workflows: run build & check in the merge queue; never push to cachix in PRs (#460726)

Wolfgang Walther
2025-11-12 14:08:49 +00:00
committed by GitHub
7 changed files with 103 additions and 58 deletions


@@ -12,9 +12,14 @@ on:
mergedSha: mergedSha:
required: true required: true
type: string type: string
secrets: targetSha:
CACHIX_AUTH_TOKEN:
required: true required: true
type: string
secrets:
# Should only be provided in the merge queue, not in pull requests,
# where we're evaluating untrusted code.
CACHIX_AUTH_TOKEN_GHA:
required: false
permissions: {} permissions: {}
@@ -55,6 +60,7 @@ jobs:
uses: ./.github/actions/checkout uses: ./.github/actions/checkout
with: with:
merged-as-untrusted-at: ${{ inputs.mergedSha }} merged-as-untrusted-at: ${{ inputs.mergedSha }}
target-as-trusted-at: ${{ inputs.targetSha }}
- uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31
with: with:
@@ -63,13 +69,13 @@ jobs:
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
with: with:
# The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
extraPullNames: nixpkgs-ci extraPullNames: nixpkgs-gha
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
pushFilter: '(-source$|-nixpkgs-tarball-)' pushFilter: '(-source$|-nixpkgs-tarball-)'
- run: nix-env --install -f nixpkgs/untrusted-pinned -A nix-build-uncached - run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached
- name: Build shell - name: Build shell
if: contains(matrix.builds, 'shell') if: contains(matrix.builds, 'shell')
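Review bot: The "merge queue only" rule for `CACHIX_AUTH_TOKEN_GHA` is enforced solely by the comment and by callers choosing not to pass the secret; with `required: false` a future caller can silently wire it back into the `pull_request` path, so gate the token on the triggering event in the cachix step itself, e.g. `authToken: ${{ github.event_name == 'merge_group' && secrets.CACHIX_AUTH_TOKEN_GHA || '' }}` (inside a reusable workflow `github.event_name` is the caller's event). That keeps a push from a job that has just checked out `mergedSha` as untrusted impossible even if the secret is passed by mistake. The change also appears to rely on cachix-action skipping the push when `authToken` is empty; that assumption is worth stating in the comment next to the secret. Installing `nix-build-uncached` from `nixpkgs/trusted-pinned` rather than the untrusted merge is the right call; the remaining build steps are outside this hunk.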


@@ -4,10 +4,10 @@ on:
workflow_call: workflow_call:
inputs: inputs:
baseBranch: baseBranch:
required: true required: false
type: string type: string
headBranch: headBranch:
required: true required: false
type: string type: string
mergedSha: mergedSha:
required: true required: true
@@ -16,8 +16,10 @@ on:
required: true required: true
type: string type: string
secrets: secrets:
CACHIX_AUTH_TOKEN: # Should only be provided in the merge queue, not in pull requests,
required: true # where we're evaluating untrusted code.
CACHIX_AUTH_TOKEN_GHA:
required: false
permissions: {} permissions: {}
@@ -27,6 +29,7 @@ defaults:
jobs: jobs:
commits: commits:
if: inputs.baseBranch && inputs.headBranch
permissions: permissions:
pull-requests: write pull-requests: write
runs-on: ubuntu-24.04-arm runs-on: ubuntu-24.04-arm
@@ -86,10 +89,10 @@ jobs:
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
with: with:
# The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
extraPullNames: nixpkgs-ci extraPullNames: nixpkgs-gha
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
pushFilter: -source$ pushFilter: -source$
- name: Build codeowners validator - name: Build codeowners validator
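Review bot: The new `if: inputs.baseBranch && inputs.headBranch` on the `commits` job relies on both now-optional inputs expanding to the empty string when the merge-queue caller omits them, and nothing documents that this is the intended way to skip the one job holding `pull-requests: write`; a comment such as `# Pull requests only: the merge queue passes no branches, so this job is skipped there.` would make the contract explicit. Since passing only one of the two inputs silently skips the job instead of failing, the input descriptions should also say that both must be set together. The rest of the `commits` job is outside this hunk.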


@@ -19,8 +19,10 @@ on:
default: false default: false
type: boolean type: boolean
secrets: secrets:
CACHIX_AUTH_TOKEN: # Should only be provided in the merge queue, not in pull requests,
required: true # where we're evaluating untrusted code.
CACHIX_AUTH_TOKEN_GHA:
required: false
permissions: {} permissions: {}
@@ -102,10 +104,10 @@ jobs:
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
with: with:
# The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
extraPullNames: nixpkgs-ci extraPullNames: nixpkgs-gha
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
pushFilter: '(-source|-single-chunk)$' pushFilter: '(-source|-single-chunk)$'
- name: Evaluate the ${{ matrix.system }} output paths at the merge commit - name: Evaluate the ${{ matrix.system }} output paths at the merge commit


@@ -10,8 +10,10 @@ on:
required: true required: true
type: string type: string
secrets: secrets:
CACHIX_AUTH_TOKEN: # Should only be provided in the merge queue, not in pull requests,
required: true # where we're evaluating untrusted code.
CACHIX_AUTH_TOKEN_GHA:
required: false
permissions: {} permissions: {}
@@ -72,10 +74,10 @@ jobs:
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
with: with:
# The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
extraPullNames: nixpkgs-ci extraPullNames: nixpkgs-gha
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
pushFilter: -source$ pushFilter: -source$
- name: Parse all nix files - name: Parse all nix files
@@ -101,10 +103,10 @@ jobs:
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
with: with:
# The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
extraPullNames: nixpkgs-ci extraPullNames: nixpkgs-gha
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
pushFilter: -source$ pushFilter: -source$
- name: Running nixpkgs-vet - name: Running nixpkgs-vet
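Review bot: The cachix-action stanza (trust comment, `name`, `extraPullNames`, `authToken`, `pushFilter`) is now duplicated verbatim in both lint jobs and again in build, check and eval, so the "never push in PRs" policy lives in six copies that must be kept in sync by hand. The repository already uses a local composite action (`./.github/actions/checkout`), so the same pattern fits here: a `./.github/actions/cachix` action taking only `pushFilter` and the token as inputs would give the policy, the cache name and any event gating a single home. The step bodies following each stanza are outside this hunk.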


@@ -13,9 +13,6 @@ on:
targetSha: targetSha:
required: true required: true
type: string type: string
secrets:
CACHIX_AUTH_TOKEN:
required: true
permissions: {} permissions: {}
@@ -23,7 +20,10 @@ jobs:
prepare: prepare:
runs-on: ubuntu-24.04-arm runs-on: ubuntu-24.04-arm
outputs: outputs:
systems: ${{ steps.systems.outputs.systems }} baseBranch: ${{ steps.prepare.outputs.base }}
mergedSha: ${{ steps.prepare.outputs.mergedSha }}
targetSha: ${{ steps.prepare.outputs.targetSha }}
systems: ${{ steps.prepare.outputs.systems }}
steps: steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
@@ -31,19 +31,50 @@ jobs:
sparse-checkout: | sparse-checkout: |
ci/supportedSystems.json ci/supportedSystems.json
- name: Load supported systems - id: prepare
id: systems uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
run: | env:
echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT" MERGED_SHA: ${{ inputs.mergedSha }}
TARGET_SHA: ${{ inputs.targetSha }}
with:
script: |
const { classify } = require('./ci/supportedBranches.js')
const baseBranch = (
context.payload.merge_group?.base_ref ??
context.payload.pull_request.base.ref
).replace(/^refs\/heads\//, '')
const baseClassification = classify(baseBranch)
core.setOutput('base', baseClassification)
core.info('base classification:', baseClassification)
core.setOutput('mergedSha', context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA)
core.info(`mergedSha: ${context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA}`)
core.setOutput('targetSha', context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA)
core.info(`targetSha: ${context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA}`)
core.setOutput('systems', require('./ci/supportedSystems.json'))
check:
name: Check
needs: [prepare]
uses: ./.github/workflows/check.yml
permissions:
# cherry-picks; formality right now, but unused
pull-requests: write
secrets:
CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with:
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
lint: lint:
name: Lint name: Lint
needs: [prepare]
uses: ./.github/workflows/lint.yml uses: ./.github/workflows/lint.yml
secrets: secrets:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with: with:
mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} targetSha: ${{ needs.prepare.outputs.targetSha }}
eval: eval:
name: Eval name: Eval
@@ -55,13 +86,25 @@ jobs:
# compare # compare
statuses: write statuses: write
secrets: secrets:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with: with:
artifact-prefix: ${{ inputs.artifact-prefix }} artifact-prefix: ${{ inputs.artifact-prefix }}
mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} targetSha: ${{ needs.prepare.outputs.targetSha }}
systems: ${{ needs.prepare.outputs.systems }} systems: ${{ needs.prepare.outputs.systems }}
build:
name: Build
needs: [prepare]
uses: ./.github/workflows/build.yml
secrets:
CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with:
artifact-prefix: ${{ inputs.artifact-prefix }}
baseBranch: ${{ needs.prepare.outputs.baseBranch }}
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
# This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
# It "needs" all the jobs that should block the Merge Queue. # It "needs" all the jobs that should block the Merge Queue.
unlock: unlock:
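Review bot: `core.info('base classification:', baseClassification)` in the new `prepare` script passes the value as a second argument, which `core.info` ignores, so the log line never shows the classification; write it like the neighbouring lines, `core.info('base classification: ' + baseClassification)`. The script also `require`s `./ci/supportedBranches.js`, but the sparse-checkout visible in this hunk lists only `ci/supportedSystems.json`; unless something outside the hunk adds it, the step fails with a module-not-found error, so `ci/supportedBranches.js` needs to be added to the sparse-checkout list. The fallback to `context.payload.pull_request.base.ref` also means this workflow now works only when triggered by `merge_group` or `pull_request`; a one-line comment on the script saying so would spare the next caller a runtime TypeError.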


@@ -8,8 +8,6 @@ on:
required: true required: true
type: string type: string
secrets: secrets:
CACHIX_AUTH_TOKEN:
required: true
NIXPKGS_CI_APP_PRIVATE_KEY: NIXPKGS_CI_APP_PRIVATE_KEY:
required: true required: true
@@ -63,8 +61,6 @@ jobs:
permissions: permissions:
# cherry-picks # cherry-picks
pull-requests: write pull-requests: write
secrets:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
with: with:
baseBranch: ${{ needs.prepare.outputs.baseBranch }} baseBranch: ${{ needs.prepare.outputs.baseBranch }}
headBranch: ${{ needs.prepare.outputs.headBranch }} headBranch: ${{ needs.prepare.outputs.headBranch }}
@@ -75,8 +71,6 @@ jobs:
name: Lint name: Lint
needs: [prepare] needs: [prepare]
uses: ./.github/workflows/lint.yml uses: ./.github/workflows/lint.yml
secrets:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
with: with:
mergedSha: ${{ needs.prepare.outputs.mergedSha }} mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }} targetSha: ${{ needs.prepare.outputs.targetSha }}
@@ -88,8 +82,6 @@ jobs:
permissions: permissions:
# compare # compare
statuses: write statuses: write
secrets:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
with: with:
artifact-prefix: ${{ inputs.artifact-prefix }} artifact-prefix: ${{ inputs.artifact-prefix }}
mergedSha: ${{ needs.prepare.outputs.mergedSha }} mergedSha: ${{ needs.prepare.outputs.mergedSha }}
@@ -113,12 +105,11 @@ jobs:
name: Build name: Build
needs: [prepare] needs: [prepare]
uses: ./.github/workflows/build.yml uses: ./.github/workflows/build.yml
secrets:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
with: with:
artifact-prefix: ${{ inputs.artifact-prefix }} artifact-prefix: ${{ inputs.artifact-prefix }}
baseBranch: ${{ needs.prepare.outputs.baseBranch }} baseBranch: ${{ needs.prepare.outputs.baseBranch }}
mergedSha: ${{ needs.prepare.outputs.mergedSha }} mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
# This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
# It "needs" all the jobs that should block merging a PR. # It "needs" all the jobs that should block merging a PR.
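Review bot: The new `targetSha` passed to build.yml is checked out there as trusted (`target-as-trusted-at`) and used to install `nix-build-uncached`, so its provenance is security-relevant, yet this `with:` block carries no hint of that; `prepare`'s derivation of the value is outside this hunk. Add a comment above the line, e.g. `# Must be the base-branch commit taken from the event payload, never a PR-supplied value: build.yml trusts it.`, so that a later refactor of `prepare` does not quietly let the untrusted side choose it. For the same reason it would help to note next to `NIXPKGS_CI_APP_PRIVATE_KEY` which job consumes it, since every job in this workflow otherwise operates on the untrusted `mergedSha`.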


@@ -82,9 +82,8 @@ jobs:
uses: ./.github/workflows/merge-group.yml uses: ./.github/workflows/merge-group.yml
# Those are actually only used on the merge_group event, but will throw an error if not set. # Those are actually only used on the merge_group event, but will throw an error if not set.
permissions: permissions:
pull-requests: write
statuses: write statuses: write
secrets:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
with: with:
artifact-prefix: mg- artifact-prefix: mg-
mergedSha: ${{ needs.prepare.outputs.mergedSha }} mergedSha: ${{ needs.prepare.outputs.mergedSha }}
@@ -101,7 +100,6 @@ jobs:
pull-requests: write pull-requests: write
statuses: write statuses: write
secrets: secrets:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
with: with:
artifact-prefix: pr- artifact-prefix: pr-
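Review bot: The call to merge-group.yml now carries `pull-requests: write`, apparently only so that the nested `check` job (which declares it "as a formality" and is skipped without PR branches) passes validation, yet the existing comment above the block still only explains `statuses: write`. Extend it, e.g. `# pull-requests: write is required solely so check.yml's commits job validates; no merge-queue job uses it.`, so the extra scope on the merge-queue path is not copied elsewhere as if it were needed. Callers of a reusable workflow only set the ceiling and each nested job declares its own permissions, so the practical exposure is limited, but an unexplained write scope is exactly what a least-privilege audit will flag. The rest of this orchestrating workflow is outside the hunk.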