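# Reusable lint workflow: formatting check (treefmt), Nix parse check, and nixpkgs-vet.
#
# Trust model, as expressed by the checkout steps below:
# - `mergedSha` is the PR merge commit and is handled as UNTRUSTED: it is checked
#   out via `merged-as-untrusted-at` and is only ever fed to `nix-build`, never
#   executed directly by a workflow step.
# - `targetSha` is the target-branch commit and is handled as trusted
#   (`target-as-trusted-at`); only nixpkgs-vet needs it, as the comparison base.
name: Lint

on:
  workflow_call:
    inputs:
      # Merge commit of the PR under test — untrusted code.
      mergedSha:
        required: true
        type: string
      # Target-branch commit — trusted; used only by nixpkgs-vet as `base`.
      targetSha:
        required: true
        type: string
    secrets:
      # Consumed only by the jobs that push to Cachix (parse, nixpkgs-vet);
      # the treefmt job deliberately has no secrets at all.
      CACHIX_AUTH_TOKEN:
        required: true

# Drop every default GITHUB_TOKEN permission for all jobs in this workflow.
permissions: {}

defaults:
  run:
    shell: bash

jobs:
  treefmt:
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 10
    steps:
      # Sparse checkout of the trusted workflow repository: only the local
      # composite actions are needed here.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          sparse-checkout: .github/actions
      - name: Checkout the merge commit
        uses: ./.github/actions/checkout
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}

      - uses: cachix/install-nix-action@9280e7aca88deada44c930f1e2c78e21c3ae3edd # v31

      # TODO: Figure out how to best enable caching for the treefmt job. Cachix won't work well,
      # because the cache would be invalidated on every commit - treefmt checks every file.
      # Maybe we can cache treefmt's eval-cache somehow.

      - name: Check that files are formatted
        run: |
          # Note that it's fine to run this on untrusted code because:
          # - There's no secrets accessible here
          # - The build is sandboxed
          if ! nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A fmt.check; then
            echo "Some files are not properly formatted"
            echo "Please format them by going to the Nixpkgs root directory and running one of:"
            echo "  nix-shell --run treefmt"
            echo "  nix develop --command treefmt"
            echo "  nix fmt"
            echo "Make sure your branch is up to date with master; rebase if not."
            echo "If you're having trouble, please ping @NixOS/nix-formatting"
            exit 1
          fi

  parse:
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          sparse-checkout: .github/actions
      - name: Checkout the merge commit
        uses: ./.github/actions/checkout
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}

      - uses: cachix/install-nix-action@9280e7aca88deada44c930f1e2c78e21c3ae3edd # v31

      # NOTE(review): unlike the treefmt job, this job (and nixpkgs-vet below)
      # has CACHIX_AUTH_TOKEN configured on the runner before the untrusted tree
      # is evaluated and built, so treefmt's "no secrets accessible here"
      # justification does not carry over as-is. The build sandbox covers the
      # builds; confirm that the token is not reachable during evaluation, or
      # that the cache-trust caveat below is the accepted mitigation.
      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
          extraPullNames: nixpkgs-ci
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
          # Regex of store paths NOT to push; quoted so it reads as a literal
          # pattern rather than a value that merely happens to start with '-'.
          pushFilter: '-source$'

      - name: Parse all nix files
        run: |
          # Tests multiple versions at once, let's make sure all of them run, so keep-going.
          nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A parse --keep-going

  nixpkgs-vet:
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          sparse-checkout: .github/actions
      # Both trees are needed: nixpkgs-vet compares the untrusted head against
      # the trusted base.
      - name: Checkout merge and target commits
        uses: ./.github/actions/checkout
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}
          target-as-trusted-at: ${{ inputs.targetSha }}

      - uses: cachix/install-nix-action@9280e7aca88deada44c930f1e2c78e21c3ae3edd # v31

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
          extraPullNames: nixpkgs-ci
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
          # Regex of store paths NOT to push (same filter as the parse job).
          pushFilter: '-source$'

      - name: Running nixpkgs-vet
        env:
          # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
          # Quoted: environment values are strings; keeps YAML from typing it as an int.
          CLICOLOR_FORCE: '1'
        run: |
          if nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A nixpkgs-vet --arg base "./nixpkgs/trusted" --arg head "./nixpkgs/untrusted"; then
            exit 0
          else
            # $? here is still the exit status of the failed nix-build condition;
            # capture it before any echo overwrites it.
            exitCode=$?
            echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
            echo "If you're having trouble, ping @NixOS/nixpkgs-vet"
            exit "$exitCode"
          fi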