Unverified Commit b3ec670a authored by nixpkgs-ci[bot]'s avatar nixpkgs-ci[bot] Committed by GitHub

Merge 1d8fe405 into haskell-updates

parents adb26eff 1d8fe405
+4 −7
# NOTE: Formatting with the RFC-style nixfmt command is not yet stable.
# See https://github.com/NixOS/rfcs/pull/166.

name: Check that Nix files are formatted
name: Check that files are formatted

on:
  pull_request_target:
@@ -14,7 +11,7 @@ jobs:
    uses: ./.github/workflows/get-merge-commit.yml

  nixos:
    name: nixfmt-check
    name: fmt-check
    runs-on: ubuntu-24.04
    needs: get-merge-commit
    if: needs.get-merge-commit.outputs.mergedSha
@@ -27,13 +24,13 @@ jobs:
        with:
          extra_nix_config: sandbox = true

      - name: Check that Nix files are formatted
      - name: Check that files are formatted
        run: |
          # Note that it's fine to run this on untrusted code because:
          # - There's no secrets accessible here
          # - The build is sandboxed
          if ! nix-build ci -A fmt.check; then
            echo "Some Nix files are not properly formatted"
            echo "Some files are not properly formatted"
            echo "Please format them by going to the Nixpkgs root directory and running one of:"
            echo "  nix-shell --run treefmt"
            echo "  nix develop --command treefmt"
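Review bot: The safety comment above `nix-build ci -A fmt.check` justifies running untrusted code only by "no secrets" and "the build is sandboxed", but `sandbox = true` constrains derivation builds, not Nix evaluation, and this job runs on `pull_request_target`. If the checkout outside this hunk is the PR merge commit, the `ci` expression being evaluated is PR-controlled, so the guarantee rests entirely on the job holding no token or secrets. I would make that explicit with a third bullet such as `# - Evaluation is not sandboxed, so this job must keep empty permissions and no persisted checkout credentials`, and confirm the `permissions:` block in the lines not shown here. The `run:` script continues past the end of the hunk.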
+0 −132
name: Check changed Nix files with nixf-tidy (experimental)

on:
  pull_request_target:
    types: [opened, synchronize, reopened, edited]

permissions: {}

jobs:
  nixos:
    name: exp-nixf-tidy-check
    runs-on: ubuntu-24.04
    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
          # Fetches the merge commit and its parents
          fetch-depth: 2

      - name: Checking out target branch
        run: |
          target=$(mktemp -d)
          targetRev=$(git rev-parse HEAD^1)
          git worktree add "$target" "$targetRev"
          echo "targetRev=$targetRev" >> "$GITHUB_ENV"
          echo "target=$target" >> "$GITHUB_ENV"

      - name: Get Nixpkgs revision for nixf
        run: |
          # pin to a commit from nixpkgs-unstable to avoid e.g. building nixf
          # from staging
          # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
          rev=$(jq -r .rev ci/pinned-nixpkgs.json)
          echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
          extra_nix_config: sandbox = true
          nix_path: nixpkgs=${{ env.url }}

      - name: Install nixf and jq
        # provided jq is incompatible with our expression
        run: "nix-env -f '<nixpkgs>' -iAP nixf jq"

      - name: Check that Nix files pass nixf-tidy
        run: |
          # Filtering error messages we don't like
          nixf_wrapper(){
            nixf-tidy --variable-lookup < "$1" | jq -r '
              [
                "sema-escaping-with"
              ]
              as $ignored_errors|[.[]|select(.sname as $s|$ignored_errors|index($s)|not)]
            '
          }

          failedFiles=()

          # Don't report errors to file overview
          # to avoid duplicates when editing title and description
          if [[ "${{ github.event.action }}" == 'edited' ]] && [[ -z "${{ github.event.edited.changes.base }}" ]]; then
            DONT_REPORT_ERROR=1
          else
            DONT_REPORT_ERROR=
          fi
          # TODO: Make this more parallel

          # Loop through all Nix files touched by the PR
          while readarray -d '' -n 2 entry && (( ${#entry[@]} != 0 )); do
            type=${entry[0]}
            file=${entry[1]}
            case $type in
              A*)
                source=""
                dest=$file
                ;;
              M*)
                source=$file
                dest=$file
                ;;
              C*|R*)
                source=$file
                read -r -d '' dest
                ;;
              *)
                echo "Ignoring file $file with type $type"
                continue
            esac

            if [[ -n "$source" ]] && [[ "$(nixf_wrapper ${{ env.target }}/"$source")" != '[]' ]] 2>/dev/null; then
              echo "Ignoring file $file because it doesn't pass nixf-tidy in the target commit"
              echo # insert blank line
            else
              nixf_report="$(nixf_wrapper "$dest")"
              if [[ "$nixf_report" != '[]' ]]; then
                echo "$dest doesn't pass nixf-tidy. Reported by nixf-tidy:"
                errors=$(echo "$nixf_report" | jq -r --arg dest "$dest" '
                  def getLCur: "line=" + (.line+1|tostring) + ",col=" + (.column|tostring);
                  def getRCur: "endLine=" + (.line+1|tostring) + ",endColumn=" + (.column|tostring);
                  def getRange: "file=\($dest)," + (.lCur|getLCur) + "," + (.rCur|getRCur);
                  def getBody: . as $top|(.range|getRange) + ",title="+ .sname + "::" +
                    (.message|sub("{}" ; ($top.args.[]|tostring)));
                  def getNote: "\n::notice " + (.|getBody);
                  def getMessage: "::error " + (.|getBody) + (if (.notes|length)>0 then
                    ([.notes.[]|getNote]|add) else "" end);
                  .[]|getMessage
                ')
                if [[ -z "$DONT_REPORT_ERROR" ]]; then
                  echo "$errors"
                else
                  # just print in plain text
                  echo "${errors/::/}"
                  echo # add one empty line
                fi
                failedFiles+=("$dest")
              fi
            fi
          done < <(git diff -z --name-status ${{ env.targetRev }} -- '*.nix')

          if [[ -n "$DONT_REPORT_ERROR" ]]; then
            echo "Edited the PR but didn't change the base branch, only the description/title."
            echo "Not reporting errors again to avoid duplication."
            echo # add one empty line
          fi

          if (( "${#failedFiles[@]}" > 0 )); then
            echo "Some new/changed Nix files don't pass nixf-tidy."
            echo "See ${{ github.event.pull_request.html_url }}/files for reported errors."
            echo "If you believe this is a false positive, ping @Aleksanaa and @inclyc in this PR."
            exit 1
          fi
+0 −52
name: "Checking EditorConfig v2"

on:
  pull_request_target:

permissions: {}

jobs:
  get-merge-commit:
    uses: ./.github/workflows/get-merge-commit.yml

  tests:
    name: editorconfig-check
    runs-on: ubuntu-24.04
    needs: get-merge-commit
    if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
    steps:
      - name: Get list of changed files from PR
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh api \
            repos/${{ github.repository }}/pulls/${{ github.event.number }}/files --paginate \
            | jq '.[] | select(.status != "removed") | .filename' \
            > "$HOME/changed_files"

      - name: print list of changed files
        run: |
          cat "$HOME/changed_files"

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}

      - name: Get Nixpkgs revision for editorconfig-checker
        run: |
          # Pin to a commit from nixpkgs-unstable to avoid building from e.g. staging.
          # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
          rev=$(jq -r .rev ci/pinned-nixpkgs.json)
          echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
          nix_path: nixpkgs=${{ env.url }}

      - name: Checking EditorConfig
        run: |
          < "$HOME/changed_files" nix-shell -p editorconfig-checker --run 'xargs -r editorconfig-checker -disable-indent-size'

      - if: ${{ failure() }}
        run: |
          echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again."

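--- a/.github/workflows/keep-sorted.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-name: Check that files are sorted
-
-on:
-  pull_request_target:
-    types: [opened, synchronize, reopened]
-
-permissions: {}
-
-jobs:
-  get-merge-commit:
-    uses: ./.github/workflows/get-merge-commit.yml
-
-  nixos:
-    name: keep-sorted
-    runs-on: ubuntu-24.04
-    needs: get-merge-commit
-    if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
-
-      - name: Get Nixpkgs revision for keep-sorted
-        run: |
-          # Pin to a commit from nixpkgs-unstable to avoid e.g. building nixfmt from staging.
-          # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
-          rev=$(jq -r .rev ci/pinned-nixpkgs.json)
-          echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
-
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-          nix_path: nixpkgs=${{ env.url }}
-
-      - name: Install keep-sorted
-        run: "nix-env -f '<nixpkgs>' -iAP keep-sorted jq"
-
-      - name: Check that Nix files are sorted
-        shell: bash
-        run: |
-          git ls-files | xargs keep-sorted --mode lint | jq --raw-output '.[] | "Please make sure any new entries in \(.path) are sorted alphabetically."'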
+1 −1
@@ -16,7 +16,7 @@
# CI
/.github/*_TEMPLATE*                    @SigmaSquadron
/.github/workflows                      @NixOS/Security @Mic92 @zowoq @infinisil @azuwis @wolfgangwalther
/.github/workflows/check-nix-format.yml @infinisil @wolfgangwalther
/.github/workflows/check-format.yml     @infinisil @wolfgangwalther
/.github/workflows/codeowners-v2.yml    @infinisil @wolfgangwalther
/.github/workflows/nixpkgs-vet.yml      @infinisil @philiptaron @wolfgangwalther
/ci                                     @infinisil @philiptaron @NixOS/Security @wolfgangwalther