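# Reusable PR check workflow: validates the commits of a PR (and, for stable
# targets, cherry-pick references) and validates the CODEOWNERS-style OWNERS
# file. The caller passes branch metadata as JSON strings plus the merge and
# target SHAs; the Cachix token is the only secret this workflow receives.
#
# Trust model (see the per-job comments):
#   - `commits` runs reviewer-controlled code from the base checkout ("trusted")
#     and is the only job that holds a write-capable token.
#   - `owners` evaluates and executes code taken from the PR merge commit
#     ("untrusted") and therefore must never be granted any other secret or
#     GITHUB_TOKEN permission.
name: Check

on:
  workflow_call:
    inputs:
      # JSON-encoded branch descriptors produced by the caller; `baseBranch.stable`
      # and `headBranch.type` are the fields read below.
      baseBranch:
        required: true
        type: string
      headBranch:
        required: true
        type: string
      # SHA of the PR merge commit; everything checked out at this SHA is PR-controlled.
      mergedSha:
        required: true
        type: string
      # Declared for callers; not consumed by any step in this file.
      targetSha:
        required: true
        type: string
    secrets:
      CACHIX_AUTH_TOKEN:
        required: true

# Default-deny: every job gets an empty GITHUB_TOKEN scope set unless it opts in
# with its own `permissions` block.
permissions: {}

defaults:
  run:
    shell: bash

jobs:
  commits:
    # `pull-requests: write` is needed because commits.js (loaded from the trusted
    # checkout) uses the `github` client to act on the PR. Keep this the only
    # scope; nothing from the PR's tree is executed in this job.
    permissions:
      pull-requests: write
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 3
    steps:
      # Default ref checkout into `trusted`. This is only trusted when the caller
      # runs on an event whose default ref is the base branch (e.g. pull_request_target);
      # under a plain `pull_request` event the default ref is the PR merge ref, which is
      # why that case runs in dry mode below — NOTE(review): confirm the caller's event.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          path: trusted
          sparse-checkout: |
            ci/github-script

      # Supply-chain: this resolves the latest `bottleneck` from the npm registry at
      # run time, in a job that holds a write-capable token. `--ignore-scripts` stops
      # any install-time lifecycle script from running; the package code itself still
      # runs when commits.js requires it. TODO(review): pin an exact version (ideally
      # via a committed lockfile and `npm ci`) so a registry change cannot alter this job.
      - name: Install dependencies
        run: npm install --ignore-scripts bottleneck

      - name: Log current API rate limits
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq

      - name: Check commits
        id: check
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          # Evaluated as an expression into an env var (not interpolated into a shell
          # line), so the caller-supplied JSON cannot inject into a command. Stable
          # targets are base branches flagged `stable` whose head branch is not a
          # development branch.
          TARGETS_STABLE: ${{ fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development') }}
        with:
          script: |
            const targetsStable = JSON.parse(process.env.TARGETS_STABLE)
            // Load the checker from the trusted checkout, never from the PR's tree.
            require('./trusted/ci/github-script/commits.js')({
              github,
              context,
              core,
              // pull_request events (e.g. fork CI) have no write token on the base repo.
              dry: context.eventName == 'pull_request',
              cherryPicks: context.eventName == 'pull_request' || targetsStable,
            })

      - name: Log current API rate limits
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq

  owners:
    # Explicitly no GITHUB_TOKEN scopes: this job builds and executes code from the
    # PR merge commit. Do not add permissions or secrets here beyond the Cachix token.
    permissions: {}
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 5
    steps:
      # Only the repo-local composite action is taken from the default ref.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          sparse-checkout: .github/actions
      # Checks out the PR merge commit under `nixpkgs/untrusted`; every path under it
      # is attacker-controlled from this point on.
      - name: Checkout merge and target commits
        uses: ./.github/actions/checkout
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}

      - uses: cachix/install-nix-action@9280e7aca88deada44c930f1e2c78e21c3ae3edd # v31

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its
          # forks' CI: the store paths built in this job come from PR-controlled Nix
          # expressions, and (presumably via the action's post-step) end up pushed to
          # this cache. The auth token is also present on the same runner as the
          # PR-controlled binary executed below — treat it as exposed to the PR.
          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
          extraPullNames: nixpkgs-ci
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
          # Keep `-source` store paths (fetched sources) out of the cache.
          pushFilter: -source$

      # Both the ci/ expression and the pinned nixpkgs it is evaluated against come
      # from the untrusted checkout. The build itself runs in the Nix sandbox, but
      # evaluation and the result are entirely PR-controlled.
      - name: Build codeowners validator
        run: nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A codeownersValidator

      # Runs the PR-built binary unsandboxed on the runner. Anything readable by this
      # process (including the Cachix configuration written above) must be assumed
      # readable by the PR author.
      - name: Validate codeowners
        env:
          OWNERS_FILE: nixpkgs/untrusted/ci/OWNERS
          REPOSITORY_PATH: nixpkgs/untrusted
          # Omits "owners", which checks whether GitHub handles exist, but fails with nested team
          # structures.
          CHECKS: "duppatterns,files,syntax"
          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
          EXPERIMENTAL_CHECKS: "avoid-shadowing"
        run: result/bin/codeowners-validator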