workflows: checkout pinned nixpkgs explicitly

This is slightly faster than downloading and extracting a tarball and
additionally allows a sparse checkout. No need to download docs or nixos
for our purpose.

The data is quite noisy, but suggests an improvement of anywhere between
5 and 15 seconds for each job using the pinned nixpkgs.
Wolfgang Walther
2025-08-10 14:44:39 +02:00
parent de7aa9f213
commit 8a9f0b8a47
5 changed files with 63 additions and 25 deletions


@@ -9,6 +9,9 @@ inputs:
merged-as-untrusted: merged-as-untrusted:
description: "Whether to checkout the merge commit in the ./untrusted folder." description: "Whether to checkout the merge commit in the ./untrusted folder."
type: boolean type: boolean
pinnedFrom:
description: "Whether to checkout the pinned nixpkgs for CI and from where (trusted, untrusted)."
type: string
targetSha: targetSha:
description: "The target commit SHA, previously collected." description: "The target commit SHA, previously collected."
type: string type: string
@@ -93,3 +96,26 @@ runs:
with: with:
ref: ${{ inputs.targetSha || steps.commits.outputs.targetSha }} ref: ${{ inputs.targetSha || steps.commits.outputs.targetSha }}
path: trusted path: trusted
- if: inputs.pinnedFrom
id: pinned
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
PINNED_FROM: ${{ inputs.pinnedFrom }}
with:
script: |
const path = require('node:path')
const pinned = require(path.resolve(path.join(process.env.PINNED_FROM, 'ci', 'pinned.json')))
core.setOutput('pinnedSha', pinned.pins.nixpkgs.revision)
- if: steps.pinned.outputs.pinnedSha
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
ref: ${{ steps.pinned.outputs.pinnedSha }}
path: pinned
sparse-checkout: |
lib
maintainers
nixos/lib
pkgs
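Review bot: The `pinned` step passes two unvalidated values onward: `PINNED_FROM` goes straight into `path.join(...)` and `require()`, and `pinned.pins.nixpkgs.revision` becomes the `ref` of the checkout that follows. With `pinnedFrom: untrusted` that JSON file comes from the PR merge commit, so the revision is contributor-controlled and nothing forces it to be a full commit SHA rather than a branch or tag name, which would make the "pinned" checkout mutable. I would reject anything unexpected before `core.setOutput`, for example `if (!['trusted', 'untrusted'].includes(process.env.PINNED_FROM)) throw new Error('unexpected pinnedFrom')` and `if (!/^[0-9a-f]{40}$/.test(pinned.pins.nixpkgs.revision)) throw new Error('pinned revision is not a full commit SHA')`. The `runs:` block starts outside this hunk.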


@@ -53,6 +53,7 @@ jobs:
with: with:
mergedSha: ${{ inputs.mergedSha }} mergedSha: ${{ inputs.mergedSha }}
merged-as-untrusted: true merged-as-untrusted: true
pinnedFrom: untrusted
- uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
with: with:
@@ -67,29 +68,29 @@ jobs:
- name: Build shell - name: Build shell
if: contains(matrix.builds, 'shell') if: contains(matrix.builds, 'shell')
run: nix-build untrusted/ci -A shell run: nix-build untrusted/ci --arg nixpkgs ./pinned -A shell
- name: Build NixOS manual - name: Build NixOS manual
if: | if: |
contains(matrix.builds, 'manual-nixos') && !cancelled() && contains(matrix.builds, 'manual-nixos') && !cancelled() &&
contains(fromJSON(inputs.baseBranch).type, 'primary') contains(fromJSON(inputs.baseBranch).type, 'primary')
run: nix-build untrusted/ci -A manual-nixos --argstr system ${{ matrix.system }} --out-link nixos-manual run: nix-build untrusted/ci --arg nixpkgs ./pinned -A manual-nixos --argstr system ${{ matrix.system }} --out-link nixos-manual
- name: Build Nixpkgs manual - name: Build Nixpkgs manual
if: contains(matrix.builds, 'manual-nixpkgs') && !cancelled() if: contains(matrix.builds, 'manual-nixpkgs') && !cancelled()
run: nix-build untrusted/ci -A manual-nixpkgs -A manual-nixpkgs-tests run: nix-build untrusted/ci --arg nixpkgs ./pinned -A manual-nixpkgs -A manual-nixpkgs-tests
- name: Build Nixpkgs manual tests - name: Build Nixpkgs manual tests
if: contains(matrix.builds, 'manual-nixpkgs-tests') && !cancelled() if: contains(matrix.builds, 'manual-nixpkgs-tests') && !cancelled()
run: nix-build untrusted/ci -A manual-nixpkgs-tests run: nix-build untrusted/ci --arg nixpkgs ./pinned -A manual-nixpkgs-tests
- name: Build lib tests - name: Build lib tests
if: contains(matrix.builds, 'lib-tests') && !cancelled() if: contains(matrix.builds, 'lib-tests') && !cancelled()
run: nix-build untrusted/ci -A lib-tests run: nix-build untrusted/ci --arg nixpkgs ./pinned -A lib-tests
- name: Build tarball - name: Build tarball
if: contains(matrix.builds, 'tarball') && !cancelled() if: contains(matrix.builds, 'tarball') && !cancelled()
run: nix-build untrusted/ci -A tarball run: nix-build untrusted/ci --arg nixpkgs ./pinned -A tarball
- name: Upload NixOS manual - name: Upload NixOS manual
if: | if: |
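Review bot: The rewritten "Build NixOS manual" command still expands `${{ matrix.system }}` directly inside the shell line, so the value is substituted into the script text before the shell parses it. The eval workflow on this page already passes the same value through `env:` as `MATRIX_SYSTEM: ${{ matrix.system }}` and reads it as `"$MATRIX_SYSTEM"`. Doing the same here, with `--argstr system "$MATRIX_SYSTEM"`, keeps the step safe even if the matrix is ever derived from an input. Where the matrix values come from is not visible in this hunk.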


@@ -44,11 +44,15 @@ jobs:
sudo mkswap /swap sudo mkswap /swap
sudo swapon /swap sudo swapon /swap
- name: Check out the PR at the test merge commit - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
ref: ${{ inputs.mergedSha }} sparse-checkout: .github/actions
path: untrusted - name: Check out the PR at the test merge commit
uses: ./.github/actions/get-merge-commit
with:
mergedSha: ${{ inputs.mergedSha }}
merged-as-untrusted: true
pinnedFrom: untrusted
- name: Install Nix - name: Install Nix
uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
@@ -57,7 +61,7 @@ jobs:
env: env:
MATRIX_SYSTEM: ${{ matrix.system }} MATRIX_SYSTEM: ${{ matrix.system }}
run: | run: |
nix-build untrusted/ci -A eval.singleSystem \ nix-build untrusted/ci --arg nixpkgs ./pinned -A eval.singleSystem \
--argstr evalSystem "$MATRIX_SYSTEM" \ --argstr evalSystem "$MATRIX_SYSTEM" \
--arg chunkSize 8000 \ --arg chunkSize 8000 \
--out-link merged --out-link merged
@@ -135,7 +139,7 @@ jobs:
env: env:
MATRIX_SYSTEM: ${{ matrix.system }} MATRIX_SYSTEM: ${{ matrix.system }}
run: | run: |
nix-build untrusted/ci -A eval.diff \ nix-build untrusted/ci --arg nixpkgs ./pinned -A eval.diff \
--arg beforeDir ./target \ --arg beforeDir ./target \
--arg afterDir "$(readlink ./merged)" \ --arg afterDir "$(readlink ./merged)" \
--argstr evalSystem "$MATRIX_SYSTEM" \ --argstr evalSystem "$MATRIX_SYSTEM" \
@@ -156,6 +160,16 @@ jobs:
statuses: write statuses: write
timeout-minutes: 5 timeout-minutes: 5
steps: steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
sparse-checkout: .github/actions
- name: Check out the PR at the target commit
uses: ./.github/actions/get-merge-commit
with:
targetSha: ${{ inputs.targetSha }}
target-as-trusted: true
pinnedFrom: trusted
- name: Download output paths and eval stats for all systems - name: Download output paths and eval stats for all systems
uses: actions/download-artifact@de96f4613b77ec03b5cf633e7c350c32bd3c5660 # v4.1.8 uses: actions/download-artifact@de96f4613b77ec03b5cf633e7c350c32bd3c5660 # v4.1.8
with: with:
@@ -163,18 +177,12 @@ jobs:
path: diff path: diff
merge-multiple: true merge-multiple: true
- name: Check out the PR at the target commit
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
ref: ${{ inputs.targetSha }}
path: trusted
- name: Install Nix - name: Install Nix
uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
- name: Combine all output paths and eval stats - name: Combine all output paths and eval stats
run: | run: |
nix-build trusted/ci -A eval.combine \ nix-build trusted/ci --arg nixpkgs ./pinned -A eval.combine \
--arg diffDir ./diff \ --arg diffDir ./diff \
--out-link combined --out-link combined
@@ -187,7 +195,7 @@ jobs:
| jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json
# Use the target branch to get accurate maintainer info # Use the target branch to get accurate maintainer info
nix-build trusted/ci -A eval.compare \ nix-build trusted/ci --arg nixpkgs ./pinned -A eval.compare \
--arg combinedDir "$(realpath ./combined)" \ --arg combinedDir "$(realpath ./combined)" \
--arg touchedFilesJson ./touched-files.json \ --arg touchedFilesJson ./touched-files.json \
--argstr githubAuthorId "$AUTHOR_ID" \ --argstr githubAuthorId "$AUTHOR_ID" \
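Review bot: Neither of the two added `actions/checkout` steps with `sparse-checkout: .github/actions` sets `persist-credentials: false`, so by default the job token stays in the workspace's git configuration for the rest of the job. In the eval job that workspace is then used by `nix-build untrusted/ci`, which evaluates PR-controlled Nix code, and the later job that gains the second checkout carries `statuses: write`. Adding `persist-credentials: false` under `with:` on both steps would remove that exposure, and the pinned checkout added in the composite action could take the same line. These checkouts also have no `ref:`, so which revision supplies `./.github/actions/get-merge-commit` depends on the triggering event, which is not visible here.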


@@ -29,6 +29,7 @@ jobs:
with: with:
mergedSha: ${{ inputs.mergedSha }} mergedSha: ${{ inputs.mergedSha }}
merged-as-untrusted: true merged-as-untrusted: true
pinnedFrom: untrusted
- uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
@@ -37,7 +38,7 @@ jobs:
# Note that it's fine to run this on untrusted code because: # Note that it's fine to run this on untrusted code because:
# - There's no secrets accessible here # - There's no secrets accessible here
# - The build is sandboxed # - The build is sandboxed
if ! nix-build untrusted/ci -A fmt.check; then if ! nix-build untrusted/ci --arg nixpkgs ./pinned -A fmt.check; then
echo "Some files are not properly formatted" echo "Some files are not properly formatted"
echo "Please format them by going to the Nixpkgs root directory and running one of:" echo "Please format them by going to the Nixpkgs root directory and running one of:"
echo " nix-shell --run treefmt" echo " nix-shell --run treefmt"
@@ -60,13 +61,14 @@ jobs:
with: with:
mergedSha: ${{ inputs.mergedSha }} mergedSha: ${{ inputs.mergedSha }}
merged-as-untrusted: true merged-as-untrusted: true
pinnedFrom: untrusted
- uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
- name: Parse all nix files - name: Parse all nix files
run: | run: |
# Tests multiple versions at once, let's make sure all of them run, so keep-going. # Tests multiple versions at once, let's make sure all of them run, so keep-going.
nix-build untrusted/ci -A parse --keep-going nix-build untrusted/ci --arg nixpkgs ./pinned -A parse --keep-going
nixpkgs-vet: nixpkgs-vet:
runs-on: ubuntu-24.04-arm runs-on: ubuntu-24.04-arm
@@ -80,6 +82,7 @@ jobs:
with: with:
mergedSha: ${{ inputs.mergedSha }} mergedSha: ${{ inputs.mergedSha }}
merged-as-untrusted: true merged-as-untrusted: true
pinnedFrom: untrusted
targetSha: ${{ inputs.targetSha }} targetSha: ${{ inputs.targetSha }}
target-as-trusted: true target-as-trusted: true
@@ -90,7 +93,7 @@ jobs:
# Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/ # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
CLICOLOR_FORCE: 1 CLICOLOR_FORCE: 1
run: | run: |
if nix-build untrusted/ci -A nixpkgs-vet --arg base "./trusted" --arg head "./untrusted"; then if nix-build untrusted/ci --arg nixpkgs ./pinned -A nixpkgs-vet --arg base "./trusted" --arg head "./untrusted"; then
exit 0 exit 0
else else
exitCode=$? exitCode=$?
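Review bot: The comment above the `fmt.check` build ("it's fine to run this on untrusted code because ...") no longer covers everything the step trusts: with `pinnedFrom: untrusted`, the nixpkgs revision passed as `--arg nixpkgs ./pinned` is itself read from the PR's `ci/pinned.json`. I would add a third bullet such as `# - The pinned nixpkgs revision is read from the untrusted checkout too, so it gets no more trust than the PR itself`. The same applies to the `parse` and `nixpkgs-vet` jobs further down, which also pass `pinnedFrom: untrusted`.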


@@ -121,8 +121,8 @@ rec {
# CI jobs # CI jobs
lib-tests = import ../lib/tests/release.nix { inherit pkgs; }; lib-tests = import ../lib/tests/release.nix { inherit pkgs; };
manual-nixos = (import ../nixos/release.nix { }).manual.${system} or null; manual-nixos = (import ../nixos/release.nix { }).manual.${system} or null;
manual-nixpkgs = (import ../doc { }); manual-nixpkgs = (import ../doc { inherit pkgs; });
manual-nixpkgs-tests = (import ../doc { }).tests; manual-nixpkgs-tests = (import ../doc { inherit pkgs; }).tests;
nixpkgs-vet = pkgs.callPackage ./nixpkgs-vet.nix { }; nixpkgs-vet = pkgs.callPackage ./nixpkgs-vet.nix { };
parse = pkgs.lib.recurseIntoAttrs { parse = pkgs.lib.recurseIntoAttrs {
latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; }; latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };