Check that code owners have write access for the regular review

infinisil · infinisil · commit 9028d175b20f · 2024-04-24T21:26:13.000+02:00
diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml
@@ -11,14 +11,26 @@ jobs:
   update:
     runs-on: ubuntu-latest
     steps:
+      - uses: cachix/install-nix-action@v26
+
       - uses: actions/checkout@v4
+        with:
+          path: repo
+
+      - name: Generate issue body
+        run: repo/scripts/review-body.sh repo ${{ github.repository }} > body
+        env:
+          # This token has read-only admin access to see who has write access to this repo
+          GH_TOKEN: "${{ secrets.OWNERS_VALIDATOR_GITHUB_SECRET }}"
+
       - run: |
           gh api \
             --method POST \
             -H "Accept: application/vnd.github+json" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/"$GITHUB_REPOSITORY"/issues \
+            /repos/${{ github.repository }}/issues \
             -f title="[$(date +'%Y %B')] Regular manual review " \
-            -f body="$(./scripts/review-body.sh)"
+            -F body=@body
         env:
+          # This token has write access to only issues to create one
           GH_TOKEN: ${{ github.token }}
diff --git a/scripts/review-body.sh b/scripts/review-body.sh
@@ -1,9 +1,21 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash --pure --keep GH_TOKEN -I nixpkgs=channel:nixpkgs-unstable -p codeowners github-cli gitMinimal
+
 set -euo pipefail
 
 # This script outputs the contents of the regular review issue, see ./github/workflows/review.yml
 
-rev=$(git rev-parse HEAD)
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+if (( $# != 2 )); then
+  echo "Usage: $0 PATH OWNER/REPO"
+  exit 1
+fi
+
+root=$1
+repo=$2
+
+rev=$(git -C "$root" rev-parse HEAD)
 
 echo "Because the documentation in this repository may slowly deviate from reality, this monthly issue is created to regularly review the files.
 
@@ -30,4 +42,11 @@ while read -r file users; do
     continue
   fi
   echo "- [ ] \`$file\`: $users"
-done < .github/CODEOWNERS
+done < "$root"/.github/CODEOWNERS
+
+echo ""
+
+# Check that all code owners have write permissions
+# `|| true` because this script fails when there are code owners without permissions,
+# which is useful to fail PRs, but not here
+bash "$SCRIPT_DIR"/unprivileged-owners.sh "$root" "$repo" || true
