Loading .github/workflows/check.yml +4 −33 Original line number Diff line number Diff line Loading @@ -16,14 +16,6 @@ on: required: true type: string secrets: # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: required: false # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: required: false # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: Loading Loading @@ -53,19 +45,9 @@ jobs: - name: Install dependencies run: npm install bottleneck@2.19.5 # It's fine to reuse this app in the 'pull-request-target / prepare' job, # because that job has to run before this one. - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name != 'pull_request' && vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Log current API rate limits env: GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} GH_TOKEN: ${{ github.token }} run: gh api /rate_limit | jq - name: Check commits Loading @@ -74,7 +56,6 @@ jobs: env: TARGETS_STABLE: ${{ fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development') }} with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | const targetsStable = JSON.parse(process.env.TARGETS_STABLE) require('./trusted/ci/github-script/commits.js')({ Loading @@ -87,7 +68,7 @@ jobs: - name: Log current API rate limits env: GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} GH_TOKEN: ${{ github.token }} run: gh api /rate_limit | jq manual-file-edits: Loading 
@@ -104,35 +85,25 @@ jobs: sparse-checkout: | ci/github-script - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name != 'pull_request' && vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Log current API rate limits env: GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} GH_TOKEN: ${{ github.token }} run: gh api /rate_limit | jq - name: Discourage manual edits to certain files uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | require('./trusted/ci/github-script/manual-file-edits.js')({ github, context, core, dry: context.eventName == 'pull_request', repoPath: 'trusted', }) - name: Log current API rate limits env: GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} GH_TOKEN: ${{ github.token }} run: gh api /rate_limit | jq owners: Loading .github/workflows/eval.yml +0 −14 Original line number Diff line number Diff line Loading @@ -23,10 +23,6 @@ on: default: false type: boolean secrets: # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: required: false # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: Loading Loading 
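Review bot: With the `create-github-app-token` steps removed, every `github-script` step in the `commits` and `manual-file-edits` jobs now runs with `github.token`, so whatever commits.js still writes to the pull request depends on the jobs' `permissions:` blocks, which lie outside these hunks — confirm they grant `pull-requests: write` for the non-`pull_request` events that previously received an app token with `permission-pull-requests: write`. On `pull_request` runs from forks the token was already the read-only `github.token` because of the old `if: github.event_name != 'pull_request'` guard, so that path is unchanged. One consequence worth recording next to the first `GH_TOKEN: ${{ github.token }}`: the workflow token shares the repository's hourly API budget across concurrent runs, whereas each app installation had its own, so the retained `Log current API rate limits` steps are now the place to look if requests start failing; a comment such as `# Shared workflow token; check the rate-limit log above if API calls fail` would make that explicit. The same replacement appears in the eval.yml and pull-request-target.yml sections below.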
@@ -353,20 +349,10 @@ jobs: description, target_url }) - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name == 'pull_request_target' && vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Request changes if PR is against an inappropriate branch if: ${{ github.event_name == 'pull_request_target' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | require('./nixpkgs/trusted/ci/github-script/check-target-branch.js')({ github, Loading .github/workflows/pull-request-target.yml +0 −22 Original line number Diff line number Diff line Loading @@ -10,12 +10,6 @@ on: secrets: NIXPKGS_CI_APP_PRIVATE_KEY: required: true NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: required: false NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: required: false NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: required: false concurrency: group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }} Loading @@ -42,17 +36,6 @@ jobs: sparse-checkout-cone-mode: true # default, for clarity sparse-checkout: | ci/github-script # It's fine to reuse this app in the 'check / commits' job, # because this job has to run before that one. - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - id: prepare uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: Loading 
@@ -77,9 +60,6 @@ jobs: permissions: # cherry-picks pull-requests: write secrets: NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }} with: baseBranch: ${{ needs.prepare.outputs.baseBranch }} headBranch: ${{ needs.prepare.outputs.headBranch }} Loading @@ -102,8 +82,6 @@ jobs: # compare pull-requests: write statuses: write secrets: NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} with: artifact-prefix: ${{ inputs.artifact-prefix }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} Loading ci/github-script/check-target-branch.js +7 −3 Original line number Diff line number Diff line Loading @@ -151,9 +151,11 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'REQUEST_CHANGES', event: 'COMMENT', reviewKey, }) throw new Error('This PR is against the wrong branch.') } else if (rebuildsAllTests && !isExemptKernelUpdate) { let branchText if (base === 'master' && maxRebuildCount >= 500) { Loading @@ -177,9 +179,11 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'REQUEST_CHANGES', event: 'COMMENT', reviewKey, }) throw new Error('This PR is against the wrong branch.') } else if ( maxRebuildCount >= 500 && !isExemptKernelUpdate && Loading @@ -200,7 +204,7 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'REQUEST_CHANGES', event: 'COMMENT', reviewKey, }) } else { Loading ci/github-script/manual-file-edits.js +4 −22 Original line number Diff line number Diff line Loading 
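Review bot: The third hunk (`@@ -200,7 +204,7`) switches the review event to `COMMENT` but, unlike the first two hunks, adds no `throw new Error('This PR is against the wrong branch.')` after `postReview`, so that branch now neither requests changes nor fails the job; if that is deliberate, a comment such as `// comment only: this case is advisory and does not fail the check` would stop it from being read as an omission. The error string is now duplicated in the first two hunks and could be hoisted to one `const WRONG_BRANCH_MESSAGE = 'This PR is against the wrong branch.'` inside checkTargetBranch. The start of each `postReview({` call is outside the hunks, so I cannot see whether it is awaited; if it is not, the new `throw` may unwind before the comment is actually posted. The calling step in eval.yml is still named `Request changes if PR is against an inappropriate branch`, which no longer describes what the script does. checkTargetBranch begins before and ends after these hunks.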
@@ -7,13 +7,9 @@ const { getCommitDetailsForPR } = require('./get-pr-commit-details') * context: import('@actions/github/lib/context').Context, * core: import('@actions/core'), * repoPath?: string, * dry: boolean, * }} CheckManualFileEditsProps */ async function checkManualFileEdits({ github, context, core, repoPath, dry }) { const { dismissReviews, postReview } = require('./reviews.js') const reviewKey = 'manual-file-edits' async function checkManualFileEdits({ github, context, core, repoPath }) { const pull_number = context.payload.pull_request?.number if (!pull_number) { core.info('This is not a pull request. Skipping checks.') Loading @@ -39,13 +35,8 @@ async function checkManualFileEdits({ github, context, core, repoPath, dry }) { changedPaths.includes('maintainers/github-teams.json'), ) ) { postReview({ github, context, core, dry, event: 'REQUEST_CHANGES', body: [ core.setFailed( [ 'maintainers/github-teams.json is supposed to accurately reflect the state of the teams in GitHub.\n', 'Therefore, it should not be edited manually.\n', 'All changes to teams listed in maintainers/github-teams.json should be performed in GitHub by a team maintainer.\n', Loading @@ -57,16 +48,7 @@ async function checkManualFileEdits({ github, context, core, repoPath, dry }) { (prev, curr) => prev + (!prev || prev.endsWith('\n') ? '' : ' ') + curr, '', ), reviewKey, }) } else { dismissReviews({ github, context, core, dry, reviewKey, }) ) } } Loading Loading
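Review bot: Removing the `else { dismissReviews(...) }` branch means any `REQUEST_CHANGES` review the bot posted under the old `manual-file-edits` review key stays on already-open pull requests even after the offending edit is reverted, because nothing dismisses it any more; either a one-time cleanup of those reviews or a transitional `dismissReviews` call is needed unless they have already been cleared. Replacing `postReview` with `core.setFailed` also drops the `dry` gate, which check.yml previously set to `context.eventName == 'pull_request'`; if `dry` suppressed the review on fork pull requests, those runs will now fail the job instead — confirm that is intended and note it in the JSDoc, e.g. `* Fails the job via core.setFailed when maintainers/github-teams.json is edited manually.` above the typedef. The body of checkManualFileEdits between the first and second hunks is not shown.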
.github/workflows/check.yml +4 −33 Original line number Diff line number Diff line Loading @@ -16,14 +16,6 @@ on: required: true type: string secrets: # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: required: false # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: required: false # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: Loading Loading @@ -53,19 +45,9 @@ jobs: - name: Install dependencies run: npm install bottleneck@2.19.5 # It's fine to reuse this app in the 'pull-request-target / prepare' job, # because that job has to run before this one. - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name != 'pull_request' && vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Log current API rate limits env: GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} GH_TOKEN: ${{ github.token }} run: gh api /rate_limit | jq - name: Check commits Loading @@ -74,7 +56,6 @@ jobs: env: TARGETS_STABLE: ${{ fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development') }} with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | const targetsStable = JSON.parse(process.env.TARGETS_STABLE) require('./trusted/ci/github-script/commits.js')({ Loading @@ -87,7 +68,7 @@ jobs: - name: Log current API rate limits env: GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} GH_TOKEN: ${{ github.token }} run: gh api /rate_limit | jq manual-file-edits: Loading 
@@ -104,35 +85,25 @@ jobs: sparse-checkout: | ci/github-script - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name != 'pull_request' && vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Log current API rate limits env: GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} GH_TOKEN: ${{ github.token }} run: gh api /rate_limit | jq - name: Discourage manual edits to certain files uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | require('./trusted/ci/github-script/manual-file-edits.js')({ github, context, core, dry: context.eventName == 'pull_request', repoPath: 'trusted', }) - name: Log current API rate limits env: GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} GH_TOKEN: ${{ github.token }} run: gh api /rate_limit | jq owners: Loading
.github/workflows/eval.yml +0 −14 Original line number Diff line number Diff line Loading @@ -23,10 +23,6 @@ on: default: false type: boolean secrets: # Can be provided in pull requests because the job it is used in does # not evaluate untrusted code. NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: required: false # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN_GHA: Loading Loading @@ -353,20 +349,10 @@ jobs: description, target_url }) - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: github.event_name == 'pull_request_target' && vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - name: Request changes if PR is against an inappropriate branch if: ${{ github.event_name == 'pull_request_target' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ steps.app-token.outputs.token || github.token }} script: | require('./nixpkgs/trusted/ci/github-script/check-target-branch.js')({ github, Loading
.github/workflows/pull-request-target.yml +0 −22 Original line number Diff line number Diff line Loading @@ -10,12 +10,6 @@ on: secrets: NIXPKGS_CI_APP_PRIVATE_KEY: required: true NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: required: false NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: required: false NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: required: false concurrency: group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }} Loading @@ -42,17 +36,6 @@ jobs: sparse-checkout-cone-mode: true # default, for clarity sparse-checkout: | ci/github-script # It's fine to reuse this app in the 'check / commits' job, # because this job has to run before that one. - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 if: vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID id: app-token with: client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} permission-pull-requests: write - id: prepare uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: Loading @@ -77,9 +60,6 @@ jobs: permissions: # cherry-picks pull-requests: write secrets: NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }} NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }} with: baseBranch: ${{ needs.prepare.outputs.baseBranch }} headBranch: ${{ needs.prepare.outputs.headBranch }} Loading @@ -102,8 +82,6 @@ jobs: # compare pull-requests: write statuses: write secrets: NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }} with: artifact-prefix: ${{ inputs.artifact-prefix }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} Loading
ci/github-script/check-target-branch.js +7 −3 Original line number Diff line number Diff line Loading @@ -151,9 +151,11 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'REQUEST_CHANGES', event: 'COMMENT', reviewKey, }) throw new Error('This PR is against the wrong branch.') } else if (rebuildsAllTests && !isExemptKernelUpdate) { let branchText if (base === 'master' && maxRebuildCount >= 500) { Loading @@ -177,9 +179,11 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'REQUEST_CHANGES', event: 'COMMENT', reviewKey, }) throw new Error('This PR is against the wrong branch.') } else if ( maxRebuildCount >= 500 && !isExemptKernelUpdate && Loading @@ -200,7 +204,7 @@ async function checkTargetBranch({ github, context, core, dry }) { core, dry, body, event: 'REQUEST_CHANGES', event: 'COMMENT', reviewKey, }) } else { Loading
ci/github-script/manual-file-edits.js +4 −22 Original line number Diff line number Diff line Loading @@ -7,13 +7,9 @@ const { getCommitDetailsForPR } = require('./get-pr-commit-details') * context: import('@actions/github/lib/context').Context, * core: import('@actions/core'), * repoPath?: string, * dry: boolean, * }} CheckManualFileEditsProps */ async function checkManualFileEdits({ github, context, core, repoPath, dry }) { const { dismissReviews, postReview } = require('./reviews.js') const reviewKey = 'manual-file-edits' async function checkManualFileEdits({ github, context, core, repoPath }) { const pull_number = context.payload.pull_request?.number if (!pull_number) { core.info('This is not a pull request. Skipping checks.') Loading @@ -39,13 +35,8 @@ async function checkManualFileEdits({ github, context, core, repoPath, dry }) { changedPaths.includes('maintainers/github-teams.json'), ) ) { postReview({ github, context, core, dry, event: 'REQUEST_CHANGES', body: [ core.setFailed( [ 'maintainers/github-teams.json is supposed to accurately reflect the state of the teams in GitHub.\n', 'Therefore, it should not be edited manually.\n', 'All changes to teams listed in maintainers/github-teams.json should be performed in GitHub by a team maintainer.\n', Loading @@ -57,16 +48,7 @@ async function checkManualFileEdits({ github, context, core, repoPath, dry }) { (prev, curr) => prev + (!prev || prev.endsWith('\n') ? '' : ' ') + curr, '', ), reviewKey, }) } else { dismissReviews({ github, context, core, dry, reviewKey, }) ) } } Loading