---
# Workflow name as shown in the Actions UI and used in the concurrency key below.
name: 'PR'

# Triggers:
#   - pull_request_target: runs in the context of the base repository, which is
#     why the checkout in `prepare` deliberately does not fetch the PR head.
#   - workflow_call: allows another workflow (e.g. a Test workflow) to reuse this
#     one; the secrets it must forward are declared here.
on:
  pull_request_target:
  workflow_call:
    secrets:
      CACHIX_AUTH_TOKEN:
        required: true
      NIXPKGS_CI_APP_PRIVATE_KEY:
        required: true
      OWNER_APP_PRIVATE_KEY:
        # The Test workflow should not actually request reviews from owners.
        required: false

# One in-flight run per (workflow, event, PR); falls back to the run id when the
# event carries no PR number. A newer run cancels the older one.
concurrency:
  group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

# Deny every GITHUB_TOKEN permission by default; each job opts in to what it needs.
permissions: {}

jobs:
  # Computes the branch / commit metadata every other job consumes. The actual
  # work is done by ci/github-script/prepare.js, which is not shown here.
  prepare:
    runs-on: ubuntu-24.04-arm
    permissions:
      # wrong branch review comment
      pull-requests: write
    outputs:
      baseBranch: ${{ steps.prepare.outputs.base }}
      headBranch: ${{ steps.prepare.outputs.head }}
      mergedSha: ${{ steps.prepare.outputs.mergedSha }}
      targetSha: ${{ steps.prepare.outputs.targetSha }}
      systems: ${{ steps.prepare.outputs.systems }}
      touched: ${{ steps.prepare.outputs.touched }}
    steps:
      # No `ref:` is given, so this checks out the ref GitHub selects for the
      # triggering event (not the PR head), and only the ci/github-script tree.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          sparse-checkout-cone-mode: true # default, for clarity
          sparse-checkout: |
            ci/github-script
      - id: prepare
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            // `dry` is set for plain pull_request events; what prepare.js does
            // with it is defined in that script.
            require('./ci/github-script/prepare.js')({
              github,
              context,
              core,
              dry: context.eventName === 'pull_request',
            })

  check:
    name: 'Check'
    uses: ./.github/workflows/check.yml
    needs:
      - prepare
    permissions:
      # cherry-picks
      pull-requests: write
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      headBranch: ${{ needs.prepare.outputs.headBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  lint:
    name: 'Lint'
    uses: ./.github/workflows/lint.yml
    needs:
      - prepare
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  eval:
    name: 'Eval'
    uses: ./.github/workflows/eval.yml
    needs:
      - prepare
    permissions:
      # compare
      statuses: write
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}
      systems: ${{ needs.prepare.outputs.systems }}
      # Only test versions when the PR touches something marked 'pinned' and the
      # head branch is not of type 'development'.
      testVersions: >-
        ${{ contains(fromJSON(needs.prepare.outputs.touched), 'pinned')
        && !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development') }}

  labels:
    name: 'Labels'
    uses: ./.github/workflows/labels.yml
    needs:
      - prepare
      - eval
    permissions:
      issues: write
      pull-requests: write
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
    with:
      headBranch: ${{ needs.prepare.outputs.headBranch }}

  reviewers:
    name: 'Reviewers'
    uses: ./.github/workflows/reviewers.yml
    needs:
      - prepare
      - eval
    # Skipped when there is no target commit or the head branch is a
    # 'development' branch.
    if: >-
      needs.prepare.outputs.targetSha &&
      !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development')
    secrets:
      OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}

  build:
    name: 'Build'
    uses: ./.github/workflows/build.yml
    needs:
      - prepare
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}

  # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block merging a PR.
  unlock:
    # `always()` makes this run even when a needed job failed, so the status can
    # be reported as an error instead of never being set.
    if: github.event_name != 'pull_request' && always()
    # Modify this list to add or remove jobs from required status checks.
    needs:
      - check
      - lint
      - eval
      - build
    runs-on: ubuntu-24.04-arm
    permissions:
      statuses: write
    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          # Job results are handed to the script through the environment and
          # parsed as JSON rather than being interpolated into the script text.
          RESULTS: ${{ toJSON(needs.*.result) }}
        with:
          script: |
            const { serverUrl, repo, runId, payload } = context
            // Any result other than 'success' (failure, cancelled, skipped)
            // marks the status as an error.
            const results = JSON.parse(process.env.RESULTS)
            const allSucceeded = results.every(result => result === 'success')
            await github.rest.repos.createCommitStatus({
              ...repo,
              sha: payload.pull_request.head.sha,
              // WARNING:
              // Do NOT change the name of this, otherwise the rule will not catch it anymore.
              // This would prevent all PRs from merging.
              context: 'no PR failures',
              state: allSucceeded ? 'success' : 'error',
              target_url: `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}`,
            })