Loading .github/workflows/eval.yml +8 −23 Original line number Diff line number Diff line Loading @@ -11,6 +11,9 @@ on: systems: required: true type: string defaultVersion: required: true type: string testVersions: required: false default: false Loading Loading @@ -105,7 +108,7 @@ jobs: - name: Evaluate the ${{ matrix.system }} output paths at the merge commit env: MATRIX_SYSTEM: ${{ matrix.system }} MATRIX_VERSION: ${{ matrix.version || 'nixVersions.latest' }} MATRIX_VERSION: ${{ matrix.version || inputs.defaultVersion }} run: | nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A eval.singleSystem \ --argstr evalSystem "$MATRIX_SYSTEM" \ Loading 
@@ -115,36 +118,18 @@ jobs: # If it uses too much memory, slightly decrease chunkSize. # Note: Keep the same further down in sync! # Running the attrpath generation step separately from the outpath step afterwards. # The idea is that, *if* Eval on the target branch has not finished, yet, we will # generate the attrpaths in the meantime - and the separate command command afterwards # will check cachix again for whether Eval has finished. If no Eval result from the # target branch can be found the second time, we proceed to run it in here. Attrpaths # generation takes roughly 30 seconds, so for every normal use-case this should be more # than enough of a head start for Eval on the target branch to finish. # This edge-case, that Eval on the target branch is delayed is unlikely to happen anyway: # For a commit to become the target commit of a PR, it must *already* be on the branch. # Normally, CI should always start running on that push event *before* it starts running # on the PR. - name: Evaluate the ${{ matrix.system }} attribute paths at the target commit if: inputs.targetSha env: MATRIX_SYSTEM: ${{ matrix.system }} run: | nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A eval.attrpathsSuperset \ --argstr evalSystem "$MATRIX_SYSTEM" \ --argstr nixPath "nixVersions.latest" - name: Evaluate the ${{ matrix.system }} output paths at the target commit if: inputs.targetSha env: MATRIX_SYSTEM: ${{ matrix.system }} # This should be very quick, because it pulls the eval results from Cachix. # This must match the default version set in the Merge Queue. VERSION: lixPackageSets.latest.lix # This is very quick, because it pulls the eval results from Cachix. 
run: | nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A eval.singleSystem \ --argstr evalSystem "$MATRIX_SYSTEM" \ --arg chunkSize 8000 \ --argstr nixPath "nixVersions.latest" \ --argstr nixPath "$VERSION" \ --out-link target - name: Compare outpaths against the target branch Loading .github/workflows/merge-group.yml +33 −0 Original line number Diff line number Diff line Loading @@ -17,6 +17,21 @@ on: permissions: {} jobs: prepare: runs-on: ubuntu-24.04-arm outputs: systems: ${{ steps.systems.outputs.systems }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: sparse-checkout: | ci/supportedSystems.json - name: Load supported systems id: systems run: | echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT" lint: name: Lint uses: ./.github/workflows/lint.yml Loading @@ -26,6 +41,23 @@ jobs: mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} eval: name: Eval needs: [prepare] uses: ./.github/workflows/eval.yml # The eval workflow requests these permissions so we must explicitly allow them, # even though they are unused when working with the merge queue. permissions: # compare statuses: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} systems: ${{ needs.prepare.outputs.systems }} # This must match the version in Eval's target step. defaultVersion: lixPackageSets.latest.lix # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block the Merge Queue. unlock: Loading @@ -33,6 +65,7 @@ jobs: # Modify this list to add or remove jobs from required status checks. needs: - lint - eval runs-on: ubuntu-24.04-arm permissions: statuses: write Loading .github/workflows/pr.yml +1 −0 Original line number Diff line number Diff line Loading 
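Review bot: The target-commit step pins `VERSION: lixPackageSets.latest.lix` as a literal while the merge-commit step now takes `inputs.defaultVersion`, so when pr.yml passes `defaultVersion: nixVersions.latest` the two sides of the outpath comparison are evaluated with different evaluators, and any divergence between them would surface as changes the PR did not make; keeping the trusted target step independent of a caller-supplied version is reasonable, but that trade-off deserves a comment on the `VERSION` line. The same literal is repeated in merge-group.yml with a pair of "must match" comments that do not name each other, so I would make both cross-references explicit, e.g. `# Must match defaultVersion in merge-group.yml's eval job; the Cachix lookup below only hits if the merge queue evaluated with the same version.` With the attrpathsSuperset head-start step removed, `# This is very quick, because it pulls the eval results from Cachix.` is only true when the merge-queue result for the target is already cached; otherwise this step is a full evaluation at chunkSize 8000, so I would write `# Quick when the merge queue's result for the target is already in Cachix; otherwise this is a full evaluation.` The job containing these steps starts before this hunk.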
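Review bot: With push.yml deleted, the new `eval` job here is the only producer of the Cachix results that eval.yml's target-commit step looks up, and the merge-queue event only covers commits that land through the queue. The removed push.yml also ran on `staging`, `release-*`, `staging-*` and `haskell-updates`; if any of those still receive direct pushes or merges outside the queue, every PR against them will miss in Cachix and fall back to a full target evaluation, which is worth confirming and stating on the job, e.g. `# Replaces push.yml: target-commit eval results are published to Cachix only for commits that land via the merge queue.` The `prepare` job is a verbatim copy of the one removed from push.yml, so the `statuses: write` grant and `CACHIX_AUTH_TOKEN` secret are now exposed to a second caller of eval.yml; the existing comment explains the grant is required by the reusable workflow, which is fine, but it may be worth naming in that comment that the token is only used to push results. The `unlock` hunk that adds `- eval` to `needs` means a Cachix push failure now blocks the queue, which appears intended.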
@@ -86,6 +86,7 @@ jobs: mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} systems: ${{ needs.prepare.outputs.systems }} defaultVersion: nixVersions.latest testVersions: ${{ contains(fromJSON(needs.prepare.outputs.touched), 'pinned') && !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development') }} labels: Loading .github/workflows/push.ymldeleted 100644 → 0 +0 −50 Original line number Diff line number Diff line name: Push on: push: branches: - master - staging - release-* - staging-* - haskell-updates workflow_call: inputs: mergedSha: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true permissions: {} jobs: prepare: runs-on: ubuntu-24.04-arm outputs: systems: ${{ steps.systems.outputs.systems }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: sparse-checkout: | ci/supportedSystems.json - name: Load supported systems id: systems run: | echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT" eval: name: Eval needs: [prepare] uses: ./.github/workflows/eval.yml # Those are not actually used on push, but will throw an error if not set. permissions: # compare statuses: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: mergedSha: ${{ inputs.mergedSha || github.sha }} systems: ${{ needs.prepare.outputs.systems }} .github/workflows/test.yml +1 −19 Original line number Diff line number Diff line Loading @@ -48,6 +48,7 @@ jobs: })).map(file => file.filename) if (files.some(file => [ '.github/workflows/eval.yml', '.github/workflows/lint.yml', '.github/workflows/merge-group.yml', '.github/workflows/test.yml', Loading 
@@ -65,12 +66,6 @@ jobs: '.github/workflows/test.yml', ].includes(file))) core.setOutput('pr', true) if (files.some(file => [ '.github/workflows/eval.yml', '.github/workflows/push.yml', '.github/workflows/test.yml', ].includes(file))) core.setOutput('push', true) merge-group: if: needs.prepare.outputs.merge-group name: Merge Group Loading Loading @@ -98,16 +93,3 @@ jobs: secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} push: if: needs.prepare.outputs.push name: Push needs: [prepare] uses: ./.github/workflows/push.yml # Those are not actually used on the push or pull_request events, but will throw an error if not set. permissions: statuses: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: mergedSha: ${{ needs.prepare.outputs.mergedSha }} Loading
.github/workflows/eval.yml +8 −23 Original line number Diff line number Diff line Loading @@ -11,6 +11,9 @@ on: systems: required: true type: string defaultVersion: required: true type: string testVersions: required: false default: false Loading Loading @@ -105,7 +108,7 @@ jobs: - name: Evaluate the ${{ matrix.system }} output paths at the merge commit env: MATRIX_SYSTEM: ${{ matrix.system }} MATRIX_VERSION: ${{ matrix.version || 'nixVersions.latest' }} MATRIX_VERSION: ${{ matrix.version || inputs.defaultVersion }} run: | nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A eval.singleSystem \ --argstr evalSystem "$MATRIX_SYSTEM" \ Loading 
@@ -115,36 +118,18 @@ jobs: # If it uses too much memory, slightly decrease chunkSize. # Note: Keep the same further down in sync! # Running the attrpath generation step separately from the outpath step afterwards. # The idea is that, *if* Eval on the target branch has not finished, yet, we will # generate the attrpaths in the meantime - and the separate command command afterwards # will check cachix again for whether Eval has finished. If no Eval result from the # target branch can be found the second time, we proceed to run it in here. Attrpaths # generation takes roughly 30 seconds, so for every normal use-case this should be more # than enough of a head start for Eval on the target branch to finish. # This edge-case, that Eval on the target branch is delayed is unlikely to happen anyway: # For a commit to become the target commit of a PR, it must *already* be on the branch. # Normally, CI should always start running on that push event *before* it starts running # on the PR. - name: Evaluate the ${{ matrix.system }} attribute paths at the target commit if: inputs.targetSha env: MATRIX_SYSTEM: ${{ matrix.system }} run: | nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A eval.attrpathsSuperset \ --argstr evalSystem "$MATRIX_SYSTEM" \ --argstr nixPath "nixVersions.latest" - name: Evaluate the ${{ matrix.system }} output paths at the target commit if: inputs.targetSha env: MATRIX_SYSTEM: ${{ matrix.system }} # This should be very quick, because it pulls the eval results from Cachix. # This must match the default version set in the Merge Queue. VERSION: lixPackageSets.latest.lix # This is very quick, because it pulls the eval results from Cachix. run: | nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A eval.singleSystem \ --argstr evalSystem "$MATRIX_SYSTEM" \ --arg chunkSize 8000 \ --argstr nixPath "nixVersions.latest" \ --argstr nixPath "$VERSION" \ --out-link target - name: Compare outpaths against the target branch Loading
.github/workflows/merge-group.yml +33 −0 Original line number Diff line number Diff line Loading @@ -17,6 +17,21 @@ on: permissions: {} jobs: prepare: runs-on: ubuntu-24.04-arm outputs: systems: ${{ steps.systems.outputs.systems }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: sparse-checkout: | ci/supportedSystems.json - name: Load supported systems id: systems run: | echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT" lint: name: Lint uses: ./.github/workflows/lint.yml Loading @@ -26,6 +41,23 @@ jobs: mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} eval: name: Eval needs: [prepare] uses: ./.github/workflows/eval.yml # The eval workflow requests these permissions so we must explicitly allow them, # even though they are unused when working with the merge queue. permissions: # compare statuses: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} systems: ${{ needs.prepare.outputs.systems }} # This must match the version in Eval's target step. defaultVersion: lixPackageSets.latest.lix # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block the Merge Queue. unlock: Loading @@ -33,6 +65,7 @@ jobs: # Modify this list to add or remove jobs from required status checks. needs: - lint - eval runs-on: ubuntu-24.04-arm permissions: statuses: write Loading
.github/workflows/pr.yml +1 −0 Original line number Diff line number Diff line Loading @@ -86,6 +86,7 @@ jobs: mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} systems: ${{ needs.prepare.outputs.systems }} defaultVersion: nixVersions.latest testVersions: ${{ contains(fromJSON(needs.prepare.outputs.touched), 'pinned') && !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development') }} labels: Loading
.github/workflows/push.ymldeleted 100644 → 0 +0 −50 Original line number Diff line number Diff line name: Push on: push: branches: - master - staging - release-* - staging-* - haskell-updates workflow_call: inputs: mergedSha: required: true type: string secrets: CACHIX_AUTH_TOKEN: required: true permissions: {} jobs: prepare: runs-on: ubuntu-24.04-arm outputs: systems: ${{ steps.systems.outputs.systems }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: sparse-checkout: | ci/supportedSystems.json - name: Load supported systems id: systems run: | echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT" eval: name: Eval needs: [prepare] uses: ./.github/workflows/eval.yml # Those are not actually used on push, but will throw an error if not set. permissions: # compare statuses: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: mergedSha: ${{ inputs.mergedSha || github.sha }} systems: ${{ needs.prepare.outputs.systems }}
.github/workflows/test.yml +1 −19 Original line number Diff line number Diff line Loading @@ -48,6 +48,7 @@ jobs: })).map(file => file.filename) if (files.some(file => [ '.github/workflows/eval.yml', '.github/workflows/lint.yml', '.github/workflows/merge-group.yml', '.github/workflows/test.yml', Loading @@ -65,12 +66,6 @@ jobs: '.github/workflows/test.yml', ].includes(file))) core.setOutput('pr', true) if (files.some(file => [ '.github/workflows/eval.yml', '.github/workflows/push.yml', '.github/workflows/test.yml', ].includes(file))) core.setOutput('push', true) merge-group: if: needs.prepare.outputs.merge-group name: Merge Group Loading Loading @@ -98,16 +93,3 @@ jobs: secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} push: if: needs.prepare.outputs.push name: Push needs: [prepare] uses: ./.github/workflows/push.yml # Those are not actually used on the push or pull_request events, but will throw an error if not set. permissions: statuses: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: mergedSha: ${{ needs.prepare.outputs.mergedSha }}