workflows/eval: drop process job

Since process doesn't need to run on push events anymore, we can just as well remove it entirely. The little bit of combine and comparison can be done in the tag job, even with elevated privileges. That's because those parts can be done entirely from the target commit, which is trusted. This saves startup, installing nix, downloading tools and artifacts for one job. It saves about 1 minute per run, start to finish. (cherry picked from commit b942fb47dc)
2026-01-11 18:32:23 +08:00 · 2025-05-19 20:14:13 +02:00
parent edd12277b0
commit e571df5faa
1 changed files with 17 additions and 42 deletions
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@@ -153,11 +153,14 @@ jobs:
          name: diff-${{ matrix.system }}
          path: diff/*

-  process:
-    name: Process
+  tag:
+    name: Tag
    runs-on: ubuntu-24.04-arm
    needs: [ prepare, outpaths ]
    if: needs.prepare.outputs.targetSha
+    permissions:
+      pull-requests: write
+      statuses: write
    steps:
      - name: Download output paths and eval stats for all systems
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
@@ -206,46 +209,6 @@ jobs:
          name: comparison
          path: comparison/*

-  # Separate job to have a very tightly scoped PR write token
-  tag:
-    name: Tag
-    runs-on: ubuntu-24.04-arm
-    needs: [ prepare, process ]
-    if: needs.prepare.outputs.targetSha
-    permissions:
-      pull-requests: write
-      statuses: write
-    steps:
-      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
-      # Can't use the token received from permissions above, because it can't get enough permissions
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.OWNER_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.OWNER_APP_ID }}
-          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
-          permission-administration: read
-          permission-members: read
-          permission-pull-requests: write
-
-      - name: Download comparison result
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          name: comparison
-          path: comparison
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-
-      # Important: This workflow job runs with extra permissions,
-      # so we need to make sure to not run untrusted code from PRs
-      - name: Check out Nixpkgs at the target commit
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ needs.prepare.outputs.targetSha }}
-          path: trusted
-          sparse-checkout: ci
-
      - name: Build the requestReviews derivation
        run: nix-build trusted/ci -A requestReviews

@@ -303,6 +266,18 @@ jobs:
            "/repos/$GITHUB_REPOSITORY/statuses/$PR_HEAD_SHA" \
            -f "context=Eval / Summary" -f "state=success" -f "description=$description" -f "target_url=$target_url"

+      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
+      # Can't use the token received from permissions above, because it can't get enough permissions
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        if: vars.OWNER_APP_ID
+        id: app-token
+        with:
+          app-id: ${{ vars.OWNER_APP_ID }}
+          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+          permission-administration: read
+          permission-members: read
+          permission-pull-requests: write
+
      - name: Requesting maintainer reviews
        if: ${{ steps.app-token.outputs.token && github.repository_owner == 'NixOS' }}
        env: