From 77a3b006cd6154ab2c3590c1d8229669e9f66265 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Sat, 1 Nov 2025 18:49:14 +0100 Subject: [PATCH 1/2] workflows/test: trigger on some github-scripts as well Changes in these files can easily cause the Test workflow to break, so they should be tested as well. --- .github/workflows/test.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f938ea5f64b1..8c0451a54754 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -66,6 +66,9 @@ jobs: '.github/workflows/pull-request-target.yml', '.github/workflows/reviewers.yml', '.github/workflows/test.yml', + 'ci/github-script/bot.js', + 'ci/github-script/merge.js', + 'ci/github-script/withRateLimit.js', ].includes(file))) core.setOutput('pr', true) merge-group: From 421974863f031fef03690906c2897483f60eccec Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Sat, 1 Nov 2025 17:37:03 +0100 Subject: [PATCH 2/2] workflows/bot: avoid access teams endpoints in Test workflow We have no chance of getting a token that can request the team endpoints in the pull_request context. This makes sense, because non-members of the org are also not allowed to view the teams' memberships. Thus, just fake an empty team - that's fine for the Test workflow. --- ci/github-script/merge.js | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/ci/github-script/merge.js b/ci/github-script/merge.js index 3c7576d659bb..42d350fe3f39 100644 --- a/ci/github-script/merge.js +++ b/ci/github-script/merge.js 
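Review bot: The three paths added to the list in `.github/workflows/test.yml` are an enumerated subset, so a script that `bot.js` or `merge.js` later starts to load will not trigger the Test workflow until someone adds it here by hand. If the whole directory is meant to be covered, a prefix test beside the list, such as `|| file.startsWith('ci/github-script/')`, avoids that drift. Otherwise a short comment above the entries, e.g. `# scripts whose changes can break the Test workflow`, would record why only these were chosen. The surrounding expression starts above this hunk, so the exact placement needs checking against the full file.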
@@ -6,13 +6,21 @@ async function runChecklist({ github, context, pull_request, maintainers }) { const pull_number = pull_request.number if (!committers) { - committers = github - .paginate(github.rest.teams.listMembersInOrg, { - org: context.repo.owner, - team_slug: 'nixpkgs-committers', - per_page: 100, - }) - .then((members) => new Set(members.map(({ id }) => id))) + if (context.eventName === 'pull_request') { + // We have no chance of getting a token in the pull_request context with the right + // permissions to access the members endpoint below. Thus, we're pretending to have + // no committers. This is OK; because this is only for the Test workflow, not for + // real use. + committers = new Set() + } else { + committers = github + .paginate(github.rest.teams.listMembersInOrg, { + org: context.repo.owner, + team_slug: 'nixpkgs-committers', + per_page: 100, + }) + .then((members) => new Set(members.map(({ id }) => id))) + } } const files = await github.paginate(github.rest.pulls.listFiles, {
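Review bot: In the `pull_request` branch `committers` becomes a plain `Set`, while the `else` branch still stores a promise of a `Set`, so the cached value has two shapes depending on the event. Its consumers are outside this hunk; `await` tolerates both, but a `.then` on it would not, so `committers = Promise.resolve(new Set())` keeps the shape uniform. The set presumably feeds the decision of who may merge, so the comment could also say that an empty set fails closed, with nobody treated as a committer. It could add that the stub is keyed on the event name rather than on an explicit test flag, so any other caller running under `pull_request` gets it too. `committers` is declared above the hunk and `runChecklist` continues below it.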