From ed36a1b90d222e3e49c1ea389f7858a435337de0 Mon Sep 17 00:00:00 2001 From: Arne Keller <2012gdwu+github@posteo.de> Date: Sun, 17 Nov 2024 22:27:50 +0100 Subject: [PATCH 1/8] workflows/check-nix-format: reminder to rebase (cherry picked from commit 088f1e641b8c14eb451591ce6d0ae29c3d8fd666) --- .github/workflows/check-nix-format.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/check-nix-format.yml b/.github/workflows/check-nix-format.yml index 16574d28cc73f..81bc083b3c649 100644 --- a/.github/workflows/check-nix-format.yml +++ b/.github/workflows/check-nix-format.yml @@ -85,6 +85,7 @@ jobs: echo "Some new/changed Nix files are not properly formatted" echo "Please go to the Nixpkgs root directory, run \`nix-shell\`, then:" echo "nixfmt ${unformattedFiles[*]@Q}" + echo "Make sure your branch is up to date with master, rebase if not." echo "If you're having trouble, please ping @NixOS/nix-formatting" exit 1 fi From 85ac223cdd9c0c905ae35d20c8be6a46e72c64e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Fri, 29 Nov 2024 22:37:40 +0100 Subject: [PATCH 2/8] ci/eval: test aliases Aliases do not add new packages, so basic evaluation with nix-env should be enough and fairly quick. (cherry picked from commit b47354725fb0cd2f0a2a132dce5b0e8f657e8174) --- .github/workflows/eval.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index 3a061961a0cdf..f291e288c4348 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml 
@@ -86,6 +86,24 @@ jobs: name: paths path: result/* + eval-aliases: + name: Eval nixpkgs with aliases enabled + runs-on: ubuntu-latest + needs: attrs + steps: + - name: Check out the PR at the test merge commit + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + ref: ${{ needs.attrs.outputs.mergedSha }} + path: nixpkgs + + - name: Install Nix + uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + + - name: Query nixpkgs with aliases enabled to check for basic syntax errors + run: | + time nix-env -I ./nixpkgs -f ./nixpkgs -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null + outpaths: name: Outpaths runs-on: ubuntu-latest From 881fc2f305b0f4f898c2b80a0d0623f388e37528 Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Sat, 30 Nov 2024 00:46:31 +0100 Subject: [PATCH 3/8] workflows/backport: Use GitHub App to create PRs to make GHA trigger on them (cherry picked from commit f31600fd0fc19fb3af357b140461c9afdc87af35) --- .github/workflows/backport.yml | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index bbeb72a701ef4..36db5d7cf0aca 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml 
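Review bot: The new `eval-aliases` job has no guard on `needs.attrs.outputs.mergedSha`, unlike every other step of this workflow, which carries `if: … mergedSha` (the attrs job's own comment says to add it to all subsequent steps). When the PR is not mergeable that output is empty, so `ref:` is empty and, as far as I can tell from actions/checkout's defaults, the step falls back to the triggering ref, i.e. the base branch under `pull_request_target`; the job then reports an alias check that has nothing to do with the PR. A job-level `if: needs.attrs.outputs.mergedSha` on `eval-aliases` fixes that. Since the step evaluates PR-controlled Nix code, I would also add a `timeout-minutes:` (the nixpkgs-vet workflow notes the 6-hour default is too long) so a pathological expression cannot hold a runner for hours; `--option restrict-eval true` and `allow-import-from-derivation false` on the `nix-env` line are the right controls for file and network access and should stay.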
@@ -8,26 +8,31 @@ on: # the GitHub repository. This means that it should not evaluate user input in a # way that allows code injection. -permissions: - contents: read +permissions: {} jobs: backport: - permissions: - contents: write # for korthout/backport-action to create branch - pull-requests: write # for korthout/backport-action to create PR to backport name: Backport Pull Request if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name)) runs-on: ubuntu-latest steps: + # Use a GitHub App to create the PR so that CI gets triggered + # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs + - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 + id: app-token + with: + app-id: ${{ vars.BACKPORT_APP_ID }} + private-key: ${{ secrets.BACKPORT_PRIVATE_KEY }} - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + token: ${{ steps.app-token.outputs.token }} - name: Create backport PRs uses: korthout/backport-action@bd410d37cdcae80be6d969823ff5a225fe5c833f # v3.0.2 with: # Config README: https://github.com/korthout/backport-action#backport-action copy_labels_pattern: 'severity:\ssecurity' + github_token: ${{ steps.app-token.outputs.token }} pull_description: |- Bot-based backport to `${target_branch}`, triggered by a label in #${pull_number}. From 36cd40a401b351dbbff2963c494c2a2187949ffe Mon Sep 17 00:00:00 2001 From: Zhong Jianxin Date: Wed, 4 Dec 2024 20:03:48 +0800 Subject: [PATCH 4/8] workflows/eval: add eval summary to commit statuses (cherry picked from commit 26befe6e6ec704a838fe524da6ee8711c539ddea) --- .github/workflows/eval.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index f291e288c4348..bd7b311675ed2 100644 
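Review bot: The App token from `create-github-app-token` is handed to `actions/checkout`, which by default persists it into `.git/config` (`persist-credentials` is not set), so a Contents + Pull requests write credential stays on the runner for every later step. That is presumably needed because korthout/backport-action pushes the backport branches through the checked-out repository, but it means no step that runs PR-controlled code may ever be added after the checkout; I would record that next to the existing header comment about code injection: `# The App token is persisted by the checkout below; never add steps that execute code from the PR.` The scope claimed in the new comment cannot be verified from the workflow, so noting which repositories the App is installed on would help the next auditor. Unrelated to this change but visible in the hunk, `startsWith('backport', github.event.label.name)` looks like it has its arguments reversed (GitHub's `startsWith(searchString, searchValue)` tests whether the first argument starts with the second), so a label such as `backport release-24.11` would not match on `labeled` events; `startsWith(github.event.label.name, 'backport')` is presumably what was intended.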
--- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml @@ -246,6 +246,7 @@ jobs: if: needs.process.outputs.baseRunId permissions: pull-requests: write + statuses: write steps: - name: Download process result uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 @@ -285,3 +286,23 @@ jobs: GH_TOKEN: ${{ github.token }} REPOSITORY: ${{ github.repository }} NUMBER: ${{ github.event.number }} + + - name: Add eval summary to commit statuses + if: ${{ github.event_name == 'pull_request_target' }} + run: | + description=$(jq -r ' + "Package: added " + (.attrdiff.added | length | tostring) + + ", removed " + (.attrdiff.removed | length | tostring) + + ", changed " + (.attrdiff.changed | length | tostring) + + ", Rebuild: linux " + (.rebuildCountByKernel.linux | tostring) + + ", darwin " + (.rebuildCountByKernel.darwin | tostring) + ' Date: Tue, 3 Dec 2024 22:15:15 +0530 Subject: [PATCH 5/8] ci: init get-merge-commit workflow Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com> (cherry picked from commit b5a6aeb5df0e0bbfc505c9f9a9760bd08f98acc8) --- .github/workflows/get-merge-commit.yml | 43 ++++++++++++++++++++++++++ ci/README.md | 29 +++++------------ 2 files changed, 51 insertions(+), 21 deletions(-) create mode 100644 .github/workflows/get-merge-commit.yml diff --git a/.github/workflows/get-merge-commit.yml b/.github/workflows/get-merge-commit.yml new file mode 100644 index 0000000000000..63154d73ed9d2 --- /dev/null +++ b/.github/workflows/get-merge-commit.yml 
@@ -0,0 +1,43 @@
+name: Get merge commit
+
+on:
+ workflow_call:
+ outputs:
+ mergedSha:
+ description: "The merge commit SHA"
+ value: ${{ jobs.resolve-merge-commit.outputs.mergedSha }}
+
+# We need a token to query the API, but it doesn't need any special permissions
+permissions: {}
+
+jobs:
+ resolve-merge-commit:
+ runs-on: ubuntu-latest
+ outputs:
+ mergedSha: ${{ steps.merged.outputs.mergedSha }}
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ path: base
+ sparse-checkout: ci
+ - name: Check if the PR can be merged and get the test merge commit
+ id: merged
+ env:
+ GH_TOKEN: ${{ github.token }}
+ GH_EVENT: ${{ github.event_name }}
+ run: |
+ case "$GH_EVENT" in
+ push)
+ echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+ ;;
+ pull_request_target)
+ if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
+ echo "Checking the merge commit $mergedSha"
+ echo "mergedSha=$mergedSha" >> "$GITHUB_OUTPUT"
+ else
+ # Skipping so that no notifications are sent
+ echo "Skipping the rest..."
+ fi
+ ;;
+ esac
+ rm -rf base
diff --git a/ci/README.md b/ci/README.md
index 11b53c6095e6e..7aa49eb82c704 100644
--- a/ci/README.md
+++ b/ci/README.md
@@ -58,7 +58,7 @@ Exit codes: ### Usage
-This script can be used in GitHub Actions workflows as follows:
+This script is implemented as a reusable GitHub Actions workflow, and can be used as follows: ```yaml on: pull_request_target
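Review bot: In the `run:` block, `${{ github.repository }}` and `${{ github.event.number }}` are spliced directly into the shell command while the same step already routes `github.event_name` through `env:`; neither value is attacker-controlled (a repository slug and a PR number), so there is no injection here, but the mixed style makes the safe pattern harder to copy into the next workflow. I would pass them the same way, `GH_REPO: ${{ github.repository }}` and `PR_NUMBER: ${{ github.event.number }}` under `env:`, and call `base/ci/get-merge-commit.sh "$GH_REPO" "$PR_NUMBER"`. The file header should also state the output contract that every caller depends on: when the PR cannot be merged, `mergedSha` is left empty and the job still succeeds, so callers must guard on it; today that is only explained in ci/README.md. A `timeout-minutes:` on `resolve-merge-commit` would bound the job if get-merge-commit.sh ever hangs on the API; I cannot see the script from here, so treat that as a suggestion.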
@@ -67,32 +67,19 @@ on: pull_request_target permissions: {} jobs: + get-merge-commit: + # use the relative path of the get-merge-commit workflow yaml here + uses: ./.github/workflows/get-merge-commit.yml + build: name: Build runs-on: ubuntu-latest + needs: get-merge-commit steps: - # Important: Because of `pull_request_target`, this doesn't check out the PR, - # but rather the base branch of the PR, which is needed so we don't run untrusted code - - uses: actions/checkout@ - with: - path: base - sparse-checkout: ci - - name: Resolving the merge commit - env: - GH_TOKEN: ${{ github.token }} - run: | - if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then - echo "Checking the merge commit $mergedSha" - echo "mergedSha=$mergedSha" >> "$GITHUB_ENV" - else - # Skipping so that no notifications are sent - echo "Skipping the rest..." - fi - rm -rf base - uses: actions/checkout@ # Add this to _all_ subsequent steps to skip them - if: env.mergedSha + if: needs.get-merge-commit.outputs.mergedSha with: - ref: ${{ env.mergedSha }} + ref: ${{ needs.get-merge-commit.outputs.mergedSha }} - ... ``` From d9b5d04727886b684c7c42f5c147b065f7cff8f5 Mon Sep 17 00:00:00 2001 From: John Titor <50095635+JohnRTitor@users.noreply.github.com> Date: Tue, 3 Dec 2024 22:39:54 +0530 Subject: [PATCH 6/8] ci/eval: use the get-merge-commit workflow (cherry picked from commit 5ddb63fe13c213a7cd1e0866186cbed933fbfbc1) --- .github/workflows/eval.yml | 46 +++++++++----------------------------- 1 file changed, 11 insertions(+), 35 deletions(-) diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index bd7b311675ed2..43d336441308a 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml 
@@ -16,53 +16,29 @@ permissions: contents: read jobs: + get-merge-commit: + uses: ./.github/workflows/get-merge-commit.yml + attrs: name: Attributes runs-on: ubuntu-latest + needs: get-merge-commit outputs: - mergedSha: ${{ steps.merged.outputs.mergedSha }} + mergedSha: ${{ needs.get-merge-commit.outputs.mergedSha }} baseSha: ${{ steps.baseSha.outputs.baseSha }} systems: ${{ steps.systems.outputs.systems }} steps: - # Important: Because of `pull_request_target`, this doesn't check out the PR, - # but rather the base branch of the PR, which is needed so we don't run untrusted code - - name: Check out the ci directory of the base branch - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - path: base - sparse-checkout: ci - - name: Check if the PR can be merged and get the test merge commit - id: merged - env: - GH_TOKEN: ${{ github.token }} - GH_EVENT: ${{ github.event_name }} - run: | - case "$GH_EVENT" in - push) - echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT" - ;; - pull_request_target) - if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then - echo "Checking the merge commit $mergedSha" - echo "mergedSha=$mergedSha" >> "$GITHUB_OUTPUT" - else - # Skipping so that no notifications are sent - echo "Skipping the rest..." 
- fi - ;; - esac - rm -rf base - name: Check out the PR at the test merge commit uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Add this to _all_ subsequent steps to skip them - if: steps.merged.outputs.mergedSha + if: needs.get-merge-commit.outputs.mergedSha with: - ref: ${{ steps.merged.outputs.mergedSha }} + ref: ${{ needs.get-merge-commit.outputs.mergedSha }} fetch-depth: 2 path: nixpkgs - name: Determine base commit - if: github.event_name == 'pull_request_target' && steps.merged.outputs.mergedSha + if: github.event_name == 'pull_request_target' && needs.get-merge-commit.outputs.mergedSha id: baseSha run: | baseSha=$(git -C nixpkgs rev-parse HEAD^1) @@ -70,18 +46,18 @@ jobs: - name: Install Nix uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - if: steps.merged.outputs.mergedSha + if: needs.get-merge-commit.outputs.mergedSha - name: Evaluate the list of all attributes and get the systems matrix id: systems - if: steps.merged.outputs.mergedSha + if: needs.get-merge-commit.outputs.mergedSha run: | nix-build nixpkgs/ci -A eval.attrpathsSuperset echo "systems=$(> "$GITHUB_OUTPUT" - name: Upload the list of all attributes uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 - if: steps.merged.outputs.mergedSha + if: needs.get-merge-commit.outputs.mergedSha with: name: paths path: result/* From 24c4cdd84cf8d71cca3e6e8c0eafb78c4eafec86 Mon Sep 17 00:00:00 2001 From: John Titor <50095635+JohnRTitor@users.noreply.github.com> Date: Tue, 3 Dec 2024 23:07:28 +0530 Subject: [PATCH 7/8] ci/nixpkgs-vet: use the get-merge-commit workflow (cherry picked from commit 52acf63da445e81198a77b07591d02ce62826f6c) --- .github/workflows/nixpkgs-vet.yml | 32 ++++++++++--------------------- 1 file changed, 10 insertions(+), 22 deletions(-) diff --git a/.github/workflows/nixpkgs-vet.yml b/.github/workflows/nixpkgs-vet.yml index a7eb1b0eedae4..6d39efc3e26a2 100644 --- a/.github/workflows/nixpkgs-vet.yml 
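Review bot: The removed block took with it the only comment in this file explaining why the base branch's `ci/` directory was checked out first ("so we don't run untrusted code"), and the remaining `Check out the PR at the test merge commit` step now silently becomes the point where PR-controlled code enters a `pull_request_target` job. Since the explanation moved into get-merge-commit.yml, I would keep a one-line reminder on that step: `# From here on the job runs code from the PR: no secrets, and only the read-only token declared at the top of this workflow.` The top-level `permissions: contents: read` visible at the head of the hunk is the right posture for that, and the `if: needs.get-merge-commit.outputs.mergedSha` guards are preserved on every step, so behaviour itself looks unchanged. Re-exporting `mergedSha` through the `attrs` job's outputs is a reasonable compatibility shim for existing `needs.attrs` consumers, but new jobs should read `needs.get-merge-commit.outputs.mergedSha` directly.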
+++ b/.github/workflows/nixpkgs-vet.yml 
@@ -19,46 +19,34 @@ permissions: {} # There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015 jobs: + get-merge-commit: + uses: ./.github/workflows/get-merge-commit.yml + check: name: nixpkgs-vet # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases. runs-on: ubuntu-latest # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long. timeout-minutes: 10 + needs: get-merge-commit steps: - # This checks out the base branch because of pull_request_target - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - path: base - sparse-checkout: ci - - name: Resolving the merge commit - env: - GH_TOKEN: ${{ github.token }} - run: | - if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then - echo "Checking the merge commit $mergedSha" - echo "mergedSha=$mergedSha" >> "$GITHUB_ENV" - else - echo "Skipping the rest..." 
- fi - rm -rf base - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - if: env.mergedSha + if: needs.get-merge-commit.outputs.mergedSha with: # pull_request_target checks out the base branch by default - ref: ${{ env.mergedSha }} + ref: ${{ needs.get-merge-commit.outputs.mergedSha }} # Fetches the merge commit and its parents fetch-depth: 2 - name: Checking out base branch - if: env.mergedSha + if: needs.get-merge-commit.outputs.mergedSha run: | base=$(mktemp -d) git worktree add "$base" "$(git rev-parse HEAD^1)" echo "base=$base" >> "$GITHUB_ENV" - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - if: env.mergedSha + if: needs.get-merge-commit.outputs.mergedSha - name: Fetching the pinned tool - if: env.mergedSha + if: needs.get-merge-commit.outputs.mergedSha # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh run: | # The pinned version of the tooling to use. @@ -71,7 +59,7 @@ jobs: # Adds a result symlink as a GC root. nix-store --realise "$toolPath" --add-root result - name: Running nixpkgs-vet - if: env.mergedSha + if: needs.get-merge-commit.outputs.mergedSha env: # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/ CLICOLOR_FORCE: 1 From b0631ca260186ec47508853ad9d45a07bdd670b0 Mon Sep 17 00:00:00 2001 From: John Titor <50095635+JohnRTitor@users.noreply.github.com> Date: Tue, 3 Dec 2024 18:23:59 +0530 Subject: [PATCH 8/8] ci: add Nixpkgs lib-tests workflow Ofborg also does this. Should be run on `lib/*` dirs Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com> (cherry picked from commit 6da0724cf33c0c7215920d7513fb47777d002f34) --- .github/workflows/eval-lib-tests.yml | 30 ++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/eval-lib-tests.yml 
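Review bot: With the merge-commit lookup moved into its own job, the `check` job now repeats `if: needs.get-merge-commit.outputs.mergedSha` on six steps, a list that silently goes stale when a step is added. A single job-level guard, `if: needs.get-merge-commit.outputs.mergedSha` on `check` next to `needs: get-merge-commit`, skips the whole job when the PR is not mergeable and drops all six per-step conditions; the earlier in-job design could not do this, but nothing in the new layout appears to require the step-level form. If a skipped job is undesirable here for some reason (a status-check expectation, say), a comment saying so would stop the next reader from making this simplification. The `Running nixpkgs-vet` step in the second hunk continues past the end of the hunk.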
diff --git a/.github/workflows/eval-lib-tests.yml b/.github/workflows/eval-lib-tests.yml
new file mode 100644
index 0000000000000..3ca5707e09b4c
--- /dev/null
+++ b/.github/workflows/eval-lib-tests.yml
@@ -0,0 +1,30 @@
+name: "Building Nixpkgs lib-tests"
+
+permissions:
+ contents: read
+
+on:
+ pull_request_target:
+ paths:
+ - 'lib/**'
+jobs:
+ get-merge-commit:
+ uses: ./.github/workflows/get-merge-commit.yml
+
+ nixpkgs-lib-tests:
+ name: nixpkgs-lib-tests
+ runs-on: ubuntu-latest
+ needs: get-merge-commit
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ if: needs.get-merge-commit.outputs.mergedSha
+ with:
+ # pull_request_target checks out the base branch by default
+ ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+ - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+ with:
+ # explicitly enable sandbox
+ extra_nix_config: sandbox = true
+ - name: Building Nixpkgs lib-tests
+ run: |
+ nix-build --arg pkgs "(import ./ci/. {}).pkgs" ./lib/tests/release.nix
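Review bot: Only the checkout step carries `if: needs.get-merge-commit.outputs.mergedSha`; when the PR is not mergeable the checkout is skipped but `install-nix-action` and the `nix-build` step still run, so the build fails on an empty workspace and sends exactly the failure notification the guard exists to avoid. Moving the guard to the job, `if: needs.get-merge-commit.outputs.mergedSha` on `nixpkgs-lib-tests`, fixes that in one line. Because this `pull_request_target` workflow evaluates and builds PR-controlled Nix code, it also needs a `timeout-minutes:` (nixpkgs-vet uses 10 and notes the 6-hour default is too long), and the checkout should set `persist-credentials: false`: unlike the eval workflow's `nix-env` call this job does not enable `restrict-eval`, so evaluation-time Nix can read any file in the workspace and fetch URLs, including the `.git/config` where checkout stores the workflow token by default; the token is `contents: read` only, so exposure is limited, but there is no reason to leave it there. `sandbox = true` covers builds, not evaluation, so it does not close that gap.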