workflows: sync merge commits

This fixes a problem where each workflow would get their own merge
commit. This happens frequently when the target branch is merged into a
the same time, different workflows in the same run will run
get-merge-commit at different times and thus have different merge
commits.

Since the jobs don't really depend on each other, this doesn't cause
practical problems, yet. But it has already led to strange CI failures
in a still unmerged PR, which can be prevented from happening with this
clean approach.

And yes, this saves a few API calls on every run.

(cherry picked from commit 09ddb1a8a0)

.github/actions/get-merge-commit/action.yml

@@ -3,9 +3,15 @@ name: Get merge commit
 description: 'Checks whether the Pull Request is mergeable and checks out the repo at up to two commits: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.'
 
 inputs:
+  mergedSha:
+    description: "The merge commit SHA, previously collected."
+    type: string
   merged-as-untrusted:
     description: "Whether to checkout the merge commit in the ./untrusted folder."
     type: boolean
+  targetSha:
+    description: "The target commit SHA, previously collected."
+    type: string
   target-as-trusted:
     description: "Whether to checkout the target commit in the ./trusted folder."
     type: boolean
@@ -22,6 +28,7 @@ runs:
   using: composite
   steps:
     - id: commits
+      if: ${{ !inputs.mergedSha && !inputs.targetSha }}
       uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
@@ -72,17 +79,17 @@ runs:
           }
           throw new Error("Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com.")
 
-    - if: inputs.merged-as-untrusted && steps.commits.outputs.mergedSha
+    - if: inputs.merged-as-untrusted && (inputs.mergedSha || steps.commits.outputs.mergedSha)
       # Would be great to do the checkouts in git worktrees of the existing spare checkout instead,
       # but Nix is broken with them:
       # https://github.com/NixOS/nix/issues/6073
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        ref: ${{ steps.commits.outputs.mergedSha }}
+        ref: ${{ inputs.mergedSha || steps.commits.outputs.mergedSha }}
         path: untrusted
 
-    - if: inputs.target-as-trusted && steps.commits.outputs.targetSha
+    - if: inputs.target-as-trusted && (inputs.targetSha || steps.commits.outputs.targetSha)
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        ref: ${{ steps.commits.outputs.targetSha }}
+        ref: ${{ inputs.targetSha || steps.commits.outputs.targetSha }}
         path: trusted

.github/workflows/build.yml

@@ -2,6 +2,10 @@ name: Build
 
 on:
   workflow_call:
+    inputs:
+      mergedSha:
+        required: true
+        type: string
     secrets:
       CACHIX_AUTH_TOKEN:
         required: true
@@ -39,6 +43,7 @@ jobs:
       - name: Check if the PR can be merged and checkout the merge commit
         uses: ./.github/actions/get-merge-commit
         with:
+          mergedSha: ${{ inputs.mergedSha }}
           merged-as-untrusted: true
 
       - uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31

.github/workflows/lint.yml

@@ -2,6 +2,13 @@ name: Lint
 
 on:
   workflow_call:
+    inputs:
+      mergedSha:
+        required: true
+        type: string
+      targetSha:
+        required: true
+        type: string
 
 permissions: {}
 
@@ -19,6 +26,7 @@ jobs:
       - name: Check if the PR can be merged and checkout the merge commit
         uses: ./.github/actions/get-merge-commit
         with:
+          mergedSha: ${{ inputs.mergedSha }}
           merged-as-untrusted: true
 
       - uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31
@@ -50,6 +58,7 @@ jobs:
       - name: Check if the PR can be merged and checkout the merge commit
         uses: ./.github/actions/get-merge-commit
         with:
+          mergedSha: ${{ inputs.mergedSha }}
           merged-as-untrusted: true
 
       - uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31
@@ -72,7 +81,9 @@ jobs:
       - name: Check if the PR can be merged and checkout merged and target commits
         uses: ./.github/actions/get-merge-commit
         with:
+          mergedSha: ${{ inputs.mergedSha }}
           merged-as-untrusted: true
+          targetSha: ${{ inputs.targetSha }}
           target-as-trusted: true
 
       - uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31

.github/workflows/pr.yml

@@ -48,7 +48,11 @@ jobs:
 
   lint:
     name: Lint
+    needs: [prepare]
     uses: ./.github/workflows/lint.yml
+    with:
+      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+      targetSha: ${{ needs.prepare.outputs.targetSha }}
 
   eval:
     name: Eval
@@ -68,6 +72,9 @@ jobs:
 
   build:
     name: Build
+    needs: [prepare]
     uses: ./.github/workflows/build.yml
     secrets:
       CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+    with:
+      mergedSha: ${{ needs.prepare.outputs.mergedSha }}