ci: init get-merge-commit workflow #361494
6b0a7ec to 893039e
.github/workflows/nixpkgs-vet.yml
Do we need a separate job for this? It seems like this can just be a separate step in the first job instead. This way we wouldn't spam the list of CI checks with many of these
I just followed https://docs.github.com/en/actions/sharing-automations/reusing-workflows#calling-a-reusable-workflow
But let's try to implement this.
@infinisil tried d3446ef, but seems to fail https://github.com/JohnRTitor/nixpkgs/actions/runs/12145724531/job/33868011344?pr=2
Could you help?
You'll need to move it after the checkout, as the message suggests. Otherwise it hasn't cloned the repo.
Well we are doing it in the get-merge-commit workflow. https://github.com/JohnRTitor/nixpkgs/blob/d3446ef3d7072be54facc926568a02830c484823/.github/workflows/get-merge-commit.yml#L16
It works if I just drop d3446ef
On Matrix (since there were problems with GitHub) @JohnRTitor shared this:
Unlike when you are using actions within a workflow, you call reusable workflows directly within a job, and not from within job steps.
I just found out about "Composite actions" though, which sound like a better fit now! https://docs.github.com/en/actions/sharing-automations/avoiding-duplication#key-differences-between-reusable-workflows-and-composite-actions
Looks like that works best with a separate repository though, which we could totally do by requesting it, won't be as local anymore though.
Composite actions do not need a separate repo, I use them both in-repo and out-of-repo.
In-repo example https://github.com/azuwis/nix-config/blob/dd9650cce55ca08d1304fb49e850a4ddaeb42f8d/.github/workflows/package.yml#L53
We can totally put them in the ci/ dir.
893039e to aa7ba08
d3446ef to de672df
I am not sure what I am doing wrong here. Tried my best to follow: https://github.com/storacha/add-to-web3/blob/main/action.yml
which gives an output as well.
https://github.com/JohnRTitor/nixpkgs/actions/runs/12164535023/job/33926420934?pr=2 currently does not run at all.
I think it would be better to have this as a separate workflow, in a separate repo.
Or we can just revert to the previous solution.
@JohnRTitor I believe the error is accurate, the repo needs to be checked out before a local workflow can be used. So this part can't be reused and needs to be duplicated:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        path: base
        sparse-checkout: ci
Discussed on Matrix. Main points:
- This then also requires `rm -rf base` again, kind of annoying
- @JohnRTitor had the idea of turning eval and Nixpkgs-vet to a reusable workflow and call it from a bigger/main workflow, to explore in the future
- For now we can just use reusable workflows, it's not too much extra noise and we can always change it
Sending this for review, but looks like GitHub is having some issues with CI.
de672df to aa7ba08
Security concern: There's no permissions specified here, so this might use a default token with a lot of permissions and not the one from the parent workflow with little permissions. Should definitely specify permissions here to limit it to only what's necessary (which requires figuring out which one this uses). See also https://docs.github.com/en/actions/sharing-automations/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow
Decided to go with:
# We need a token to query the API, but it doesn't need any special permissions
permissions: {}
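The outcome of the two review threads above, as an added sketch that is not the PR's own files: a reusable workflow called from a job (not from a step) that declares `permissions: {}` and exposes the merge commit as an output. The job names, the `Vet` caller, the `pull_request` trigger and the `gh api` call standing in for `get-merge-commit.sh` are assumptions.

```yaml
# Added example. File 1: reusable workflow (hypothetical contents).
name: Get merge commit
on:
  workflow_call:
    outputs:
      mergedSha:
        description: Test merge commit of the pull request
        value: ${{ jobs.resolve.outputs.mergedSha }}

# Empty map: GITHUB_TOKEN gets no scopes, whatever the repository default is.
permissions: {}

jobs:
  resolve:
    runs-on: ubuntu-latest
    outputs:
      mergedSha: ${{ steps.merged.outputs.mergedSha }}
    steps:
      - id: merged
        env:
          # Values go through env, not into the script text, to avoid injection.
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
          PR: ${{ github.event.pull_request.number }}
        run: |
          # Assumption: stand-in for get-merge-commit.sh; public API read only.
          sha=$(gh api "repos/$REPO/pulls/$PR" --jq .merge_commit_sha)
          echo "mergedSha=$sha" >> "$GITHUB_OUTPUT"
---
# File 2: caller (hypothetical). A reusable workflow is referenced from a job,
# never from a step, and shows up as its own entry in the list of checks.
name: Vet
on: pull_request
permissions: {}
jobs:
  get-merge-commit:
    uses: ./.github/workflows/get-merge-commit.yml
  check:
    needs: get-merge-commit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
```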
ci/README.md
Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com>
aa7ba08 to 52acf63
Git push to origin failed for release-24.11 with exitcode 1
Follow-up: #364338
Since we are preferring to use get-merge-commit.sh to resolve the merge commit, let's make it a reusable workflow so we can use it in other actions (i.e., in #361447)
Tested at JohnRTitor#2