diff --git a/.github/actions/checkout/action.yml b/.github/actions/checkout/action.yml index e14c5936e62d..868d832bf8f3 100644 --- a/.github/actions/checkout/action.yml +++ b/.github/actions/checkout/action.yml @@ -5,8 +5,6 @@ description: 'Checkout into trusted / untrusted / pinned folders consistently.' inputs: merged-as-untrusted-at: description: "Whether and which SHA to checkout for the merge commit in the ./untrusted folder." - pinned-from: - description: "Whether to checkout the pinned nixpkgs for CI and from where (trusted, untrusted)." target-as-trusted-at: description: "Whether and which SHA to checkout for the target commit in the ./trusted folder." @@ -16,7 +14,6 @@ runs: - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: MERGED_SHA: ${{ inputs.merged-as-untrusted-at }} - PINNED_FROM: ${{ inputs.pinned-from }} TARGET_SHA: ${{ inputs.target-as-trusted-at }} with: script: | @@ -45,6 +42,7 @@ runs: // A single fetch call comes with a lot less overhead. The fetch takes essentially the // same time no matter whether its 1, 2 or 3 commits at once. async function getPinnedSha(ref) { + if (!ref) return undefined const { content, encoding } = (await github.rest.repos.getContent({ ...context.repo, path: 'ci/pinned.json', @@ -60,16 +58,16 @@ runs: path: 'untrusted', }, { - sha: process.env.PINNED_FROM === 'untrusted' && (await getPinnedSha(process.env.MERGED_SHA)), - path: 'pinned' + sha: await getPinnedSha(process.env.MERGED_SHA), + path: 'untrusted-pinned' }, { sha: process.env.TARGET_SHA, path: 'trusted', }, { - sha: process.env.PINNED_FROM === 'trusted' && (await getPinnedSha(process.env.TARGET_SHA)), - path: 'pinned' + sha: await getPinnedSha(process.env.TARGET_SHA), + path: 'trusted-pinned' } ].filter(({ sha }) => Boolean(sha)) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 20fcb47dc7a0..0acb7dab64f0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
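Review bot: The context comment just above `getPinnedSha` still says the fetch costs the same "whether its 1, 2 or 3 commits at once", but the list built further down can now hold four entries (untrusted, untrusted-pinned, trusted, trusted-pinned), so it should read `1 to 4 commits`. The new guard would also benefit from a one-line comment such as `// No SHA given for this side: skip the API call, the entry is filtered out below`. The body of `getPinnedSha` continues outside the hunk, so how `content` is decoded and checked cannot be judged from here.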
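Review bot: The `untrusted-pinned` entry takes its SHA from `ci/pinned.json` as looked up for `MERGED_SHA` (presumably at that ref), so the PR author decides which commit lands in that folder, and nothing in the list says so. A comment on that entry would record it, e.g. `// SHA is read from the PR's own ci/pinned.json: ./untrusted-pinned is PR-controlled, keep it out of steps that hold secrets`. Because both pins now exist side by side whenever both inputs are set, every workflow step has to pair the trusted `ci` directory with `./nixpkgs/trusted-pinned` by hand (check.yml and eval.yml in this commit). A small CI check that rejects the trusted `ci` directory combined with `untrusted-pinned` would catch a wrong pairing. The list sits inside a script whose surrounding code is outside the hunk.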
@@ -51,7 +51,6 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - pinned-from: untrusted - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 with: 
@@ -66,33 +65,33 @@ jobs: authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} pushFilter: '(-source$|-nixpkgs-tarball-)' - - run: nix-env --install -f nixpkgs/pinned -A nix-build-uncached + - run: nix-env --install -f nixpkgs/untrusted-pinned -A nix-build-uncached - name: Build shell if: contains(matrix.builds, 'shell') - run: echo "${{ matrix.systems }}" | xargs -n1 nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A shell --argstr system + run: echo "${{ matrix.systems }}" | xargs -n1 nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A shell --argstr system - name: Build NixOS manual if: | contains(matrix.builds, 'manual-nixos') && !cancelled() && contains(fromJSON(inputs.baseBranch).type, 'primary') - run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A manual-nixos --out-link nixos-manual + run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A manual-nixos --out-link nixos-manual - name: Build Nixpkgs manual if: contains(matrix.builds, 'manual-nixpkgs') && !cancelled() - run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A manual-nixpkgs -A manual-nixpkgs-tests + run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A manual-nixpkgs -A manual-nixpkgs-tests - name: Build Nixpkgs manual tests if: contains(matrix.builds, 'manual-nixpkgs-tests') && !cancelled() - run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A manual-nixpkgs-tests + run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A manual-nixpkgs-tests - name: Build lib tests if: contains(matrix.builds, 'lib-tests') && !cancelled() - run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A lib-tests + run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A lib-tests - name: Build tarball if: contains(matrix.builds, 'tarball') && 
!cancelled() - run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A tarball + run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A tarball - name: Upload NixOS manual if: | diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 287d4f80d557..ded8bad536c4 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -103,7 +103,6 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - pinned-from: trusted target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 @@ -117,7 +116,7 @@ jobs: pushFilter: -source$ - name: Build codeowners validator - run: nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/pinned -A codeownersValidator + run: nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A codeownersValidator - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0 if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index c3b1c70034be..a2b16638b910 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml @@ -93,7 +93,6 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - pinned-from: untrusted - name: Install Nix uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 @@ -111,7 +110,7 @@ jobs: MATRIX_SYSTEM: ${{ matrix.system }} MATRIX_VERSION: ${{ matrix.version || 'nixVersions.latest' }} run: | - nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A eval.singleSystem \ + nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A eval.singleSystem \ --argstr evalSystem "$MATRIX_SYSTEM" \ --arg chunkSize 8000 \ --argstr nixPath "$MATRIX_VERSION" \ 
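Review bot: The `Build shell` step still interpolates `${{ matrix.systems }}` directly into the script text, so the value is expanded before the shell parses the line. eval.yml already passes its matrix value through `env:` (`MATRIX_SYSTEM`); doing the same here, with `env: MATRIX_SYSTEMS: ${{ matrix.systems }}` and `echo "$MATRIX_SYSTEMS" | xargs -n1 …`, keeps the quoting intact whatever the matrix holds. Where `matrix.systems` is defined is not visible in this hunk, so this is hardening rather than a confirmed injection path.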
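Review bot: The `Build codeowners validator` step sits directly before `actions/create-github-app-token` under `pull_request_target`, yet nothing explains why it must build from `trusted/ci` with `trusted-pinned`. Since this job sets `merged-as-untrusted-at`, the checkout action now also places `./nixpkgs/untrusted-pinned` on disk here, where before only the trusted pin was fetched. A comment above the step would keep a later edit from picking the wrong folder: `# Build from the target branch and its pin only; untrusted and untrusted-pinned are PR-controlled and must not be used in this job`.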
@@ -190,7 +189,7 @@ jobs: env: MATRIX_SYSTEM: ${{ matrix.system }} run: | - nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A eval.diff \ + nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A eval.diff \ --arg beforeDir ./target \ --arg afterDir "$(readlink ./merged)" \ --argstr evalSystem "$MATRIX_SYSTEM" \ @@ -219,7 +218,6 @@ jobs: with: merged-as-untrusted-at: ${{ inputs.mergedSha }} target-as-trusted-at: ${{ inputs.targetSha }} - pinned-from: trusted - name: Download output paths and eval stats for all systems uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 @@ -233,7 +231,7 @@ jobs: - name: Combine all output paths and eval stats run: | - nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/pinned -A eval.combine \ + nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A eval.combine \ --arg diffDir ./diff \ --out-link combined @@ -245,7 +243,7 @@ jobs: | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json # Use the target branch to get accurate maintainer info - nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/pinned -A eval.compare \ + nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A eval.compare \ --arg combinedDir "$(realpath ./combined)" \ --arg touchedFilesJson ./touched-files.json \ --argstr githubAuthorId "$AUTHOR_ID" \ diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 771a64c4a5d6..4d94df1578fa 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -31,7 +31,6 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - pinned-from: untrusted - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 
@@ -44,7 +43,7 @@ jobs: # Note that it's fine to run this on untrusted code because: # - There's no secrets accessible here # - The build is sandboxed - if ! nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A fmt.check; then + if ! nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A fmt.check; then echo "Some files are not properly formatted" echo "Please format them by going to the Nixpkgs root directory and running one of:" echo " nix-shell --run treefmt" @@ -66,7 +65,6 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - pinned-from: untrusted - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 @@ -81,7 +79,7 @@ jobs: - name: Parse all nix files run: | # Tests multiple versions at once, let's make sure all of them run, so keep-going. - nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A parse --keep-going + nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A parse --keep-going nixpkgs-vet: runs-on: ubuntu-24.04-arm @@ -94,7 +92,6 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} - pinned-from: untrusted target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 @@ -112,7 +109,7 @@ jobs: # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/ CLICOLOR_FORCE: 1 run: | - if nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A nixpkgs-vet --arg base "./nixpkgs/trusted" --arg head "./nixpkgs/untrusted"; then + if nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A nixpkgs-vet --arg base "./nixpkgs/trusted" --arg head "./nixpkgs/untrusted"; then exit 0 else exitCode=$?
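Review bot: The comment justifying the `fmt.check` step ("fine to run this on untrusted code because…") only covers the checked-out PR tree, while the renamed path shows that the nixpkgs used to build the tooling, `./nixpkgs/untrusted-pinned`, is selected by the PR as well. Add a third bullet so the reasoning stays complete, e.g. `# - The pinned nixpkgs (untrusted-pinned) is PR-controlled too, which is acceptable for the same two reasons`. The script block continues past the end of the hunk.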