commit 89cbfde96de175f6134b6605d9d52fd38e2b3f6d · pyrox.dev/nixpkgs

+5 -8

.github/CODEOWNERS

···

       14
        
       # CI

     

       15
        
       /.github/workflows @NixOS/Security @Mic92 @zowoq

     

       16
        
       /.github/workflows/check-nix-format.yml @infinisil

     

       17
       -
       /ci @infinisil @NixOS/Security

     

       0
        
       
     

       18
        
       

     

       19
       -
       # Develompent support

     

       20
        
       /.editorconfig @Mic92 @zowoq

     

       21
        
       /shell.nix @infinisil @NixOS/Security

     

       22
        
       

     
···

       43
        
       /pkgs/top-level/stage.nix                        @Ericson2314

     

       44
        
       /pkgs/top-level/splice.nix                       @Ericson2314

     

       45
        
       /pkgs/top-level/release-cross.nix                @Ericson2314

     

       0
        
       
     

       46
        
       /pkgs/stdenv                                     @philiptaron

     

       47
        
       /pkgs/stdenv/generic                             @Ericson2314

     

       48
        
       /pkgs/stdenv/generic/check-meta.nix              @Ericson2314

     
···

       58
        
       /pkgs/pkgs-lib/formats/libconfig                 @h7x4

     

       59
        
       /pkgs/pkgs-lib/formats/hocon                     @h7x4

     

       60
        
       

     

       61
       -
       # pkgs/by-name

     

       62
       -
       /pkgs/test/check-by-name @infinisil

     

       63
       -
       /pkgs/by-name/README.md @infinisil

     

       64
       -
       /pkgs/top-level/by-name-overlay.nix @infinisil

     

       65
       -
       /.github/workflows/check-by-name.yml @infinisil

     

       66
       -
       

     

       67
        
       # Nixpkgs build-support

     

       68
        
       /pkgs/build-support/writers @lassulus @Profpatsch

     

       69
        
       

     
···

       91
        
       /doc/README.md @infinisil

     

       92
        
       /nixos/README.md @infinisil

     

       93
        
       /pkgs/README.md @infinisil

     

       0
        
       
     

       94
        
       /maintainers/README.md @infinisil

     

       95
        
       

     

       96
        
       # User-facing development documentation

···

       14
        
       # CI

     

       15
        
       /.github/workflows @NixOS/Security @Mic92 @zowoq

     

       16
        
       /.github/workflows/check-nix-format.yml @infinisil

     

       17
       +
       /.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron

     

       18
       +
       /ci @infinisil @philiptaron @NixOS/Security

     

       19
        
       

     

       20
       +
       # Development support

     

       21
        
       /.editorconfig @Mic92 @zowoq

     

       22
        
       /shell.nix @infinisil @NixOS/Security

     

       23
        
       

     
···

       44
        
       /pkgs/top-level/stage.nix                        @Ericson2314

     

       45
        
       /pkgs/top-level/splice.nix                       @Ericson2314

     

       46
        
       /pkgs/top-level/release-cross.nix                @Ericson2314

     

       47
       +
       /pkgs/top-level/by-name-overlay.nix              @infinisil @philiptaron

     

       48
        
       /pkgs/stdenv                                     @philiptaron

     

       49
        
       /pkgs/stdenv/generic                             @Ericson2314

     

       50
        
       /pkgs/stdenv/generic/check-meta.nix              @Ericson2314

     
···

       60
        
       /pkgs/pkgs-lib/formats/libconfig                 @h7x4

     

       61
        
       /pkgs/pkgs-lib/formats/hocon                     @h7x4

     

       62
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       63
        
       # Nixpkgs build-support

     

       64
        
       /pkgs/build-support/writers @lassulus @Profpatsch

     

       65
        
       

     
···

       87
        
       /doc/README.md @infinisil

     

       88
        
       /nixos/README.md @infinisil

     

       89
        
       /pkgs/README.md @infinisil

     

       90
       +
       /pkgs/by-name/README.md @infinisil

     

       91
        
       /maintainers/README.md @infinisil

     

       92
        
       

     

       93
        
       # User-facing development documentation

+25 -36

.github/workflows/check-by-name.yml .github/workflows/nixpkgs-vet.yml

···

       1
       -
       # Checks pkgs/by-name (see pkgs/by-name/README.md)

     

       2
       -
       # using the nixpkgs-check-by-name tool (see https://github.com/NixOS/nixpkgs-check-by-name)

     

       3
       -
       #

     

       4
       -
       # When you make changes to this workflow, also update pkgs/test/check-by-name/run-local.sh adequately

     

       5
        
       name: Check pkgs/by-name

     

       6
        
       

     

       7
        
       on:

     

       8
       -
         # Using pull_request_target instead of pull_request avoids having to approve first time contributors

     

       9
        
         pull_request_target:

     

       10
       -
           # This workflow depends on the base branch of the PR,

     

       11
       -
           # but changing the base branch is not included in the default trigger events,

     

       12
       -
           # which would be `opened`, `synchronize` or `reopened`.

     

       13
       -
           # Instead it causes an `edited` event, so we need to add it explicitly here

     

       14
       -
           # While `edited` is also triggered when the PR title/body is changed,

     

       15
       -
           # this PR action is fairly quick, and PR's don't get edited that often,

     

       16
       -
           # so it shouldn't be a problem

     

       17
       -
           # There is a feature request for adding a `base_changed` event:

     

       18
       -
           # https://github.com/orgs/community/discussions/35058

     

       19
        
           types: [opened, synchronize, reopened, edited]

     

       20
        
       

     

       21
        
       permissions: {}

     

       22
        
       

     

       23
       -
       # We don't use a concurrency group here, because the action is triggered quite often (due to the PR edit

     

       24
       -
       # trigger), and contributers would get notified on any canceled run.

     

       25
       -
       # There is a feature request for supressing notifications on concurrency-canceled runs:

     

       26
       -
       # https://github.com/orgs/community/discussions/13015

     

       27
        
       

     

       28
        
       jobs:

     

       29
        
         check:

     

       30
        
           name: pkgs-by-name-check

     

       31
       -
           # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases

     

       32
        
           runs-on: ubuntu-latest

     

       33
       -
           # This should take 1 minute at most, but let's be generous.

     

       34
       -
           # The default of 6 hours is definitely too long

     

       35
        
           timeout-minutes: 10

     

       36
        
           steps:

     

       37
       -
             # This step has to be in this file,

     

       38
       -
             # because it's needed to determine which revision of the repository to fetch,

     

       39
       -
             # and we can only use other files from the repository once it's fetched.

     

       40
        
             - name: Resolving the merge commit

     

       41
        
               env:

     

       42
        
                 GH_TOKEN: ${{ github.token }}

     
···

       99
        
               if: env.mergedSha

     

       100
        
             - name: Fetching the pinned tool

     

       101
        
               if: env.mergedSha

     

       102
       -
               # Update the pinned version using pkgs/test/check-by-name/update-pinned-tool.sh

     

       103
        
               run: |

     

       104
       -
                 # The pinned version of the tooling to use

     

       105
       -
                 toolVersion=$(<pkgs/test/check-by-name/pinned-version.txt)

     

       106
       -
                 # Fetch the x86_64-linux-specific release artifact containing the Gzipped NAR of the pre-built tool

     

       107
       -
                 toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-check-by-name/releases/download/"$toolVersion"/x86_64-linux.nar.gz \

     

       0
        
       
     

       108
        
                   | gzip -cd | nix-store --import | tail -1)

     

       109
       -
                 # Adds a result symlink as a GC root

     

       0
        
       
     

       110
        
                 nix-store --realise "$toolPath" --add-root result

     

       111
       -
             - name: Running nixpkgs-check-by-name

     

       112
        
               if: env.mergedSha

     

       113
        
               env:

     

       114
       -
                 # Force terminal colors to be enabled. The library that

     

       115
       -
                 # nixpkgs-check-by-name uses respects: https://bixense.com/clicolors/

     

       116
        
                 CLICOLOR_FORCE: 1

     

       117
        
               run: |

     

       118
       -
                 if result/bin/nixpkgs-check-by-name --base "$base" .; then

     

       119
        
                   exit 0

     

       120
        
                 else

     

       121
        
                   exitCode=$?

     

       122
       -
                   echo "To run locally: ./maintainers/scripts/check-by-name.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"

     

       123
       -
                   echo "If you're having trouble, ping @NixOS/nixpkgs-check-by-name"

     

       124
        
                   exit "$exitCode"

     

       125
        
                 fi

···

       1
       +
       # Checks pkgs/by-name (see pkgs/by-name/README.md) using the `nixpkgs-vet` tool (see https://github.com/NixOS/nixpkgs-vet)

     

       2
       +
       # When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI.

     

       0
        
       
     

       0
        
       
     

       3
        
       name: Check pkgs/by-name

     

       4
        
       

     

       5
        
       on:

     

       6
       +
         # Using pull_request_target instead of pull_request avoids having to approve first time contributors.

     

       7
        
         pull_request_target:

     

       8
       +
           # This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.

     

       9
       +
           # Instead it causes an `edited` event, so we need to add it explicitly here.

     

       10
       +
           # While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem.

     

       11
       +
           # There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       12
        
           types: [opened, synchronize, reopened, edited]

     

       13
        
       

     

       14
        
       permissions: {}

     

       15
        
       

     

       16
       +
       # We don't use a concurrency group here, because the action is triggered quite often (due to the PR edit trigger), and contributors would get notified on any canceled run.

     

       17
       +
       # There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015

     

       0
        
       
     

       0
        
       
     

       18
        
       

     

       19
        
       jobs:

     

       20
        
         check:

     

       21
        
           name: pkgs-by-name-check

     

       22
       +
           # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases.

     

       23
        
           runs-on: ubuntu-latest

     

       24
       +
           # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.

     

       0
        
       
     

       25
        
           timeout-minutes: 10

     

       26
        
           steps:

     

       27
       +
             # This step has to be in this file, because it's needed to determine which revision of the repository to fetch, and we can only use other files from the repository once it's fetched.

     

       0
        
       
     

       0
        
       
     

       28
        
             - name: Resolving the merge commit

     

       29
        
               env:

     

       30
        
                 GH_TOKEN: ${{ github.token }}

     
···

       87
        
               if: env.mergedSha

     

       88
        
             - name: Fetching the pinned tool

     

       89
        
               if: env.mergedSha

     

       90
       +
               # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh

     

       91
        
               run: |

     

       92
       +
                 # The pinned version of the tooling to use.

     

       93
       +
                 toolVersion=$(<ci/nixpkgs-vet/pinned-version.txt)

     

       94
       +
       

     

       95
       +
                 # Fetch the x86_64-linux-specific release artifact containing the gzipped NAR of the pre-built tool.

     

       96
       +
                 toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-vet/releases/download/"$toolVersion"/x86_64-linux.nar.gz \

     

       97
        
                   | gzip -cd | nix-store --import | tail -1)

     

       98
       +
       

     

       99
       +
                 # Adds a result symlink as a GC root.

     

       100
        
                 nix-store --realise "$toolPath" --add-root result

     

       101
       +
             - name: Running nixpkgs-vet

     

       102
        
               if: env.mergedSha

     

       103
        
               env:

     

       104
       +
                 # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/

     

       0
        
       
     

       105
        
                 CLICOLOR_FORCE: 1

     

       106
        
               run: |

     

       107
       +
                 if result/bin/nixpkgs-vet --base "$base" .; then

     

       108
        
                   exit 0

     

       109
        
                 else

     

       110
        
                   exitCode=$?

     

       111
       +
                   echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"

     

       112
       +
                   echo "If you're having trouble, ping @NixOS/nixpkgs-vet"

     

       113
        
                   exit "$exitCode"

     

       114
        
                 fi

+1 -1

.github/workflows/check-nix-format.yml

···

       7
        
       

     

       8
        
       on:

     

       9
        
         pull_request_target:

     

       10
       -
           # See the comment at the same location in ./check-by-name.yml

     

       11
        
           types: [opened, synchronize, reopened, edited]

     

       12
        
       permissions:

     

       13
        
         contents: read

···

       7
        
       

     

       8
        
       on:

     

       9
        
         pull_request_target:

     

       10
       +
           # See the comment at the same location in ./nixpkgs-vet.yml

     

       11
        
           types: [opened, synchronize, reopened, edited]

     

       12
        
       permissions:

     

       13
        
         contents: read

+31

ci/README.md

···

       10
        
       [`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra.

     

       11
        
       

     

       12
        
       Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it.

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0

···

       10
        
       [`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra.

     

       11
        
       

     

       12
        
       Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it.

     

       13
       +
       

     

       14
       +
       ## `ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]`

     

       15
       +
       

     

       16
       +
       Runs the [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) on the HEAD commit, closely matching what CI does. This can't do exactly the same as CI, because CI needs to rely on GitHub's server-side Git history to compute the mergeability of PRs before the check can be started.

     

       17
       +
       In turn, when contributors are running this tool locally, we don't want to have to push commits to test them, and we can also rely on the local Git history to do the mergeability check.

     

       18
       +
       

     

       19
       +
       Arguments:

     

       20
       +
       

     

       21
       +
       - `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05

     

       22
       +
       - `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>.

     

       23
       +
       

     

       24
       +
       ## `ci/nixpkgs-vet`

     

       25
       +
       

     

       26
       +
       This directory contains scripts and files used and related to [`nixpkgs-vet`](https://github.com/NixOS/nixpkgs-vet/), which the CI uses to implement `pkgs/by-name` checks, along with many other Nixpkgs architecture rules.

     

       27
       +
       See also the [CI GitHub Action](../.github/workflows/nixpkgs-vet.yml).

     

       28
       +
       

     

       29
       +
       ## `ci/nixpkgs-vet/update-pinned-tool.sh`

     

       30
       +
       

     

       31
       +
       Updates the pinned [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) in [`ci/nixpkgs-vet/pinned-version.txt`](./nixpkgs-vet/pinned-version.txt) to the latest [release](https://github.com/NixOS/nixpkgs-vet/releases).

     

       32
       +
       

     

       33
       +
       Each release contains a pre-built `x86_64-linux` version of the tool which is used by CI.

     

       34
       +
       

     

       35
       +
       This script currently needs to be called manually when the CI tooling needs to be updated.

     

       36
       +
       

     

       37
       +
       Why not just build the tooling right from the PRs Nixpkgs version?

     

       38
       +
       

     

       39
       +
       - Because it allows CI to check all PRs, even if they would break the CI tooling.

     

       40
       +
       - Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.

     

       41
       +
       - Because it improves security, since we don't have to build potentially untrusted code from PRs.

     

       42
       +
         The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).

     

       43
       +

+71

ci/nixpkgs-vet.sh

···

       1
       +
       #!/usr/bin/env nix-shell

     

       2
       +
       #!nix-shell -i bash -p jq

     

       3
       +
       

     

       4
       +
       set -o pipefail -o errexit -o nounset

     

       5
       +
       

     

       6
       +
       trace() { echo >&2 "$@"; }

     

       7
       +
       

     

       8
       +
       tmp=$(mktemp -d)

     

       9
       +
       cleanup() {

     

       10
       +
           # Don't exit early if anything fails to cleanup

     

       11
       +
           set +o errexit

     

       12
       +
       

     

       13
       +
           trace -n "Cleaning up.. "

     

       14
       +
       

     

       15
       +
           [[ -e "$tmp/base" ]] && git worktree remove --force "$tmp/base"

     

       16
       +
           [[ -e "$tmp/merged" ]] && git worktree remove --force "$tmp/merged"

     

       17
       +
       

     

       18
       +
           rm -rf "$tmp"

     

       19
       +
       

     

       20
       +
           trace "Done"

     

       21
       +
       }

     

       22
       +
       trap cleanup exit

     

       23
       +
       

     

       24
       +
       

     

       25
       +
       repo=https://github.com/NixOS/nixpkgs.git

     

       26
       +
       

     

       27
       +
       if (( $# != 0 )); then

     

       28
       +
           baseBranch=$1

     

       29
       +
           shift

     

       30
       +
       else

     

       31
       +
           trace "Usage: $0 BASE_BRANCH [REPOSITORY]"

     

       32
       +
           trace "BASE_BRANCH: The base branch to use, e.g. master or release-23.11"

     

       33
       +
           trace "REPOSITORY: The repository to fetch the base branch from, defaults to $repo"

     

       34
       +
           exit 1

     

       35
       +
       fi

     

       36
       +
       

     

       37
       +
       if (( $# != 0 )); then

     

       38
       +
           repo=$1

     

       39
       +
           shift

     

       40
       +
       fi

     

       41
       +
       

     

       42
       +
       if [[ -n "$(git status --porcelain)" ]]; then

     

       43
       +
           trace -e "\e[33mWarning: Dirty tree, uncommitted changes won't be taken into account\e[0m"

     

       44
       +
       fi

     

       45
       +
       headSha=$(git rev-parse HEAD)

     

       46
       +
       trace -e "Using HEAD commit \e[34m$headSha\e[0m"

     

       47
       +
       

     

       48
       +
       trace -n "Creating Git worktree for the HEAD commit in $tmp/merged.. "

     

       49
       +
       git worktree add --detach -q "$tmp/merged" HEAD

     

       50
       +
       trace "Done"

     

       51
       +
       

     

       52
       +
       trace -n "Fetching base branch $baseBranch to compare against.. "

     

       53
       +
       git fetch -q "$repo" refs/heads/"$baseBranch"

     

       54
       +
       baseSha=$(git rev-parse FETCH_HEAD)

     

       55
       +
       trace -e "\e[34m$baseSha\e[0m"

     

       56
       +
       

     

       57
       +
       trace -n "Creating Git worktree for the base branch in $tmp/base.. "

     

       58
       +
       git worktree add -q "$tmp/base" "$baseSha"

     

       59
       +
       trace "Done"

     

       60
       +
       

     

       61
       +
       trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "

     

       62
       +
       git -C "$tmp/merged" merge -q --no-edit "$baseSha"

     

       63
       +
       trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"

     

       64
       +
       trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "

     

       65
       +
       toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")

     

       66
       +
       trace -e "\e[34m$toolVersion\e[0m"

     

       67
       +
       

     

       68
       +
       trace -n "Building tool.. "

     

       69
       +
       nix-build https://github.com/NixOS/nixpkgs-vet/tarball/"$toolVersion" -o "$tmp/tool" -A build

     

       70
       +
       trace "Running nixpkgs-vet.."

     

       71
       +
       "$tmp/tool/bin/nixpkgs-vet" --base "$tmp/base" "$tmp/merged"

ci/nixpkgs-vet/pinned-version.txt

···

       0

+22

ci/nixpkgs-vet/update-pinned-tool.sh

···

       1
       +
       #!/usr/bin/env nix-shell

     

       2
       +
       #!nix-shell -i bash -p jq curl

     

       3
       +
       

     

       4
       +
       set -o pipefail -o errexit -o nounset

     

       5
       +
       

     

       6
       +
       trace() { echo >&2 "$@"; }

     

       7
       +
       

     

       8
       +
       SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )

     

       9
       +
       

     

       10
       +
       repository=NixOS/nixpkgs-vet

     

       11
       +
       pin_file=$SCRIPT_DIR/pinned-version.txt

     

       12
       +
       

     

       13
       +
       trace -n "Fetching latest release of $repository.. "

     

       14
       +
       latestRelease=$(curl -sSfL \

     

       15
       +
         -H "Accept: application/vnd.github+json" \

     

       16
       +
         -H "X-GitHub-Api-Version: 2022-11-28" \

     

       17
       +
         https://api.github.com/repos/"$repository"/releases/latest)

     

       18
       +
       latestVersion=$(jq .tag_name -r <<< "$latestRelease")

     

       19
       +
       trace "$latestVersion"

     

       20
       +
       

     

       21
       +
       trace "Updating $pin_file"

     

       22
       +
       echo "$latestVersion" > "$pin_file"

-4

maintainers/scripts/README.md

···

       9
        
       

     

       10
        
       ## Metadata

     

       11
        
       

     

       12
       -
       ### `check-by-name.sh`

     

       13
       -
       

     

       14
       -
       An alias for `pkgs/test/check-by-name/run-local.sh`, see [documentation](../../pkgs/test/check-by-name/README.md).

     

       15
       -
       

     

       16
        
       ### `get-maintainer.sh`

     

       17
        
       

     

       18
        
       `get-maintainer.sh [selector] value` returns a JSON object describing

···

       9
        
       

     

       10
        
       ## Metadata

     

       11
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       12
        
       ### `get-maintainer.sh`

     

       13
        
       

     

       14
        
       `get-maintainer.sh [selector] value` returns a JSON object describing

+1 -1

maintainers/scripts/check-by-name.sh

···

       1
       -
       ../../pkgs/test/check-by-name/run-local.sh

···

       1
       +
       ../../ci/nixpkgs-vet.sh

+4 -4

pkgs/by-name/README.md

···

       110
        
       

     

       111
        
       ## Validation

     

       112
        
       

     

       113
       -
       CI performs [certain checks](https://github.com/NixOS/nixpkgs-check-by-name?tab=readme-ov-file#validity-checks) on the `pkgs/by-name` structure.

     

       114
       -
       This is done using the [`nixpkgs-check-by-name` tool](https://github.com/NixOS/nixpkgs-check-by-name).

     

       115
        
       

     

       116
        
       You can locally emulate the CI check using

     

       117
        
       

     

       118
        
       ```

     

       119
       -
       $ ./maintainers/scripts/check-by-name.sh master

     

       120
        
       ```

     

       121
        
       

     

       122
       -
       See [here](../../.github/workflows/check-by-name.yml) for more info.

     

       123
        
       

     

       124
        
       ## Recommendation for new packages with multiple versions

     

       125

···

       110
        
       

     

       111
        
       ## Validation

     

       112
        
       

     

       113
       +
       CI performs [certain checks](https://github.com/NixOS/nixpkgs-vet?tab=readme-ov-file#validity-checks) on the `pkgs/by-name` structure.

     

       114
       +
       This is done using the [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet).

     

       115
        
       

     

       116
        
       You can locally emulate the CI check using

     

       117
        
       

     

       118
        
       ```

     

       119
       +
       $ ./ci/nixpkgs-vet.sh master

     

       120
        
       ```

     

       121
        
       

     

       122
       +
       See [here](../../.github/workflows/nixpkgs-vet.yml) for more info.

     

       123
        
       

     

       124
        
       ## Recommendation for new packages with multiple versions

     

       125

-31

pkgs/test/check-by-name/README.md

···

       1
       -
       # `pkgs/by-name` check CI scripts

     

       2
       -
       

     

       3
       -
       This directory contains scripts and files used and related to the CI running the `pkgs/by-name` checks in Nixpkgs.

     

       4
       -
       See also the [CI GitHub Action](../../../.github/workflows/check-by-name.yml).

     

       5
       -
       

     

       6
       -
       ## `./run-local.sh BASE_BRANCH [REPOSITORY]`

     

       7
       -
       

     

       8
       -
       Runs the `pkgs/by-name` check on the HEAD commit, closely matching what CI does.

     

       9
       -
       

     

       10
       -
       Note that this can't do exactly the same as CI,

     

       11
       -
       because CI needs to rely on GitHub's server-side Git history to compute the mergeability of PRs before the check can be started.

     

       12
       -
       In turn when running locally, we don't want to have to push commits to test them,

     

       13
       -
       and we can also rely on the local Git history to do the mergeability check.

     

       14
       -
       

     

       15
       -
       Arguments:

     

       16
       -
       - `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05

     

       17
       -
       - `REPOSITORY`: The repository to fetch the base branch from, defaults to https://github.com/NixOS/nixpkgs.git

     

       18
       -
       

     

       19
       -
       ## `./update-pinned-tool.sh`

     

       20
       -
       

     

       21
       -
       Updates the pinned [nixpkgs-check-by-name tool](https://github.com/NixOS/nixpkgs-check-by-name) in [`./pinned-version.txt`](./pinned-version.txt) to the latest [release](https://github.com/NixOS/nixpkgs-check-by-name/releases).

     

       22
       -
       Each release contains a pre-built x86_64-linux version of the tool which is used by CI.

     

       23
       -
       

     

       24
       -
       This script currently needs to be called manually when the CI tooling needs to be updated.

     

       25
       -
       

     

       26
       -
       Why not just build the tooling right from the PRs Nixpkgs version?

     

       27
       -
       - Because it allows CI to check all PRs, even if they would break the CI tooling.

     

       28
       -
       - Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.

     

       29
       -
       - Because it improves security, since we don't have to build potentially untrusted code from PRs.

     

       30
       -
         The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).

     

       31
       -

-73

pkgs/test/check-by-name/run-local.sh

···

       1
       -
       #!/usr/bin/env nix-shell

     

       2
       -
       #!nix-shell -i bash -p jq

     

       3
       -
       

     

       4
       -
       set -o pipefail -o errexit -o nounset

     

       5
       -
       

     

       6
       -
       trace() { echo >&2 "$@"; }

     

       7
       -
       

     

       8
       -
       tmp=$(mktemp -d)

     

       9
       -
       cleanup() {

     

       10
       -
           # Don't exit early if anything fails to cleanup

     

       11
       -
           set +o errexit

     

       12
       -
       

     

       13
       -
           trace -n "Cleaning up.. "

     

       14
       -
       

     

       15
       -
           [[ -e "$tmp/base" ]] && git worktree remove --force "$tmp/base"

     

       16
       -
           [[ -e "$tmp/merged" ]] && git worktree remove --force "$tmp/merged"

     

       17
       -
       

     

       18
       -
           rm -rf "$tmp"

     

       19
       -
       

     

       20
       -
           trace "Done"

     

       21
       -
       }

     

       22
       -
       trap cleanup exit

     

       23
       -
       

     

       24
       -
       

     

       25
       -
       repo=https://github.com/NixOS/nixpkgs.git

     

       26
       -
       

     

       27
       -
       if (( $# != 0 )); then

     

       28
       -
           baseBranch=$1

     

       29
       -
           shift

     

       30
       -
       else

     

       31
       -
           trace "Usage: $0 BASE_BRANCH [REPOSITORY]"

     

       32
       -
           trace "BASE_BRANCH: The base branch to use, e.g. master or release-23.11"

     

       33
       -
           trace "REPOSITORY: The repository to fetch the base branch from, defaults to $repo"

     

       34
       -
           exit 1

     

       35
       -
       fi

     

       36
       -
       

     

       37
       -
       if (( $# != 0 )); then

     

       38
       -
           repo=$1

     

       39
       -
           shift

     

       40
       -
       fi

     

       41
       -
       

     

       42
       -
       if [[ -n "$(git status --porcelain)" ]]; then

     

       43
       -
           trace -e "\e[33mWarning: Dirty tree, uncommitted changes won't be taken into account\e[0m"

     

       44
       -
       fi

     

       45
       -
       headSha=$(git rev-parse HEAD)

     

       46
       -
       trace -e "Using HEAD commit \e[34m$headSha\e[0m"

     

       47
       -
       

     

       48
       -
       trace -n "Creating Git worktree for the HEAD commit in $tmp/merged.. "

     

       49
       -
       git worktree add --detach -q "$tmp/merged" HEAD

     

       50
       -
       trace "Done"

     

       51
       -
       

     

       52
       -
       trace -n "Fetching base branch $baseBranch to compare against.. "

     

       53
       -
       git fetch -q "$repo" refs/heads/"$baseBranch"

     

       54
       -
       baseSha=$(git rev-parse FETCH_HEAD)

     

       55
       -
       trace -e "\e[34m$baseSha\e[0m"

     

       56
       -
       

     

       57
       -
       trace -n "Creating Git worktree for the base branch in $tmp/base.. "

     

       58
       -
       git worktree add -q "$tmp/base" "$baseSha"

     

       59
       -
       trace "Done"

     

       60
       -
       

     

       61
       -
       trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "

     

       62
       -
       git -C "$tmp/merged" merge -q --no-edit "$baseSha"

     

       63
       -
       trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"

     

       64
       -
       

     

       65
       -
       trace -n "Reading pinned nixpkgs-check-by-name version from pinned-version.txt.. "

     

       66
       -
       toolVersion=$(<"$tmp/merged/pkgs/test/check-by-name/pinned-version.txt")

     

       67
       -
       trace -e "\e[34m$toolVersion\e[0m"

     

       68
       -
       

     

       69
       -
       trace -n "Building tool.. "

     

       70
       -
       nix-build https://github.com/NixOS/nixpkgs-check-by-name/tarball/"$toolVersion" -o "$tmp/tool" -A build

     

       71
       -
       

     

       72
       -
       trace "Running nixpkgs-check-by-name.."

     

       73
       -
       "$tmp/tool/bin/nixpkgs-check-by-name" --base "$tmp/base" "$tmp/merged"

-22

pkgs/test/check-by-name/update-pinned-tool.sh

···

       1
       -
       #!/usr/bin/env nix-shell

     

       2
       -
       #!nix-shell -i bash -p jq curl

     

       3
       -
       

     

       4
       -
       set -o pipefail -o errexit -o nounset

     

       5
       -
       

     

       6
       -
       trace() { echo >&2 "$@"; }

     

       7
       -
       

     

       8
       -
       SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )

     

       9
       -
       

     

       10
       -
       repository=NixOS/nixpkgs-check-by-name

     

       11
       -
       pin_file=$SCRIPT_DIR/pinned-version.txt

     

       12
       -
       

     

       13
       -
       trace -n "Fetching latest release of $repository.. "

     

       14
       -
       latestRelease=$(curl -sSfL \

     

       15
       -
         -H "Accept: application/vnd.github+json" \

     

       16
       -
         -H "X-GitHub-Api-Version: 2022-11-28" \

     

       17
       -
         https://api.github.com/repos/"$repository"/releases/latest)

     

       18
       -
       latestVersion=$(jq .tag_name -r <<< "$latestRelease")

     

       19
       -
       trace "$latestVersion"

     

       20
       -
       

     

       21
       -
       trace "Updating $pin_file"

     

       22
       -
       echo "$latestVersion" > "$pin_file"