Loading .github/workflows/build.yml +14 −8 Original line number Diff line number Diff line Loading @@ -12,9 +12,14 @@ on: mergedSha: required: true type: string secrets: CACHIX_AUTH_TOKEN: targetSha: required: true type: string secrets: # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading Loading @@ -55,21 +60,22 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 - uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 with: # Sandbox is disabled on MacOS by default. extra_nix_config: sandbox = true - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: '(-source$|-nixpkgs-tarball-)' - run: nix-env --install -f nixpkgs/untrusted-pinned -A nix-build-uncached - run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached - name: Build shell if: contains(matrix.builds, 'shell') Loading .github/workflows/check.yml +12 −9 Original line number Diff line number Diff line Loading @@ -4,10 +4,10 @@ on: workflow_call: inputs: baseBranch: required: true required: false type: string headBranch: required: true required: false type: string mergedSha: required: true Loading 
@@ -16,8 +16,10 @@ on: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading @@ -27,6 +29,7 @@ defaults: jobs: commits: if: inputs.baseBranch && inputs.headBranch permissions: pull-requests: write runs-on: ubuntu-24.04-arm Loading Loading @@ -82,14 +85,14 @@ jobs: merged-as-untrusted-at: ${{ inputs.mergedSha }} target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 - uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Build codeowners validator Loading .github/workflows/eval.yml +12 −10 Original line number Diff line number Diff line Loading @@ -19,8 +19,10 @@ on: default: false type: boolean secrets: CACHIX_AUTH_TOKEN: required: true # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading Loading @@ -52,7 +54,7 @@ jobs: ci/pinned.json - name: Install Nix uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 - name: Load supported versions id: versions Loading Loading 
@@ -98,14 +100,14 @@ jobs: target-as-trusted-at: ${{ inputs.targetSha }} - name: Install Nix uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: '(-source|-single-chunk)$' - name: Evaluate the ${{ matrix.system }} output paths at the merge commit Loading Loading @@ -186,7 +188,7 @@ jobs: merge-multiple: true - name: Install Nix uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 - name: Combine all output paths and eval stats run: | Loading Loading @@ -349,7 +351,7 @@ jobs: merged-as-untrusted-at: ${{ inputs.mergedSha }} - name: Install Nix uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 - name: Run misc eval tasks in parallel run: | Loading .github/workflows/lint.yml +15 −13 Original line number Diff line number Diff line Loading @@ -10,8 +10,10 @@ on: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading 
@@ -33,7 +35,7 @@ jobs: with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 - uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 # TODO: Figure out how to best enable caching for the treefmt job. Cachix won't work well, # because the cache would be invalidated on every commit - treefmt checks every file. Loading Loading @@ -68,14 +70,14 @@ jobs: with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 - uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Parse all nix files Loading 
@@ -97,14 +99,14 @@ jobs: merged-as-untrusted-at: ${{ inputs.mergedSha }} target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 - uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Running nixpkgs-vet Loading .github/workflows/merge-group.yml +57 −14 Original line number Diff line number Diff line Loading @@ -13,9 +13,6 @@ on: targetSha: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true permissions: {} Loading @@ -23,7 +20,10 @@ jobs: prepare: runs-on: ubuntu-24.04-arm outputs: systems: ${{ steps.systems.outputs.systems }} baseBranch: ${{ steps.prepare.outputs.base }} mergedSha: ${{ steps.prepare.outputs.mergedSha }} targetSha: ${{ steps.prepare.outputs.targetSha }} systems: ${{ steps.prepare.outputs.systems }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: Loading 
@@ -31,19 +31,50 @@ jobs: sparse-checkout: | ci/supportedSystems.json - name: Load supported systems id: systems run: | echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT" - id: prepare uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: MERGED_SHA: ${{ inputs.mergedSha }} TARGET_SHA: ${{ inputs.targetSha }} with: script: | const { classify } = require('./ci/supportedBranches.js') const baseBranch = ( context.payload.merge_group?.base_ref ?? context.payload.pull_request.base.ref ).replace(/^refs\/heads\//, '') const baseClassification = classify(baseBranch) core.setOutput('base', baseClassification) core.info('base classification:', baseClassification) core.setOutput('mergedSha', context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA) core.info(`mergedSha: ${context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA}`) core.setOutput('targetSha', context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA) core.info(`targetSha: ${context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA}`) core.setOutput('systems', require('./ci/supportedSystems.json')) check: name: Check needs: [prepare] uses: ./.github/workflows/check.yml permissions: # cherry-picks; formality right now, but unused pull-requests: write secrets: CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} lint: name: Lint needs: [prepare] uses: ./.github/workflows/lint.yml secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} eval: name: Eval Loading 
@@ -55,13 +86,25 @@ jobs: # compare statuses: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: artifact-prefix: ${{ inputs.artifact-prefix }} mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} systems: ${{ needs.prepare.outputs.systems }} build: name: Build needs: [prepare] uses: ./.github/workflows/build.yml secrets: CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: artifact-prefix: ${{ inputs.artifact-prefix }} baseBranch: ${{ needs.prepare.outputs.baseBranch }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block the Merge Queue. unlock: Loading Loading
.github/workflows/build.yml +14 −8 Original line number Diff line number Diff line Loading @@ -12,9 +12,14 @@ on: mergedSha: required: true type: string secrets: CACHIX_AUTH_TOKEN: targetSha: required: true type: string secrets: # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading Loading @@ -55,21 +60,22 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 - uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 with: # Sandbox is disabled on MacOS by default. extra_nix_config: sandbox = true - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: '(-source$|-nixpkgs-tarball-)' - run: nix-env --install -f nixpkgs/untrusted-pinned -A nix-build-uncached - run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached - name: Build shell if: contains(matrix.builds, 'shell') Loading
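Review bot: Nothing in this workflow enforces the rule stated in the new comment on `CACHIX_AUTH_TOKEN_GHA`. With `required: false` it holds only while every caller leaves the secret out on pull request runs, and the same is true of check.yml, eval.yml and lint.yml. The steps after `cachix/cachix-action` presumably work on the `merged-as-untrusted-at` checkout, so a caller that forwards the token by mistake would place it in the same job as that code. I would repeat the consequence at the cachix step, for example `# authToken is empty in pull request runs, so this step only pulls from the cache.`, after confirming that the pinned v16 action skips pushing when no token is set. The `jobs:` block starts and ends outside the hunk, so the later build steps are not visible here.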
.github/workflows/check.yml +12 −9 Original line number Diff line number Diff line Loading @@ -4,10 +4,10 @@ on: workflow_call: inputs: baseBranch: required: true required: false type: string headBranch: required: true required: false type: string mergedSha: required: true Loading @@ -16,8 +16,10 @@ on: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading @@ -27,6 +29,7 @@ defaults: jobs: commits: if: inputs.baseBranch && inputs.headBranch permissions: pull-requests: write runs-on: ubuntu-24.04-arm Loading Loading @@ -82,14 +85,14 @@ jobs: merged-as-untrusted-at: ${{ inputs.mergedSha }} target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 - uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Build codeowners validator Loading
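Review bot: The new `if: inputs.baseBranch && inputs.headBranch` on the `commits` job has no comment saying when it is false, and both inputs become `required: false` in the same section. In this commit the `check` job in merge-group.yml passes only `mergedSha` and `targetSha`, so the job is skipped on that path while still declaring `pull-requests: write`. A one-line comment above the condition would make that intent explicit, for example `# Skipped when the caller passes no branch names, as the merge queue does.`. The body of `commits` continues outside the hunk.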
.github/workflows/eval.yml +12 −10 Original line number Diff line number Diff line Loading @@ -19,8 +19,10 @@ on: default: false type: boolean secrets: CACHIX_AUTH_TOKEN: required: true # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading Loading @@ -52,7 +54,7 @@ jobs: ci/pinned.json - name: Install Nix uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 - name: Load supported versions id: versions Loading Loading @@ -98,14 +100,14 @@ jobs: target-as-trusted-at: ${{ inputs.targetSha }} - name: Install Nix uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: '(-source|-single-chunk)$' - name: Evaluate the ${{ matrix.system }} output paths at the merge commit Loading Loading @@ -186,7 +188,7 @@ jobs: merge-multiple: true - name: Install Nix uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 - name: Combine all output paths and eval stats run: | Loading Loading 
@@ -349,7 +351,7 @@ jobs: merged-as-untrusted-at: ${{ inputs.mergedSha }} - name: Install Nix uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 - name: Run misc eval tasks in parallel run: | Loading
.github/workflows/lint.yml +15 −13 Original line number Diff line number Diff line Loading @@ -10,8 +10,10 @@ on: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} Loading @@ -33,7 +35,7 @@ jobs: with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 - uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 # TODO: Figure out how to best enable caching for the treefmt job. Cachix won't work well, # because the cache would be invalidated on every commit - treefmt checks every file. Loading Loading @@ -68,14 +70,14 @@ jobs: with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 - uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Parse all nix files Loading 
@@ -97,14 +99,14 @@ jobs: merged-as-untrusted-at: ${{ inputs.mergedSha }} target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 - uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} extraPullNames: nixpkgs-ci authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} extraPullNames: nixpkgs-gha authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Running nixpkgs-vet Loading
.github/workflows/merge-group.yml +57 −14 Original line number Diff line number Diff line Loading @@ -13,9 +13,6 @@ on: targetSha: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true permissions: {} Loading @@ -23,7 +20,10 @@ jobs: prepare: runs-on: ubuntu-24.04-arm outputs: systems: ${{ steps.systems.outputs.systems }} baseBranch: ${{ steps.prepare.outputs.base }} mergedSha: ${{ steps.prepare.outputs.mergedSha }} targetSha: ${{ steps.prepare.outputs.targetSha }} systems: ${{ steps.prepare.outputs.systems }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: Loading 
@@ -31,19 +31,50 @@ jobs: sparse-checkout: | ci/supportedSystems.json - name: Load supported systems id: systems run: | echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT" - id: prepare uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: MERGED_SHA: ${{ inputs.mergedSha }} TARGET_SHA: ${{ inputs.targetSha }} with: script: | const { classify } = require('./ci/supportedBranches.js') const baseBranch = ( context.payload.merge_group?.base_ref ?? context.payload.pull_request.base.ref ).replace(/^refs\/heads\//, '') const baseClassification = classify(baseBranch) core.setOutput('base', baseClassification) core.info('base classification:', baseClassification) core.setOutput('mergedSha', context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA) core.info(`mergedSha: ${context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA}`) core.setOutput('targetSha', context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA) core.info(`targetSha: ${context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA}`) core.setOutput('systems', require('./ci/supportedSystems.json')) check: name: Check needs: [prepare] uses: ./.github/workflows/check.yml permissions: # cherry-picks; formality right now, but unused pull-requests: write secrets: CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} lint: name: Lint needs: [prepare] uses: ./.github/workflows/lint.yml secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} eval: name: Eval Loading 
@@ -55,13 +86,25 @@ jobs: # compare statuses: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: artifact-prefix: ${{ inputs.artifact-prefix }} mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} systems: ${{ needs.prepare.outputs.systems }} build: name: Build needs: [prepare] uses: ./.github/workflows/build.yml secrets: CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: artifact-prefix: ${{ inputs.artifact-prefix }} baseBranch: ${{ needs.prepare.outputs.baseBranch }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block the Merge Queue. unlock: Loading
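Review bot: `core.info('base classification:', baseClassification)` in the new `prepare` script does not log the classification, because `core.info` takes a single message argument and the second one is dropped. The two SHA lines below it build one string, so I would write `core.info('base classification: ' + JSON.stringify(baseClassification))`. Separately, the script now loads `./ci/supportedBranches.js` with `require`, so the step executes repository code where the removed `jq` step only read a JSON file. The checkout's `with:` block starts outside the hunk, so the ref it checks out is not visible here. It should be confirmed as one that is acceptable to execute, since this job's outputs feed the jobs that receive `CACHIX_AUTH_TOKEN_GHA`.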