Reapply {ci,workflows}: allow multiple blocking reviews"

A couple of bugfixes, but the problem was that the apps weren't installed.

.github/workflows/check.yml

@@ -16,6 +16,14 @@ on:
         required: true
         type: string
     secrets:
+      # Can be provided in pull requests because the job it is used in does
+      # not evaluate untrusted code.
+      NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY:
+        required: false
+      # Can be provided in pull requests because the job it is used in does
+      # not evaluate untrusted code.
+      NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY:
+        required: false
       # Should only be provided in the merge queue, not in pull requests,
       # where we're evaluating untrusted code.
       CACHIX_AUTH_TOKEN_GHA:
@@ -45,9 +53,17 @@ jobs:
       - name: Install dependencies
         run: npm install bottleneck@2.19.5
 
+      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID
+        id: app-token
+        with:
+          client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }}
+          private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }}
+          permission-pull-requests: write
+
       - name: Log current API rate limits
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
         run: gh api /rate_limit | jq
 
       - name: Check commits
@@ -56,6 +72,7 @@ jobs:
         env:
           TARGETS_STABLE: ${{ fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development') }}
         with:
+          github-token: ${{ steps.app-token.outputs.token || github.token }}
           script: |
             const targetsStable = JSON.parse(process.env.TARGETS_STABLE)
             require('./trusted/ci/github-script/commits.js')({
@@ -68,7 +85,7 @@ jobs:
 
       - name: Log current API rate limits
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
         run: gh api /rate_limit | jq
 
   manual-file-edits:
@@ -85,25 +102,35 @@ jobs:
           sparse-checkout: |
             ci/github-script
 
+      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID
+        id: app-token
+        with:
+          client-id: ${{ vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID }}
+          private-key: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }}
+          permission-pull-requests: write
+
       - name: Log current API rate limits
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
         run: gh api /rate_limit | jq
 
       - name: Discourage manual edits to certain files
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
+          github-token: ${{ steps.app-token.outputs.token || github.token }}
           script: |
             require('./trusted/ci/github-script/manual-file-edits.js')({
               github,
               context,
               core,
+              dry: context.eventName == 'pull_request',
               repoPath: 'trusted',
             })
 
       - name: Log current API rate limits
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
         run: gh api /rate_limit | jq
 
   owners:

.github/workflows/eval.yml

@@ -23,6 +23,10 @@ on:
         default: false
         type: boolean
     secrets:
+      # Can be provided in pull requests because the job it is used in does
+      # not evaluate untrusted code.
+      NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY:
+        required: false
       # Should only be provided in the merge queue, not in pull requests,
       # where we're evaluating untrusted code.
       CACHIX_AUTH_TOKEN_GHA:
@@ -349,10 +353,22 @@ jobs:
               description,
               target_url
             })
+
+      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        if: github.event_name == 'pull_request_target' && vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID
+        id: app-token
+        with:
+          client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }}
+          private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }}
+          permission-pull-requests: write
+
+      # It's fine to reuse this app in the 'pull-request-target / prepare' job,
+      # because that job has to run before this one.
       - name: Request changes if PR is against an inappropriate branch
         if: ${{ github.event_name == 'pull_request_target' }}
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
+          github-token: ${{ steps.app-token.outputs.token || github.token }}
           script: |
             require('./nixpkgs/trusted/ci/github-script/check-target-branch.js')({
               github,

.github/workflows/pull-request-target.yml

@@ -10,6 +10,12 @@ on:
     secrets:
       NIXPKGS_CI_APP_PRIVATE_KEY:
         required: true
+      NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY:
+        required: true
+      NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY:
+        required: true
+      NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY:
+        required: true
 
 concurrency:
   group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
@@ -36,9 +42,21 @@ jobs:
           sparse-checkout-cone-mode: true # default, for clarity
           sparse-checkout: |
             ci/github-script
+
+      # It's fine to reuse this app in the 'eval / compare' job,
+      # because this job has to run before that one.
+      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        if: vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID
+        id: app-token
+        with:
+          client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }}
+          private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }}
+          permission-pull-requests: write
+
       - id: prepare
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
+          github-token: ${{ steps.app-token.outputs.token || github.token }}
           retries: 10
           # The default for this includes code 422, which happens regularly for us when comparing commits:
           #   422 - Server Error: Sorry, this diff is taking too long to generate.
@@ -60,6 +78,9 @@ jobs:
     permissions:
       # cherry-picks
       pull-requests: write
+    secrets:
+      NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }}
+      NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }}
     with:
       baseBranch: ${{ needs.prepare.outputs.baseBranch }}
       headBranch: ${{ needs.prepare.outputs.headBranch }}
@@ -82,6 +103,8 @@ jobs:
       # compare
       pull-requests: write
       statuses: write
+    secrets:
+      NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }}
     with:
       artifact-prefix: ${{ inputs.artifact-prefix }}
       mergedSha: ${{ needs.prepare.outputs.mergedSha }}

.github/workflows/test.yml

@@ -116,5 +116,8 @@ jobs:
       statuses: write # unused on pull_request, required by PR workflow
     secrets:
       NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
+      NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }}
+      NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }}
+      NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }}
     with:
       artifact-prefix: pr-