Use GitHub App for codeowner validation and remove hacky script

infinisil · infinisil · commit cf30052ba8f9 · 2024-04-26T16:16:17.000+02:00
We shouldn't use personal access tokens, instead we created a GitHub App with read-only access to just this repository. While codeowners-validator supports GitHub App authentication, the same cannot be said for the hacky script I wrote because there was no support for checking write access: mszostok/codeowners-validator#157 Instead of trying to hack the script more to make it work with GitHub App authentication, I decided to implement it into codeowners-validator itself: mszostok/codeowners-validator#222 Because it's not merged/released yet, we need to build it ourselves, so I added some Nix to do that reproducibly.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -31,37 +31,24 @@ jobs:
       with:
         path: trusted-base
 
+    - name: Build codeowners validator
+      # We run the result of this with access to secrets later, so it's important to trust this!
+      run: nix-build trusted-base -A packages.codeowners-validator
+
     - uses: actions/checkout@v4
       with:
         ref: refs/pull/${{ github.event.pull_request.number }}/merge
         path: untrusted-pr
 
-    - uses: mszostok/codeowners-validator@v0.7.4
-      with:
-        # GitHub access token is required only if the `owners` check is enabled
-        # See https://github.com/mszostok/codeowners-validator/blob/main/docs/gh-auth.md#public-repositories
-        github_access_token: "${{ secrets.OWNERS_VALIDATOR_GITHUB_SECRET }}"
-
-        # The repository path in which CODEOWNERS file should be validated."
-        repository_path: untrusted-pr
-
-        # The owner and repository name. For example, gh-codeowners/codeowners-samples. Used to check if GitHub team is in the given organization and has permission to the given repository."
-        owner_checker_repository: "${{ github.repository }}"
-
-        # "The comma-separated list of experimental checks that should be executed. By default, all experimental checks are turned off. Possible values: notowned,avoid-shadowing"
-        experimental_checks: "notowned,avoid-shadowing"
-
-        # Specifies whether CODEOWNERS may have unowned files. For example, `/infra/oncall-rotator/oncall-config.yml` doesn't have owner and this is not reported.
-        owner_checker_allow_unowned_patterns: "false"
-
-        # Specifies whether only teams are allowed as owners of files.
-        owner_checker_owners_must_be_teams: "false"
-
-    # The above validator doesn't currently ensure that people have write access: https://github.com/mszostok/codeowners-validator/issues/157
-    # So we're doing it manually instead
-    - name: Check that codeowners have write access
-      # Important that we run the script from the base branch,
-      # because otherwise a PR from a fork could change it to extract the secret
-      run: trusted-base/scripts/unprivileged-owners.sh untrusted-pr ${{ github.repository }}
+    - name: Validate codeowners
+      run: result/bin/codeowners-validator
       env:
-        GH_TOKEN: "${{ secrets.OWNERS_VALIDATOR_GITHUB_SECRET }}"
+        # See https://github.com/mszostok/codeowners-validator/blob/main/docs/gh-auth.md#public-repositories
+        GITHUB_APP_ID: ${{ secrets.APP_ID }}
+        GITHUB_APP_INSTALLATION_ID: ${{ secrets.APP_INSTALLATION_ID }}
+        GITHUB_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
+        REPOSITORY_PATH: untrusted-pr
+        OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
+        EXPERIMENTAL_CHECKS: "notowned,avoid-shadowing"
+        OWNER_CHECKER_ALLOW_UNOWNED_PATTERNS: "false"
+        OWNER_CHECKER_OWNERS_MUST_BE_TEAMS: "false"
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+result*
diff --git a/default.nix b/default.nix
@@ -0,0 +1,34 @@
+let
+  sources = import ./npins;
+in
+{
+  system ? builtins.currentSystem,
+  nixpkgs ? sources.nixpkgs,
+}:
+let
+  pkgs = import nixpkgs {
+    inherit system;
+    config = { };
+    overlays = [ ];
+  };
+  inherit (pkgs) lib;
+
+  packages = {
+    codeowners-validator = pkgs.buildGoModule {
+      name = "codeowners-validator";
+      src = sources.codeowners-validator;
+      vendorHash = "sha256-R+pW3xcfpkTRqfS2ETVOwG8PZr0iH5ewroiF7u8hcYI=";
+      postPatch = "rm -r docs/investigation";
+    };
+  };
+  
+in
+{
+  inherit packages;
+
+  shell = pkgs.mkShell {
+    packages = [
+      pkgs.npins
+    ];
+  };
+}
diff --git a/npins/default.nix b/npins/default.nix
@@ -0,0 +1,47 @@
+# Generated by npins. Do not modify; will be overwritten regularly
+let
+  data = builtins.fromJSON (builtins.readFile ./sources.json);
+  version = data.version;
+
+  mkSource = spec:
+    assert spec ? type; let
+      path =
+        if spec.type == "Git" then mkGitSource spec
+        else if spec.type == "GitRelease" then mkGitSource spec
+        else if spec.type == "PyPi" then mkPyPiSource spec
+        else if spec.type == "Channel" then mkChannelSource spec
+        else builtins.throw "Unknown source type ${spec.type}";
+    in
+    spec // { outPath = path; };
+
+  mkGitSource = { repository, revision, url ? null, hash, ... }:
+    assert repository ? type;
+    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+    # In the latter case, there we will always be an url to the tarball
+    if url != null then
+      (builtins.fetchTarball {
+        inherit url;
+        sha256 = hash; # FIXME: check nix version & use SRI hashes
+      })
+    else assert repository.type == "Git"; builtins.fetchGit {
+      url = repository.url;
+      rev = revision;
+      # hash = hash;
+    };
+
+  mkPyPiSource = { url, hash, ... }:
+    builtins.fetchurl {
+      inherit url;
+      sha256 = hash;
+    };
+
+  mkChannelSource = { url, hash, ... }:
+    builtins.fetchTarball {
+      inherit url;
+      sha256 = hash;
+    };
+in
+if version == 3 then
+  builtins.mapAttrs (_: mkSource) data.pins
+else
+  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
diff --git a/npins/sources.json b/npins/sources.json
@@ -0,0 +1,23 @@
+{
+  "pins": {
+    "codeowners-validator": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "tweag",
+        "repo": "codeowners-validator"
+      },
+      "branch": "simpler-faster-permission-check",
+      "revision": "a69f70c0bd8ec168ff695f412afa83c7b7a65413",
+      "url": "https://github.com/tweag/codeowners-validator/archive/a69f70c0bd8ec168ff695f412afa83c7b7a65413.tar.gz",
+      "hash": "1rybdypjgn4i065r6msfwyx1rvv73x19p28lps3si79bwbkg2xg0"
+    },
+    "nixpkgs": {
+      "type": "Channel",
+      "name": "nixpkgs-unstable",
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.05pre616757.4c86138ce486/nixexprs.tar.xz",
+      "hash": "0lbvdj9jc7g3pqs0yvahpb8y453gn65jvkvbnnkbi6m4afp92p04"
+    }
+  },
+  "version": 3
+}
diff --git a/scripts/unprivileged-owners.sh b/scripts/unprivileged-owners.sh
diff --git a/shell.nix b/shell.nix
@@ -0,0 +1 @@
+(import ./. { }).shell
