @marcusramberg
-/pkgs/development/perl-modules @stigtsp @zakame @marcusramberg
-
-# R
-/pkgs/applications/science/math/R @jbedo
-/pkgs/development/r-modules @jbedo
-
-# Rust
-/pkgs/development/compilers/rust @Mic92 @zowoq @winterqt @figsoda
-/pkgs/build-support/rust @zowoq @winterqt @figsoda
-/doc/languages-frameworks/rust.section.md @zowoq @winterqt @figsoda
-
-# C compilers
-/pkgs/development/compilers/gcc
-/pkgs/development/compilers/emscripten @raitobezarius
-/doc/languages-frameworks/emscripten.section.md @raitobezarius
-
-# Audio
-/nixos/modules/services/audio/botamusique.nix @mweinelt
-/nixos/modules/services/audio/snapserver.nix @mweinelt
-/nixos/tests/botamusique.nix @mweinelt
-/nixos/tests/snapcast.nix @mweinelt
-
-# Browsers
-/pkgs/applications/networking/browsers/firefox @mweinelt
-/pkgs/applications/networking/browsers/chromium @emilylange
-/nixos/tests/chromium.nix @emilylange
-
-# Certificate Authorities
-pkgs/data/misc/cacert/ @ajs124 @lukegb @mweinelt
-pkgs/development/libraries/nss/ @ajs124 @lukegb @mweinelt
-pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
-
-# Jetbrains
-/pkgs/applications/editors/jetbrains @edwtjo
-
-# Licenses
-/lib/licenses.nix @alyssais
-
-# Qt
-/pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
-/pkgs/development/libraries/qt-6 @K900 @NickCao @SuperSandro2000 @ttuegel
-
-# KDE / Plasma 5
-/pkgs/applications/kde @K900 @NickCao @SuperSandro2000 @ttuegel
-/pkgs/desktops/plasma-5 @K900 @NickCao @SuperSandro2000 @ttuegel
-/pkgs/development/libraries/kde-frameworks @K900 @NickCao @SuperSandro2000 @ttuegel
-
-# KDE / Plasma 6
-/pkgs/kde @K900 @NickCao @SuperSandro2000 @ttuegel
-/maintainers/scripts/kde @K900 @NickCao @SuperSandro2000 @ttuegel
-
-# PostgreSQL and related stuff
-/pkgs/servers/sql/postgresql @thoughtpolice
-/nixos/modules/services/databases/postgresql.md @thoughtpolice
-/nixos/modules/services/databases/postgresql.nix @thoughtpolice
-/nixos/tests/postgresql.nix @thoughtpolice
-
-# Hardened profile & related modules
-/nixos/modules/profiles/hardened.nix @joachifm
-/nixos/modules/security/lock-kernel-modules.nix @joachifm
-/nixos/modules/security/misc.nix @joachifm
-/nixos/tests/hardened.nix @joachifm
-/pkgs/os-specific/linux/kernel/hardened/config.nix @joachifm
-
-# Home Automation
-/nixos/modules/services/home-automation/home-assistant.nix @mweinelt
-/nixos/modules/services/home-automation/zigbee2mqtt.nix @mweinelt
-/nixos/tests/home-assistant.nix @mweinelt
-/nixos/tests/zigbee2mqtt.nix @mweinelt
-/pkgs/servers/home-assistant @mweinelt
-/pkgs/tools/misc/esphome @mweinelt
-
-# Network Time Daemons
-/pkgs/tools/networking/chrony @thoughtpolice
-/pkgs/tools/networking/ntp @thoughtpolice
-/pkgs/tools/networking/openntpd @thoughtpolice
-/nixos/modules/services/networking/ntp @thoughtpolice
-
-# Network
-/pkgs/tools/networking/octodns @Janik-Haag
-/pkgs/tools/networking/kea/default.nix @mweinelt
-/pkgs/tools/networking/babeld/default.nix @mweinelt
-/nixos/modules/services/networking/babeld.nix @mweinelt
-/nixos/modules/services/networking/kea.nix @mweinelt
-/nixos/modules/services/networking/knot.nix @mweinelt
-nixos/modules/services/networking/networkmanager.nix @Janik-Haag
-/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @mweinelt
-/nixos/tests/babeld.nix @mweinelt
-/nixos/tests/kea.nix @mweinelt
-/nixos/tests/knot.nix @mweinelt
-/nixos/tests/networking/* @Janik-Haag
-
-# Web servers
-/doc/packages/nginx.section.md @raitobezarius
-/pkgs/servers/http/nginx/ @raitobezarius
-/nixos/modules/services/web-servers/nginx/ @raitobezarius
-
-# Dhall
-/pkgs/development/dhall-modules @Gabriella439 @Profpatsch @ehmry
-/pkgs/development/interpreters/dhall @Gabriella439 @Profpatsch @ehmry
-
-# Idris
-/pkgs/development/idris-modules @Infinisil
-
-# Bazel
-/pkgs/development/tools/build-managers/bazel @Profpatsch
-
-# NixOS modules for e-mail and dns services
-/nixos/modules/services/mail/mailman.nix @peti
-/nixos/modules/services/mail/postfix.nix @peti
-/nixos/modules/services/networking/bind.nix @peti
-/nixos/modules/services/mail/rspamd.nix @peti
-
-# Emacs
-/pkgs/applications/editors/emacs/elisp-packages @adisbladis
-/pkgs/applications/editors/emacs @adisbladis
-/pkgs/top-level/emacs-packages.nix @adisbladis
-
-# Neovim
-/pkgs/applications/editors/neovim @figsoda @teto
-
-# VimPlugins
-/pkgs/applications/editors/vim/plugins @figsoda
-
-# VsCode Extensions
-/pkgs/applications/editors/vscode/extensions
-
-# PHP interpreter, packages, extensions, tests and documentation
-/doc/languages-frameworks/php.section.md @aanderse @drupol @globin @ma27 @talyz
-/nixos/tests/php @aanderse @drupol @globin @ma27 @talyz
-/pkgs/build-support/php/build-pecl.nix @aanderse @drupol @globin @ma27 @talyz
-/pkgs/build-support/php @drupol
-/pkgs/development/interpreters/php @jtojnar @aanderse @drupol @globin @ma27 @talyz
-/pkgs/development/php-packages @aanderse @drupol @globin @ma27 @talyz
-/pkgs/top-level/php-packages.nix @jtojnar @aanderse @drupol @globin @ma27 @talyz
-
-# Docker tools
-/pkgs/build-support/docker @roberth
-/nixos/tests/docker-tools* @roberth
-/doc/build-helpers/images/dockertools.section.md @roberth
-
-# Blockchains
-/pkgs/applications/blockchains @mmahut @RaghavSood
-
-# Go
-/doc/languages-frameworks/go.section.md @kalbasit @Mic92 @zowoq
-/pkgs/build-support/go @kalbasit @Mic92 @zowoq
-/pkgs/development/compilers/go @kalbasit @Mic92 @zowoq
-
-# GNOME
-/pkgs/desktops/gnome @jtojnar
-/pkgs/desktops/gnome/extensions @jtojnar
-/pkgs/build-support/make-hardcode-gsettings-patch @jtojnar
-
-# Cinnamon
-/pkgs/desktops/cinnamon @mkg20001
-
-# nim
-/pkgs/development/compilers/nim @ehmry
-
-# terraform providers
-/pkgs/applications/networking/cluster/terraform-providers @zowoq
-
-# Forgejo
-nixos/modules/services/misc/forgejo.nix @adamcstephens @bendlas @emilylange
-pkgs/by-name/fo/forgejo/package.nix @adamcstephens @bendlas @emilylange
-
-# Dotnet
-/pkgs/build-support/dotnet @corngood
-/pkgs/development/compilers/dotnet @corngood
-/pkgs/test/dotnet @corngood
-/doc/languages-frameworks/dotnet.section.md @corngood
-
-# Node.js
-/pkgs/build-support/node/build-npm-package @lilyinstarlight @winterqt
-/pkgs/build-support/node/fetch-npm-deps @lilyinstarlight @winterqt
-/doc/languages-frameworks/javascript.section.md @lilyinstarlight @winterqt
-
-# environment.noXlibs option aka NoX
-/nixos/modules/config/no-x-libs.nix @SuperSandro2000
-
-# OCaml
-/pkgs/build-support/ocaml @ulrikstrid
-/pkgs/development/compilers/ocaml @ulrikstrid
-/pkgs/development/ocaml-modules @ulrikstrid
-
-# ZFS
-pkgs/os-specific/linux/zfs/2_1.nix @raitobezarius
-pkgs/os-specific/linux/zfs/generic.nix @raitobezarius
-nixos/modules/tasks/filesystems/zfs.nix @raitobezarius
-nixos/tests/zfs.nix @raitobezarius
-
-# Zig
-/pkgs/development/compilers/zig @figsoda
-/doc/hooks/zig.section.md @figsoda
-
-# Buildbot
-nixos/modules/services/continuous-integration/buildbot @Mic92 @zowoq
-nixos/tests/buildbot.nix @Mic92 @zowoq
-pkgs/development/tools/continuous-integration/buildbot @Mic92 @zowoq
-
-# Pretix
-pkgs/by-name/pr/pretix/ @mweinelt
-pkgs/by-name/pr/pretalx/ @mweinelt
-nixos/modules/services/web-apps/pretix.nix @mweinelt
-nixos/modules/services/web-apps/pretalx.nix @mweinelt
-nixos/tests/web-apps/pretix.nix @mweinelt
-nixos/tests/web-apps/pretalx.nix @mweinelt
-
-# incus/lxc/lxd
-nixos/maintainers/scripts/lxd/ @adamcstephens
-nixos/modules/virtualisation/incus.nix @adamcstephens
-nixos/modules/virtualisation/lxc* @adamcstephens
-nixos/modules/virtualisation/lxd* @adamcstephens
-nixos/tests/incus/ @adamcstephens
-nixos/tests/lxd/ @adamcstephens
-pkgs/by-name/in/incus/ @adamcstephens
-pkgs/by-name/lx/lxc* @adamcstephens
-pkgs/by-name/lx/lxd* @adamcstephens
-pkgs/os-specific/linux/lxc/ @adamcstephens
+# This file would be for the native code owner feature of GitHub,
+# but is not being used because of its problems, see ci/OWNERS
diff --git a/.github/OWNERS b/.github/OWNERS
deleted file mode 100644
index 94f0ef5b6934..000000000000
--- a/.github/OWNERS
+++ /dev/null
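Review bot: With `.github/CODEOWNERS` reduced to comments, any branch-protection rule that requires review from code owners no longer has entries to act on, and the `ci/OWNERS` mechanism only requests reviews; it cannot make them required. The replacement comment should say so, e.g. `# Note: ci/OWNERS only requests reviews; it cannot be used by branch protection to require code owner review.`. If such enforcement is wanted for the paths that hold the review-request automation itself (`/ci` and `/.github/workflows`), keeping those entries here under the native mechanism would be the way to retain it, at the cost of the duplicate pings this series is avoiding.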
@@ -1,19 +0,0 @@
-#
-# Currently unused! Use CODEOWNERS for now, see workflows/codeowners.yml
-#
-####################
-#
-# This file is used to describe who owns what in this repository.
-# Users/teams will get review requests for PRs that change their files.
-#
-# This file does not replace `meta.maintainers`
-# but is instead used for other things than derivations and modules,
-# like documentation, package sets, and other assets.
-#
-# This file uses the same syntax as the natively supported CODEOWNERS file,
-# see https://help.github.com/articles/about-codeowners/ for documentation.
-# However it comes with some notable differences:
-# - There is no need for user/team listed here to have write access.
-# - No reviews will be requested for PRs that target the wrong base branch.
-#
-# Processing of this file is implemented in workflows/codeowners.yml
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
index 01409dd57a66..164b5a1136f2 100644
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners.yml
@@ -13,14 +13,9 @@ on:
 types: [opened, ready_for_review, synchronize, reopened, edited]
 env:
- # TODO: Once confirmed that this works by seeing that the action would request
- # reviews from the same people (or refuse for wrong base branches),
- # move all entries from CODEOWNERS to OWNERS, remove these two lines and uncomment the ones below
- OWNERS_FILE: .github/CODEOWNERS
- DRY_MODE: 1
- # OWNERS_FILE: .github/OWNERS
- # # Don't do anything on draft PRs
- # DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
+ OWNERS_FILE: ci/OWNERS
+ # Don't do anything on draft PRs
+ DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
 jobs:
 # Check that code owners is valid
diff --git a/ci/OWNERS b/ci/OWNERS
new file mode 100644
index 000000000000..8904c846e816
--- /dev/null
+++ b/ci/OWNERS
@@ -0,0 +1,370 @@
+# This file is used to describe who owns what in this repository.
+# Users/teams will get review requests for PRs that change their files.
+#
+# This file does not replace `meta.maintainers`
+# but is instead used for other things than derivations and modules,
+# like documentation, package sets, and other assets.
+#
+# This file uses the same syntax as the natively supported CODEOWNERS file,
+# see https://help.github.com/articles/about-codeowners/ for documentation.
+# However it comes with some notable differences:
+# - There is no need for user/team listed here to have write access.
+# - No reviews will be requested for PRs that target the wrong base branch.
+#
+# Processing of this file is implemented in workflows/codeowners.yml
+
+# CI
+/.github/workflows @NixOS/Security @Mic92 @zowoq
+/.github/workflows/check-nix-format.yml @infinisil
+/.github/workflows/codeowners.yml @infinisil
+/ci/OWNERS @infinisil
+/ci @infinisil @philiptaron @NixOS/Security
+
+# Develompent support
+/.editorconfig @Mic92 @zowoq
+/shell.nix @infinisil @NixOS/Security
+
+# Libraries
+/lib @infinisil
+/lib/systems @alyssais @ericson2314
+/lib/generators.nix @infinisil @Profpatsch
+/lib/cli.nix @infinisil @Profpatsch
+/lib/debug.nix @infinisil @Profpatsch
+/lib/asserts.nix @infinisil @Profpatsch
+/lib/path/* @infinisil
+/lib/fileset @infinisil
+## Libraries / Module system
+/lib/modules.nix @infinisil @roberth
+/lib/types.nix @infinisil @roberth
+/lib/options.nix @infinisil @roberth
+/lib/tests/modules.sh @infinisil @roberth
+/lib/tests/modules @infinisil @roberth
+
+# Nixpkgs Internals
+/default.nix @Ericson2314
+/pkgs/top-level/default.nix @Ericson2314
+/pkgs/top-level/impure.nix @Ericson2314
+/pkgs/top-level/stage.nix @Ericson2314
+/pkgs/top-level/splice.nix @Ericson2314
+/pkgs/top-level/release-cross.nix @Ericson2314
+/pkgs/stdenv/generic @Ericson2314
+/pkgs/stdenv/generic/check-meta.nix @Ericson2314
+/pkgs/stdenv/cross @Ericson2314
+/pkgs/build-support/cc-wrapper @Ericson2314
+/pkgs/build-support/bintools-wrapper @Ericson2314
+/pkgs/build-support/setup-hooks @Ericson2314
+/pkgs/build-support/setup-hooks/auto-patchelf.sh @layus
+/pkgs/build-support/setup-hooks/auto-patchelf.py @layus
+/pkgs/pkgs-lib @infinisil
+## Format generators/serializers
+/pkgs/pkgs-lib/formats/libconfig @ckiee @h7x4
+/pkgs/pkgs-lib/formats/hocon @h7x4
+
+# pkgs/by-name
+/pkgs/test/check-by-name @infinisil
+/pkgs/by-name/README.md @infinisil
+/pkgs/top-level/by-name-overlay.nix @infinisil
+/.github/workflows/check-by-name.yml @infinisil
+
+# Nixpkgs build-support
+/pkgs/build-support/writers @lassulus @Profpatsch
+
+# Nixpkgs make-disk-image
+/doc/build-helpers/images/makediskimage.section.md @raitobezarius
+/nixos/lib/make-disk-image.nix @raitobezarius
+
+# Nix, the package manager
+# @raitobezarius is not "code owner", but is listed here to be notified of changes
+# pertaining to the Nix package manager.
+# i.e. no authority over those files.
+pkgs/tools/package-management/nix/ @NixOS/nix-team @raitobezarius
+nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobezarius
+
+# Nixpkgs documentation
+/maintainers/scripts/db-to-md.sh @jtojnar @ryantm
+/maintainers/scripts/doc @jtojnar @ryantm
+
+# Contributor documentation
+/CONTRIBUTING.md @infinisil
+/.github/PULL_REQUEST_TEMPLATE.md @infinisil
+/doc/contributing/ @infinisil
+/doc/contributing/contributing-to-documentation.chapter.md @jtojnar @infinisil
+/lib/README.md @infinisil
+/doc/README.md @infinisil
+/nixos/README.md @infinisil
+/pkgs/README.md @infinisil
+/maintainers/README.md @infinisil
+
+# User-facing development documentation
+/doc/development.md @infinisil
+/doc/development @infinisil
+
+# NixOS Internals
+/nixos/default.nix @infinisil
+/nixos/lib/from-env.nix @infinisil
+/nixos/lib/eval-config.nix @infinisil
+/nixos/modules/system/activation/bootspec.nix @grahamc @cole-h @raitobezarius
+/nixos/modules/system/activation/bootspec.cue @grahamc @cole-h @raitobezarius
+
+# NixOS integration test driver
+/nixos/lib/test-driver @tfc
+
+# NixOS QEMU virtualisation
+/nixos/modules/virtualisation/qemu-vm.nix @raitobezarius
+
+# Systemd
+/nixos/modules/system/boot/systemd.nix @NixOS/systemd
+/nixos/modules/system/boot/systemd @NixOS/systemd
+/nixos/lib/systemd-*.nix @NixOS/systemd
+/pkgs/os-specific/linux/systemd @NixOS/systemd
+
+# Systemd-boot
+/nixos/modules/system/boot/loader/systemd-boot @JulienMalka
+
+# Images and installer media
+/nixos/modules/installer/cd-dvd/
+/nixos/modules/installer/sd-card/
+
+# Updaters
+## update.nix
+/maintainers/scripts/update.nix @jtojnar
+/maintainers/scripts/update.py @jtojnar
+## common-updater-scripts
+/pkgs/common-updater/scripts/update-source-version @jtojnar
+
+# Python-related code and docs
+/doc/languages-frameworks/python.section.md @mweinelt
+/pkgs/development/interpreters/python/hooks
+
+# Haskell
+/doc/languages-frameworks/haskell.section.md @sternenseemann @maralorn @ncfavier
+/maintainers/scripts/haskell @sternenseemann @maralorn @ncfavier
+/pkgs/development/compilers/ghc @sternenseemann @maralorn @ncfavier
+/pkgs/development/haskell-modules @sternenseemann @maralorn @ncfavier
+/pkgs/test/haskell @sternenseemann @maralorn @ncfavier
+/pkgs/top-level/release-haskell.nix @sternenseemann @maralorn @ncfavier
+/pkgs/top-level/haskell-packages.nix @sternenseemann @maralorn @ncfavier
+
+# Perl
+/pkgs/development/interpreters/perl @stigtsp @zakame @marcusramberg
+/pkgs/top-level/perl-packages.nix @stigtsp @zakame @marcusramberg
+/pkgs/development/perl-modules @stigtsp @zakame @marcusramberg
+
+# R
+/pkgs/applications/science/math/R @jbedo
+/pkgs/development/r-modules @jbedo
+
+# Rust
+/pkgs/development/compilers/rust @Mic92 @zowoq @winterqt @figsoda
+/pkgs/build-support/rust @zowoq @winterqt @figsoda
+/doc/languages-frameworks/rust.section.md @zowoq @winterqt @figsoda
+
+# C compilers
+/pkgs/development/compilers/gcc
+/pkgs/development/compilers/emscripten @raitobezarius
+/doc/languages-frameworks/emscripten.section.md @raitobezarius
+
+# Audio
+/nixos/modules/services/audio/botamusique.nix @mweinelt
+/nixos/modules/services/audio/snapserver.nix @mweinelt
+/nixos/tests/botamusique.nix @mweinelt
+/nixos/tests/snapcast.nix @mweinelt
+
+# Browsers
+/pkgs/applications/networking/browsers/firefox @mweinelt
+/pkgs/applications/networking/browsers/chromium @emilylange
+/nixos/tests/chromium.nix @emilylange
+
+# Certificate Authorities
+pkgs/data/misc/cacert/ @ajs124 @lukegb @mweinelt
+pkgs/development/libraries/nss/ @ajs124 @lukegb @mweinelt
+pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
+
+# Jetbrains
+/pkgs/applications/editors/jetbrains @edwtjo
+
+# Licenses
+/lib/licenses.nix @alyssais
+
+# Qt
+/pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
+/pkgs/development/libraries/qt-6 @K900 @NickCao @SuperSandro2000 @ttuegel
+
+# KDE / Plasma 5
+/pkgs/applications/kde @K900 @NickCao @SuperSandro2000 @ttuegel
+/pkgs/desktops/plasma-5 @K900 @NickCao @SuperSandro2000 @ttuegel
+/pkgs/development/libraries/kde-frameworks @K900 @NickCao @SuperSandro2000 @ttuegel
+
+# KDE / Plasma 6
+/pkgs/kde @K900 @NickCao @SuperSandro2000 @ttuegel
+/maintainers/scripts/kde @K900 @NickCao @SuperSandro2000 @ttuegel
+
+# PostgreSQL and related stuff
+/pkgs/servers/sql/postgresql @thoughtpolice
+/nixos/modules/services/databases/postgresql.md @thoughtpolice
+/nixos/modules/services/databases/postgresql.nix @thoughtpolice
+/nixos/tests/postgresql.nix @thoughtpolice
+
+# Hardened profile & related modules
+/nixos/modules/profiles/hardened.nix @joachifm
+/nixos/modules/security/lock-kernel-modules.nix @joachifm
+/nixos/modules/security/misc.nix @joachifm
+/nixos/tests/hardened.nix @joachifm
+/pkgs/os-specific/linux/kernel/hardened/config.nix @joachifm
+
+# Home Automation
+/nixos/modules/services/home-automation/home-assistant.nix @mweinelt
+/nixos/modules/services/home-automation/zigbee2mqtt.nix @mweinelt
+/nixos/tests/home-assistant.nix @mweinelt
+/nixos/tests/zigbee2mqtt.nix @mweinelt
+/pkgs/servers/home-assistant @mweinelt
+/pkgs/tools/misc/esphome @mweinelt
+
+# Network Time Daemons
+/pkgs/tools/networking/chrony @thoughtpolice
+/pkgs/tools/networking/ntp @thoughtpolice
+/pkgs/tools/networking/openntpd @thoughtpolice
+/nixos/modules/services/networking/ntp @thoughtpolice
+
+# Network
+/pkgs/tools/networking/octodns @Janik-Haag
+/pkgs/tools/networking/kea/default.nix @mweinelt
+/pkgs/tools/networking/babeld/default.nix @mweinelt
+/nixos/modules/services/networking/babeld.nix @mweinelt
+/nixos/modules/services/networking/kea.nix @mweinelt
+/nixos/modules/services/networking/knot.nix @mweinelt
+nixos/modules/services/networking/networkmanager.nix @Janik-Haag
+/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @mweinelt
+/nixos/tests/babeld.nix @mweinelt
+/nixos/tests/kea.nix @mweinelt
+/nixos/tests/knot.nix @mweinelt
+/nixos/tests/networking/* @Janik-Haag
+
+# Web servers
+/doc/packages/nginx.section.md @raitobezarius
+/pkgs/servers/http/nginx/ @raitobezarius
+/nixos/modules/services/web-servers/nginx/ @raitobezarius
+
+# Dhall
+/pkgs/development/dhall-modules @Gabriella439 @Profpatsch @ehmry
+/pkgs/development/interpreters/dhall @Gabriella439 @Profpatsch @ehmry
+
+# Idris
+/pkgs/development/idris-modules @Infinisil
+
+# Bazel
+/pkgs/development/tools/build-managers/bazel @Profpatsch
+
+# NixOS modules for e-mail and dns services
+/nixos/modules/services/mail/mailman.nix @peti
+/nixos/modules/services/mail/postfix.nix @peti
+/nixos/modules/services/networking/bind.nix @peti
+/nixos/modules/services/mail/rspamd.nix @peti
+
+# Emacs
+/pkgs/applications/editors/emacs/elisp-packages @adisbladis
+/pkgs/applications/editors/emacs @adisbladis
+/pkgs/top-level/emacs-packages.nix @adisbladis
+
+# Neovim
+/pkgs/applications/editors/neovim @figsoda @teto
+
+# VimPlugins
+/pkgs/applications/editors/vim/plugins @figsoda
+
+# VsCode Extensions
+/pkgs/applications/editors/vscode/extensions
+
+# PHP interpreter, packages, extensions, tests and documentation
+/doc/languages-frameworks/php.section.md @aanderse @drupol @globin @ma27 @talyz
+/nixos/tests/php @aanderse @drupol @globin @ma27 @talyz
+/pkgs/build-support/php/build-pecl.nix @aanderse @drupol @globin @ma27 @talyz
+/pkgs/build-support/php @drupol
+/pkgs/development/interpreters/php @jtojnar @aanderse @drupol @globin @ma27 @talyz
+/pkgs/development/php-packages @aanderse @drupol @globin @ma27 @talyz
+/pkgs/top-level/php-packages.nix @jtojnar @aanderse @drupol @globin @ma27 @talyz
+
+# Docker tools
+/pkgs/build-support/docker @roberth
+/nixos/tests/docker-tools* @roberth
+/doc/build-helpers/images/dockertools.section.md @roberth
+
+# Blockchains
+/pkgs/applications/blockchains @mmahut @RaghavSood
+
+# Go
+/doc/languages-frameworks/go.section.md @kalbasit @Mic92 @zowoq
+/pkgs/build-support/go @kalbasit @Mic92 @zowoq
+/pkgs/development/compilers/go @kalbasit @Mic92 @zowoq
+
+# GNOME
+/pkgs/desktops/gnome @jtojnar
+/pkgs/desktops/gnome/extensions @jtojnar
+/pkgs/build-support/make-hardcode-gsettings-patch @jtojnar
+
+# Cinnamon
+/pkgs/desktops/cinnamon @mkg20001
+
+# nim
+/pkgs/development/compilers/nim @ehmry
+
+# terraform providers
+/pkgs/applications/networking/cluster/terraform-providers @zowoq
+
+# Forgejo
+nixos/modules/services/misc/forgejo.nix @adamcstephens @bendlas @emilylange
+pkgs/by-name/fo/forgejo/package.nix @adamcstephens @bendlas @emilylange
+
+# Dotnet
+/pkgs/build-support/dotnet @corngood
+/pkgs/development/compilers/dotnet @corngood
+/pkgs/test/dotnet @corngood
+/doc/languages-frameworks/dotnet.section.md @corngood
+
+# Node.js
+/pkgs/build-support/node/build-npm-package @lilyinstarlight @winterqt
+/pkgs/build-support/node/fetch-npm-deps @lilyinstarlight @winterqt
+/doc/languages-frameworks/javascript.section.md @lilyinstarlight @winterqt
+
+# environment.noXlibs option aka NoX
+/nixos/modules/config/no-x-libs.nix @SuperSandro2000
+
+# OCaml
+/pkgs/build-support/ocaml @ulrikstrid
+/pkgs/development/compilers/ocaml @ulrikstrid
+/pkgs/development/ocaml-modules @ulrikstrid
+
+# ZFS
+pkgs/os-specific/linux/zfs/2_1.nix @raitobezarius
+pkgs/os-specific/linux/zfs/generic.nix @raitobezarius
+nixos/modules/tasks/filesystems/zfs.nix @raitobezarius
+nixos/tests/zfs.nix @raitobezarius
+
+# Zig
+/pkgs/development/compilers/zig @figsoda
+/doc/hooks/zig.section.md @figsoda
+
+# Buildbot
+nixos/modules/services/continuous-integration/buildbot @Mic92 @zowoq
+nixos/tests/buildbot.nix @Mic92 @zowoq
+pkgs/development/tools/continuous-integration/buildbot @Mic92 @zowoq
+
+# Pretix
+pkgs/by-name/pr/pretix/ @mweinelt
+pkgs/by-name/pr/pretalx/ @mweinelt
+nixos/modules/services/web-apps/pretix.nix @mweinelt
+nixos/modules/services/web-apps/pretalx.nix @mweinelt
+nixos/tests/web-apps/pretix.nix @mweinelt
+nixos/tests/web-apps/pretalx.nix @mweinelt
+
+# incus/lxc/lxd
+nixos/maintainers/scripts/lxd/ @adamcstephens
+nixos/modules/virtualisation/incus.nix @adamcstephens
+nixos/modules/virtualisation/lxc* @adamcstephens
+nixos/modules/virtualisation/lxd* @adamcstephens
+nixos/tests/incus/ @adamcstephens
+nixos/tests/lxd/ @adamcstephens
+pkgs/by-name/in/incus/ @adamcstephens
+pkgs/by-name/lx/lxc* @adamcstephens
+pkgs/by-name/lx/lxd* @adamcstephens
+pkgs/os-specific/linux/lxc/ @adamcstephens
From 3493325e09961d55fcbaa9fbdd890e1e9c2ef0af Mon Sep 17 00:00:00 2001
From: Silvan Mosberger
Date: Thu, 10 Oct 2024 00:11:47 +0200
Subject: [PATCH 12/18] CONTRIBUTING: Remove now-unneeded mass ping section This is not a problem anymore with the parent commit (cherry picked from commit c2464034c05b39cbcd72cb4f0323ed58c549453f)
---
 CONTRIBUTING.md | 43 +++---------------------------------------- 
 1 file changed, 3 insertions(+), 40 deletions(-)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index f40fb86ee559..38ae730cd4c1 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
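Review bot: The header says "Users/teams will get review requests", but PATCH 10 expands a team entry into its individual members and requests each of them, never the team itself, so the differences list should include `# - Team entries are expanded to the team's current members, who are requested individually.`. It is also worth stating that the file is read from the PR's base branch (`git show "$baseRef":"$ownersFile"` in PATCH 10's first hunk), e.g. `# - This file is read from the base branch of a PR, so changes to it take effect only after they are merged.`; that is what keeps a PR from choosing its own reviewers. The `# Develompent support` heading carries over a typo from the old file.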
@@ -193,19 +193,12 @@ The last checkbox is about whether it fits the guidelines in this `CONTRIBUTING. [rebase]: #rebasing-between-branches-ie-from-master-to-staging From time to time, changes between branches must be rebased, for example, if the -number of new rebuilds they would cause is too large for the target branch. When -rebasing, care must be taken to include only the intended changes, otherwise -many CODEOWNERS will be inadvertently requested for review. To achieve this, -rebasing should not be performed directly on the target branch, but on the merge -base between the current and target branch. As an additional precautionary measure, -you should temporarily mark the PR as draft for the duration of the operation. -This reduces the probability of mass-pinging people. (OfBorg might still -request a couple of persons for reviews though.) +number of new rebuilds they would cause is too large for the target branch. In the following example, we assume that the current branch, called `feature`, is based on `master`, and we rebase it onto the merge base between -`master` and `staging` so that the PR can eventually be retargeted to -`staging` without causing a mess. The example uses `upstream` as the remote for `NixOS/nixpkgs.git` +`master` and `staging` so that the PR can be retargeted to +`staging`. The example uses `upstream` as the remote for `NixOS/nixpkgs.git` while `origin` is the remote you are pushing to. 
@@ -234,36 +227,6 @@ git status
 git push origin feature --force-with-lease
 ```
-#### Something went wrong and a lot of people were pinged
-
-It happens. Remember to be kind, especially to new contributors.
-There is no way back, so the pull request should be closed and locked
-(if possible). The changes should be re-submitted in a new PR, in which the people
-originally involved in the conversation need to manually be pinged again.
-No further discussion should happen on the original PR, as a lot of people
-are now subscribed to it.
-
-The following message (or a version thereof) might be left when closing to
-describe the situation, since closing and locking without any explanation
-is kind of rude:
-
-```markdown
-It looks like you accidentally mass-pinged a bunch of people, which are now subscribed
-and getting notifications for everything in this pull request. Unfortunately, they
-cannot be automatically unsubscribed from the issue (removing review request does not
-unsubscribe), therefore development cannot continue in this pull request anymore.
-
-Please open a new pull request with your changes, link back to this one and ping the
-people actually involved in here over there.
-
-In order to avoid this in the future, there are instructions for how to properly
-rebase between branches in our [contribution guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#rebasing-between-branches-ie-from-master-to-staging).
-Setting your pull request to draft prior to rebasing is strongly recommended.
-In draft status, you can preview the list of people that are about to be requested
-for review, which allows you to sidestep this issue.
-This is not a bulletproof method though, as OfBorg still does review requests even on draft PRs.
-```
-
 ## How to backport pull requests
 [pr-backport]: #how-to-backport-pull-requests
From 9115330873d866918080193b743f1e0498f2c59a Mon Sep 17 00:00:00 2001
From: Silvan Mosberger
Date: Thu, 10 Oct 2024 01:26:00 +0200
Subject: [PATCH 13/18] ci/request-reviews: Make wrong base branch message hashes more transparent
Also, fix the description of the text
(cherry picked from commit c721e917ce7942f2e401411d6053f81c49a7d8c5)
---
 ci/request-reviews/verify-base-branch.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ci/request-reviews/verify-base-branch.sh b/ci/request-reviews/verify-base-branch.sh
index 17d721c5ddd1..7be280db8d65 100755
--- a/ci/request-reviews/verify-base-branch.sh
+++ b/ci/request-reviews/verify-base-branch.sh
@@ -90,8 +90,9 @@ for testBranch in "${devBranches[@]}"; do
 log -e "\e[33m"
 echo "The PR's base branch is set to $baseBranch, but $extraCommits commits from the $testBranch branch are included. Make sure you know the [right base branch for your changes](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#branch-conventions), then:"
 echo "- If the changes should go to the $testBranch branch, [change the base branch](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-base-branch-of-a-pull-request) to $testBranch"
- echo "- If the changes should go to the $baseBranch branch, rebase your PR onto the merge base with the $testBranch branch:"
- echo " \`\`\`"
+ echo "- If the changes should go to the $baseBranch branch, rebase your PR onto the merge base with the $baseBranch branch:"
+ echo " \`\`\`bash"
+ echo " # git rebase --onto \$(git merge-base upstream/$baseBranch HEAD) \$(git merge-base upstream/$testBranch HEAD)"
 echo " git rebase --onto $prMergeBase $testMergeBase"
 echo " git push --force-with-lease"
 echo " \`\`\`"
From bd43ae43124c132430ce938158c638018c64d8bd Mon Sep 17 00:00:00 2001
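Review bot: The added commented-out command hard-codes `upstream` as the remote name for NixOS/nixpkgs, while the resolved-hash command on the next line is remote-independent; a contributor whose remote is named differently will copy a command that quietly resolves the wrong merge bases. Since this text is meant to be pasted, say so in the message, e.g. add `echo "  # assuming 'upstream' is your remote for NixOS/nixpkgs; adjust the name otherwise"` right before the commented `git rebase --onto` line, or point at the CONTRIBUTING section that defines that convention. The `\$(...)` escaping is correct, so the hashes are not expanded at echo time. The enclosing `for testBranch` loop starts before and ends after this hunk.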
From: Silvan Mosberger
Date: Thu, 10 Oct 2024 01:40:43 +0200
Subject: [PATCH 14/18] .gitattributes: Mark ci/OWNERS as CODEOWNERS
(cherry picked from commit ddeb2dfd9117e540bc4479d8ef359349bc29bbb5)
---
 .gitattributes | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.gitattributes b/.gitattributes
index 01d363cbb1c1..32cd96ef9e2c 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -16,3 +16,5 @@ nixos/doc/default.nix linguist-documentation=false
 nixos/modules/module-list.nix merge=union
 # pkgs/top-level/all-packages.nix merge=union
+
+ci/OWNERS linguist-language=CODEOWNERS
From 01f9bc543fc188267d4315e716cce15571fa263f Mon Sep 17 00:00:00 2001
From: Silvan Mosberger
Date: Thu, 10 Oct 2024 21:17:53 +0200
Subject: [PATCH 15/18] workflows/codeowners: Cache codeowner validator build
The codeowner-validator build declared in ci/codeowners-validator was not cached before and needed to be built for every PR, which is slow and wasteful: https://github.com/NixOS/nixpkgs/actions/runs/11280533037/job/31373720922
(cherry picked from commit f9b28d5678b351f06365ed683c6a948669fe23fd)
---
 .github/workflows/codeowners.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
index 164b5a1136f2..56588d45c9cd 100644
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners.yml
@@ -25,6 +25,13 @@ jobs:
 steps:
 - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+ - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
+ if: github.repository_owner == 'NixOS'
+ with:
+ # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+ name: nixpkgs-ci
+ authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+
 # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
 # We later build and run code from the base branch with access to secrets,
 # so it's important this is not the PRs code.
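Review bot: The `authToken` input gives this job push access to the `nixpkgs-ci` cache while the workflow runs under `pull_request_target` with secrets, and the step is placed before the checkout whose comment warns against running PR code; nothing in the hunk records that every store path built later in this job is pushed to that cache under the project's token. That makes the existing "Important" comment load-bearing for cache integrity too: if a later step ever builds PR-controlled derivations, their outputs would be served from the cache to the other checks. I'd extend the comment above `name: nixpkgs-ci` with `# With authToken set, everything built in this job is pushed here; never build PR-controlled code in this job.` The `if: github.repository_owner == 'NixOS'` guard is appropriate so forks without the secret skip the step rather than fail.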
From 6e6a84a2a5bcc421159c800d411b28bef942283d Mon Sep 17 00:00:00 2001
From: Silvan Mosberger
Date: Fri, 11 Oct 2024 03:40:57 +0200
Subject: [PATCH 16/18] ci/request-reviews: Fix for branches starting with "pr"
Turns out if : is passed, a local branch is updated, which can conflict if the PR branch starts with "pr". I tried to avoid that with the original code but apparently that didn't work! https://github.com/NixOS/nixpkgs/actions/runs/11284183639/job/31384967152?pr=347822 Fetching the PR commit history From https://github.com/linj-fork/nixpkgs * [new branch] pr/kanata-add-version-check -> fork/pr error: cannot lock ref 'refs/remotes/fork/pr/kanata-add-version-check': 'refs/remotes/fork/pr' exists; cannot create 'refs/remotes/fork/pr/kanata-add-version-check' ! [new branch] pr/kanata-add-version-check -> fork/pr/kanata-add-version-check (unable to update local ref) error: some local refs could not be updated; try running
(cherry picked from commit 299a181477322181573d6014c995c2e1db05c844)
---
 ci/request-reviews/request-reviews.sh | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/ci/request-reviews/request-reviews.sh b/ci/request-reviews/request-reviews.sh
index a70a95a65b3a..8a3d78a50d5f 100755
--- a/ci/request-reviews/request-reviews.sh
+++ b/ci/request-reviews/request-reviews.sh
@@ -60,10 +60,9 @@ git -C "$tmp/nixpkgs.git" remote add fork https://github.com/"$prRepo".git
 git -C "$tmp/nixpkgs.git" config remote.fork.partialclonefilter tree:0
 git -C "$tmp/nixpkgs.git" config remote.fork.promisor true
-# This should not conflict with any refs in Nixpkgs
-headRef=refs/remotes/fork/pr
-# Only fetch into a remote ref, because the local ref namespace is used by Nixpkgs, don't want any conflicts
-git -C "$tmp/nixpkgs.git" fetch --no-tags fork "$prBranch":"$headRef"
+# Our local branches mirror Nixpkgs, so make sure to not try to update any to avoid conflicts
+git -C "$tmp/nixpkgs.git" fetch --no-tags fork "$prBranch"
+headRef=$(git -C "$tmp/nixpkgs.git" rev-parse HEAD)
 log "Checking correctness of the base branch"
 if ! "$SCRIPT_DIR"/verify-base-branch.sh "$tmp/nixpkgs.git" "$headRef" "$baseRepo" "$baseBranch" "$prRepo" "$prBranch" | tee "$tmp/invalid-base-error" >&2; then
From 9af45a7f850c1cd78bc0d850407e1b92684a38f7 Mon Sep 17 00:00:00 2001
From: Lin Jian
Date: Sat, 12 Oct 2024 06:03:46 +0800
Subject: [PATCH 17/18] ci/request-reviews: fix headRef to point to the PR head
Previously, headRef points to the master branch of Nixpkgs, which basically means no code owner review will be requested. The problem can be verified using the following command. $ DRY_MODE=1 ./ci/request-reviews/request-reviews.sh NixOS/nixpkgs 347973 ci/OWNERS [...] This PR touches 0 files Requesting reviews from: { "reviewers": [] } [...] Additionally, the comment about conflicts is removed thanks to the unambiguous way of specifying ref.
(cherry picked from commit f4c6e1174c8ece4de32fcee3ab7ccb267b640ea7)
---
 ci/request-reviews/request-reviews.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ci/request-reviews/request-reviews.sh b/ci/request-reviews/request-reviews.sh
index 8a3d78a50d5f..b21354560242 100755
--- a/ci/request-reviews/request-reviews.sh
+++ b/ci/request-reviews/request-reviews.sh
@@ -60,9 +60,8 @@ git -C "$tmp/nixpkgs.git" remote add fork https://github.com/"$prRepo".git
 git -C "$tmp/nixpkgs.git" config remote.fork.partialclonefilter tree:0
 git -C "$tmp/nixpkgs.git" config remote.fork.promisor true
-# Our local branches mirror Nixpkgs, so make sure to not try to update any to avoid conflicts
 git -C "$tmp/nixpkgs.git" fetch --no-tags fork "$prBranch"
-headRef=$(git -C "$tmp/nixpkgs.git" rev-parse HEAD)
+headRef=$(git -C "$tmp/nixpkgs.git" rev-parse refs/remotes/fork/"$prBranch")
 log "Checking correctness of the base branch"
 if ! "$SCRIPT_DIR"/verify-base-branch.sh "$tmp/nixpkgs.git" "$headRef" "$baseRepo" "$baseBranch" "$prRepo" "$prBranch" | tee "$tmp/invalid-base-error" >&2; then
From 80202bd4fab1f37f853d5eab3a843f6385e209b4 Mon Sep 17 00:00:00 2001
From: Silvan Mosberger
Date: Sat, 12 Oct 2024 05:27:01 +0200
Subject: [PATCH 18/18] ci/request-reviews: Avoid duplicates with different casings
It's possible to have different casings in OWNERS, so we need to handle that
(cherry picked from commit e612b89953ca26d1bff9b1a731e453389639cc10)
---
 ci/request-reviews/get-reviewers.sh | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/ci/request-reviews/get-reviewers.sh b/ci/request-reviews/get-reviewers.sh
index be0fd10c5b22..1107edd9e6f1 100755
--- a/ci/request-reviews/get-reviewers.sh
+++ b/ci/request-reviews/get-reviewers.sh
@@ -35,6 +35,7 @@ log "This PR touches ${#touchedFiles[@]} files"
 git -C "$gitRepo" show "$baseRef":"$ownersFile" > "$tmp"/codeowners
 # Associative array with the user as the key for easy de-duplication
+# Make sure to always lowercase keys to avoid duplicates with different casings
 declare -A users=()
 for file in "${touchedFiles[@]}"; do
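Review bot: `headRef=$(git -C "$tmp/nixpkgs.git" rev-parse refs/remotes/fork/"$prBranch")` now relies on the default fetch refspec that `remote add` configures (`+refs/heads/*:refs/remotes/fork/*`) mapping the bare `"$prBranch"` argument of the fetch into `refs/remotes/fork/`, and the commit drops the only comment saying why the fetch must not touch local branches. I'd keep one line above the fetch so the next edit does not reintroduce a `"$prBranch":<ref>` refspec, e.g. `# Fetch only through the default refspec into refs/remotes/fork/*; local branches mirror Nixpkgs and must never be updated`. If the fork branch was deleted or renamed between the event and this fetch, the ref does not exist and `rev-parse` prints the unresolved name and exits non-zero; whether that aborts the script depends on its error mode (`set -e`), which is not visible in the hunk.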
@@ -87,20 +88,20 @@ for file in "${touchedFiles[@]}"; do
 log "Team $entry has these members: ${members[*]}"
 for user in "${members[@]}"; do
- users[$user]=
+ users[${user,,}]=
 done
 else
 # Everything else is a user
- users[$entry]=
+ users[${entry,,}]=
 fi
 done
 done
 # Cannot request a review from the author
-if [[ -v users[$prAuthor] ]]; then
+if [[ -v users[${prAuthor,,}] ]]; then
 log "One or more files are owned by the PR author, ignoring"
- unset 'users[$prAuthor]'
+ unset 'users[${prAuthor,,}]'
 fi
 gh api \
@@ -111,9 +112,9 @@ gh api \
 # And we don't want to rerequest reviews from people who already reviewed
 while read -r user; do
- if [[ -v users[$user] ]]; then
+ if [[ -v users[${user,,}] ]]; then
 log "User $user is a code owner but has already left a review, ignoring"
- unset 'users[$user]'
+ unset 'users[${user,,}]'
 fi
 done < "$tmp/already-reviewed-by"
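Review bot: The lowercase-every-subscript rule is now repeated at five sites (the two `users[...]=` writes here, the `-v`/`unset` pair for `$prAuthor`, and the pair for `$user` in the hunk at -111), and the only thing enforcing it is the comment added next to `declare -A users=()`; any future lookup that forgets `${var,,}` silently brings the duplicate back. Three helpers next to the declaration would make the invariant structural and keep each `-v` test and its `unset` from drifting apart: `addUser() { users[${1,,}]=; }`, `hasUser() { [[ -v users[${1,,}] ]]; }`, `dropUser() { unset 'users[${1,,}]'; }`, with the sites here calling them. The lowercased keys are presumably what reaches the review-request API when the array is enumerated outside these hunks; GitHub logins are case-insensitive so that should be fine, and the log lines still printing the original casing is a reasonable choice.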