Loading .github/workflows/check.yml +33 −4 Original line number Diff line number Diff line Loading @@ -16,6 +16,14 @@ on: required: true type: string secrets: # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: required: false # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: required: false # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: Loading Loading @@ -45,9 +53,19 @@ jobs: - name: Install dependencies run: npm install bottleneck@2.19.5 # It's fine to reuse this app in the 'pull-request-target / prepare' job, # because that job has to run before this one. - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name != 'pull_request' && vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq - name: Check commits Loading @@ -56,6 +74,7 @@ jobs: env: TARGETS_STABLE: ${{ fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development') }} with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | const targetsStable = JSON.parse(process.env.TARGETS_STABLE) require('./trusted/ci/github-script/commits.js')({ Loading @@ -68,7 +87,7 @@ jobs: - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq manual-file-edits: Loading 
@@ -85,25 +104,35 @@ jobs: sparse-checkout: | ci/github-script - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name != 'pull_request' && vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq - name: Discourage manual edits to certain files uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | require('./trusted/ci/github-script/manual-file-edits.js')({ github, context, core, dry: context.eventName == 'pull_request', repoPath: 'trusted', }) - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq owners: Loading .github/workflows/eval.yml +14 −0 Original line number Diff line number Diff line Loading @@ -23,6 +23,10 @@ on: default: false type: boolean secrets: # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: required: false # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: Loading Loading 
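Review bot: The two app-token steps added in this file (the `commits` job here and the `manual-file-edits` job in the second hunk) gate token minting with a deny-list, `github.event_name != 'pull_request'`, whereas eval.yml gates the equivalent step with `github.event_name == 'pull_request_target'`. Because check.yml is a reusable workflow, `github.event_name` is whatever the caller ran under, so any future caller other than pull-request-target.yml would silently mint a `pull-requests: write` installation token; an allow-list keeps that credential scoped to the events that actually post reviews, e.g. `if: github.event_name == 'pull_request_target' && vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID` (add `merge_group` only if the merge queue genuinely needs the app token — I cannot tell from the hunk). The token steps are also the only unnamed steps in these jobs; a `name: Create app token for commit check` line would make the rate-limit and review steps' token source obvious in run logs.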
@@ -349,10 +353,20 @@ jobs: description, target_url }) - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name == 'pull_request_target' && vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Request changes if PR is against an inappropriate branch if: ${{ github.event_name == 'pull_request_target' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | require('./nixpkgs/trusted/ci/github-script/check-target-branch.js')({ github, Loading .github/workflows/pull-request-target.yml +22 −0 Original line number Diff line number Diff line Loading @@ -10,6 +10,12 @@ on: secrets: NIXPKGS_CI_APP_PRIVATE_KEY: required: true NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: required: false NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: required: false NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: required: false concurrency: group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }} Loading @@ -36,6 +42,17 @@ jobs: sparse-checkout-cone-mode: true # default, for clarity sparse-checkout: | ci/github-script # It's fine to reuse this app in the 'check / commits' job, # because this job has to run before that one. - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - id: prepare uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: Loading 
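Review bot: The new secret comment at line 23 justifies exposing `NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY` in pull requests with "the job it is used in does not evaluate untrusted code", but the job that consumes it (the one containing the hunk at line 349) starts outside this hunk, so neither the job name nor its other steps are visible here to confirm that claim; given that eval.yml as a whole evaluates PR-controlled Nix code, the comment should name the job so the invariant is checkable on later edits, e.g. `# Only used by the <JOB_NAME> job, which runs trusted scripts only and never evaluates PR code.` with the job name filled in. The app-token step itself has no `name:` unlike its neighbours; `name: Create app token for target-branch check` would make the fallback to `github.token` visible in the log when `vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID` is unset.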
@@ -60,6 +77,9 @@ jobs: permissions: # cherry-picks pull-requests: write secrets: NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }} with: baseBranch: ${{ needs.prepare.outputs.baseBranch }} headBranch: ${{ needs.prepare.outputs.headBranch }} Loading @@ -82,6 +102,8 @@ jobs: # compare pull-requests: write statuses: write secrets: NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} with: artifact-prefix: ${{ inputs.artifact-prefix }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} Loading ci/github-script/check-target-branch.js +3 −7 Original line number Diff line number Diff line Loading @@ -151,11 +151,9 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'COMMENT', event: 'REQUEST_CHANGES', reviewKey, }) throw new Error('This PR is against the wrong branch.') } else if (rebuildsAllTests && !isExemptKernelUpdate) { let branchText if (base === 'master' && maxRebuildCount >= 500) { Loading @@ -179,11 +177,9 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'COMMENT', event: 'REQUEST_CHANGES', reviewKey, }) throw new Error('This PR is against the wrong branch.') } else if ( maxRebuildCount >= 500 && !isExemptKernelUpdate && Loading @@ -204,7 +200,7 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'COMMENT', event: 'REQUEST_CHANGES', reviewKey, }) } else { Loading ci/github-script/manual-file-edits.js +22 −4 Original line number Diff line number Diff line Loading 
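Review bot: The `prepare` job's new app-token step runs on `if: vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID` alone, while the matching secret is declared `required: false` at line 10; a caller that sets the variable but does not pass the secret would run `create-github-app-token` with an empty `private-key`, which I would expect to fail the step rather than fall back to `github.token`, and since the `check` and `eval` calls below both depend on `needs.prepare.outputs`, that takes the whole workflow down. Since `secrets` cannot be referenced from every `if` position, the usual pattern is a job-level `env: HAS_COMMIT_CHECK_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY != '' }}` and then `if: vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID && env.HAS_COMMIT_CHECK_KEY == 'true'`. The same variable-without-secret gap exists for the token steps in check.yml and eval.yml.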
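Review bot: Removing `throw new Error('This PR is against the wrong branch.')` in the hunks at lines 151 and 177 means the wrong-base condition now surfaces only through the `REQUEST_CHANGES` review; when `dry` is true, or if `postReview` declines to post for any reason, the step succeeds with nothing in the job log, so the condition becomes invisible. Keeping a log-level signal alongside the review, e.g. `core.warning('This PR is against the wrong branch.')` after each `postReview` call, preserves the information without failing the step. The head of each `postReview(` call is outside the hunk, so I cannot tell whether these calls are awaited; if they are not, the same unhandled-promise concern as in manual-file-edits.js applies here.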
@@ -7,9 +7,13 @@ const { getCommitDetailsForPR } = require('./get-pr-commit-details') * context: import('@actions/github/lib/context').Context, * core: import('@actions/core'), * repoPath?: string, * dry: boolean, * }} CheckManualFileEditsProps */ async function checkManualFileEdits({ github, context, core, repoPath }) { async function checkManualFileEdits({ github, context, core, repoPath, dry }) { const { dismissReviews, postReview } = require('./reviews.js') const reviewKey = 'manual-file-edits' const pull_number = context.payload.pull_request?.number if (!pull_number) { core.info('This is not a pull request. Skipping checks.') Loading @@ -35,8 +39,13 @@ async function checkManualFileEdits({ github, context, core, repoPath }) { changedPaths.includes('maintainers/github-teams.json'), ) ) { core.setFailed( [ postReview({ github, context, core, dry, event: 'REQUEST_CHANGES', body: [ 'maintainers/github-teams.json is supposed to accurately reflect the state of the teams in GitHub.\n', 'Therefore, it should not be edited manually.\n', 'All changes to teams listed in maintainers/github-teams.json should be performed in GitHub by a team maintainer.\n', Loading @@ -48,7 +57,16 @@ async function checkManualFileEdits({ github, context, core, repoPath }) { (prev, curr) => prev + (!prev || prev.endsWith('\n') ? '' : ' ') + curr, '', ), ) reviewKey, }) } else { dismissReviews({ github, context, core, dry, reviewKey, }) } } Loading Loading
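Review bot: `postReview({ ... })` in the hunk at line 39 and `dismissReviews({ ... })` in the hunk at line 57 are called without `await` inside the `async` `checkManualFileEdits`; both take `github` and so presumably perform GitHub API calls, which means the function resolves before the review is posted or dismissed and any API error becomes an unhandled rejection instead of a failed step. Changing them to `await postReview({` and `await dismissReviews({` keeps the step's success tied to the review actually being written. Replacing `core.setFailed(...)` with a review also means the step now passes when maintainers/github-teams.json is hand-edited; if that is intended, a one-line comment above `postReview` saying the review, not the check status, is the blocking signal would spare the next reader from re-adding the failure.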
.github/workflows/check.yml +33 −4 Original line number Diff line number Diff line Loading @@ -16,6 +16,14 @@ on: required: true type: string secrets: # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: required: false # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: required: false # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: Loading Loading @@ -45,9 +53,19 @@ jobs: - name: Install dependencies run: npm install bottleneck@2.19.5 # It's fine to reuse this app in the 'pull-request-target / prepare' job, # because that job has to run before this one. - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name != 'pull_request' && vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq - name: Check commits Loading @@ -56,6 +74,7 @@ jobs: env: TARGETS_STABLE: ${{ fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development') }} with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | const targetsStable = JSON.parse(process.env.TARGETS_STABLE) require('./trusted/ci/github-script/commits.js')({ Loading @@ -68,7 +87,7 @@ jobs: - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq manual-file-edits: Loading 
@@ -85,25 +104,35 @@ jobs: sparse-checkout: | ci/github-script - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name != 'pull_request' && vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq - name: Discourage manual edits to certain files uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | require('./trusted/ci/github-script/manual-file-edits.js')({ github, context, core, dry: context.eventName == 'pull_request', repoPath: 'trusted', }) - name: Log current API rate limits env: GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq owners: Loading
.github/workflows/eval.yml +14 −0 Original line number Diff line number Diff line Loading @@ -23,6 +23,10 @@ on: default: false type: boolean secrets: # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: required: false # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: Loading Loading @@ -349,10 +353,20 @@ jobs: description, target_url }) - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name == 'pull_request_target' && vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Request changes if PR is against an inappropriate branch if: ${{ github.event_name == 'pull_request_target' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | require('./nixpkgs/trusted/ci/github-script/check-target-branch.js')({ github, Loading
.github/workflows/pull-request-target.yml +22 −0 Original line number Diff line number Diff line Loading @@ -10,6 +10,12 @@ on: secrets: NIXPKGS_CI_APP_PRIVATE_KEY: required: true NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: required: false NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: required: false NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: required: false concurrency: group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }} Loading @@ -36,6 +42,17 @@ jobs: sparse-checkout-cone-mode: true # default, for clarity sparse-checkout: | ci/github-script # It's fine to reuse this app in the 'check / commits' job, # because this job has to run before that one. - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - id: prepare uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: Loading @@ -60,6 +77,9 @@ jobs: permissions: # cherry-picks pull-requests: write secrets: NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }} with: baseBranch: ${{ needs.prepare.outputs.baseBranch }} headBranch: ${{ needs.prepare.outputs.headBranch }} Loading @@ -82,6 +102,8 @@ jobs: # compare pull-requests: write statuses: write secrets: NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} with: artifact-prefix: ${{ inputs.artifact-prefix }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} Loading
ci/github-script/check-target-branch.js +3 −7 Original line number Diff line number Diff line Loading @@ -151,11 +151,9 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'COMMENT', event: 'REQUEST_CHANGES', reviewKey, }) throw new Error('This PR is against the wrong branch.') } else if (rebuildsAllTests && !isExemptKernelUpdate) { let branchText if (base === 'master' && maxRebuildCount >= 500) { Loading @@ -179,11 +177,9 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'COMMENT', event: 'REQUEST_CHANGES', reviewKey, }) throw new Error('This PR is against the wrong branch.') } else if ( maxRebuildCount >= 500 && !isExemptKernelUpdate && Loading @@ -204,7 +200,7 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'COMMENT', event: 'REQUEST_CHANGES', reviewKey, }) } else { Loading
ci/github-script/manual-file-edits.js +22 −4 Original line number Diff line number Diff line Loading @@ -7,9 +7,13 @@ const { getCommitDetailsForPR } = require('./get-pr-commit-details') * context: import('@actions/github/lib/context').Context, * core: import('@actions/core'), * repoPath?: string, * dry: boolean, * }} CheckManualFileEditsProps */ async function checkManualFileEdits({ github, context, core, repoPath }) { async function checkManualFileEdits({ github, context, core, repoPath, dry }) { const { dismissReviews, postReview } = require('./reviews.js') const reviewKey = 'manual-file-edits' const pull_number = context.payload.pull_request?.number if (!pull_number) { core.info('This is not a pull request. Skipping checks.') Loading @@ -35,8 +39,13 @@ async function checkManualFileEdits({ github, context, core, repoPath }) { changedPaths.includes('maintainers/github-teams.json'), ) ) { core.setFailed( [ postReview({ github, context, core, dry, event: 'REQUEST_CHANGES', body: [ 'maintainers/github-teams.json is supposed to accurately reflect the state of the teams in GitHub.\n', 'Therefore, it should not be edited manually.\n', 'All changes to teams listed in maintainers/github-teams.json should be performed in GitHub by a team maintainer.\n', Loading @@ -48,7 +57,16 @@ async function checkManualFileEdits({ github, context, core, repoPath }) { (prev, curr) => prev + (!prev || prev.endsWith('\n') ? '' : ' ') + curr, '', ), ) reviewKey, }) } else { dismissReviews({ github, context, core, dry, reviewKey, }) } } Loading