nixpkgs/.github/workflows/build.yml

name: Build

on:
  workflow_call:
    inputs:
      artifact-prefix:
        required: true
        type: string
      baseBranch:
        required: true
        type: string
      mergedSha:
        required: true
        type: string
      targetSha:
        required: true
        type: string
    secrets:
      # Should only be provided in the merge queue, not in pull requests,
      # where we're evaluating untrusted code.
      CACHIX_AUTH_TOKEN:
        required: false

permissions: {}

defaults:
  run:
    shell: bash

jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        include:
          - runner: ubuntu-24.04
            name: x86_64-linux
            systems: x86_64-linux
            builds: [shell, manual-nixos, lib-tests, tarball]
            desc: shell, docs, lib, tarball
          - runner: ubuntu-24.04-arm
            name: aarch64-linux
            systems: aarch64-linux
            builds: [shell, manual-nixos, manual-nixpkgs, manual-nixpkgs-tests]
            desc: shell, docs
          - runner: macos-14
            name: darwin
            systems: aarch64-darwin x86_64-darwin
            builds: [shell]
            desc: shell
    name: '${{ matrix.name }}: ${{ matrix.desc }}'
    runs-on: ${{ matrix.runner }}
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          sparse-checkout: .github/actions
      - name: Checkout the merge commit
        uses: ./.github/actions/checkout
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}
          target-as-trusted-at: ${{ inputs.targetSha }}

      - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31
        with:
          # Sandbox is disabled on MacOS by default.
          extra_nix_config: sandbox = true

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
          extraPullNames: nixpkgs-ci
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
          pushFilter: '(-source$|-nixpkgs-tarball-)'

      - run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached

      - name: Build shell
        if: contains(matrix.builds, 'shell')
        run: echo "${{ matrix.systems }}" | xargs -n1 nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A shell --argstr system

      - name: Build NixOS manual
        if: |
          contains(matrix.builds, 'manual-nixos') && !cancelled() &&
          contains(fromJSON(inputs.baseBranch).type, 'primary')
        run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A manual-nixos --out-link nixos-manual

      - name: Build Nixpkgs manual
        if: contains(matrix.builds, 'manual-nixpkgs') && !cancelled()
        run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A manual-nixpkgs -A manual-nixpkgs-tests

      - name: Build Nixpkgs manual tests
        if: contains(matrix.builds, 'manual-nixpkgs-tests') && !cancelled()
        run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A manual-nixpkgs-tests

      - name: Build lib tests
        if: contains(matrix.builds, 'lib-tests') && !cancelled()
        run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A lib-tests

      - name: Build tarball
        if: contains(matrix.builds, 'tarball') && !cancelled()
        run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A tarball

      - name: Upload NixOS manual
        if: |
          contains(matrix.builds, 'manual-nixos') && !cancelled() &&
          contains(fromJSON(inputs.baseBranch).type, 'primary')
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: ${{ inputs.artifact-prefix }}nixos-manual-${{ matrix.name }}
          path: nixos-manual