commit b139d623114e18e229921b716762f4c23b9dadca · pyrox.dev/nixpkgs

+4 -42

.github/workflows/check.yml

···

       12
        
             mergedSha:

     

       13
        
               required: true

     

       14
        
               type: string

     

       15
       -
             ownersCanFail:

     

       16
       -
               required: true

     

       17
       -
               type: boolean

     

       18
        
             targetSha:

     

       19
        
               required: true

     

       20
        
               type: string

     

       21
        
           secrets:

     

       22
        
             CACHIX_AUTH_TOKEN:

     

       23
       -
               required: true

     

       24
       -
             OWNER_RO_APP_PRIVATE_KEY:

     

       25
        
               required: true

     

       26
        
       

     

       27
        
       permissions: {}

     
···

       72
        
                 GH_TOKEN: ${{ github.token }}

     

       73
        
               run: gh api /rate_limit | jq

     

       74
        
       

     

       75
       -
         # For checking code owners, this job depends on a GitHub App with the following permissions:

     

       76
       -
         # - Permissions:

     

       77
       -
         #   - Repository > Administration: read-only

     

       78
       -
         #   - Organization > Members: read-only

     

       79
       -
         # - Install App on this repository, setting these variables:

     

       80
       -
         #   - OWNER_RO_APP_ID (variable)

     

       81
       -
         #   - OWNER_RO_APP_PRIVATE_KEY (secret)

     

       82
       -
         #

     

       83
       -
         # This should not use the same app as the job to request reviewers, because this job requires

     

       84
       -
         # handling untrusted PR input.

     

       85
        
         owners:

     

       86
        
           runs-on: ubuntu-24.04-arm

     

       87
       -
           continue-on-error: ${{ inputs.ownersCanFail }}

     

       88
        
           timeout-minutes: 5

     

       89
        
           steps:

     

       90
        
             - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

     
···

       94
        
               uses: ./.github/actions/checkout

     

       95
        
               with:

     

       96
        
                 merged-as-untrusted-at: ${{ inputs.mergedSha }}

     

       97
       -
                 target-as-trusted-at: ${{ inputs.targetSha }}

     

       98
        
       

     

       99
        
             - uses: cachix/install-nix-action@9280e7aca88deada44c930f1e2c78e21c3ae3edd # v31

     

       100
        
       

     
···

       107
        
                 pushFilter: -source$

     

       108
        
       

     

       109
        
             - name: Build codeowners validator

     

       110
       -
               run: nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A codeownersValidator

     

       111
       -
       

     

       112
       -
             - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4

     

       113
       -
               if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID

     

       114
       -
               id: app-token

     

       115
       -
               with:

     

       116
       -
                 app-id: ${{ vars.OWNER_RO_APP_ID }}

     

       117
       -
                 private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}

     

       118
       -
                 permission-administration: read

     

       119
       -
                 permission-members: read

     

       120
       -
       

     

       121
       -
             - name: Log current API rate limits

     

       122
       -
               if: steps.app-token.outputs.token

     

       123
       -
               env:

     

       124
       -
                 GH_TOKEN: ${{ steps.app-token.outputs.token }}

     

       125
       -
               run: gh api /rate_limit | jq

     

       126
        
       

     

       127
        
             - name: Validate codeowners

     

       128
       -
               if: steps.app-token.outputs.token

     

       129
        
               env:

     

       130
        
                 OWNERS_FILE: nixpkgs/untrusted/ci/OWNERS

     

       131
       -
                 GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}

     

       132
        
                 REPOSITORY_PATH: nixpkgs/untrusted

     

       133
       -
                 OWNER_CHECKER_REPOSITORY: ${{ github.repository }}

     

       0
        
       
     

       0
        
       
     

       134
        
                 # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody

     

       135
        
                 EXPERIMENTAL_CHECKS: "avoid-shadowing"

     

       136
        
               run: result/bin/codeowners-validator

     

       137
       -
       

     

       138
       -
             - name: Log current API rate limits

     

       139
       -
               if: steps.app-token.outputs.token

     

       140
       -
               env:

     

       141
       -
                 GH_TOKEN: ${{ steps.app-token.outputs.token }}

     

       142
       -
               run: gh api /rate_limit | jq

···

       12
        
             mergedSha:

     

       13
        
               required: true

     

       14
        
               type: string

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       15
        
             targetSha:

     

       16
        
               required: true

     

       17
        
               type: string

     

       18
        
           secrets:

     

       19
        
             CACHIX_AUTH_TOKEN:

     

       0
        
       
     

       0
        
       
     

       20
        
               required: true

     

       21
        
       

     

       22
        
       permissions: {}

     
···

       67
        
                 GH_TOKEN: ${{ github.token }}

     

       68
        
               run: gh api /rate_limit | jq

     

       69
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       70
        
         owners:

     

       71
        
           runs-on: ubuntu-24.04-arm

     

       0
        
       
     

       72
        
           timeout-minutes: 5

     

       73
        
           steps:

     

       74
        
             - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

     
···

       78
        
               uses: ./.github/actions/checkout

     

       79
        
               with:

     

       80
        
                 merged-as-untrusted-at: ${{ inputs.mergedSha }}

     

       0
        
       
     

       81
        
       

     

       82
        
             - uses: cachix/install-nix-action@9280e7aca88deada44c930f1e2c78e21c3ae3edd # v31

     

       83
        
       

     
···

       90
        
                 pushFilter: -source$

     

       91
        
       

     

       92
        
             - name: Build codeowners validator

     

       93
       +
               run: nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A codeownersValidator

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       94
        
       

     

       95
        
             - name: Validate codeowners

     

       0
        
       
     

       96
        
               env:

     

       97
        
                 OWNERS_FILE: nixpkgs/untrusted/ci/OWNERS

     

       0
        
       
     

       98
        
                 REPOSITORY_PATH: nixpkgs/untrusted

     

       99
       +
                 # Omits "owners", which checks whether GitHub handles exist, but fails with nested team

     

       100
       +
                 # structures.

     

       101
       +
                 CHECKS: "duppatterns,files,syntax"

     

       102
        
                 # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody

     

       103
        
                 EXPERIMENTAL_CHECKS: "avoid-shadowing"

     

       104
        
               run: result/bin/codeowners-validator

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0

-4

.github/workflows/pr.yml

···

       11
        
             OWNER_APP_PRIVATE_KEY:

     

       12
        
               # The Test workflow should not actually request reviews from owners.

     

       13
        
               required: false

     

       14
       -
             OWNER_RO_APP_PRIVATE_KEY:

     

       15
       -
               required: true

     

       16
        
       

     

       17
        
       concurrency:

     

       18
        
         group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}

     
···

       59
        
             pull-requests: write

     

       60
        
           secrets:

     

       61
        
             CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

     

       62
       -
             OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}

     

       63
        
           with:

     

       64
        
             baseBranch: ${{ needs.prepare.outputs.baseBranch }}

     

       65
        
             headBranch: ${{ needs.prepare.outputs.headBranch }}

     

       66
        
             mergedSha: ${{ needs.prepare.outputs.mergedSha }}

     

       67
        
             targetSha: ${{ needs.prepare.outputs.targetSha }}

     

       68
       -
             ownersCanFail: ${{ !contains(fromJSON(needs.prepare.outputs.touched), 'owners') }}

     

       69
        
       

     

       70
        
         lint:

     

       71
        
           name: Lint

···

       11
        
             OWNER_APP_PRIVATE_KEY:

     

       12
        
               # The Test workflow should not actually request reviews from owners.

     

       13
        
               required: false

     

       0
        
       
     

       0
        
       
     

       14
        
       

     

       15
        
       concurrency:

     

       16
        
         group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}

     
···

       57
        
             pull-requests: write

     

       58
        
           secrets:

     

       59
        
             CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

     

       0
        
       
     

       60
        
           with:

     

       61
        
             baseBranch: ${{ needs.prepare.outputs.baseBranch }}

     

       62
        
             headBranch: ${{ needs.prepare.outputs.headBranch }}

     

       63
        
             mergedSha: ${{ needs.prepare.outputs.mergedSha }}

     

       64
        
             targetSha: ${{ needs.prepare.outputs.targetSha }}

     

       0
        
       
     

       65
        
       

     

       66
        
         lint:

     

       67
        
           name: Lint

-1

.github/workflows/test.yml

···

       98
        
           secrets:

     

       99
        
             CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

     

       100
        
             NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}

     

       101
       -
             OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}

     

       102
        
       

     

       103
        
         push:

     

       104
        
           if: needs.prepare.outputs.push

···

       98
        
           secrets:

     

       99
        
             CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

     

       100
        
             NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}

     

       0
        
       
     

       101
        
       

     

       102
        
         push:

     

       103
        
           if: needs.prepare.outputs.push

-1

ci/github-script/prepare.js

···

       221
        
       

     

       222
        
           const touched = []

     

       223
        
           if (files.includes('ci/pinned.json')) touched.push('pinned')

     

       224
       -
           if (files.includes('ci/OWNERS')) touched.push('owners')

     

       225
        
           core.setOutput('touched', touched)

     

       226
        
       

     

       227
        
           return

···

       221
        
       

     

       222
        
           const touched = []

     

       223
        
           if (files.includes('ci/pinned.json')) touched.push('pinned')

     

       0
        
       
     

       224
        
           core.setOutput('touched', touched)

     

       225
        
       

     

       226
        
           return