Loading .github/workflows/check.yml +4 −42 Original line number Diff line number Diff line Loading @@ -12,17 +12,12 @@ on: mergedSha: required: true type: string ownersCanFail: required: true type: boolean targetSha: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true OWNER_RO_APP_PRIVATE_KEY: required: true permissions: {} Loading Loading @@ -72,19 +67,8 @@ jobs: GH_TOKEN: ${{ github.token }} run: gh api /rate_limit | jq # For checking code owners, this job depends on a GitHub App with the following permissions: # - Permissions: # - Repository > Administration: read-only # - Organization > Members: read-only # - Install App on this repository, setting these variables: # - OWNER_RO_APP_ID (variable) # - OWNER_RO_APP_PRIVATE_KEY (secret) # # This should not use the same app as the job to request reviewers, because this job requires # handling untrusted PR input. owners: runs-on: ubuntu-24.04-arm continue-on-error: ${{ inputs.ownersCanFail }} timeout-minutes: 5 steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 Loading @@ -94,7 +78,6 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@9280e7aca88deada44c930f1e2c78e21c3ae3edd # v31 Loading 
@@ -107,36 +90,15 @@ jobs: pushFilter: -source$ - name: Build codeowners validator run: nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A codeownersValidator - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID id: app-token with: app-id: ${{ vars.OWNER_RO_APP_ID }} private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} permission-administration: read permission-members: read - name: Log current API rate limits if: steps.app-token.outputs.token env: GH_TOKEN: ${{ steps.app-token.outputs.token }} run: gh api /rate_limit | jq run: nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A codeownersValidator - name: Validate codeowners if: steps.app-token.outputs.token env: OWNERS_FILE: nixpkgs/untrusted/ci/OWNERS GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} REPOSITORY_PATH: nixpkgs/untrusted OWNER_CHECKER_REPOSITORY: ${{ github.repository }} # Omits "owners", which checks whether GitHub handles exist, but fails with nested team # structures. CHECKS: "duppatterns,files,syntax" # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody EXPERIMENTAL_CHECKS: "avoid-shadowing" run: result/bin/codeowners-validator - name: Log current API rate limits if: steps.app-token.outputs.token env: GH_TOKEN: ${{ steps.app-token.outputs.token }} run: gh api /rate_limit | jq .github/workflows/pr.yml +0 −4 Original line number Diff line number Diff line Loading @@ -11,8 +11,6 @@ on: OWNER_APP_PRIVATE_KEY: # The Test workflow should not actually request reviews from owners. required: false OWNER_RO_APP_PRIVATE_KEY: required: true concurrency: group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }} Loading Loading 
@@ -59,13 +57,11 @@ jobs: pull-requests: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} with: baseBranch: ${{ needs.prepare.outputs.baseBranch }} headBranch: ${{ needs.prepare.outputs.headBranch }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} ownersCanFail: ${{ !contains(fromJSON(needs.prepare.outputs.touched), 'owners') }} lint: name: Lint Loading .github/workflows/test.yml +0 −1 Original line number Diff line number Diff line Loading @@ -98,7 +98,6 @@ jobs: secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} push: if: needs.prepare.outputs.push Loading ci/github-script/prepare.js +0 −1 Original line number Diff line number Diff line Loading @@ -221,7 +221,6 @@ module.exports = async ({ github, context, core, dry }) => { const touched = [] if (files.includes('ci/pinned.json')) touched.push('pinned') if (files.includes('ci/OWNERS')) touched.push('owners') core.setOutput('touched', touched) return Loading maintainers/README.md +8 −1 Original line number Diff line number Diff line Loading 
@@ -155,8 +155,15 @@ When reviewing changes to a team, read the team's scope and the context around t In any case, request reviews from the existing team members. If the team lists no specific membership policy, feel free to merge changes to the team after giving the existing members a few days to respond. *Important:* If a team says it is a closed group, do not merge additions to the team without an approval by at least one existing member. > [!IMPORTANT] > If a team says it is a closed group, do not merge additions to the team without an approval by at least one existing member. A corresponding GitHub team can be created by any org member. When creating the team it should be created with the `nixpkgs-maintainers` team as parent. Once approved, the team will have the right privileges to be pinged and requested for review in Nixpkgs. > [!TIP] > The team name should be as short as possible; because it is nested under the maintainers group, no -maintainers suffix is needed. # Maintainer scripts Loading Loading
.github/workflows/check.yml +4 −42 Original line number Diff line number Diff line Loading @@ -12,17 +12,12 @@ on: mergedSha: required: true type: string ownersCanFail: required: true type: boolean targetSha: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true OWNER_RO_APP_PRIVATE_KEY: required: true permissions: {} Loading Loading @@ -72,19 +67,8 @@ jobs: GH_TOKEN: ${{ github.token }} run: gh api /rate_limit | jq # For checking code owners, this job depends on a GitHub App with the following permissions: # - Permissions: # - Repository > Administration: read-only # - Organization > Members: read-only # - Install App on this repository, setting these variables: # - OWNER_RO_APP_ID (variable) # - OWNER_RO_APP_PRIVATE_KEY (secret) # # This should not use the same app as the job to request reviewers, because this job requires # handling untrusted PR input. owners: runs-on: ubuntu-24.04-arm continue-on-error: ${{ inputs.ownersCanFail }} timeout-minutes: 5 steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 Loading @@ -94,7 +78,6 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@9280e7aca88deada44c930f1e2c78e21c3ae3edd # v31 Loading 
@@ -107,36 +90,15 @@ jobs: pushFilter: -source$ - name: Build codeowners validator run: nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A codeownersValidator - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID id: app-token with: app-id: ${{ vars.OWNER_RO_APP_ID }} private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} permission-administration: read permission-members: read - name: Log current API rate limits if: steps.app-token.outputs.token env: GH_TOKEN: ${{ steps.app-token.outputs.token }} run: gh api /rate_limit | jq run: nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A codeownersValidator - name: Validate codeowners if: steps.app-token.outputs.token env: OWNERS_FILE: nixpkgs/untrusted/ci/OWNERS GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} REPOSITORY_PATH: nixpkgs/untrusted OWNER_CHECKER_REPOSITORY: ${{ github.repository }} # Omits "owners", which checks whether GitHub handles exist, but fails with nested team # structures. CHECKS: "duppatterns,files,syntax" # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody EXPERIMENTAL_CHECKS: "avoid-shadowing" run: result/bin/codeowners-validator - name: Log current API rate limits if: steps.app-token.outputs.token env: GH_TOKEN: ${{ steps.app-token.outputs.token }} run: gh api /rate_limit | jq
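Review bot: The Build step now evaluates `nixpkgs/untrusted/ci` with `./nixpkgs/untrusted-pinned`, so the validator derivation, its pinned nixpkgs and the `result/bin/codeowners-validator` binary run by the next step are all PR-controlled; the trust boundary the removed comment block described has moved, but nothing in the new code records it. Dropping the app token and `targetSha` does make that defensible on the GitHub side (`permissions: {}`, no `GITHUB_ACCESS_TOKEN` in the step env), yet the `pushFilter: -source$` line at the top of the hunk suggests a cachix step in this same job, and if it holds a push token a PR can now choose what this job builds and pushes — worth confirming that is intended, or disabling push for this job. I would add above the Build step: `# Built from the PR's own checkout: from here on this job runs PR-controlled code, so it must hold no credentials beyond what the cachix step needs.` The owners job's earlier steps, including that cachix step, are outside this hunk.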
.github/workflows/pr.yml +0 −4 Original line number Diff line number Diff line Loading @@ -11,8 +11,6 @@ on: OWNER_APP_PRIVATE_KEY: # The Test workflow should not actually request reviews from owners. required: false OWNER_RO_APP_PRIVATE_KEY: required: true concurrency: group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }} Loading Loading @@ -59,13 +57,11 @@ jobs: pull-requests: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} with: baseBranch: ${{ needs.prepare.outputs.baseBranch }} headBranch: ${{ needs.prepare.outputs.headBranch }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} ownersCanFail: ${{ !contains(fromJSON(needs.prepare.outputs.touched), 'owners') }} lint: name: Lint Loading
.github/workflows/test.yml +0 −1 Original line number Diff line number Diff line Loading @@ -98,7 +98,6 @@ jobs: secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} push: if: needs.prepare.outputs.push Loading
ci/github-script/prepare.js +0 −1 Original line number Diff line number Diff line Loading @@ -221,7 +221,6 @@ module.exports = async ({ github, context, core, dry }) => { const touched = [] if (files.includes('ci/pinned.json')) touched.push('pinned') if (files.includes('ci/OWNERS')) touched.push('owners') core.setOutput('touched', touched) return Loading
maintainers/README.md +8 −1 Original line number Diff line number Diff line Loading @@ -155,8 +155,15 @@ When reviewing changes to a team, read the team's scope and the context around t In any case, request reviews from the existing team members. If the team lists no specific membership policy, feel free to merge changes to the team after giving the existing members a few days to respond. *Important:* If a team says it is a closed group, do not merge additions to the team without an approval by at least one existing member. > [!IMPORTANT] > If a team says it is a closed group, do not merge additions to the team without an approval by at least one existing member. A corresponding GitHub team can be created by any org member. When creating the team it should be created with the `nixpkgs-maintainers` team as parent. Once approved, the team will have the right privileges to be pinged and requested for review in Nixpkgs. > [!TIP] > The team name should be as short as possible; because it is nested under the maintainers group, no -maintainers suffix is needed. # Maintainer scripts Loading