Loading .github/workflows/check.yml +31 −4 Original line number Diff line number Diff line Loading @@ -16,6 +16,14 @@ on: required: true type: string secrets: # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: required: false # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: required: false # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: Loading Loading @@ -45,9 +53,17 @@ jobs: - name: Install dependencies run: npm install bottleneck@2.19.5 - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name != 'pull_request' && vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq - name: Check commits Loading @@ -56,6 +72,7 @@ jobs: env: TARGETS_STABLE: ${{ fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development') }} with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | const targetsStable = JSON.parse(process.env.TARGETS_STABLE) require('./trusted/ci/github-script/commits.js')({ Loading @@ -68,7 +85,7 @@ jobs: - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq manual-file-edits: Loading 
@@ -85,25 +102,35 @@ jobs: sparse-checkout: | ci/github-script - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name != 'pull_request' && vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq - name: Discourage manual edits to certain files uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | require('./trusted/ci/github-script/manual-file-edits.js')({ github, context, core, dry: context.eventName == 'pull_request', repoPath: 'trusted', }) - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq owners: Loading .github/workflows/eval.yml +16 −0 Original line number Diff line number Diff line Loading @@ -23,6 +23,10 @@ on: default: false type: boolean secrets: # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: required: false # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: Loading Loading 
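Review bot: The two new `create-github-app-token` steps (in `commits` and `manual-file-edits`) are gated on `github.event_name != 'pull_request'`, yet the comment added above the matching secrets says they "Can be provided in pull requests"; both are presumably true only because a fork's `pull_request` run receives empty secrets, and the comment should say so, otherwise a later reader may drop the gate as redundant: `# Can be provided in pull requests (where forks get an empty value anyway) because the job it is used in does not evaluate untrusted code; the token step itself is skipped on pull_request.` Separately, the minted token carries `permission-pull-requests: write` and is handed to `github-script`, which loads `./trusted/ci/github-script/commits.js`; if that module requires the `bottleneck` package installed two steps earlier, third-party code now executes with the token in scope, so `npm install --ignore-scripts bottleneck@2.19.5` (and a lockfile with integrity hashes) would be a cheap hardening. The `Check commits` step body continues outside the hunk.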
@@ -349,10 +353,22 @@ jobs: description, target_url }) - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name == 'pull_request_target' && vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write # It's fine to reuse this app in the 'pull-request-target / prepare' job, # because that job has to run before this one. - name: Request changes if PR is against an inappropriate branch if: ${{ github.event_name == 'pull_request_target' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | require('./nixpkgs/trusted/ci/github-script/check-target-branch.js')({ github, Loading .github/workflows/pull-request-target.yml +23 −0 Original line number Diff line number Diff line Loading @@ -10,6 +10,12 @@ on: secrets: NIXPKGS_CI_APP_PRIVATE_KEY: required: true NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: required: true NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: required: true NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: required: true concurrency: group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }} Loading 
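Review bot: The comment `# It's fine to reuse this app in the 'pull-request-target / prepare' job, because that job has to run before this one.` asserts that reuse is safe without naming what would make it unsafe, so the constraint cannot be re-checked when a third consumer of `NIXPKGS_BRANCH_CHECK` is added; presumably the concern is that installation tokens of one app share a rate limit (or that two concurrently live tokens would act under one reviewer identity) — state it, e.g. `# Installation tokens of one app share a rate limit; reusing the app is only safe for jobs that never run concurrently.` (confirm the real reason). More importantly, the step below now posts an authoritative REQUEST_CHANGES review with the app token: if `maxRebuildCount`/`rebuildsAllTests` consumed by `check-target-branch.js` are read from artifacts produced by evaluating the PR's own code, a malicious PR can at least choose which verdict and message is posted, so the review body must not interpolate evaluation-derived strings unescaped; those inputs are not visible in this hunk, so treat this as a point to confirm. The `Request changes` step and the `compare` job continue outside the hunk.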
@@ -36,9 +42,21 @@ jobs: sparse-checkout-cone-mode: true # default, for clarity sparse-checkout: | ci/github-script # It's fine to reuse this app in the 'eval / compare' job, # because this job has to run before that one. - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - id: prepare uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ steps.app-token.outputs.token || github.token }} retries: 10 # The default for this includes code 422, which happens regularly for us when comparing commits: # 422 - Server Error: Sorry, this diff is taking too long to generate. Loading @@ -60,6 +78,9 @@ jobs: permissions: # cherry-picks pull-requests: write secrets: NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }} with: baseBranch: ${{ needs.prepare.outputs.baseBranch }} headBranch: ${{ needs.prepare.outputs.headBranch }} Loading @@ -82,6 +103,8 @@ jobs: # compare pull-requests: write statuses: write secrets: NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} with: artifact-prefix: ${{ inputs.artifact-prefix }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} Loading .github/workflows/test.yml +3 −0 Original line number Diff line number Diff line Loading 
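Review bot: The `prepare` job's token step is gated only on `if: vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID`, whereas the equivalent steps in check.yml and eval.yml also test the event name; test.yml calls this workflow under `pull_request` (its own comment says "unused on pull_request"), where a fork run has an empty `secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY` while repository `vars` are, as far as I know, still visible, so `create-github-app-token` would run with an empty key and fail the job instead of falling back to `github.token`. Suggest `if: github.event_name == 'pull_request_target' && vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID`, matching eval.yml. The three new secrets are also declared `required: true` here but `required: false` in check.yml and eval.yml; making them optional here too keeps the test.yml path runnable in forks that have none of them configured — unless the pre-existing `NIXPKGS_CI_APP_PRIVATE_KEY: required: true` handling (outside this hunk) already establishes that every caller must supply them.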
@@ -116,5 +116,8 @@ jobs: statuses: write # unused on pull_request, required by PR workflow secrets: NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }} with: artifact-prefix: pr- ci/github-script/check-target-branch.js +3 −7 Original line number Diff line number Diff line Loading @@ -151,11 +151,9 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'COMMENT', event: 'REQUEST_CHANGES', reviewKey, }) throw new Error('This PR is against the wrong branch.') } else if (rebuildsAllTests && !isExemptKernelUpdate) { let branchText if (base === 'master' && maxRebuildCount >= 500) { Loading @@ -179,11 +177,9 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'COMMENT', event: 'REQUEST_CHANGES', reviewKey, }) throw new Error('This PR is against the wrong branch.') } else if ( maxRebuildCount >= 500 && !isExemptKernelUpdate && Loading @@ -204,7 +200,7 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'COMMENT', event: 'REQUEST_CHANGES', reviewKey, }) } else { Loading Loading
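Review bot: With `throw new Error('This PR is against the wrong branch.')` removed from both wrong-branch paths, the step now succeeds for a PR that targets the wrong branch, so the only remaining enforcement is the REQUEST_CHANGES review — which `dry` mode skips entirely, and which, when no app client id is configured, is submitted with the fallback Actions token whose reviews may not count as blocking under branch protection. At minimum surface the outcome in the run log, e.g. `core.warning('This PR is against the wrong branch.')` after each of the two `REQUEST_CHANGES` calls that lost their throw, and confirm that branch protection treats a changes-requested review from the app identity as blocking (otherwise the old failure signal should be kept as defense in depth). `checkTargetBranch` starts and ends outside the hunk.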
.github/workflows/check.yml +31 −4 Original line number Diff line number Diff line Loading @@ -16,6 +16,14 @@ on: required: true type: string secrets: # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: required: false # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: required: false # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: Loading Loading @@ -45,9 +53,17 @@ jobs: - name: Install dependencies run: npm install bottleneck@2.19.5 - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name != 'pull_request' && vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq - name: Check commits Loading @@ -56,6 +72,7 @@ jobs: env: TARGETS_STABLE: ${{ fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development') }} with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | const targetsStable = JSON.parse(process.env.TARGETS_STABLE) require('./trusted/ci/github-script/commits.js')({ Loading @@ -68,7 +85,7 @@ jobs: - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq manual-file-edits: Loading 
@@ -85,25 +102,35 @@ jobs: sparse-checkout: | ci/github-script - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name != 'pull_request' && vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq - name: Discourage manual edits to certain files uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | require('./trusted/ci/github-script/manual-file-edits.js')({ github, context, core, dry: context.eventName == 'pull_request', repoPath: 'trusted', }) - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq owners: Loading
.github/workflows/eval.yml +16 −0 Original line number Diff line number Diff line Loading @@ -23,6 +23,10 @@ on: default: false type: boolean secrets: # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: required: false # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: Loading Loading @@ -349,10 +353,22 @@ jobs: description, target_url }) - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name == 'pull_request_target' && vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write # It's fine to reuse this app in the 'pull-request-target / prepare' job, # because that job has to run before this one. - name: Request changes if PR is against an inappropriate branch if: ${{ github.event_name == 'pull_request_target' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | require('./nixpkgs/trusted/ci/github-script/check-target-branch.js')({ github, Loading
.github/workflows/pull-request-target.yml +23 −0 Original line number Diff line number Diff line Loading @@ -10,6 +10,12 @@ on: secrets: NIXPKGS_CI_APP_PRIVATE_KEY: required: true NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: required: true NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: required: true NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: required: true concurrency: group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }} Loading @@ -36,9 +42,21 @@ jobs: sparse-checkout-cone-mode: true # default, for clarity sparse-checkout: | ci/github-script # It's fine to reuse this app in the 'eval / compare' job, # because this job has to run before that one. - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - id: prepare uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ steps.app-token.outputs.token || github.token }} retries: 10 # The default for this includes code 422, which happens regularly for us when comparing commits: # 422 - Server Error: Sorry, this diff is taking too long to generate. Loading @@ -60,6 +78,9 @@ jobs: permissions: # cherry-picks pull-requests: write secrets: NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }} with: baseBranch: ${{ needs.prepare.outputs.baseBranch }} headBranch: ${{ needs.prepare.outputs.headBranch }} Loading 
@@ -82,6 +103,8 @@ jobs: # compare pull-requests: write statuses: write secrets: NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} with: artifact-prefix: ${{ inputs.artifact-prefix }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} Loading
.github/workflows/test.yml +3 −0 Original line number Diff line number Diff line Loading @@ -116,5 +116,8 @@ jobs: statuses: write # unused on pull_request, required by PR workflow secrets: NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }} with: artifact-prefix: pr-
ci/github-script/check-target-branch.js +3 −7 Original line number Diff line number Diff line Loading @@ -151,11 +151,9 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'COMMENT', event: 'REQUEST_CHANGES', reviewKey, }) throw new Error('This PR is against the wrong branch.') } else if (rebuildsAllTests && !isExemptKernelUpdate) { let branchText if (base === 'master' && maxRebuildCount >= 500) { Loading @@ -179,11 +177,9 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'COMMENT', event: 'REQUEST_CHANGES', reviewKey, }) throw new Error('This PR is against the wrong branch.') } else if ( maxRebuildCount >= 500 && !isExemptKernelUpdate && Loading @@ -204,7 +200,7 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'COMMENT', event: 'REQUEST_CHANGES', reviewKey, }) } else { Loading