commit c8aea5f2e94fff16936e63fb7260e7a861c9bc1d · pyrox.dev/nixpkgs

+5 -3

.github/workflows/build.yml

···

       61
       61
        
       

     

       62
       62
        
             - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16

     

       63
       63
        
               with:

     

       64
       64
       -
                 # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.

     

       65
       65
       -
                 name: nixpkgs-ci

     

       66
       66
       -
                 authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"

     

       64
       64
       +
                 # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.

     

       65
       65
       +
                 name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}

     

       66
       66
       +
                 extraPullNames: nixpkgs-ci

     

       67
       67
       +
                 authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}

     

       68
       68
       +
                 pushFilter: '(-source$|-nixpkgs-tarball-)'

     

       67
       69
        
       

     

       68
       70
        
             - run: nix-env --install -f pinned -A nix-build-uncached

     

       69
       71

+5 -3

.github/workflows/check.yml

···

       112
       112
        
       

     

       113
       113
        
             - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16

     

       114
       114
        
               with:

     

       115
       115
       -
                 # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.

     

       116
       116
       -
                 name: nixpkgs-ci

     

       117
       117
       -
                 authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

     

       115
       115
       +
                 # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.

     

       116
       116
       +
                 name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}

     

       117
       117
       +
                 extraPullNames: nixpkgs-ci

     

       118
       118
       +
                 authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}

     

       119
       119
       +
                 pushFilter: -source$

     

       118
       120
        
       

     

       119
       121
        
             - name: Build codeowners validator

     

       120
       122
        
               run: nix-build trusted/ci --arg nixpkgs ./pinned -A codeownersValidator

+10

.github/workflows/eval.yml

···

       16
       16
        
               default: false

     

       17
       17
        
               type: boolean

     

       18
       18
        
           secrets:

     

       19
       19
       +
             CACHIX_AUTH_TOKEN:

     

       20
       20
       +
               required: true

     

       19
       21
        
             OWNER_APP_PRIVATE_KEY:

     

       20
       22
        
               required: false

     

       21
       23
        
       

     
···

       96
       98
        
       

     

       97
       99
        
             - name: Install Nix

     

       98
       100
        
               uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

     

       101
       101
       +
       

     

       102
       102
       +
             - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16

     

       103
       103
       +
               with:

     

       104
       104
       +
                 # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.

     

       105
       105
       +
                 name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}

     

       106
       106
       +
                 extraPullNames: nixpkgs-ci

     

       107
       107
       +
                 authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}

     

       108
       108
       +
                 pushFilter: '(-source|-single-chunk)$'

     

       99
       109
        
       

     

       100
       110
        
             - name: Evaluate the ${{ matrix.system }} output paths for all derivation attributes

     

       101
       111
        
               env:

+23

.github/workflows/lint.yml

···

       9
       9
        
             targetSha:

     

       10
       10
        
               required: true

     

       11
       11
        
               type: string

     

       12
       12
       +
           secrets:

     

       13
       13
       +
             CACHIX_AUTH_TOKEN:

     

       14
       14
       +
               required: true

     

       12
       15
        
       

     

       13
       16
        
       permissions: {}

     

       14
       17
        
       

     
···

       33
       36
        
       

     

       34
       37
        
             - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

     

       35
       38
        
       

     

       39
       39
       +
             # TODO: Figure out how to best enable caching for the treefmt job. Cachix won't work well,

     

       40
       40
       +
             # because the cache would be invalidated on every commit - treefmt checks every file.

     

       41
       41
       +
             # Maybe we can cache treefmt's eval-cache somehow.

     

       42
       42
       +
       

     

       36
       43
        
             - name: Check that files are formatted

     

       37
       44
        
               run: |

     

       38
       45
        
                 # Note that it's fine to run this on untrusted code because:

     
···

       65
       72
        
       

     

       66
       73
        
             - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

     

       67
       74
        
       

     

       75
       75
       +
             - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16

     

       76
       76
       +
               with:

     

       77
       77
       +
                 # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.

     

       78
       78
       +
                 name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}

     

       79
       79
       +
                 extraPullNames: nixpkgs-ci

     

       80
       80
       +
                 authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}

     

       81
       81
       +
                 pushFilter: -source$

     

       82
       82
       +
       

     

       68
       83
        
             - name: Parse all nix files

     

       69
       84
        
               run: |

     

       70
       85
        
                 # Tests multiple versions at once, let's make sure all of them run, so keep-going.

     
···

       87
       102
        
                 target-as-trusted: true

     

       88
       103
        
       

     

       89
       104
        
             - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

     

       105
       105
       +
       

     

       106
       106
       +
             - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16

     

       107
       107
       +
               with:

     

       108
       108
       +
                 # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.

     

       109
       109
       +
                 name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}

     

       110
       110
       +
                 extraPullNames: nixpkgs-ci

     

       111
       111
       +
                 authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}

     

       112
       112
       +
                 pushFilter: -source$

     

       90
       113
        
       

     

       91
       114
        
             - name: Running nixpkgs-vet

     

       92
       115
        
               env:

+2

.github/workflows/merge-group.yml

···

       9
       9
        
         lint:

     

       10
       10
        
           name: Lint

     

       11
       11
        
           uses: ./.github/workflows/lint.yml

     

       12
       12
       +
           secrets:

     

       13
       13
       +
             CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

     

       12
       14
        
           with:

     

       13
       15
        
             mergedSha: ${{ github.event.merge_group.head_sha }}

     

       14
       16
        
             targetSha: ${{ github.event.merge_group.base_sha }}

+3

.github/workflows/pr.yml

···

       100
       100
        
           name: Lint

     

       101
       101
        
           needs: [prepare]

     

       102
       102
        
           uses: ./.github/workflows/lint.yml

     

       103
       103
       +
           secrets:

     

       104
       104
       +
             CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

     

       103
       105
        
           with:

     

       104
       106
        
             mergedSha: ${{ needs.prepare.outputs.mergedSha }}

     

       105
       107
        
             targetSha: ${{ needs.prepare.outputs.targetSha }}

     
···

       112
       114
        
             # compare

     

       113
       115
        
             statuses: write

     

       114
       116
        
           secrets:

     

       117
       117
       +
             CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

     

       115
       118
        
             OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}

     

       116
       119
        
           with:

     

       117
       120
        
             mergedSha: ${{ needs.prepare.outputs.mergedSha }}

+2

.github/workflows/push.yml

···

       43
       43
        
             issues: write

     

       44
       44
        
             pull-requests: write

     

       45
       45
        
             statuses: write

     

       46
       46
       +
           secrets:

     

       47
       47
       +
             CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

     

       46
       48
        
           with:

     

       47
       49
        
             mergedSha: ${{ github.sha }}

     

       48
       50
        
             systems: ${{ needs.prepare.outputs.systems }}

+10 -4

ci/nixpkgs-vet.nix

···

       13
       13
        
           with lib.fileset;

     

       14
       14
        
           path:

     

       15
       15
        
           toSource {

     

       16
       16
       -
             fileset = (gitTracked path);

     

       16
       16
       +
             fileset = difference (gitTracked path) (unions [

     

       17
       17
       +
               (path + /.github)

     

       18
       18
       +
               (path + /ci)

     

       19
       19
       +
             ]);

     

       17
       20
        
             root = path;

     

       18
       21
        
           };

     

       22
       22
       +
       

     

       23
       23
       +
         filteredBase = filtered base;

     

       24
       24
       +
         filteredHead = filtered head;

     

       19
       25
        
       in

     

       20
       26
        
       runCommand "nixpkgs-vet"

     

       21
       27
        
         {

     
···

       27
       33
        
         ''

     

       28
       34
        
           export NIX_STATE_DIR=$(mktemp -d)

     

       29
       35
        
       

     

       30
       30
       -
           nixpkgs-vet --base ${filtered base} ${filtered head}

     

       36
       36
       +
           nixpkgs-vet --base ${filteredBase} ${filteredHead}

     

       31
       37
        
       

     

       32
       38
        
           # TODO: Upstream into nixpkgs-vet, see:

     

       33
       39
        
           # https://github.com/NixOS/nixpkgs-vet/issues/164

     

       34
       34
       -
           badFiles=$(find ${filtered head}/pkgs -type f -name '*.nix' -print | xargs grep -l '^[^#]*<nixpkgs/' || true)

     

       40
       40
       +
           badFiles=$(find ${filteredHead}/pkgs -type f -name '*.nix' -print | xargs grep -l '^[^#]*<nixpkgs/' || true)

     

       35
       41
        
           if [[ -n $badFiles ]]; then

     

       36
       42
        
             echo "Nixpkgs is not allowed to use <nixpkgs> to refer to itself."

     

       37
       43
        
             echo "The offending files:"

     
···

       41
       47
        
       

     

       42
       48
        
           # TODO: Upstream into nixpkgs-vet, see:

     

       43
       49
        
           # https://github.com/NixOS/nixpkgs-vet/issues/166

     

       44
       44
       -
           conflictingPaths=$(find ${filtered head} | awk '{ print $1 " " tolower($1) }' | sort -k2 | uniq -D -f 1 | cut -d ' ' -f 1)

     

       50
       50
       +
           conflictingPaths=$(find ${filteredHead} | awk '{ print $1 " " tolower($1) }' | sort -k2 | uniq -D -f 1 | cut -d ' ' -f 1)

     

       45
       51
        
           if [[ -n $conflictingPaths ]]; then

     

       46
       52
        
             echo "Files in nixpkgs must not vary only by case."

     

       47
       53
        
             echo "The offending paths:"