Loading .github/workflows/build.yml +13 −7 Original line number Diff line number Diff line Loading @@ -12,9 +12,14 @@ on: mergedSha: required: true type: string secrets: CACHIX_AUTH_TOKEN: targetSha: required: true type: string secrets: # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading Loading @@ -55,6 +60,7 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 with: Loading @@ -63,13 +69,13 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: '(-source$|-nixpkgs-tarball-)' - run: nix-env --install -f nixpkgs/untrusted-pinned -A nix-build-uncached - run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached - name: Build shell if: contains(matrix.builds, 'shell') Loading .github/workflows/check.yml +11 −8 Original line number Diff line number Diff line Loading @@ -4,10 +4,10 @@ on: workflow_call: inputs: baseBranch: required: true required: false type: string headBranch: required: true required: false type: string mergedSha: required: true Loading 
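Review bot: The comment on the new `CACHIX_AUTH_TOKEN_GHA` declaration ("Should only be provided in the merge queue") is the only thing keeping the push token away from a run that checks out untrusted code; nothing in build.yml itself refuses the token when the calling event is a pull request, and `required: false` leaves that entirely to caller discipline. Since `github.event_name` inside a reusable workflow reflects the caller's event, the cachix-action step could enforce the policy instead of documenting it, e.g. `authToken: ${{ github.event_name == 'merge_group' && secrets.CACHIX_AUTH_TOKEN_GHA || '' }}` — this assumes cachix-action treats an empty authToken as pull-only, which is worth confirming before relying on it. The same declaration and cachix step are repeated in check.yml, eval.yml and lint.yml below and would want the same guard. Switching the `nix-build-uncached` install to `nixpkgs/trusted-pinned` looks like the right direction, since that tool is executed against the untrusted tree afterwards.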
@@ -16,8 +16,10 @@ on: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading @@ -27,6 +29,7 @@ defaults: jobs: commits: if: inputs.baseBranch && inputs.headBranch permissions: pull-requests: write runs-on: ubuntu-24.04-arm Loading Loading @@ -86,10 +89,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Build codeowners validator Loading .github/workflows/eval.yml +8 −6 Original line number Diff line number Diff line Loading @@ -19,8 +19,10 @@ on: default: false type: boolean secrets: CACHIX_AUTH_TOKEN: required: true # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading Loading 
@@ -102,10 +104,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: '(-source|-single-chunk)$' - name: Evaluate the ${{ matrix.system }} output paths at the merge commit Loading .github/workflows/lint.yml +12 −10 Original line number Diff line number Diff line Loading @@ -10,8 +10,10 @@ on: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading Loading @@ -72,10 +74,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Parse all nix files Loading 
@@ -101,10 +103,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Running nixpkgs-vet Loading .github/workflows/merge-group.yml +57 −14 Original line number Diff line number Diff line Loading @@ -13,9 +13,6 @@ on: targetSha: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true permissions: {} Loading @@ -23,7 +20,10 @@ jobs: prepare: runs-on: ubuntu-24.04-arm outputs: systems: ${{ steps.systems.outputs.systems }} baseBranch: ${{ steps.prepare.outputs.base }} mergedSha: ${{ steps.prepare.outputs.mergedSha }} targetSha: ${{ steps.prepare.outputs.targetSha }} systems: ${{ steps.prepare.outputs.systems }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: Loading 
@@ -31,19 +31,50 @@ jobs: sparse-checkout: | ci/supportedSystems.json - name: Load supported systems id: systems run: | echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT" - id: prepare uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: MERGED_SHA: ${{ inputs.mergedSha }} TARGET_SHA: ${{ inputs.targetSha }} with: script: | const { classify } = require('./ci/supportedBranches.js') const baseBranch = ( context.payload.merge_group?.base_ref ?? context.payload.pull_request.base.ref ).replace(/^refs\/heads\//, '') const baseClassification = classify(baseBranch) core.setOutput('base', baseClassification) core.info('base classification:', baseClassification) core.setOutput('mergedSha', context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA) core.info(`mergedSha: ${context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA}`) core.setOutput('targetSha', context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA) core.info(`targetSha: ${context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA}`) core.setOutput('systems', require('./ci/supportedSystems.json')) check: name: Check needs: [prepare] uses: ./.github/workflows/check.yml permissions: # cherry-picks; formality right now, but unused pull-requests: write secrets: CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} lint: name: Lint needs: [prepare] uses: ./.github/workflows/lint.yml secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} eval: name: Eval Loading 
@@ -55,13 +86,25 @@ jobs: # compare statuses: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: artifact-prefix: ${{ inputs.artifact-prefix }} mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} systems: ${{ needs.prepare.outputs.systems }} build: name: Build needs: [prepare] uses: ./.github/workflows/build.yml secrets: CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: artifact-prefix: ${{ inputs.artifact-prefix }} baseBranch: ${{ needs.prepare.outputs.baseBranch }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block the Merge Queue. unlock: Loading Loading
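Review bot: In the prepare step's script, `core.info('base classification:', baseClassification)` passes the classification as a second argument, which `core.info` ignores, so the log line will only read "base classification:"; the mergedSha and targetSha lines build a template string, and this one should do the same, or at least `core.info('base classification: ' + baseClassification)`. The same script does `require('./ci/supportedBranches.js')`, but the sparse-checkout visible at the top of that hunk lists only `ci/supportedSystems.json`; unless supportedBranches.js is listed on a line above the hunk, the require fails at runtime. Dropping the `workflow_call` secrets declaration while the jobs still reference `secrets.CACHIX_AUTH_TOKEN_GHA` reads as deliberate — a caller in pull-request context then has no way to hand the token in — but that intent is not written down; a short comment on the job-level `secrets:` blocks such as `# Only present on the direct merge_group trigger; workflow_call callers cannot pass it on purpose` would keep the next editor from re-adding the declaration. Finally, the new `build` job only blocks the queue if it was also added to the `unlock` job's `needs` list, which lies below the end of this hunk and is not visible here.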
.github/workflows/build.yml +13 −7 Original line number Diff line number Diff line Loading @@ -12,9 +12,14 @@ on: mergedSha: required: true type: string secrets: CACHIX_AUTH_TOKEN: targetSha: required: true type: string secrets: # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading Loading @@ -55,6 +60,7 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 with: Loading @@ -63,13 +69,13 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: '(-source$|-nixpkgs-tarball-)' - run: nix-env --install -f nixpkgs/untrusted-pinned -A nix-build-uncached - run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached - name: Build shell if: contains(matrix.builds, 'shell') Loading
.github/workflows/check.yml +11 −8 Original line number Diff line number Diff line Loading @@ -4,10 +4,10 @@ on: workflow_call: inputs: baseBranch: required: true required: false type: string headBranch: required: true required: false type: string mergedSha: required: true Loading @@ -16,8 +16,10 @@ on: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading @@ -27,6 +29,7 @@ defaults: jobs: commits: if: inputs.baseBranch && inputs.headBranch permissions: pull-requests: write runs-on: ubuntu-24.04-arm Loading Loading @@ -86,10 +89,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Build codeowners validator Loading
.github/workflows/eval.yml +8 −6 Original line number Diff line number Diff line Loading @@ -19,8 +19,10 @@ on: default: false type: boolean secrets: CACHIX_AUTH_TOKEN: required: true # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading Loading @@ -102,10 +104,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: '(-source|-single-chunk)$' - name: Evaluate the ${{ matrix.system }} output paths at the merge commit Loading
.github/workflows/lint.yml +12 −10 Original line number Diff line number Diff line Loading @@ -10,8 +10,10 @@ on: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading Loading @@ -72,10 +74,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Parse all nix files Loading @@ -101,10 +103,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Running nixpkgs-vet Loading
.github/workflows/merge-group.yml +57 −14 Original line number Diff line number Diff line Loading @@ -13,9 +13,6 @@ on: targetSha: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true permissions: {} Loading @@ -23,7 +20,10 @@ jobs: prepare: runs-on: ubuntu-24.04-arm outputs: systems: ${{ steps.systems.outputs.systems }} baseBranch: ${{ steps.prepare.outputs.base }} mergedSha: ${{ steps.prepare.outputs.mergedSha }} targetSha: ${{ steps.prepare.outputs.targetSha }} systems: ${{ steps.prepare.outputs.systems }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: Loading 
@@ -31,19 +31,50 @@ jobs: sparse-checkout: | ci/supportedSystems.json - name: Load supported systems id: systems run: | echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT" - id: prepare uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: MERGED_SHA: ${{ inputs.mergedSha }} TARGET_SHA: ${{ inputs.targetSha }} with: script: | const { classify } = require('./ci/supportedBranches.js') const baseBranch = ( context.payload.merge_group?.base_ref ?? context.payload.pull_request.base.ref ).replace(/^refs\/heads\//, '') const baseClassification = classify(baseBranch) core.setOutput('base', baseClassification) core.info('base classification:', baseClassification) core.setOutput('mergedSha', context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA) core.info(`mergedSha: ${context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA}`) core.setOutput('targetSha', context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA) core.info(`targetSha: ${context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA}`) core.setOutput('systems', require('./ci/supportedSystems.json')) check: name: Check needs: [prepare] uses: ./.github/workflows/check.yml permissions: # cherry-picks; formality right now, but unused pull-requests: write secrets: CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} lint: name: Lint needs: [prepare] uses: ./.github/workflows/lint.yml secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} eval: name: Eval Loading 
@@ -55,13 +86,25 @@ jobs: # compare statuses: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: artifact-prefix: ${{ inputs.artifact-prefix }} mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} systems: ${{ needs.prepare.outputs.systems }} build: name: Build needs: [prepare] uses: ./.github/workflows/build.yml secrets: CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: artifact-prefix: ${{ inputs.artifact-prefix }} baseBranch: ${{ needs.prepare.outputs.baseBranch }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block the Merge Queue. unlock: Loading