From 7d405339b3c59d0162d329aeb91ca3cd21a69ec9 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Mon, 18 Aug 2025 20:55:12 +0200 Subject: [PATCH 1/8] actions/checkout: rename from actions/get-merge-commit This moves the logic to "check whether the PR can be merged and determine the relevant commits" into the PR / prepare job directly - since that's the only place where it is supposed to be used. Because of the if condition in get-merge-commit, this logic was run multiple times, for example in the lint workflow, where only one of targetSha or mergedSha was provided as input. However, this input was thrown away directly. This might not be a big problem, because this was not expensive, so far. But with the next commit, this will become more so. This also separates the logic a bit cleaner - `prepare` figures out all the parameters for the whole PR workflow, while `checkout` handles the consistency around these checkouts. (cherry picked from commit b51e104439587fabc53e3f644bcef0af43f10c23) --- .github/actions/checkout/action.yml | 54 ++++++++++++++ .github/actions/get-merge-commit/action.yml | 80 --------------------- .github/workflows/README.md | 2 +- .github/workflows/build.yml | 7 +- .github/workflows/check.yml | 10 ++- .github/workflows/eval.yml | 17 ++--- .github/workflows/lint.yml | 24 +++---- .github/workflows/pr.yml | 21 +++--- 8 files changed, 91 insertions(+), 124 deletions(-) create mode 100644 .github/actions/checkout/action.yml delete mode 100644 .github/actions/get-merge-commit/action.yml diff --git a/.github/actions/checkout/action.yml b/.github/actions/checkout/action.yml new file mode 100644 index 000000000000..e3c592f6e53a --- /dev/null +++ b/.github/actions/checkout/action.yml 
@@ -0,0 +1,54 @@ +name: Checkout + +description: 'Checkout into trusted / untrusted / pinned folders consistently.' + +inputs: + merged-as-untrusted-at: + description: "Whether and which SHA to checkout for the merge commit in the ./untrusted folder." + type: boolean + pinnedFrom: + description: "Whether to checkout the pinned nixpkgs for CI and from where (trusted, untrusted)." + type: string + target-as-trusted-at: + description: "Whether and which SHA to checkout for the target commit in the ./trusted folder." + type: boolean + +runs: + using: composite + steps: + - if: inputs.merged-as-untrusted-at + # Would be great to do the checkouts in git worktrees of the existing spare checkout instead, + # but Nix is broken with them: + # https://github.com/NixOS/nix/issues/6073 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + ref: ${{ inputs.merged-as-untrusted-at }} + path: untrusted + + - if: inputs.target-as-trusted-at + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + ref: ${{ inputs.target-as-trusted-at }} + path: trusted + + - if: inputs.pinnedFrom + id: pinned + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + env: + PINNED_FROM: ${{ inputs.pinnedFrom }} + with: + script: | + const path = require('node:path') + const pinned = require(path.resolve(path.join(process.env.PINNED_FROM, 'ci', 'pinned.json'))) + core.setOutput('pinnedSha', pinned.pins.nixpkgs.revision) + + - if: steps.pinned.outputs.pinnedSha + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + ref: ${{ steps.pinned.outputs.pinnedSha }} + path: pinned + sparse-checkout: | + lib + maintainers + nixos/lib + pkgs diff --git a/.github/actions/get-merge-commit/action.yml b/.github/actions/get-merge-commit/action.yml deleted file mode 100644 index 1d37ef6abd43..000000000000 --- a/.github/actions/get-merge-commit/action.yml +++ /dev/null 
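Review bot: The `pinned` step loads `ci/pinned.json` with `require()` and forwards `pins.nixpkgs.revision` unchecked as the `ref` of the last checkout, and with `pinnedFrom: untrusted` that file comes from the PR-controlled `./untrusted` tree. `require()` is a module loader, so reading the file with `fs.readFileSync` plus `JSON.parse` guarantees the content is only ever treated as data, and a format check keeps the output to what is presumably expected here, a full commit SHA. The step is carried over unchanged from the removed get-merge-commit action, so this is hardening rather than a regression. Separately, the three `actions/checkout` steps keep the default `persist-credentials: true`, which leaves the job token in each checkout's git config; adding `persist-credentials: false` to them is worth considering unless a later step needs to fetch or push from those folders.

```yaml
    - if: inputs.pinnedFrom
      id: pinned
      # … unchanged: uses, env (PINNED_FROM) …
      with:
        script: |
          const fs = require('node:fs')
          const path = require('node:path')
          // Parse as data only; the file may come from the PR-controlled ./untrusted tree.
          const file = path.resolve(process.env.PINNED_FROM, 'ci', 'pinned.json')
          const { revision } = JSON.parse(fs.readFileSync(file, 'utf8')).pins.nixpkgs
          if (!/^[0-9a-f]{40}$/.test(revision)) {
            throw new Error('ci/pinned.json: nixpkgs revision is not a full commit SHA')
          }
          core.setOutput('pinnedSha', revision)
    # … unchanged: checkout of the pinned revision …
```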
@@ -1,80 +0,0 @@ -name: Get merge commit - -description: 'Checks whether the Pull Request is mergeable and checks out the repo at up to two commits: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.' - -inputs: - mergedSha: - description: "The merge commit SHA, previously collected." - type: string - merged-as-untrusted: - description: "Whether to checkout the merge commit in the ./untrusted folder." - type: boolean - pinnedFrom: - description: "Whether to checkout the pinned nixpkgs for CI and from where (trusted, untrusted)." - type: string - targetSha: - description: "The target commit SHA, previously collected." - type: string - target-as-trusted: - description: "Whether to checkout the target commit in the ./trusted folder." - type: boolean - -outputs: - mergedSha: - description: "The merge commit SHA" - value: ${{ steps.commits.outputs.mergedSha }} - targetSha: - description: "The target commit SHA" - value: ${{ steps.commits.outputs.targetSha }} - -runs: - using: composite - steps: - - id: commits - if: ${{ !inputs.mergedSha && !inputs.targetSha }} - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - script: | - require('./ci/github-script/prepare.js')({ - github, - context, - core, - }) - - - if: inputs.merged-as-untrusted && (inputs.mergedSha || steps.commits.outputs.mergedSha) - # Would be great to do the checkouts in git worktrees of the existing spare checkout instead, - # but Nix is broken with them: - # https://github.com/NixOS/nix/issues/6073 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - ref: ${{ inputs.mergedSha || steps.commits.outputs.mergedSha }} - path: untrusted - - - if: inputs.target-as-trusted && (inputs.targetSha || steps.commits.outputs.targetSha) - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 
v5.0.0 - with: - ref: ${{ inputs.targetSha || steps.commits.outputs.targetSha }} - path: trusted - - - if: inputs.pinnedFrom - id: pinned - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - env: - PINNED_FROM: ${{ inputs.pinnedFrom }} - with: - script: | - const path = require('node:path') - const pinned = require(path.resolve(path.join(process.env.PINNED_FROM, 'ci', 'pinned.json'))) - core.setOutput('pinnedSha', pinned.pins.nixpkgs.revision) - - - if: steps.pinned.outputs.pinnedSha - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - ref: ${{ steps.pinned.outputs.pinnedSha }} - path: pinned - sparse-checkout: | - lib - maintainers - nixos/lib - pkgs - diff --git a/.github/workflows/README.md b/.github/workflows/README.md index 10b0276be144..2c739bd56129 100644 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md @@ -17,7 +17,7 @@ Some architectural notes about key decisions and concepts in our workflows: This is a temporary commit that GitHub creates automatically as "what would happen, if this PR was merged into the base branch now?". The checkout could be done via the virtual branch `refs/pull//merge`, but doing so would cause failures when this virtual branch doesn't exist (anymore). This can happen when the PR has conflicts, in which case the virtual branch is not created, or when the PR is getting merged while workflows are still running, in which case the branch won't exist anymore at the time of checkout. - Thus, we use the `get-merge-commit.yml` workflow to check whether the PR is mergeable and the test merge commit exists and only then run the relevant jobs. + Thus, we use the `prepare` job to check whether the PR is mergeable and the test merge commit exists and only then run the relevant jobs. - Various workflows need to make comparisons against the base branch. In this case, we checkout the parent of the "test merge commit" for best results. 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ef3c71ca4fbe..d8fe8272d625 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -47,11 +47,10 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and checkout the merge commit - uses: ./.github/actions/get-merge-commit + - name: Checkout the merge commit + uses: ./.github/actions/checkout with: - mergedSha: ${{ inputs.mergedSha }} - merged-as-untrusted: true + merged-as-untrusted-at: ${{ inputs.mergedSha }} pinnedFrom: untrusted - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index c06729fa7f5d..aca22eddff6b 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -99,14 +99,12 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and checkout the merge and target commits - uses: ./.github/actions/get-merge-commit + - name: Checkout merge and target commits + uses: ./.github/actions/checkout with: - mergedSha: ${{ inputs.mergedSha }} - merged-as-untrusted: true + merged-as-untrusted-at: ${{ inputs.mergedSha }} pinnedFrom: trusted - targetSha: ${{ inputs.targetSha }} - target-as-trusted: true + target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index a89f2e4d5f9b..a92e64de6715 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml 
@@ -88,10 +88,9 @@ jobs: with: sparse-checkout: .github/actions - name: Check out the PR at the test merge commit - uses: ./.github/actions/get-merge-commit + uses: ./.github/actions/checkout with: - mergedSha: ${{ inputs.mergedSha }} - merged-as-untrusted: true + merged-as-untrusted-at: ${{ inputs.mergedSha }} pinnedFrom: untrusted - name: Install Nix @@ -206,10 +205,9 @@ jobs: with: sparse-checkout: .github/actions - name: Check out the PR at the target commit - uses: ./.github/actions/get-merge-commit + uses: ./.github/actions/checkout with: - targetSha: ${{ inputs.targetSha }} - target-as-trusted: true + target-as-trusted-at: ${{ inputs.targetSha }} pinnedFrom: trusted - name: Download output paths and eval stats for all systems @@ -375,11 +373,10 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and checkout the merge commit - uses: ./.github/actions/get-merge-commit + - name: Checkout the merge commit + uses: ./.github/actions/checkout with: - mergedSha: ${{ inputs.mergedSha }} - merged-as-untrusted: true + merged-as-untrusted-at: ${{ inputs.mergedSha }} - name: Install Nix uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 44cb7fe7bada..817f42d496ad 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -24,11 +24,10 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and checkout the merge commit - uses: ./.github/actions/get-merge-commit + - name: Checkout the merge commit + uses: ./.github/actions/checkout with: - mergedSha: ${{ inputs.mergedSha }} - merged-as-untrusted: true + merged-as-untrusted-at: ${{ inputs.mergedSha }} pinnedFrom: untrusted - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 @@ -56,11 +55,10 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and checkout the merge commit - uses: ./.github/actions/get-merge-commit + - name: Checkout the merge commit + uses: ./.github/actions/checkout with: - mergedSha: ${{ inputs.mergedSha }} - merged-as-untrusted: true + merged-as-untrusted-at: ${{ inputs.mergedSha }} pinnedFrom: untrusted - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 @@ -77,14 +75,12 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and checkout merged and target commits - uses: ./.github/actions/get-merge-commit + - name: Checkout merge and target commits + uses: ./.github/actions/checkout with: - mergedSha: ${{ inputs.mergedSha }} - merged-as-untrusted: true + merged-as-untrusted-at: ${{ inputs.mergedSha }} pinnedFrom: untrusted - targetSha: ${{ inputs.targetSha }} - target-as-trusted: true + target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 1de7d6614c9c..a2636d75022f 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
@@ -3,7 +3,7 @@ name: PR on: pull_request: paths: - - .github/actions/get-merge-commit/action.yml + - .github/actions/checkout/action.yml - .github/workflows/build.yml - .github/workflows/check.yml - .github/workflows/eval.yml @@ -25,21 +25,24 @@ jobs: outputs: baseBranch: ${{ steps.branches.outputs.base }} headBranch: ${{ steps.branches.outputs.head }} - mergedSha: ${{ steps.get-merge-commit.outputs.mergedSha }} - targetSha: ${{ steps.get-merge-commit.outputs.targetSha }} + mergedSha: ${{ steps.prepare.outputs.mergedSha }} + targetSha: ${{ steps.prepare.outputs.targetSha }} systems: ${{ steps.systems.outputs.systems }} touched: ${{ steps.files.outputs.touched }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: sparse-checkout: | - .github/actions ci/github-script - ci/supportedBranches.js - ci/supportedSystems.json - - name: Check if the PR can be merged and get the test merge commit - uses: ./.github/actions/get-merge-commit - id: get-merge-commit + - id: prepare + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + require('./ci/github-script/prepare.js')({ + github, + context, + core, + }) - name: Load supported systems id: systems From 70fc919bde014d1b33fa341abd594e40e0ea77f8 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Mon, 18 Aug 2025 21:03:25 +0200 Subject: [PATCH 2/8] actions/checkout: rename inconsistent pinned-from input (cherry picked from commit 7ab632b30f6d53ede5ed1fc6ac8318d2e656e972) --- .github/actions/checkout/action.yml | 12 ++++++------ .github/workflows/build.yml | 2 +- .github/workflows/check.yml | 2 +- .github/workflows/eval.yml | 4 ++-- .github/workflows/lint.yml | 6 +++--- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/actions/checkout/action.yml b/.github/actions/checkout/action.yml index e3c592f6e53a..751eef7600cd 100644 --- a/.github/actions/checkout/action.yml +++ b/.github/actions/checkout/action.yml 
@@ -6,7 +6,7 @@ inputs: merged-as-untrusted-at: description: "Whether and which SHA to checkout for the merge commit in the ./untrusted folder." type: boolean - pinnedFrom: + pinned-from: description: "Whether to checkout the pinned nixpkgs for CI and from where (trusted, untrusted)." type: string target-as-trusted-at: @@ -31,21 +31,21 @@ runs: ref: ${{ inputs.target-as-trusted-at }} path: trusted - - if: inputs.pinnedFrom + - if: inputs.pinned-from id: pinned uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: - PINNED_FROM: ${{ inputs.pinnedFrom }} + PINNED_FROM: ${{ inputs.pinned-from }} with: script: | const path = require('node:path') const pinned = require(path.resolve(path.join(process.env.PINNED_FROM, 'ci', 'pinned.json'))) - core.setOutput('pinnedSha', pinned.pins.nixpkgs.revision) + core.setOutput('pinned-at', pinned.pins.nixpkgs.revision) - - if: steps.pinned.outputs.pinnedSha + - if: steps.pinned.outputs.pinned-at uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - ref: ${{ steps.pinned.outputs.pinnedSha }} + ref: ${{ steps.pinned.outputs.pinned-at }} path: pinned sparse-checkout: | lib diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d8fe8272d625..9cfc329107ad 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -51,7 +51,7 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - pinnedFrom: untrusted + pinned-from: untrusted - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 with: diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index aca22eddff6b..dcbc5af199b8 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml 
@@ -103,7 +103,7 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - pinnedFrom: trusted + pinned-from: trusted target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index a92e64de6715..c19549a4eb47 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml @@ -91,7 +91,7 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - pinnedFrom: untrusted + pinned-from: untrusted - name: Install Nix uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 @@ -208,7 +208,7 @@ jobs: uses: ./.github/actions/checkout with: target-as-trusted-at: ${{ inputs.targetSha }} - pinnedFrom: trusted + pinned-from: trusted - name: Download output paths and eval stats for all systems uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 817f42d496ad..97387126eb57 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -28,7 +28,7 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - pinnedFrom: untrusted + pinned-from: untrusted - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 @@ -59,7 +59,7 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - pinnedFrom: untrusted + pinned-from: untrusted - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 @@ -79,7 +79,7 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - pinnedFrom: untrusted + pinned-from: untrusted target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 
From 51298d2e28f9b1e790fb7297926b552a839a3f0d Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Mon, 18 Aug 2025 21:49:29 +0200 Subject: [PATCH 3/8] ci/github-script/prepare: load systems (cherry picked from commit 9caf45544114ed16710374b9d107ed14767f7f51) --- .github/workflows/pr.yml | 7 +------ ci/github-script/prepare.js | 3 +++ 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index a2636d75022f..d22641c085ad 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -27,7 +27,7 @@ jobs: headBranch: ${{ steps.branches.outputs.head }} mergedSha: ${{ steps.prepare.outputs.mergedSha }} targetSha: ${{ steps.prepare.outputs.targetSha }} - systems: ${{ steps.systems.outputs.systems }} + systems: ${{ steps.prepare.outputs.systems }} touched: ${{ steps.files.outputs.touched }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -44,11 +44,6 @@ jobs: core, }) - - name: Load supported systems - id: systems - run: | - echo "systems=$(jq -c > "$GITHUB_OUTPUT" - - name: Determine branch type id: branches uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 diff --git a/ci/github-script/prepare.js b/ci/github-script/prepare.js index 96f433126785..bd1457249a27 100644 --- a/ci/github-script/prepare.js +++ b/ci/github-script/prepare.js @@ -49,6 +49,9 @@ module.exports = async ({ github, context, core }) => { ) core.setOutput('mergedSha', mergedSha) core.setOutput('targetSha', targetSha) + + core.setOutput('systems', require('../supportedSystems.json')) + return } throw new Error( From 5b6133762099874b2a9b2bc354c538b969aa1012 Mon Sep 17 00:00:00 2001 
From: Wolfgang Walther Date: Mon, 18 Aug 2025 21:53:55 +0200 Subject: [PATCH 4/8] ci/github-script/prepare: classify branches (cherry picked from commit 4220a03df8744ded7a6594a940a3316d4ff5e702) --- .github/workflows/pr.yml | 24 ++---------------------- ci/github-script/prepare.js | 18 +++++++++++++++++- 2 files changed, 19 insertions(+), 23 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index d22641c085ad..51b0d41ddf1d 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -23,8 +23,8 @@ jobs: prepare: runs-on: ubuntu-24.04-arm outputs: - baseBranch: ${{ steps.branches.outputs.base }} - headBranch: ${{ steps.branches.outputs.head }} + baseBranch: ${{ steps.prepare.outputs.base }} + headBranch: ${{ steps.prepare.outputs.head }} mergedSha: ${{ steps.prepare.outputs.mergedSha }} targetSha: ${{ steps.prepare.outputs.targetSha }} systems: ${{ steps.prepare.outputs.systems }} @@ -44,26 +44,6 @@ jobs: core, }) - - name: Determine branch type - id: branches - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - script: | - const { classify } = require('./ci/supportedBranches.js') - const { base, head } = context.payload.pull_request - - const baseClassification = classify(base.ref) - core.setOutput('base', baseClassification) - core.info('base classification:', baseClassification) - - const headClassification = - (base.repo.full_name == head.repo.full_name) ? - classify(head.ref) : - // PRs from forks are always considered WIP. - { type: ['wip'] } - core.setOutput('head', headClassification) - core.info('head classification:', headClassification) - - name: Determine changed files id: files uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 diff --git a/ci/github-script/prepare.js b/ci/github-script/prepare.js index bd1457249a27..1f56a502ca8a 100644 --- a/ci/github-script/prepare.js +++ b/ci/github-script/prepare.js 
@@ -1,3 +1,5 @@ +const { classify } = require('../supportedBranches.js') + module.exports = async ({ github, context, core }) => { const pull_number = context.payload.pull_request.number @@ -20,6 +22,8 @@ module.exports = async ({ github, context, core }) => { continue } + const { base, head } = prInfo + let mergedSha, targetSha if (prInfo.mergeable) { @@ -39,7 +43,7 @@ module.exports = async ({ github, context, core }) => { targetSha = ( await github.rest.repos.compareCommitsWithBasehead({ ...context.repo, - basehead: `${prInfo.base.sha}...${prInfo.head.sha}`, + basehead: `${base.sha}...${head.sha}`, }) ).data.merge_base_commit.sha } @@ -52,6 +56,18 @@ module.exports = async ({ github, context, core }) => { core.setOutput('systems', require('../supportedSystems.json')) + const baseClassification = classify(base.ref) + core.setOutput('base', baseClassification) + core.info('base classification:', baseClassification) + + const headClassification = + base.repo.full_name === head.repo.full_name + ? classify(head.ref) + : // PRs from forks are always considered WIP. + { type: ['wip'] } + core.setOutput('head', headClassification) + core.info('head classification:', headClassification) + return } throw new Error( From 9b0135b3477b07c53dcf0c58dfe0963e5e2e96e4 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Mon, 18 Aug 2025 21:56:02 +0200 Subject: [PATCH 5/8] ci/github-script/prepare: determine changed files (cherry picked from commit 46a1b0a7bc7a424a84f7660f31ab205ddee68368) --- .github/workflows/pr.yml | 16 +--------------- ci/github-script/prepare.js | 11 +++++++++++ 2 files changed, 12 insertions(+), 15 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 51b0d41ddf1d..a09c51eeae7e 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
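Review bot: In the last prepare.js hunk (`@@ -52,6 +56,18 @@`), `base.repo.full_name === head.repo.full_name` dereferences `head.repo`, which the GitHub API can return as `null` once the fork a PR came from has been deleted, so the step would throw a TypeError instead of classifying the head. Writing the comparison as `base.repo.full_name === head.repo?.full_name` sends that case into the existing fork branch (`{ type: ['wip'] }`), which is the conservative default. The dereference was already present in the inline workflow step this commit removes from pr.yml, so it is carried over rather than introduced here. The enclosing function starts and ends outside the hunk.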
@@ -28,7 +28,7 @@ jobs: mergedSha: ${{ steps.prepare.outputs.mergedSha }} targetSha: ${{ steps.prepare.outputs.targetSha }} systems: ${{ steps.prepare.outputs.systems }} - touched: ${{ steps.files.outputs.touched }} + touched: ${{ steps.prepare.outputs.touched }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: @@ -44,20 +44,6 @@ jobs: core, }) - - name: Determine changed files - id: files - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - script: | - const files = (await github.paginate(github.rest.pulls.listFiles, { - ...context.repo, - pull_number: context.payload.pull_request.number, - per_page: 100, - })).map(file => file.filename) - - if (files.includes('ci/pinned.json')) core.setOutput('touched', ['pinned']) - else core.setOutput('touched', []) - check: name: Check needs: [prepare] diff --git a/ci/github-script/prepare.js b/ci/github-script/prepare.js index 1f56a502ca8a..d47dd86308dd 100644 --- a/ci/github-script/prepare.js +++ b/ci/github-script/prepare.js @@ -68,6 +68,17 @@ module.exports = async ({ github, context, core }) => { core.setOutput('head', headClassification) core.info('head classification:', headClassification) + const files = ( + await github.paginate(github.rest.pulls.listFiles, { + ...context.repo, + pull_number: context.payload.pull_request.number, + per_page: 100, + }) + ).map((file) => file.filename) + + if (files.includes('ci/pinned.json')) core.setOutput('touched', ['pinned']) + else core.setOutput('touched', []) + return } throw new Error( From 1e8419b52e69ca0189a41e83f71329ccaaabe1f1 Mon Sep 17 00:00:00 2001 
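Review bot: In the prepare.js hunk (`@@ -68,6 +68,17 @@`), `touched` is derived from `pulls.listFiles`, which GitHub documents as returning at most 3000 files per pull request, so on a very large PR `files.includes('ci/pinned.json')` can be false even though the file changed. If a later job uses `touched` to decide whether a pin change gets extra checks (not visible here), either record the limit next to the call, for example `// NOTE: listFiles is capped at 3000 files; a very large PR may not report ci/pinned.json`, or compare the file between `targetSha` and `mergedSha`, which are already known at this point. The call could also pass the `pull_number` constant defined at the top of the function instead of reading `context.payload.pull_request.number` again. The function body continues outside the hunk.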
From: Wolfgang Walther Date: Wed, 20 Aug 2025 17:59:27 +0200 Subject: [PATCH 6/8] ci/github-script/prepare: fix logging of branch classification Logging objects to stdout is not possible with `core.info`, so we fallback to `console.log` instead. There's no functional difference for these anyway. (cherry picked from commit f94fd64d53b9b5ca371bbd908a70b719beec3d90) --- ci/github-script/prepare.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/github-script/prepare.js b/ci/github-script/prepare.js index d47dd86308dd..fb000cb6820a 100644 --- a/ci/github-script/prepare.js +++ b/ci/github-script/prepare.js @@ -58,7 +58,7 @@ module.exports = async ({ github, context, core }) => { const baseClassification = classify(base.ref) core.setOutput('base', baseClassification) - core.info('base classification:', baseClassification) + console.log('base classification:', baseClassification) const headClassification = base.repo.full_name === head.repo.full_name @@ -66,7 +66,7 @@ module.exports = async ({ github, context, core }) => { : // PRs from forks are always considered WIP. { type: ['wip'] } core.setOutput('head', headClassification) - core.info('head classification:', headClassification) + console.log('head classification:', headClassification) const files = ( await github.paginate(github.rest.pulls.listFiles, { From 599c6c4e7fde7a0d2d2dca8f4250f326b3ff6cd2 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Wed, 20 Aug 2025 18:03:41 +0200 Subject: [PATCH 7/8] workflows/pr.prepare: specify cone mode explicitly This is the default, but who's supposed to know about that? Let's make it explicit to be clear about the availability of files in `ci/`. (cherry picked from commit f35d1cd2cc4e703530a003e2e6d4ea08d40cab8e) --- .github/workflows/pr.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index a09c51eeae7e..80deea95624c 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
@@ -32,6 +32,7 @@ jobs: steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: + sparse-checkout-cone-mode: true # default, for clarity sparse-checkout: | ci/github-script - id: prepare From 1d5b0b9e95539ec5af44def19c215f4a99850f52 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Wed, 20 Aug 2025 18:52:20 +0200 Subject: [PATCH 8/8] actions/checkout: remove unused input types The two as-at inputs, were not boolean anymore, but GHA didn't complain. Input types are actually not a thing for composite actions - they are only documented for callable workflows. (cherry picked from commit f01b6b4754c46d89f40e5d4be5539ad066558dd7) --- .github/actions/checkout/action.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/actions/checkout/action.yml b/.github/actions/checkout/action.yml index 751eef7600cd..a07edb097d7b 100644 --- a/.github/actions/checkout/action.yml +++ b/.github/actions/checkout/action.yml @@ -5,13 +5,10 @@ description: 'Checkout into trusted / untrusted / pinned folders consistently.' inputs: merged-as-untrusted-at: description: "Whether and which SHA to checkout for the merge commit in the ./untrusted folder." - type: boolean pinned-from: description: "Whether to checkout the pinned nixpkgs for CI and from where (trusted, untrusted)." - type: string target-as-trusted-at: description: "Whether and which SHA to checkout for the target commit in the ./trusted folder." - type: boolean runs: using: composite