Merge branch 'NixOS:master' into autoraise/add-custom-compile-flags

on:

  workflow_call:

    inputs:

      artifact-prefix:

        required: true

        type: string

      baseBranch:

        required: true

        type: string

          contains(fromJSON(inputs.baseBranch).type, 'primary')

        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0

        with:

          name: nixos-manual-${{ matrix.name }}

          name: ${{ inputs.artifact-prefix }}nixos-manual-${{ matrix.name }}

          path: nixos-manual

on:

  workflow_call:

    inputs:

      artifact-prefix:

        required: true

        type: string

      mergedSha:

        required: true

        type: string

          # Note: Keep the same further down in sync!

      - name: Evaluate the ${{ matrix.system }} output paths at the target commit

        if: inputs.targetSha

        env:

          MATRIX_SYSTEM: ${{ matrix.system }}

        # This is very quick, because it pulls the eval results from Cachix.

        run: |

          nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A eval.singleSystem \

          TARGET_DRV=$(nix-instantiate nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A eval.singleSystem \

            --argstr evalSystem "$MATRIX_SYSTEM" \

            --arg chunkSize 8000 \

            --argstr nixPath "nixVersions.latest" \

            --out-link target

            --argstr nixPath "nixVersions.latest")

          # Try to fetch this from Cachix a few times, for up to 30 seconds. This avoids running Eval

          # twice in the Merge Queue, when a later item finishes Eval at the merge commit earlier.

          for _i in {1..6}; do

            # Using --max-jobs 0 will cause nix-build to fail if this can't be substituted from cachix.

            if nix-build "$TARGET_DRV" --max-jobs 0; then

              break

            fi

            sleep 5

          done

          # Either fetches from Cachix or runs Eval itself. The fallback is required

          # for pull requests into wip-branches without merge queue.

          nix-build "$TARGET_DRV" --out-link target

      - name: Compare outpaths against the target branch

        if: inputs.targetSha

        env:

          MATRIX_SYSTEM: ${{ matrix.system }}

        run: |

            --out-link diff

      - name: Upload outpaths diff and stats

        if: inputs.targetSha

        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0

        with:

          name: ${{ matrix.version && format('{0}-', matrix.version) || '' }}diff-${{ matrix.system }}

          name: ${{ inputs.artifact-prefix }}${{ matrix.version && format('{0}-', matrix.version) || '' }}diff-${{ matrix.system }}

          path: diff/*

  compare:

    runs-on: ubuntu-24.04-arm

    needs: [eval]

    if: inputs.targetSha && !cancelled() && !failure()

    if: ${{ !cancelled() && !failure() }}

    permissions:

      statuses: write

    timeout-minutes: 5

      - name: Download output paths and eval stats for all systems

        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0

        with:

          pattern: diff-*

          pattern: ${{ inputs.artifact-prefix }}diff-*

          path: diff

          merge-multiple: true

            --arg diffDir ./diff \

            --out-link combined

      - name: Upload the maintainer list

        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0

        with:

          name: ${{ inputs.artifact-prefix }}maintainers

          path: combined/maintainers.json

      - name: Compare against the target branch

        env:

          AUTHOR_ID: ${{ github.event.pull_request.user.id }}

      - name: Upload the comparison results

        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0

        with:

          name: comparison

          name: ${{ inputs.artifact-prefix }}comparison

          path: comparison/*

      - name: Add eval summary to commit statuses

      - name: Add version comparison table to job summary

        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0

        env:

          ARTIFACT_PREFIX: ${{ inputs.artifact-prefix }}

          SYSTEMS: ${{ inputs.systems }}

          VERSIONS: ${{ needs.versions.outputs.versions }}

        with:

            const { readFileSync } = require('node:fs')

            const path = require('node:path')

            const prefix = process.env.ARTIFACT_PREFIX

            const systems = JSON.parse(process.env.SYSTEMS)

            const versions = JSON.parse(process.env.VERSIONS)

                  [{ data: version }].concat(

                    systems.map((system) => {

                      try {

                        const artifact = path.join('versions', `${version}-diff-${system}`)

                        const artifact = path.join('versions', `${prefix}${version}-diff-${system}`)

                        const time = Math.round(

                          parseFloat(

                            readFileSync(

  merge_group:

  workflow_call:

    inputs:

      artifact-prefix:

        required: true

        type: string

      mergedSha:

        required: true

        type: string

    secrets:

      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

    with:

      artifact-prefix: ${{ inputs.artifact-prefix }}

      mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}

      targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }}

      systems: ${{ needs.prepare.outputs.systems }}

  # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.

on:

  pull_request_target:

  workflow_call:

    inputs:

      artifact-prefix:

        required: true

        type: string

    secrets:

      CACHIX_AUTH_TOKEN:

        required: true

    secrets:

      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

    with:

      artifact-prefix: ${{ inputs.artifact-prefix }}

      mergedSha: ${{ needs.prepare.outputs.mergedSha }}

      targetSha: ${{ needs.prepare.outputs.targetSha }}

      systems: ${{ needs.prepare.outputs.systems }}

    uses: ./.github/workflows/reviewers.yml

    secrets:

      OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}

    with:

      artifact-prefix: ${{ inputs.artifact-prefix }}

  build:

    name: Build

    secrets:

      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

    with:

      artifact-prefix: ${{ inputs.artifact-prefix }}

      baseBranch: ${{ needs.prepare.outputs.baseBranch }}

      mergedSha: ${{ needs.prepare.outputs.mergedSha }}

  pull_request_target:

    types: [ready_for_review]

  workflow_call:

    inputs:

      artifact-prefix:

        required: true

        type: string

    secrets:

      OWNER_APP_PRIVATE_KEY:

        required: true

      - name: Wait for comparison to be done

        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0

        id: eval

        env:

          ARTIFACT: ${{ inputs.artifact-prefix }}comparison

        with:

          script: |

            const run_id = (await github.rest.actions.listWorkflowRuns({

                owner: context.repo.owner,

                repo: context.repo.repo,

                run_id,

                name: 'comparison'

                name: process.env.ARTIFACT,

              })

              if (result.data.total_count > 0) return

              await new Promise(resolve => setTimeout(resolve, 5000))

        with:

          run-id: ${{ steps.eval.outputs.run-id }}

          github-token: ${{ github.token }}

          pattern: comparison

          pattern: ${{ inputs.artifact-prefix }}comparison

          path: comparison

          merge-multiple: true