workflows: run build & check in the merge queue; never push to cachix in PRs (#460726)

2025-11-12 14:08:49 +00:00
parent 9bb5d0bc47 3bc31e0474
commit ab49ff2169
7 changed files with 103 additions and 58 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,9 +12,14 @@ on:
      mergedSha:
        required: true
        type: string
-    secrets:
-      CACHIX_AUTH_TOKEN:
+      targetSha:
        required: true
+        type: string
+    secrets:
+      # Should only be provided in the merge queue, not in pull requests,
+      # where we're evaluating untrusted code.
+      CACHIX_AUTH_TOKEN_GHA:
+        required: false

 permissions: {}

@@ -55,6 +60,7 @@ jobs:
        uses: ./.github/actions/checkout
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}
+          target-as-trusted-at: ${{ inputs.targetSha }}

      - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31
        with:
@@ -63,13 +69,13 @@ jobs:

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
-          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
-          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
-          extraPullNames: nixpkgs-ci
-          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+          name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
+          extraPullNames: nixpkgs-gha
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
          pushFilter: '(-source$|-nixpkgs-tarball-)'

-      - run: nix-env --install -f nixpkgs/untrusted-pinned -A nix-build-uncached
+      - run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached

      - name: Build shell
        if: contains(matrix.builds, 'shell')
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -4,10 +4,10 @@ on:
  workflow_call:
    inputs:
      baseBranch:
-        required: true
+        required: false
        type: string
      headBranch:
-        required: true
+        required: false
        type: string
      mergedSha:
        required: true
@@ -16,8 +16,10 @@ on:
        required: true
        type: string
    secrets:
-      CACHIX_AUTH_TOKEN:
-        required: true
+      # Should only be provided in the merge queue, not in pull requests,
+      # where we're evaluating untrusted code.
+      CACHIX_AUTH_TOKEN_GHA:
+        required: false

 permissions: {}

@@ -27,6 +29,7 @@ defaults:

 jobs:
  commits:
+    if: inputs.baseBranch && inputs.headBranch
    permissions:
      pull-requests: write
    runs-on: ubuntu-24.04-arm
@@ -86,10 +89,10 @@ jobs:

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
-          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
-          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
-          extraPullNames: nixpkgs-ci
-          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+          name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
+          extraPullNames: nixpkgs-gha
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
          pushFilter: -source$

      - name: Build codeowners validator
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@@ -19,8 +19,10 @@ on:
        default: false
        type: boolean
    secrets:
-      CACHIX_AUTH_TOKEN:
-        required: true
+      # Should only be provided in the merge queue, not in pull requests,
+      # where we're evaluating untrusted code.
+      CACHIX_AUTH_TOKEN_GHA:
+        required: false

 permissions: {}

@@ -102,10 +104,10 @@ jobs:

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
-          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
-          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
-          extraPullNames: nixpkgs-ci
-          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+          name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
+          extraPullNames: nixpkgs-gha
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
          pushFilter: '(-source|-single-chunk)$'

      - name: Evaluate the ${{ matrix.system }} output paths at the merge commit
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -10,8 +10,10 @@ on:
        required: true
        type: string
    secrets:
-      CACHIX_AUTH_TOKEN:
-        required: true
+      # Should only be provided in the merge queue, not in pull requests,
+      # where we're evaluating untrusted code.
+      CACHIX_AUTH_TOKEN_GHA:
+        required: false

 permissions: {}

@@ -72,10 +74,10 @@ jobs:

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
-          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
-          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
-          extraPullNames: nixpkgs-ci
-          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+          name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
+          extraPullNames: nixpkgs-gha
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
          pushFilter: -source$

      - name: Parse all nix files
@@ -101,10 +103,10 @@ jobs:

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
-          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
-          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
-          extraPullNames: nixpkgs-ci
-          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+          name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
+          extraPullNames: nixpkgs-gha
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
          pushFilter: -source$

      - name: Running nixpkgs-vet
--- a/.github/workflows/merge-group.yml
+++ b/.github/workflows/merge-group.yml
@@ -13,9 +13,6 @@ on:
      targetSha:
        required: true
        type: string
-    secrets:
-      CACHIX_AUTH_TOKEN:
-        required: true

 permissions: {}

@@ -23,7 +20,10 @@ jobs:
  prepare:
    runs-on: ubuntu-24.04-arm
    outputs:
-      systems: ${{ steps.systems.outputs.systems }}
+      baseBranch: ${{ steps.prepare.outputs.base }}
+      mergedSha: ${{ steps.prepare.outputs.mergedSha }}
+      targetSha: ${{ steps.prepare.outputs.targetSha }}
+      systems: ${{ steps.prepare.outputs.systems }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
@@ -31,19 +31,50 @@ jobs:
          sparse-checkout: |
            ci/supportedSystems.json

-      - name: Load supported systems
-        id: systems
-        run: |
-          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
+      - id: prepare
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          MERGED_SHA: ${{ inputs.mergedSha }}
+          TARGET_SHA: ${{ inputs.targetSha }}
+        with:
+          script: |
+            const { classify } = require('./ci/supportedBranches.js')
+            const baseBranch = (
+              context.payload.merge_group?.base_ref ??
+              context.payload.pull_request.base.ref
+            ).replace(/^refs\/heads\//, '')
+            const baseClassification = classify(baseBranch)
+            core.setOutput('base', baseClassification)
+            core.info('base classification:', baseClassification)
+
+            core.setOutput('mergedSha', context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA)
+            core.info(`mergedSha: ${context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA}`)
+            core.setOutput('targetSha', context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA)
+            core.info(`targetSha: ${context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA}`)
+            core.setOutput('systems', require('./ci/supportedSystems.json'))
+
+  check:
+    name: Check
+    needs: [prepare]
+    uses: ./.github/workflows/check.yml
+    permissions:
+      # cherry-picks; formality right now, but unused
+      pull-requests: write
+    secrets:
+      CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
+    with:
+      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+      targetSha: ${{ needs.prepare.outputs.targetSha }}

  lint:
    name: Lint
+    needs: [prepare]
    uses: ./.github/workflows/lint.yml
    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
    with:
-      mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}
-      targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }}
+      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+      targetSha: ${{ needs.prepare.outputs.targetSha }}

  eval:
    name: Eval
@@ -55,13 +86,25 @@ jobs:
      # compare
      statuses: write
    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
    with:
      artifact-prefix: ${{ inputs.artifact-prefix }}
-      mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}
-      targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }}
+      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+      targetSha: ${{ needs.prepare.outputs.targetSha }}
      systems: ${{ needs.prepare.outputs.systems }}

+  build:
+    name: Build
+    needs: [prepare]
+    uses: ./.github/workflows/build.yml
+    secrets:
+      CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
+    with:
+      artifact-prefix: ${{ inputs.artifact-prefix }}
+      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
+      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+      targetSha: ${{ needs.prepare.outputs.targetSha }}
+
  # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block the Merge Queue.
  unlock:
--- a/.github/workflows/pull-request-target.yml
+++ b/.github/workflows/pull-request-target.yml
@@ -8,8 +8,6 @@ on:
        required: true
        type: string
    secrets:
-      CACHIX_AUTH_TOKEN:
-        required: true
      NIXPKGS_CI_APP_PRIVATE_KEY:
        required: true

@@ -63,8 +61,6 @@ jobs:
    permissions:
      # cherry-picks
      pull-requests: write
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      headBranch: ${{ needs.prepare.outputs.headBranch }}
@@ -75,8 +71,6 @@ jobs:
    name: Lint
    needs: [prepare]
    uses: ./.github/workflows/lint.yml
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}
@@ -88,8 +82,6 @@ jobs:
    permissions:
      # compare
      statuses: write
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      artifact-prefix: ${{ inputs.artifact-prefix }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
@@ -113,12 +105,11 @@ jobs:
    name: Build
    needs: [prepare]
    uses: ./.github/workflows/build.yml
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      artifact-prefix: ${{ inputs.artifact-prefix }}
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+      targetSha: ${{ needs.prepare.outputs.targetSha }}

  # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block merging a PR.
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -82,9 +82,8 @@ jobs:
    uses: ./.github/workflows/merge-group.yml
    # Those are actually only used on the merge_group event, but will throw an error if not set.
    permissions:
+      pull-requests: write
      statuses: write
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      artifact-prefix: mg-
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
@@ -101,7 +100,6 @@ jobs:
      pull-requests: write
      statuses: write
    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
    with:
      artifact-prefix: pr-