ci: Add codeowners validator
This commit is contained in:
parent
369cfa02da
commit
5695bf6cfe
31
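--- /dev/null
+++ b/ci/codeowners-validator/default.nix
@@ -0,0 +1,31 @@
+{
+buildGoModule,
+fetchFromGitHub,
+fetchpatch,
+}:
+buildGoModule {
+name = "codeowners-validator";
+src = fetchFromGitHub {
+owner = "mszostok";
+repo = "codeowners-validator";
+rev = "f3651e3810802a37bd965e6a9a7210728179d076";
+hash = "sha256-5aSmmRTsOuPcVLWfDF6EBz+6+/Qpbj66udAmi1CLmWQ=";
+};
+patches = [
+# https://github.com/mszostok/codeowners-validator/pull/222
+(fetchpatch {
+name = "user-write-access-check";
+url = "https://github.com/mszostok/codeowners-validator/compare/f3651e3810802a37bd965e6a9a7210728179d076...840eeb88b4da92bda3e13c838f67f6540b9e8529.patch";
+hash = "sha256-t3Dtt8SP9nbO3gBrM0nRE7+G6N/ZIaczDyVHYAG/6mU=";
+})
+# Undoes part of the above PR: We don't want to require write access
+# to the repository, that's only needed for GitHub's native CODEOWNERS.
+# Furthermore, it removes an unneccessary check from the code
+# that breaks tokens generated for GitHub Apps.
+./permissions.patch
+# Allows setting a custom CODEOWNERS path using the OWNERS_FILE env var
+./owners-file-name.patch
+];
+postPatch = "rm -r docs/investigation";
+vendorHash = "sha256-R+pW3xcfpkTRqfS2ETVOwG8PZr0iH5ewroiF7u8hcYI=";
+}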
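Review bot: `postPatch = "rm -r docs/investigation"` is the only step in this derivation without a comment saying why it is needed, so whoever bumps `rev` next cannot tell whether the directory may be kept; the cause is presumably Go sources under docs/ that buildGoModule would otherwise compile or vendor, and a line such as `# docs/investigation holds standalone Go programs that break the module build` would record that (confirm the actual cause before settling the wording). The derivation also uses a bare `name` instead of `pname`/`version`; since the source is a commit pin rather than a release, `pname = "codeowners-validator"; version = "0-unstable-<commit date>";` keeps the store path and update tooling aware of what is built. The supply-chain side looks sound: both the source and the upstream PR patch are pinned by commit SHA and content hash. The comment above `./permissions.patch` has a typo, `unneccessary` → `unnecessary`.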
15
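--- /dev/null
+++ b/ci/codeowners-validator/owners-file-name.patch
@@ -0,0 +1,15 @@
+diff --git a/pkg/codeowners/owners.go b/pkg/codeowners/owners.go
+index 6910bd2..e0c95e9 100644
+--- a/pkg/codeowners/owners.go
++++ b/pkg/codeowners/owners.go
+@@ -39,6 +39,10 @@ func NewFromPath(repoPath string) ([]Entry, error) {
+// openCodeownersFile finds a CODEOWNERS file and returns content.
+// see: https://help.github.com/articles/about-code-owners/#codeowners-file-location
+func openCodeownersFile(dir string) (io.Reader, error) {
++ if file, ok := os.LookupEnv("OWNERS_FILE"); ok {
++ return fs.Open(file)
++ }
++
+var detectedFiles []string
+for _, p := range []string{".", "docs", ".github"} {
+pth := path.Join(dir, p)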
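Review bot: The added `OWNERS_FILE` branch hands the variable to `fs.Open` unchanged, so a relative value resolves against the process working directory rather than `dir`, an absolute value can point at any file the validator can read, and a variable that is set but empty satisfies `ok` and fails the open instead of falling through to the normal discovery below. If the variable is only ever set by the CI definition this is acceptable, but the override should be documented and the empty case excluded: `if file, ok := os.LookupEnv("OWNERS_FILE"); ok && file != "" {` preceded by `// OWNERS_FILE bypasses discovery; the path is used as given (not confined to dir) and is trusted CI configuration.` `fs` appears to be a package-level filesystem handle declared outside this hunk, and the remainder of `openCodeownersFile` continues past the hunk's last line.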
36
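--- /dev/null
+++ b/ci/codeowners-validator/permissions.patch
@@ -0,0 +1,36 @@
+diff --git a/internal/check/valid_owner.go b/internal/check/valid_owner.go
+index a264bcc..610eda8 100644
+--- a/internal/check/valid_owner.go
++++ b/internal/check/valid_owner.go
+@@ -16,7 +16,6 @@ import (
+const scopeHeader = "X-OAuth-Scopes"
+
+var reqScopes = map[github.Scope]struct{}{
+- github.ScopeReadOrg: {},
+}
+
+type ValidOwnerConfig struct {
+@@ -223,10 +222,7 @@ func (v *ValidOwner) validateTeam(ctx context.Context, name string) *validateErr
+for _, t := range v.repoTeams {
+// GitHub normalizes name before comparison
+if strings.EqualFold(t.GetSlug(), team) {
+- if t.Permissions["push"] {
+- return nil
+- }
+- return newValidateError("Team %q cannot review PRs on %q as neither it nor any parent team has write permissions.", team, v.orgRepoName)
++ return nil
+}
+}
+
+@@ -245,10 +241,7 @@ func (v *ValidOwner) validateGitHubUser(ctx context.Context, name string) *valid
+for _, u := range v.repoUsers {
+// GitHub normalizes name before comparison
+if strings.EqualFold(u.GetLogin(), userName) {
+- if u.Permissions["push"] {
+- return nil
+- }
+- return newValidateError("User %q cannot review PRs on %q as they don't have write permissions.", userName, v.orgRepoName)
++ return nil
+}
+}
+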
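Review bot: Deleting `github.ScopeReadOrg` leaves `reqScopes` as an empty map, so whatever consults it against the `X-OAuth-Scopes` header (outside this hunk) now requires nothing and `const scopeHeader` on the line above may have become dead; if the intent is only to accept GitHub App tokens, which do not carry that header, the patch should say so rather than silently disabling the scope check for classic tokens too, e.g. `// No scopes are required: GitHub App tokens do not return X-OAuth-Scopes.` In the two rewritten branches `return nil` is reached for any team or user present in `v.repoTeams`/`v.repoUsers` regardless of permission level, so a read-only collaborator is now a valid owner; that matches the rationale in default.nix but deserves a one-line comment at each `return nil`, such as `// Any collaborator is accepted; write access is only needed for GitHub's native CODEOWNERS enforcement.` Both `validateTeam` and `validateGitHubUser` start and end outside their hunks, so how the empty map is consumed could not be confirmed here.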
@ -25,4 +25,5 @@ in
|
|||||||
{
|
{
|
||||||
inherit pkgs;
|
inherit pkgs;
|
||||||
requestReviews = pkgs.callPackage ./request-reviews { };
|
requestReviews = pkgs.callPackage ./request-reviews { };
|
||||||
|
codeownersValidator = pkgs.callPackage ./codeowners-validator { };
|
||||||
}
|
}
|
||||||
|