From 87912465af5de109283a9603b917af817d549283 Mon Sep 17 00:00:00 2001
From: Silvan Mosberger <silvan.mosberger@tweag.io>
Date: Tue, 23 Apr 2024 19:40:41 +0200
Subject: [PATCH 1/3] CODEOWNERS: Add myself to all files with no current owner

To satisfy the new check requiring all files to have a code owner
---
 .github/CODEOWNERS | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index b2ecce3..1f7dd33 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,5 +1,19 @@
-# See ./org-repo.md
+# See doc/org-repo.md
+
+/README.md @infinisil
+/CONTRIBUTING.md @infinisil
+/LICENSE @infinisil
 
 /.github/CODEOWNERS @infinisil @zimbatm
+/.github/workflows @infinisil
+/review-body.sh @infinisil
 
 /doc/org-repo.md @infinisil @zimbatm
+/doc/discourse.md @infinisil
+/doc/github.md @infinisil
+/doc/matrix.md @infinisil
+/doc/moderation.md @infinisil
+/doc/nixos-releases.md @infinisil
+/doc/resources.md @infinisil
+/doc/rfcs.md @infinisil
+/doc/teams.md @infinisil

From 569ec016309dec352adb30a16d9199c91bb656e1 Mon Sep 17 00:00:00 2001
From: Silvan Mosberger <silvan.mosberger@tweag.io>
Date: Tue, 23 Apr 2024 23:33:06 +0200
Subject: [PATCH 2/3] Check write permissions

---
 .github/CODEOWNERS             |  1 +
 .github/workflows/ci.yml       | 12 ++++++++
 scripts/unprivileged-owners.sh | 50 ++++++++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100755 scripts/unprivileged-owners.sh

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 1f7dd33..096ff27 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -6,6 +6,7 @@
 
 /.github/CODEOWNERS @infinisil @zimbatm
 /.github/workflows @infinisil
+/scripts @infinisil
 /review-body.sh @infinisil
 
 /doc/org-repo.md @infinisil @zimbatm
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8601548..5d3236c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,6 +25,9 @@ jobs:
     name: Validate codeowners
     runs-on: ubuntu-latest
     steps:
+    - uses: cachix/install-nix-action@v26
+      with:
+        nix_path: nixpkgs=channel:nixos-unstable
 
     - uses: actions/checkout@v4
       with:
@@ -55,3 +58,12 @@ jobs:
 
         # Specifies whether only teams are allowed as owners of files.
         owner_checker_owners_must_be_teams: "false"
+
+    # The above validator doesn't currently ensure that people have write access: https://github.com/mszostok/codeowners-validator/issues/157
+    # So we're doing it manually instead
+    - name: Check that codeowners have write access
+      # Important that we run the script from the base branch,
+      # because otherwise a PR from a fork could change it to extract the secret
+      run: trusted-base/scripts/unprivileged-owners.sh untrusted-pr ${{ github.repository }}
+      env:
+        GH_TOKEN: "${{ secrets.OWNERS_VALIDATOR_GITHUB_SECRET }}"
diff --git a/scripts/unprivileged-owners.sh b/scripts/unprivileged-owners.sh
new file mode 100755
index 0000000..68dc4b8
--- /dev/null
+++ b/scripts/unprivileged-owners.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash --pure --keep GH_TOKEN -I nixpkgs=channel:nixpkgs-unstable -p codeowners github-cli
+
+set -euo pipefail
+
+tmp=$(mktemp -d)
+trap 'rm -rf "$tmp"' exit
+
+if (( $# != 2 )); then
+  echo "Usage: $0 PATH OWNER/REPO"
+  exit 1
+fi
+
+root=$1
+repo=$2
+
+# Writes all code owners into $tmp/codeowners, one user per line (without @)
+while read -r -a fields; do
+  # The first field is the filename
+  unset 'fields[0]'
+  if [[ "${fields[1]}" != "(unowned)" ]]; then
+    (IFS=$'\n'; echo "${fields[*]##@}")
+  fi
+done < <(cd "$root"; codeowners) |
+  sort -u > "$tmp/codeowners"
+
+# Get all users with push access
+gh api \
+  -H "Accept: application/vnd.github+json" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  --method GET \
+  -f permission=push \
+  /repos/"$repo"/collaborators \
+  -F per_page=100 \
+  --paginate \
+  --jq '.[].login' |
+  sort > "$tmp/collaborators"
+
+# Figure out all the owners that aren't collaborators
+readarray -t unprivilegedOwners < <(comm -23 "$tmp/codeowners" "$tmp/collaborators")
+
+if (( "${#unprivilegedOwners[@]}" == 0 )); then
+  echo "All code owners have write permission"
+else
+  echo "These code owners don't have write permission:"
+  for handle in "${unprivilegedOwners[@]}"; do
+    echo "- [ ] @$handle"
+  done
+  exit 1
+fi

From be0005a536e2c33584ff807c1df3053b233cfb63 Mon Sep 17 00:00:00 2001
From: Silvan Mosberger <silvan.mosberger@tweag.io>
Date: Tue, 23 Apr 2024 23:42:36 +0200
Subject: [PATCH 3/3] Try adding a codeowner without write access

---
 .github/CODEOWNERS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 096ff27..e70e64a 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -2,7 +2,7 @@
 
 /README.md @infinisil
 /CONTRIBUTING.md @infinisil
-/LICENSE @infinisil
+/LICENSE @infinisil @infinixbot
 
 /.github/CODEOWNERS @infinisil @zimbatm
 /.github/workflows @infinisil