
[Backport release-25.05] workflows/check: run codeowners validator from trusted checkout#457529

Merged
wolfgangwalther merged 2 commits intorelease-25.05from
backport-457527-to-release-25.05
Nov 1, 2025

Conversation


@nixpkgs-ci nixpkgs-ci bot commented Nov 1, 2025

Bot-based backport to release-25.05, triggered by a label in #457527.

  • Before merging, ensure that this backport is acceptable for the release.
    • Even as a non-committer, if you find that it is not acceptable, leave a comment.

In f7d6d11 I wrongly assumed that
running from the untrusted checkout should be fine for the codeowners
validator, because we removed all the logic for privileged tokens.
However, this job also contains access to the cachix secret, which could
be used to push malicious code to cachix, which would then be pulled by
a more privileged workflow like reviewers.yml later.

(cherry picked from commit 9718f29)

To be able to disable the pr.yml workflow on GitHub, we need to rename
it to a different name. Let's use the long name for consistency with
merge-group.yml. This only affects the GitHub-internal name, not the
visible name in the PR checklist, which is still "PR". This visible name
is also used by nixpkgs-review, so that won't break.

(cherry picked from commit f66a380)
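The hazard the first commit message describes (a job that runs tool code from the untrusted PR checkout while holding the cachix secret) and the fix it applies (run the validator from the trusted checkout) are illustrated below. This is an added example, not nixpkgs' own workflow file: the job names, the validator script path, the cache name, the secret name and the action version tags are assumptions chosen for illustration.

```yaml
# Added illustration, not the nixpkgs workflow. Job names, script path,
# cache name, secret name and version tags are assumptions.
on:
  pull_request_target:   # runs in the base repo with its secrets; PR content is untrusted

jobs:
  # WEAK: the validator script is taken from the PR head, yet the job has the
  # cachix token in scope, so a malicious PR can run arbitrary code with it.
  codeowners-weak:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - uses: cachix/cachix-action@v15
        with:
          name: example-cache                              # assumed cache name
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}      # assumed secret name
      - run: ./ci/validate-codeowners.sh                   # script comes from the PR

  # HARDENED: tool code comes from the trusted base ref; the PR's files are
  # checked out separately and only read as data by the trusted script.
  codeowners-trusted:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4     # under pull_request_target this is the base commit
        with:
          path: trusted
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          path: untrusted
          persist-credentials: false  # do not leave a token inside the untrusted tree
      - uses: cachix/cachix-action@v15
        with:
          name: example-cache
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - run: ./trusted/ci/validate-codeowners.sh untrusted/.github/CODEOWNERS
```

The point of the second job is the separation of roles: everything that executes (the checkout action, the cachix action, the validator script) is resolved from the base branch, while the PR contributes only the file under test. A quick check when reviewing a `pull_request_target` workflow is to ask, for every `run:` step and every `uses:` of a local action, which checkout the code is loaded from and which secrets are visible to that step.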
@nixpkgs-ci nixpkgs-ci bot added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Nov 1, 2025
@nixpkgs-ci nixpkgs-ci bot added the following labels Nov 1, 2025:
  • 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin.
  • 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux.
  • 6.topic: continuous integration Affects continuous integration (CI) in Nixpkgs, including Ofborg and GitHub Actions
  • 4.workflow: backport This targets a stable branch
  • 6.topic: policy discussion Discuss policies to work in and around Nixpkgs
@wolfgangwalther wolfgangwalther added this pull request to the merge queue Nov 1, 2025
Merged via the queue into release-25.05 with commit 829aa1b Nov 1, 2025
63 of 67 checks passed
@wolfgangwalther wolfgangwalther deleted the backport-457527-to-release-25.05 branch November 1, 2025 12:16