pyrox.dev / nixpkgs
lol
fork atom

ci/nixpkgs-vet: remove left-over pin

We're now consuming nixpkgs-vet from the pinned-nixpkgs, but apparently
forgot to remove all of this.

Wolfgang Walther f2479721 9e2e91b7

options
unified split
Changed files
-46
ci
README.md
nixpkgs-vet
pinned-version.txt
update-pinned-tool.sh
nixpkgs-vet.sh
-20
ci/README.md 
···

       
20

       
20

       
 

       



     

       
21

       
21

       
 

       
- `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05


     

       
22

       
22

       
 

       
- `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>.


     

       
23

       

       
-

       



     

       
24

       

       
-

       
## `ci/nixpkgs-vet`


     

       
25

       

       
-

       



     

       
26

       

       
-

       
This directory contains scripts and files used and related to [`nixpkgs-vet`](https://github.com/NixOS/nixpkgs-vet/), which the CI uses to implement `pkgs/by-name` checks, along with many other Nixpkgs architecture rules.


     

       
27

       

       
-

       
See also the [CI GitHub Action](../.github/workflows/nixpkgs-vet.yml).


     

       
28

       

       
-

       



     

       
29

       

       
-

       
## `ci/nixpkgs-vet/update-pinned-tool.sh`


     

       
30

       

       
-

       



     

       
31

       

       
-

       
Updates the pinned [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) in [`ci/nixpkgs-vet/pinned-version.txt`](./nixpkgs-vet/pinned-version.txt) to the latest [release](https://github.com/NixOS/nixpkgs-vet/releases).


     

       
32

       

       
-

       



     

       
33

       

       
-

       
Each release contains a pre-built `x86_64-linux` version of the tool which is used by CI.


     

       
34

       

       
-

       



     

       
35

       

       
-

       
This script currently needs to be called manually when the CI tooling needs to be updated.


     

       
36

       

       
-

       



     

       
37

       

       
-

       
Why not just build the tooling right from the PRs Nixpkgs version?


     

       
38

       

       
-

       



     

       
39

       

       
-

       
- Because it allows CI to check all PRs, even if they would break the CI tooling.


     

       
40

       

       
-

       
- Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.


     

       
41

       

       
-

       
- Because it improves security, since we don't have to build potentially untrusted code from PRs.


     

       
42

       

       
-

       
  The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).
-3
ci/nixpkgs-vet.sh 
···

       
61

       
61

       
 

       
trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "


     

       
62

       
62

       
 

       
git -C "$tmp/merged" merge -q --no-edit "$baseSha"


     

       
63

       
63

       
 

       
trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"


     

       
64

       

       
-

       
trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "


     

       
65

       

       
-

       
toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")


     

       
66

       

       
-

       
trace -e "\e[34m$toolVersion\e[0m"


     

       
67

       
64

       
 

       



     

       
68

       
65

       
 

       
trace "Running nixpkgs-vet.."


     

       
69

       
66

       
 

       
nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged"
-1
ci/nixpkgs-vet/pinned-version.txt 
···

       
1

       

       
-

       
0.1.4
-22
ci/nixpkgs-vet/update-pinned-tool.sh 
···

       
1

       

       
-

       
#!/usr/bin/env nix-shell


     

       
2

       

       
-

       
#!nix-shell -i bash -p jq curl


     

       
3

       

       
-

       



     

       
4

       

       
-

       
set -o pipefail -o errexit -o nounset


     

       
5

       

       
-

       



     

       
6

       

       
-

       
trace() { echo >&2 "$@"; }


     

       
7

       

       
-

       



     

       
8

       

       
-

       
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )


     

       
9

       

       
-

       



     

       
10

       

       
-

       
repository=NixOS/nixpkgs-vet


     

       
11

       

       
-

       
pin_file=$SCRIPT_DIR/pinned-version.txt


     

       
12

       

       
-

       



     

       
13

       

       
-

       
trace -n "Fetching latest release of $repository.. "


     

       
14

       

       
-

       
latestRelease=$(curl -sSfL \


     

       
15

       

       
-

       
  -H "Accept: application/vnd.github+json" \


     

       
16

       

       
-

       
  -H "X-GitHub-Api-Version: 2022-11-28" \


     

       
17

       

       
-

       
  https://api.github.com/repos/"$repository"/releases/latest)


     

       
18

       

       
-

       
latestVersion=$(jq .tag_name -r <<< "$latestRelease")


     

       
19

       

       
-

       
trace "$latestVersion"


     

       
20

       

       
-

       



     

       
21

       

       
-

       
trace "Updating $pin_file"


     

       
22

       

       
-

       
echo "$latestVersion" > "$pin_file"