Loading .github/workflows/check.yml +4 −0 Original line number Diff line number Diff line Loading @@ -12,6 +12,9 @@ on: mergedSha: required: true type: string ownersCanFail: required: true type: boolean targetSha: required: true type: string Loading Loading @@ -94,6 +97,7 @@ jobs: # handling untrusted PR input. owners: runs-on: ubuntu-24.04-arm continue-on-error: ${{ inputs.ownersCanFail }} timeout-minutes: 5 steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 Loading .github/workflows/merge-group.yml +21 −10 Original line number Diff line number Diff line Loading 
@@ -26,19 +26,30 @@ jobs: mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} # This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset. # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block the Merge Queue. # If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset. # However, if any of them fail, this job will also fail — thus blocking the branch ruleset. no-pr-failures: unlock: if: github.event_name != 'pull_request' # Modify this list to add or remove jobs from required status checks. needs: - lint # WARNING: # Do NOT change the name of this job, otherwise the rule will not catch it anymore. # This would prevent all PRs from passing the merge queue. name: no PR failures if: ${{ failure() }} runs-on: ubuntu-24.04-arm permissions: statuses: write steps: - run: exit 1 - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const { serverUrl, repo, runId, payload } = context const target_url = `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}` await github.rest.repos.createCommitStatus({ ...repo, sha: payload.merge_group.head_sha, // WARNING: // Do NOT change the name of this, otherwise the rule will not catch it anymore. // This would prevent all PRs from merging. context: 'no PR failures', state: 'success', target_url, }) .github/workflows/pr.yml +22 −14 Original line number Diff line number Diff line Loading @@ -61,6 +61,7 @@ jobs: headBranch: ${{ needs.prepare.outputs.headBranch }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} ownersCanFail: ${{ !contains(fromJSON(needs.prepare.outputs.touched), 'owners') }} lint: name: Lint Loading Loading 
@@ -119,26 +120,33 @@ jobs: baseBranch: ${{ needs.prepare.outputs.baseBranch }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} # This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset. # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block merging a PR. # If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset. # However, if any of them fail, this job will also fail — thus blocking the branch ruleset. no-pr-failures: unlock: if: github.event_name != 'pull_request' # Modify this list to add or remove jobs from required status checks. needs: - check - lint - eval - build # WARNING: # Do NOT change the name of this job, otherwise the rule will not catch it anymore. # This would prevent all PRs from merging. name: no PR failures # A single job is "cancelled" when it hits its timeout. This is not the same # as "skipped", which happens when the `if` condition doesn't apply. # The "cancelled()" function only checks the whole workflow, but not individual # jobs. if: ${{ failure() || contains(needs.*.result, 'cancelled') }} runs-on: ubuntu-24.04-arm permissions: statuses: write steps: - run: exit 1 - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const { serverUrl, repo, runId, payload } = context const target_url = `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}` await github.rest.repos.createCommitStatus({ ...repo, sha: payload.pull_request.head.sha, // WARNING: // Do NOT change the name of this, otherwise the rule will not catch it anymore. // This would prevent all PRs from merging. context: 'no PR failures', state: 'success', target_url, }) .github/workflows/test.yml +5 −2 Original line number Diff line number Diff line Loading 
@@ -76,6 +76,9 @@ jobs: name: Merge Group needs: [prepare] uses: ./.github/workflows/merge-group.yml # Those are actually only used on the merge_group event, but will throw an error if not set. permissions: statuses: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: Loading @@ -87,7 +90,7 @@ jobs: name: PR needs: [prepare] uses: ./.github/workflows/pr.yml # Those are not actually used on pull_request, but will throw an error if not set. # Those are actually only used on the pull_request_target event, but will throw an error if not set. permissions: issues: write pull-requests: write Loading @@ -102,7 +105,7 @@ jobs: name: Push needs: [prepare] uses: ./.github/workflows/push.yml # Those are not actually used on push, but will throw an error if not set. # Those are not actually used on the push or pull_request events, but will throw an error if not set. permissions: statuses: write secrets: Loading ci/github-script/prepare.js +4 −2 Original line number Diff line number Diff line Loading @@ -76,8 +76,10 @@ module.exports = async ({ github, context, core }) => { }) ).map((file) => file.filename) if (files.includes('ci/pinned.json')) core.setOutput('touched', ['pinned']) else core.setOutput('touched', []) const touched = [] if (files.includes('ci/pinned.json')) touched.push('pinned') if (files.includes('ci/OWNERS')) touched.push('owners') core.setOutput('touched', touched) return } Loading Loading
.github/workflows/check.yml +4 −0 Original line number Diff line number Diff line Loading @@ -12,6 +12,9 @@ on: mergedSha: required: true type: string ownersCanFail: required: true type: boolean targetSha: required: true type: string Loading Loading @@ -94,6 +97,7 @@ jobs: # handling untrusted PR input. owners: runs-on: ubuntu-24.04-arm continue-on-error: ${{ inputs.ownersCanFail }} timeout-minutes: 5 steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 Loading
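Review bot: The added `continue-on-error: ${{ inputs.ownersCanFail }}` on the `owners` job carries no comment saying when a failing owners check is tolerated, and the condition that decides it lives in another file. Going by pr.yml in this commit, the input is true whenever the PR does not touch `ci/OWNERS`. I would add above the line `# A failure is tolerated only when the PR leaves ci/OWNERS untouched; see ownersCanFail in pr.yml.` This job sits directly under the "handling untrusted PR input" comment, so the next reader should not have to reconstruct why its failure may be ignored. The job body continues outside the hunk.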
.github/workflows/merge-group.yml +21 −10 Original line number Diff line number Diff line Loading @@ -26,19 +26,30 @@ jobs: mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} # This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset. # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block the Merge Queue. # If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset. # However, if any of them fail, this job will also fail — thus blocking the branch ruleset. no-pr-failures: unlock: if: github.event_name != 'pull_request' # Modify this list to add or remove jobs from required status checks. needs: - lint # WARNING: # Do NOT change the name of this job, otherwise the rule will not catch it anymore. # This would prevent all PRs from passing the merge queue. name: no PR failures if: ${{ failure() }} runs-on: ubuntu-24.04-arm permissions: statuses: write steps: - run: exit 1 - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const { serverUrl, repo, runId, payload } = context const target_url = `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}` await github.rest.repos.createCommitStatus({ ...repo, sha: payload.merge_group.head_sha, // WARNING: // Do NOT change the name of this, otherwise the rule will not catch it anymore. // This would prevent all PRs from merging. context: 'no PR failures', state: 'success', target_url, })
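Review bot: The `unlock` job only ever writes `state: 'success'` for the `no PR failures` context and nothing resets it, so a success already recorded on a commit stays in place if a later run for the same SHA fails or is cancelled. The removed job was re-evaluated on every run, whereas a commit status persists on the SHA. The same applies to the `unlock` job in pr.yml, where repeated runs against one `pull_request.head.sha` seem more likely than for a merge-group head. Consider writing `state: 'pending'` for the context at the start of the run, or adding a companion job that writes `state: 'failure'` and whose `if` mirrors the removed `failure() || contains(needs.*.result, 'cancelled')` condition. Which events re-trigger these workflows is not visible in the hunk.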
.github/workflows/pr.yml +22 −14 Original line number Diff line number Diff line Loading @@ -61,6 +61,7 @@ jobs: headBranch: ${{ needs.prepare.outputs.headBranch }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} ownersCanFail: ${{ !contains(fromJSON(needs.prepare.outputs.touched), 'owners') }} lint: name: Lint Loading Loading 
@@ -119,26 +120,33 @@ jobs: baseBranch: ${{ needs.prepare.outputs.baseBranch }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} # This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset. # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block merging a PR. # If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset. # However, if any of them fail, this job will also fail — thus blocking the branch ruleset. no-pr-failures: unlock: if: github.event_name != 'pull_request' # Modify this list to add or remove jobs from required status checks. needs: - check - lint - eval - build # WARNING: # Do NOT change the name of this job, otherwise the rule will not catch it anymore. # This would prevent all PRs from merging. name: no PR failures # A single job is "cancelled" when it hits its timeout. This is not the same # as "skipped", which happens when the `if` condition doesn't apply. # The "cancelled()" function only checks the whole workflow, but not individual # jobs. if: ${{ failure() || contains(needs.*.result, 'cancelled') }} runs-on: ubuntu-24.04-arm permissions: statuses: write steps: - run: exit 1 - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const { serverUrl, repo, runId, payload } = context const target_url = `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}` await github.rest.repos.createCommitStatus({ ...repo, sha: payload.pull_request.head.sha, // WARNING: // Do NOT change the name of this, otherwise the rule will not catch it anymore. // This would prevent all PRs from merging. context: 'no PR failures', state: 'success', target_url, })
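Review bot: The guard `if: github.event_name != 'pull_request'` on `unlock` is a denylist, while the script dereferences `payload.pull_request.head.sha` and `payload.pull_request.number`, which exist only on pull-request events. An allowlist states the intent and keeps the status write away from any other trigger that reaches this reusable workflow: `if: github.event_name == 'pull_request_target'`. The `unlock` job in merge-group.yml has the same guard in front of `payload.merge_group.head_sha` and could use `github.event_name == 'merge_group'`. I am inferring the trigger names from the comments changed in test.yml, so confirm them against the `on:` blocks, which are outside the hunks.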
.github/workflows/test.yml +5 −2 Original line number Diff line number Diff line Loading @@ -76,6 +76,9 @@ jobs: name: Merge Group needs: [prepare] uses: ./.github/workflows/merge-group.yml # Those are actually only used on the merge_group event, but will throw an error if not set. permissions: statuses: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: Loading @@ -87,7 +90,7 @@ jobs: name: PR needs: [prepare] uses: ./.github/workflows/pr.yml # Those are not actually used on pull_request, but will throw an error if not set. # Those are actually only used on the pull_request_target event, but will throw an error if not set. permissions: issues: write pull-requests: write Loading @@ -102,7 +105,7 @@ jobs: name: Push needs: [prepare] uses: ./.github/workflows/push.yml # Those are not actually used on push, but will throw an error if not set. # Those are not actually used on the push or pull_request events, but will throw an error if not set. permissions: statuses: write secrets: Loading
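Review bot: With this commit `statuses: write` becomes the permission that satisfies the required check, because the gate is now a commit status named `no PR failures` rather than the result of a job, and the comments at the grants do not say so. Any job whose token carries that permission can create the context on a SHA, and the Push call in the last hunk already holds it. I would extend the comment at each grant, e.g. `# statuses: write can set the required 'no PR failures' status; only the unlock job should use it.` It is also worth checking that the branch ruleset restricts the required check to the expected source. The ruleset and the workflow-level permissions of the called files are not visible here.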
ci/github-script/prepare.js +4 −2 Original line number Diff line number Diff line Loading @@ -76,8 +76,10 @@ module.exports = async ({ github, context, core }) => { }) ).map((file) => file.filename) if (files.includes('ci/pinned.json')) core.setOutput('touched', ['pinned']) else core.setOutput('touched', []) const touched = [] if (files.includes('ci/pinned.json')) touched.push('pinned') if (files.includes('ci/OWNERS')) touched.push('owners') core.setOutput('touched', touched) return } Loading
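Review bot: The `ci/OWNERS` test looks only at `file.filename`, so a PR that renames the file away is not counted as touching it, and `ownersCanFail` in pr.yml then allows the owners check to fail. The list is built by `.map((file) => file.filename)` just above the changed lines, and for a renamed entry the old path is in `previous_filename`. Collecting both, e.g. `.flatMap((file) => [file.filename, file.previous_filename])`, would cover renames for the `ci/pinned.json` test as well. The listing call starts outside the hunk, so I cannot see whether the result can be truncated; if it can, treating a truncated list as touched fails closed.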