commit f2479721e4d19357bbe5c2a9287cc74ed6dd6475 · pyrox.dev/nixpkgs

-20

ci/README.md

···

       20
        
       

     

       21
        
       - `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05

     

       22
        
       - `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>.

     

       23
       -
       

     

       24
       -
       ## `ci/nixpkgs-vet`

     

       25
       -
       

     

       26
       -
       This directory contains scripts and files used and related to [`nixpkgs-vet`](https://github.com/NixOS/nixpkgs-vet/), which the CI uses to implement `pkgs/by-name` checks, along with many other Nixpkgs architecture rules.

     

       27
       -
       See also the [CI GitHub Action](../.github/workflows/nixpkgs-vet.yml).

     

       28
       -
       

     

       29
       -
       ## `ci/nixpkgs-vet/update-pinned-tool.sh`

     

       30
       -
       

     

       31
       -
       Updates the pinned [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) in [`ci/nixpkgs-vet/pinned-version.txt`](./nixpkgs-vet/pinned-version.txt) to the latest [release](https://github.com/NixOS/nixpkgs-vet/releases).

     

       32
       -
       

     

       33
       -
       Each release contains a pre-built `x86_64-linux` version of the tool which is used by CI.

     

       34
       -
       

     

       35
       -
       This script currently needs to be called manually when the CI tooling needs to be updated.

     

       36
       -
       

     

       37
       -
       Why not just build the tooling right from the PRs Nixpkgs version?

     

       38
       -
       

     

       39
       -
       - Because it allows CI to check all PRs, even if they would break the CI tooling.

     

       40
       -
       - Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.

     

       41
       -
       - Because it improves security, since we don't have to build potentially untrusted code from PRs.

     

       42
       -
         The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).

···

       20
        
       

     

       21
        
       - `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05

     

       22
        
       - `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>.

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0

-3

ci/nixpkgs-vet.sh

···

       61
        
       trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "

     

       62
        
       git -C "$tmp/merged" merge -q --no-edit "$baseSha"

     

       63
        
       trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"

     

       64
       -
       trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "

     

       65
       -
       toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")

     

       66
       -
       trace -e "\e[34m$toolVersion\e[0m"

     

       67
        
       

     

       68
        
       trace "Running nixpkgs-vet.."

     

       69
        
       nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged"

···

       61
        
       trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "

     

       62
        
       git -C "$tmp/merged" merge -q --no-edit "$baseSha"

     

       63
        
       trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       64
        
       

     

       65
        
       trace "Running nixpkgs-vet.."

     

       66
        
       nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged"

-1

ci/nixpkgs-vet/pinned-version.txt

···

       0

-22

ci/nixpkgs-vet/update-pinned-tool.sh

···

       1
       -
       #!/usr/bin/env nix-shell

     

       2
       -
       #!nix-shell -i bash -p jq curl

     

       3
       -
       

     

       4
       -
       set -o pipefail -o errexit -o nounset

     

       5
       -
       

     

       6
       -
       trace() { echo >&2 "$@"; }

     

       7
       -
       

     

       8
       -
       SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )

     

       9
       -
       

     

       10
       -
       repository=NixOS/nixpkgs-vet

     

       11
       -
       pin_file=$SCRIPT_DIR/pinned-version.txt

     

       12
       -
       

     

       13
       -
       trace -n "Fetching latest release of $repository.. "

     

       14
       -
       latestRelease=$(curl -sSfL \

     

       15
       -
         -H "Accept: application/vnd.github+json" \

     

       16
       -
         -H "X-GitHub-Api-Version: 2022-11-28" \

     

       17
       -
         https://api.github.com/repos/"$repository"/releases/latest)

     

       18
       -
       latestVersion=$(jq .tag_name -r <<< "$latestRelease")

     

       19
       -
       trace "$latestVersion"

     

       20
       -
       

     

       21
       -
       trace "Updating $pin_file"

     

       22
       -
       echo "$latestVersion" > "$pin_file"