diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 701ac0b80b92..01b2f4a7b1d5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,9 +12,14 @@ on:
 mergedSha:
 required: true
 type: string
- secrets:
- CACHIX_AUTH_TOKEN:
+ targetSha:
 required: true
+ type: string
+ secrets:
+ # Should only be provided in the merge queue, not in pull requests,
+ # where we're evaluating untrusted code.
+ CACHIX_AUTH_TOKEN_GHA:
+ required: false
 permissions: {}
@@ -55,6 +60,7 @@ jobs:
 uses: ./.github/actions/checkout
 with:
 merged-as-untrusted-at: ${{ inputs.mergedSha }}
+ target-as-trusted-at: ${{ inputs.targetSha }}
 - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31
 with:
@@ -63,13 +69,13 @@ jobs:
 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
 with:
- # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
- name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
- extraPullNames: nixpkgs-ci
- authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+ name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
+ extraPullNames: nixpkgs-gha
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
 pushFilter: '(-source$|-nixpkgs-tarball-)'
- - run: nix-env --install -f nixpkgs/untrusted-pinned -A nix-build-uncached
+ - run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached
 - name: Build shell
 if: contains(matrix.builds, 'shell')
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index e317903c2f8d..dfcbbd8b45c1 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -4,10 +4,10 @@ on:
 workflow_call:
 inputs:
 baseBranch:
- required: true
+ required: false
 type: string
 headBranch:
- required: true
+ required: false
 type: string
 mergedSha:
 required: true
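Review bot: The switch from `nixpkgs/untrusted-pinned` to `nixpkgs/trusted-pinned` on the `nix-env --install` line is the security-relevant part of build.yml and nothing in the hunk says why it matters: the nix-build-uncached tool, presumably used by the build steps below, is now installed from the trusted target checkout instead of from the untrusted merge commit, so a pull request can no longer decide what gets installed on the runner. A comment above that line, `# Install the build driver from the trusted target checkout, never from the untrusted merge commit.`, would keep a later cleanup from reverting it. The cachix-action step in this hunk is repeated verbatim in check.yml, eval.yml and lint.yml (twice); moving the cache name and token plumbing into one composite action under .github/actions would stop the copies from drifting. The enclosing job starts outside the hunk.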
@@ -16,8 +16,10 @@ on:
 required: true
 type: string
 secrets:
- CACHIX_AUTH_TOKEN:
- required: true
+ # Should only be provided in the merge queue, not in pull requests,
+ # where we're evaluating untrusted code.
+ CACHIX_AUTH_TOKEN_GHA:
+ required: false
 permissions: {}
@@ -27,6 +29,7 @@ defaults:
 jobs:
 commits:
+ if: inputs.baseBranch && inputs.headBranch
 permissions:
 pull-requests: write
 runs-on: ubuntu-24.04-arm
@@ -86,10 +89,10 @@ jobs:
 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
 with:
- # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
- name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
- extraPullNames: nixpkgs-ci
- authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+ name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
+ extraPullNames: nixpkgs-gha
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
 pushFilter: -source$
 - name: Build codeowners validator
diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml
index ccd58fe1e9a9..fcacd60da6a2 100644
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@@ -19,8 +19,10 @@ on:
 default: false
 type: boolean
 secrets:
- CACHIX_AUTH_TOKEN:
- required: true
+ # Should only be provided in the merge queue, not in pull requests,
+ # where we're evaluating untrusted code.
+ CACHIX_AUTH_TOKEN_GHA:
+ required: false
 permissions: {}
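Review bot: The new `if: inputs.baseBranch && inputs.headBranch` on the `commits` job relies on unset string inputs evaluating to the empty string, and nothing next to it says why the two inputs became optional in the first hunk of check.yml; a comment such as `# Only meaningful for pull requests; the merge queue calls this workflow without branch inputs.` would keep both the guard and the `required: false` declarations from being "fixed" back later. The merge-group caller in this diff visibly passes only mergedSha and targetSha, so the job is skipped there, which looks intended. The rest of the `commits` job is outside the hunk.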
@@ -102,10 +104,10 @@ jobs:
 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
 with:
- # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
- name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
- extraPullNames: nixpkgs-ci
- authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+ name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
+ extraPullNames: nixpkgs-gha
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
 pushFilter: '(-source|-single-chunk)$'
 - name: Evaluate the ${{ matrix.system }} output paths at the merge commit
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 486dac20207c..8b900a8261f2 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -10,8 +10,10 @@ on:
 required: true
 type: string
 secrets:
- CACHIX_AUTH_TOKEN:
- required: true
+ # Should only be provided in the merge queue, not in pull requests,
+ # where we're evaluating untrusted code.
+ CACHIX_AUTH_TOKEN_GHA:
+ required: false
 permissions: {}
@@ -72,10 +74,10 @@ jobs:
 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
 with:
- # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
- name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
- extraPullNames: nixpkgs-ci
- authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+ name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
+ extraPullNames: nixpkgs-gha
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
 pushFilter: -source$
 - name: Parse all nix files
@@ -101,10 +103,10 @@ jobs:
 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
 with:
- # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
- name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
- extraPullNames: nixpkgs-ci
- authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+ name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
+ extraPullNames: nixpkgs-gha
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
 pushFilter: -source$
 - name: Running nixpkgs-vet
diff --git a/.github/workflows/merge-group.yml b/.github/workflows/merge-group.yml
index fe3d8fcc27d0..d84cb3318423 100644
--- a/.github/workflows/merge-group.yml
+++ b/.github/workflows/merge-group.yml
@@ -13,9 +13,6 @@ on:
 targetSha:
 required: true
 type: string
- secrets:
- CACHIX_AUTH_TOKEN:
- required: true
 permissions: {}
@@ -23,7 +20,10 @@ jobs:
 prepare:
 runs-on: ubuntu-24.04-arm
 outputs:
- systems: ${{ steps.systems.outputs.systems }}
+ baseBranch: ${{ steps.prepare.outputs.base }}
+ mergedSha: ${{ steps.prepare.outputs.mergedSha }}
+ targetSha: ${{ steps.prepare.outputs.targetSha }}
+ systems: ${{ steps.prepare.outputs.systems }}
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
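Review bot: merge-group.yml drops the `secrets:` declaration from its `workflow_call` trigger entirely, yet the jobs added later in this diff keep passing `${{ secrets.CACHIX_AUTH_TOKEN_GHA }}` to check, lint, eval and build; when the workflow is invoked from test.yml, which now passes no secrets, that expression is presumably empty rather than a validation error, but please confirm. Declaring it the way the four called workflows now do, `secrets:` / `CACHIX_AUTH_TOKEN_GHA:` / `required: false`, makes the intent explicit and keeps the six declarations consistent. The `on:` block continues outside the hunk.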
@@ -31,19 +31,50 @@ jobs:
 sparse-checkout: |
 ci/supportedSystems.json
- - name: Load supported systems
- id: systems
- run: |
- echo "systems=$(jq -c > "$GITHUB_OUTPUT"
+ - id: prepare
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ env:
+ MERGED_SHA: ${{ inputs.mergedSha }}
+ TARGET_SHA: ${{ inputs.targetSha }}
+ with:
+ script: |
+ const { classify } = require('./ci/supportedBranches.js')
+ const baseBranch = (
+ context.payload.merge_group?.base_ref ??
+ context.payload.pull_request.base.ref
+ ).replace(/^refs\/heads\//, '')
+ const baseClassification = classify(baseBranch)
+ core.setOutput('base', baseClassification)
+ core.info('base classification:', baseClassification)
+
+ core.setOutput('mergedSha', context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA)
+ core.info(`mergedSha: ${context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA}`)
+ core.setOutput('targetSha', context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA)
+ core.info(`targetSha: ${context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA}`)
+ core.setOutput('systems', require('./ci/supportedSystems.json'))
+
+ check:
+ name: Check
+ needs: [prepare]
+ uses: ./.github/workflows/check.yml
+ permissions:
+ # cherry-picks; formality right now, but unused
+ pull-requests: write
+ secrets:
+ CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
+ with:
+ mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+ targetSha: ${{ needs.prepare.outputs.targetSha }}
 lint:
 name: Lint
+ needs: [prepare]
 uses: ./.github/workflows/lint.yml
 secrets:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
 with:
- mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}
- targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }}
+ mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+ targetSha: ${{ needs.prepare.outputs.targetSha }}
 eval:
 name: Eval
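Review bot: `core.info('base classification:', baseClassification)` in the new github-script step logs only the literal label, because core.info takes a single message string and ignores further arguments; use the same template-literal form as the mergedSha and targetSha info lines right below it. The script also `require`s ./ci/supportedBranches.js, but the sparse-checkout list visible at the top of the hunk names only ci/supportedSystems.json; unless cone mode happens to pull in the sibling files of ci/, that require fails, so list the .js file explicitly. `context.payload.pull_request.base.ref` is dereferenced without a guard, so a caller triggered by any event other than merge_group or pull_request would die with a TypeError instead of a clear message. The checkout step's `with:` block starts outside the hunk.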
@@ -55,13 +86,25 @@ jobs:
 # compare
 statuses: write
 secrets:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
 with:
 artifact-prefix: ${{ inputs.artifact-prefix }}
- mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}
- targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }}
+ mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+ targetSha: ${{ needs.prepare.outputs.targetSha }}
 systems: ${{ needs.prepare.outputs.systems }}
+ build:
+ name: Build
+ needs: [prepare]
+ uses: ./.github/workflows/build.yml
+ secrets:
+ CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
+ with:
+ artifact-prefix: ${{ inputs.artifact-prefix }}
+ baseBranch: ${{ needs.prepare.outputs.baseBranch }}
+ mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+ targetSha: ${{ needs.prepare.outputs.targetSha }}
+
 # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
 # It "needs" all the jobs that should block the Merge Queue.
 unlock:
diff --git a/.github/workflows/pull-request-target.yml b/.github/workflows/pull-request-target.yml
index f74ce93de354..1f6424cbc527 100644
--- a/.github/workflows/pull-request-target.yml
+++ b/.github/workflows/pull-request-target.yml
@@ -8,8 +8,6 @@ on:
 required: true
 type: string
 secrets:
- CACHIX_AUTH_TOKEN:
- required: true
 NIXPKGS_CI_APP_PRIVATE_KEY:
 required: true
@@ -63,8 +61,6 @@ jobs:
 permissions:
 # cherry-picks
 pull-requests: write
- secrets:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 with:
 baseBranch: ${{ needs.prepare.outputs.baseBranch }}
 headBranch: ${{ needs.prepare.outputs.headBranch }}
@@ -75,8 +71,6 @@ jobs:
 name: Lint
 needs: [prepare]
 uses: ./.github/workflows/lint.yml
- secrets:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 with:
 mergedSha: ${{ needs.prepare.outputs.mergedSha }}
 targetSha: ${{ needs.prepare.outputs.targetSha }}
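Review bot: The new `build` job (and the `check` job added in the previous hunk) is wired into merge-group.yml, but the `unlock` job whose comment says it "needs" every job that should block the Merge Queue has its `needs:` list outside the hunk; unless that list now includes `check` and `build`, a failing build in the merge queue would not block the merge even though the ruleset targets `unlock`. Please confirm both jobs are listed there, since that is the only thing that makes the new jobs gating rather than advisory. The `eval` job's header is also outside the hunk.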
@@ -88,8 +82,6 @@ jobs:
 permissions:
 # compare
 statuses: write
- secrets:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 with:
 artifact-prefix: ${{ inputs.artifact-prefix }}
 mergedSha: ${{ needs.prepare.outputs.mergedSha }}
@@ -113,12 +105,11 @@ jobs:
 name: Build
 needs: [prepare]
 uses: ./.github/workflows/build.yml
- secrets:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 with:
 artifact-prefix: ${{ inputs.artifact-prefix }}
 baseBranch: ${{ needs.prepare.outputs.baseBranch }}
 mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+ targetSha: ${{ needs.prepare.outputs.targetSha }}
 # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
 # It "needs" all the jobs that should block merging a PR.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 727a9f965845..cb8956ae71dc 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -82,9 +82,8 @@ jobs:
 uses: ./.github/workflows/merge-group.yml
 # Those are actually only used on the merge_group event, but will throw an error if not set.
 permissions:
+ pull-requests: write
 statuses: write
- secrets:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 with:
 artifact-prefix: mg-
 mergedSha: ${{ needs.prepare.outputs.mergedSha }}
@@ -101,7 +100,6 @@ jobs:
 pull-requests: write
 statuses: write
 secrets:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
 with:
 artifact-prefix: pr-