workflows/team-sync: init

Creates a team sync workflow that pushes the current state of teams to a JSON file, which can then be ingested by `lib.teams` to expose member lists. Co-Authored-By: Alexander Bantyev <alexander.bantyev@tweag.io>
2025-10-11 02:24:46 +02:00
parent ff336e2ecd
commit c0c6684257
3 changed files with 175 additions and 0 deletions
--- a/.github/workflows/team.yml
+++ b/.github/workflows/team.yml
@@ -0,0 +1,81 @@
+name: Teams
+
+on:
+  schedule:
+    # Every Tuesday at 19:42 (randomly chosen)
+    - cron: '42 19 * * 1'
+
+  # Allows manual trigger
+  workflow_dispatch:
+
+permissions: {}
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  sync:
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        id: team-token
+        with:
+          app-id: ${{ vars.OWNER_APP_ID }}
+          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+          permission-administration: read
+          permission-members: read
+      - name: Fetch source
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          sparse-checkout: |
+            ci/github-script
+            maintainers/github-teams.json
+      - name: Install dependencies
+        run: npm install bottleneck
+      - name: Synchronise teams
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          github-token: ${{ steps.team-token.outputs.token }}
+          script: |
+            require('./ci/github-script/get-teams.js')({
+              github,
+              context,
+              core,
+              outFile: "maintainers/github-teams.json"
+            })
+
+      # Use a GitHub App to create the PR so that CI gets triggered
+      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        id: sync-token
+        with:
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
+      - name: Get GitHub App User Git String
+        id: user
+        env:
+          GH_TOKEN: ${{ steps.sync-token.outputs.token }}
+          APP_SLUG: ${{ steps.sync-token.outputs.app-slug }}
+        run: |
+          name="${APP_SLUG}[bot]"
+          userId=$(gh api "/users/$name" --jq .id)
+          email="$userId+$name@users.noreply.github.com"
+          echo "git-string=$name <$email>" >> "$GITHUB_OUTPUT"
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        with:
+          token: ${{ steps.sync-token.outputs.token }}
+          add-paths: maintainers/github-teams.json
+          author: ${{ steps.user.outputs.git-string }}
+          committer: ${{ steps.user.outputs.git-string }}
+          commit-message: "maintainers/github-teams.json: Automated sync"
+          branch: github-team-sync
+          title: "maintainers/github-teams.json: Automated sync"
+          body: |
+            This is an automated PR to sync the GitHub teams with access to this repository to the `lib.teams` list.
+
+            This PR can be merged without taking any further action.
+