Unverified Commit d8332aa3 authored by Wolfgang Walther's avatar Wolfgang Walther Committed by GitHub

workflows/{pr,push}: init (#415006)

parents 371f309c c08b86e9
+1 −1
@@ -29,7 +29,7 @@ Thus, it is important how to construct the group keys:

- We don't want workflows of different Pull Requests to cancel each other, so we include `github.event.pull_request.number`. The [GitHub docs](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/control-the-concurrency-of-workflows-and-jobs#example-using-a-fallback-value) show using `github.head_ref` for this purpose, but this doesn't work well with forks: Different users could have the same head branch name in their forks and run CI for their PRs at the same time.

- Sometimes, there is no `pull_request.number`. That's the case for `push` or `workflow_run` events. To ensure non-PR runs are never cancelled, we add a fallback of `github.run_id`. This is a unique value for each workflow run.
- Sometimes, there is no `pull_request.number`. To ensure non-PR runs are never cancelled, we add a fallback of `github.run_id`. This is a unique value for each workflow run.

- Of course, we run multiple workflows at the same time, so we add `github.workflow` to the key. Otherwise workflows would cancel each other.

+4 −8
name: Build

on:
  pull_request:
    paths:
      - .github/workflows/build.yml
  pull_request_target:

concurrency:
  group: build-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true
  workflow_call:
    secrets:
      CACHIX_AUTH_TOKEN:
        required: true

permissions: {}
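Review bot: With the `pull_request`/`pull_request_target` triggers and the `concurrency` stanza removed, this file no longer says anything about cancelling superseded runs; that now rests entirely on the caller's group key, and a caller that forgets it will simply run duplicate builds for the same PR in parallel. The new `workflow_call` block also does not say what `CACHIX_AUTH_TOKEN` is used for or which workflow is expected to supply it, so the required secret reads as an unexplained hard requirement. A header above `workflow_call:` such as `# Reusable workflow: the caller (presumably the new pr/push workflows) owns the trigger and the concurrency group and passes CACHIX_AUTH_TOKEN` would keep that contract visible in the file that depends on it.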

+1 −8
name: Check

on:
  pull_request:
    paths:
      - .github/workflows/check.yml
  pull_request_target:

concurrency:
  group: check-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true
  workflow_call:

permissions: {}

+0 −42
name: Eval aliases

on:
  pull_request:
    paths:
      - .github/workflows/eval-aliases.yml
  pull_request_target:

concurrency:
  group: eval-aliases-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

permissions: {}

defaults:
  run:
    shell: bash

jobs:
  eval-aliases:
    name: Eval nixpkgs with aliases enabled
    runs-on: ubuntu-24.04-arm
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: .github/actions
      - name: Check if the PR can be merged and checkout the merge commit
        uses: ./.github/actions/get-merge-commit
        with:
          merged-as-untrusted: true

      - name: Install Nix
        uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31
        with:
          extra_nix_config: sandbox = true

      - name: Ensure flake outputs on all systems still evaluate
        run: nix flake check --all-systems --no-build ./untrusted

      - name: Query nixpkgs with aliases enabled to check for basic syntax errors
        run: |
          time nix-env -I ./untrusted -f ./untrusted -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null
+36 −27
name: Eval

on:
  pull_request:
    paths:
      - .github/workflows/eval.yml
      - .github/workflows/reviewers.yml # needs eval results from the same event type
  pull_request_target:
  push:
    # Keep this synced with ci/request-reviews/dev-branches.txt
    branches:
      - master
      - staging
      - release-*
      - staging-*
      - haskell-updates
      - python-updates

concurrency:
  group: eval-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true
  workflow_call:
    secrets:
      OWNER_APP_PRIVATE_KEY:
        required: false

permissions: {}

@@ -28,7 +14,6 @@ defaults:

jobs:
  prepare:
    name: Prepare
    runs-on: ubuntu-24.04-arm
    outputs:
      mergedSha: ${{ steps.get-merge-commit.outputs.mergedSha }}
@@ -49,14 +34,14 @@ jobs:
        run: |
          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"

  outpaths:
    name: Outpaths
  eval:
    runs-on: ubuntu-24.04-arm
    needs: [prepare]
    strategy:
      fail-fast: false
      matrix:
        system: ${{ fromJSON(needs.prepare.outputs.systems) }}
    name: ${{ matrix.system }}
    steps:
      - name: Enable swap
        run: |
@@ -109,12 +94,12 @@ jobs:
              run_id = (await github.rest.actions.listWorkflowRuns({
                owner: context.repo.owner,
                repo: context.repo.repo,
                workflow_id: 'eval.yml',
                workflow_id: 'push.yml',
                event: 'push',
                head_sha: targetSha
              })).data.workflow_runs[0].id
            } catch {
              throw new Error(`Could not find an eval.yml workflow run for ${targetSha}.`)
              throw new Error(`Could not find an push.yml workflow run for ${targetSha}.`)
            }

            core.setOutput('targetRunId', run_id)
@@ -161,9 +146,8 @@ jobs:
          path: diff/*

  compare:
    name: Comparison
    runs-on: ubuntu-24.04-arm
    needs: [prepare, outpaths]
    needs: [prepare, eval]
    if: needs.prepare.outputs.targetSha
    permissions:
      issues: write # needed to create *new* labels
@@ -262,7 +246,32 @@ jobs:
    # No dependency on "compare", so that it can start at the same time.
    # We only wait for the "comparison" artifact to be available, which makes the start-to-finish time
    # for the eval workflow considerably faster.
    needs: [prepare, outpaths]
    needs: [prepare, eval]
    if: needs.prepare.outputs.targetSha
    uses: ./.github/workflows/reviewers.yml
    secrets: inherit
    secrets:
      OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}

  misc:
    if: ${{ github.event_name != 'push' }}
    runs-on: ubuntu-24.04-arm
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: .github/actions
      - name: Check if the PR can be merged and checkout the merge commit
        uses: ./.github/actions/get-merge-commit
        with:
          merged-as-untrusted: true

      - name: Install Nix
        uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31
        with:
          extra_nix_config: sandbox = true

      - name: Ensure flake outputs on all systems still evaluate
        run: nix flake check --all-systems --no-build ./untrusted

      - name: Query nixpkgs with aliases enabled to check for basic syntax errors
        run: |
          time nix-env -I ./untrusted -f ./untrusted -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null
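Review bot: The run lookup at `workflow_id: 'push.yml'` appears to match only runs of the new workflow, so for a target SHA whose last run was produced by the old `eval.yml` push trigger the `catch` branch throws and the whole comparison fails until every branch from the removed push list receives a fresh push; if a fallback to `'eval.yml'` is not intended, the expected one-time breakage should at least be documented next to the lookup. The new message also has a grammar slip: `throw new Error(\`Could not find a push.yml workflow run for ${targetSha}.\`)`. The `misc` job evaluates the untrusted merge commit and correctly inherits the top-level `permissions: {}` while referencing no secrets; a comment such as `# Evaluates untrusted PR code: must stay free of secrets and write permissions` above `misc:` would keep that invariant visible now that `OWNER_APP_PRIVATE_KEY` is threaded through this workflow. The script step containing the lookup starts outside the hunk.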