diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index bbeb72a701ef4..36db5d7cf0aca 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -8,26 +8,31 @@ on:
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.
-permissions:
-  contents: read
+permissions: {}
 jobs:
   backport:
-    permissions:
-      contents: write # for korthout/backport-action to create branch
-      pull-requests: write # for korthout/backport-action to create PR to backport
     name: Backport Pull Request
     if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
     runs-on: ubuntu-latest
     steps:
+      # Use a GitHub App to create the PR so that CI gets triggered
+      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
+      - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        id: app-token
+        with:
+          app-id: ${{ vars.BACKPORT_APP_ID }}
+          private-key: ${{ secrets.BACKPORT_PRIVATE_KEY }}
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          token: ${{ steps.app-token.outputs.token }}
       - name: Create backport PRs
         uses: korthout/backport-action@bd410d37cdcae80be6d969823ff5a225fe5c833f # v3.0.2
         with:
           # Config README: https://github.com/korthout/backport-action#backport-action
           copy_labels_pattern: 'severity:\ssecurity'
+          github_token: ${{ steps.app-token.outputs.token }}
           pull_description: |-
             Bot-based backport to `${target_branch}`, triggered by a label in #${pull_number}.
diff --git a/.github/workflows/check-nix-format.yml b/.github/workflows/check-nix-format.yml
index 16574d28cc73f..81bc083b3c649 100644
--- a/.github/workflows/check-nix-format.yml
+++ b/.github/workflows/check-nix-format.yml
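Review bot: The job-level `if:` that this hunk keeps as context has the `startsWith` arguments the wrong way round: `startsWith('backport', github.event.label.name)` is true only when the label name is a prefix of the literal `backport`, so a `labeled` event for a longer label (a constructed example: `backport 24.11`) would not pass the gate; the commit does not touch this line, and the intended form appears to be `startsWith(github.event.label.name, 'backport')`. On the new lines, the App token is handed to `actions/checkout`, which persists it in the checkout's git config by default; if that is what lets `korthout/backport-action` push the backport branches, the comment above the token step should say so, e.g. `# The same token is persisted by the checkout step so backport-action can push branches`. If the action instead pushes using `github_token` alone, `persist-credentials: false` on the checkout step would keep the write-capable token out of the workspace.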
@@ -85,6 +85,7 @@ jobs:
           echo "Some new/changed Nix files are not properly formatted"
           echo "Please go to the Nixpkgs root directory, run \`nix-shell\`, then:"
           echo "nixfmt ${unformattedFiles[*]@Q}"
+          echo "Make sure your branch is up to date with master, rebase if not."
           echo "If you're having trouble, please ping @NixOS/nix-formatting"
           exit 1
         fi
diff --git a/.github/workflows/eval-lib-tests.yml b/.github/workflows/eval-lib-tests.yml
new file mode 100644
index 0000000000000..3ca5707e09b4c
--- /dev/null
+++ b/.github/workflows/eval-lib-tests.yml
@@ -0,0 +1,30 @@
+name: "Building Nixpkgs lib-tests"
+
+permissions:
+  contents: read
+
+on:
+  pull_request_target:
+    paths:
+      - 'lib/**'
+jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  nixpkgs-lib-tests:
+    name: nixpkgs-lib-tests
+    runs-on: ubuntu-latest
+    needs: get-merge-commit
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        if: needs.get-merge-commit.outputs.mergedSha
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+      - name: Building Nixpkgs lib-tests
+        run: |
+          nix-build --arg pkgs "(import ./ci/. {}).pkgs" ./lib/tests/release.nix
diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml
index 3a061961a0cdf..43d336441308a 100644
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
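Review bot: In the new `eval-lib-tests.yml`, only the checkout step carries `if: needs.get-merge-commit.outputs.mergedSha`; the install-nix step and the `nix-build` step run unconditionally, so when no merge commit is resolved the job fails on a missing `./lib/tests/release.nix` instead of being skipped quietly, which is the convention eval.yml describes with `# Add this to _all_ subsequent steps to skip them`. Add `if: needs.get-merge-commit.outputs.mergedSha` to both remaining steps, or move the guard to the job level. The checkout under `pull_request_target` is followed by evaluation of PR-controlled Nix code, and nothing after the checkout appears to need git credentials, so `persist-credentials: false` on that step keeps the token out of the workspace that the PR's code can read.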
@@ -16,53 +16,29 @@ permissions:
   contents: read
 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
   attrs:
     name: Attributes
     runs-on: ubuntu-latest
+    needs: get-merge-commit
     outputs:
-      mergedSha: ${{ steps.merged.outputs.mergedSha }}
+      mergedSha: ${{ needs.get-merge-commit.outputs.mergedSha }}
       baseSha: ${{ steps.baseSha.outputs.baseSha }}
       systems: ${{ steps.systems.outputs.systems }}
     steps:
-      # Important: Because of `pull_request_target`, this doesn't check out the PR,
-      # but rather the base branch of the PR, which is needed so we don't run untrusted code
-      - name: Check out the ci directory of the base branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: base
-          sparse-checkout: ci
-      - name: Check if the PR can be merged and get the test merge commit
-        id: merged
-        env:
-          GH_TOKEN: ${{ github.token }}
-          GH_EVENT: ${{ github.event_name }}
-        run: |
-          case "$GH_EVENT" in
-            push)
-              echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
-              ;;
-            pull_request_target)
-              if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
-                echo "Checking the merge commit $mergedSha"
-                echo "mergedSha=$mergedSha" >> "$GITHUB_OUTPUT"
-              else
-                # Skipping so that no notifications are sent
-                echo "Skipping the rest..."
-              fi
-              ;;
-          esac
-          rm -rf base
       - name: Check out the PR at the test merge commit
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         # Add this to _all_ subsequent steps to skip them
-        if: steps.merged.outputs.mergedSha
+        if: needs.get-merge-commit.outputs.mergedSha
         with:
-          ref: ${{ steps.merged.outputs.mergedSha }}
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
           fetch-depth: 2
           path: nixpkgs
       - name: Determine base commit
-        if: github.event_name == 'pull_request_target' && steps.merged.outputs.mergedSha
+        if: github.event_name == 'pull_request_target' && needs.get-merge-commit.outputs.mergedSha
         id: baseSha
         run: |
           baseSha=$(git -C nixpkgs rev-parse HEAD^1)
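Review bot: The new `get-merge-commit` job at the top of this hunk has no comment, while the step it replaces carried the `# Important: Because of pull_request_target, this doesn't check out the PR ...` explanation of why the merge-commit lookup must never run PR code; that rationale now lives only in a file outside this diff. Suggest above the job: `# Resolves the PR's test merge commit without checking out PR code; a local reusable workflow is taken from the same ref as this file (the base branch under pull_request_target)`. The same applies to the `get-merge-commit` job added to nixpkgs-vet.yml and to the README example. The `attrs` job's step list continues past the end of this hunk.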
@@ -70,22 +46,40 @@ jobs:
       - name: Install Nix
         uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-        if: steps.merged.outputs.mergedSha
+        if: needs.get-merge-commit.outputs.mergedSha
       - name: Evaluate the list of all attributes and get the systems matrix
         id: systems
-        if: steps.merged.outputs.mergedSha
+        if: needs.get-merge-commit.outputs.mergedSha
         run: |
           nix-build nixpkgs/ci -A eval.attrpathsSuperset
           echo "systems=$(> "$GITHUB_OUTPUT"
       - name: Upload the list of all attributes
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if: steps.merged.outputs.mergedSha
+        if: needs.get-merge-commit.outputs.mergedSha
         with:
           name: paths
           path: result/*
+  eval-aliases:
+    name: Eval nixpkgs with aliases enabled
+    runs-on: ubuntu-latest
+    needs: attrs
+    steps:
+      - name: Check out the PR at the test merge commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.attrs.outputs.mergedSha }}
+          path: nixpkgs
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+
+      - name: Query nixpkgs with aliases enabled to check for basic syntax errors
+        run: |
+          time nix-env -I ./nixpkgs -f ./nixpkgs -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null
+
   outpaths:
     name: Outpaths
     runs-on: ubuntu-latest
@@ -228,6 +222,7 @@ jobs:
     if: needs.process.outputs.baseRunId
     permissions:
       pull-requests: write
+      statuses: write
     steps:
       - name: Download process result
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
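Review bot: The new `eval-aliases` job has `needs: attrs` but no guard on `needs.attrs.outputs.mergedSha`, unlike every step of the `attrs` job directly above it; when the merge commit cannot be resolved, `attrs` completes with its steps skipped, and `eval-aliases` then runs `actions/checkout` with an empty `ref:`, which should fall back to the event's own ref (the base branch under `pull_request_target`) and evaluate that instead of the PR. Add the guard at the job level: `eval-aliases:` followed by `if: needs.attrs.outputs.mergedSha`, so an unevaluated PR does not get a green result from this job. The `statuses: write` addition in the second hunk of this file is consistent with the new commit-status step later in the diff.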
@@ -267,3 +262,23 @@ jobs:
           GH_TOKEN: ${{ github.token }}
           REPOSITORY: ${{ github.repository }}
           NUMBER: ${{ github.event.number }}
+
+      - name: Add eval summary to commit statuses
+        if: ${{ github.event_name == 'pull_request_target' }}
+        run: |
+          description=$(jq -r '
+            "Package: added " + (.attrdiff.added | length | tostring) +
+            ", removed " + (.attrdiff.removed | length | tostring) +
+            ", changed " + (.attrdiff.changed | length | tostring) +
+            ", Rebuild: linux " + (.rebuildCountByKernel.linux | tostring) +
+            ", darwin " + (.rebuildCountByKernel.darwin | tostring)
+          ' > "$GITHUB_OUTPUT"
+              ;;
+            pull_request_target)
+              if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
+                echo "Checking the merge commit $mergedSha"
+                echo "mergedSha=$mergedSha" >> "$GITHUB_OUTPUT"
+              else
+                # Skipping so that no notifications are sent
+                echo "Skipping the rest..."
+              fi
+              ;;
+          esac
+          rm -rf base
diff --git a/.github/workflows/nixpkgs-vet.yml b/.github/workflows/nixpkgs-vet.yml
index a7eb1b0eedae4..6d39efc3e26a2 100644
--- a/.github/workflows/nixpkgs-vet.yml
+++ b/.github/workflows/nixpkgs-vet.yml
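Review bot: The new step's `if:` wraps its expression in `${{ }}` while every other `if:` in this file (for example `if: needs.process.outputs.baseRunId` in the previous hunk) is written bare; write `if: github.event_name == 'pull_request_target'` for consistency. The step body after the jq program is garbled in this rendering (it trails off into a `case` fragment that belongs to the eval.yml step removed earlier in the diff), so the status-posting call itself and where `description` is read from cannot be reviewed here. Commit-status descriptions are limited to 140 characters by the API; the counts composed here are short, but a comment such as `# keep under the 140-character status description limit` would document the constraint on the jq string. The enclosing job starts before this hunk.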
@@ -19,46 +19,34 @@ permissions: {}
 # There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015
 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
   check:
     name: nixpkgs-vet
     # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases.
     runs-on: ubuntu-latest
     # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
     timeout-minutes: 10
+    needs: get-merge-commit
     steps:
-      # This checks out the base branch because of pull_request_target
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: base
-          sparse-checkout: ci
-      - name: Resolving the merge commit
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
-            echo "Checking the merge commit $mergedSha"
-            echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
-          else
-            echo "Skipping the rest..."
-          fi
-          rm -rf base
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        if: env.mergedSha
+        if: needs.get-merge-commit.outputs.mergedSha
         with:
           # pull_request_target checks out the base branch by default
-          ref: ${{ env.mergedSha }}
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
           # Fetches the merge commit and its parents
           fetch-depth: 2
       - name: Checking out base branch
-        if: env.mergedSha
+        if: needs.get-merge-commit.outputs.mergedSha
         run: |
           base=$(mktemp -d)
           git worktree add "$base" "$(git rev-parse HEAD^1)"
           echo "base=$base" >> "$GITHUB_ENV"
       - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-        if: env.mergedSha
+        if: needs.get-merge-commit.outputs.mergedSha
       - name: Fetching the pinned tool
-        if: env.mergedSha
+        if: needs.get-merge-commit.outputs.mergedSha
         # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh
         run: |
           # The pinned version of the tooling to use.
@@ -71,7 +59,7 @@ jobs:
           # Adds a result symlink as a GC root.
           nix-store --realise "$toolPath" --add-root result
       - name: Running nixpkgs-vet
-        if: env.mergedSha
+        if: needs.get-merge-commit.outputs.mergedSha
         env:
           # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
           CLICOLOR_FORCE: 1
diff --git a/ci/README.md b/ci/README.md
index 11b53c6095e6e..7aa49eb82c704 100644
--- a/ci/README.md
+++ b/ci/README.md
@@ -58,7 +58,7 @@ Exit codes:
 ### Usage
-This script can be used in GitHub Actions workflows as follows:
+This script is implemented as a reusable GitHub Actions workflow, and can be used as follows:
 ```yaml
 on: pull_request_target
@@ -67,32 +67,19 @@ on: pull_request_target
 permissions: {}
 jobs:
+  get-merge-commit:
+    # use the relative path of the get-merge-commit workflow yaml here
+    uses: ./.github/workflows/get-merge-commit.yml
+
   build:
     name: Build
     runs-on: ubuntu-latest
+    needs: get-merge-commit
     steps:
-      # Important: Because of `pull_request_target`, this doesn't check out the PR,
-      # but rather the base branch of the PR, which is needed so we don't run untrusted code
-      - uses: actions/checkout@
-        with:
-          path: base
-          sparse-checkout: ci
-      - name: Resolving the merge commit
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
-            echo "Checking the merge commit $mergedSha"
-            echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
-          else
-            # Skipping so that no notifications are sent
-            echo "Skipping the rest..."
-          fi
-          rm -rf base
       - uses: actions/checkout@
         # Add this to _all_ subsequent steps to skip them
-        if: env.mergedSha
+        if: needs.get-merge-commit.outputs.mergedSha
         with:
-          ref: ${{ env.mergedSha }}
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
       - ...
 ```