chn/nixpkgs
1
0
Fork 0
mirror of https://github.com/CHN-beta/nixpkgs.git synced 2026-01-11 18:32:23 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
1ca85055787cbf5fff7ecf2ed5e98208157ba2e6
nixpkgs/.github/workflows/check.yml
Wolfgang Walther 1ca8505578 actions/checkout: use single tmpfs with subfolders 
This fixes problems on darwin, where the new tmpfs folder would not be
fully empty, but git only creates worktrees on fully empty directories.

(cherry picked from commit fb32eb0f29)
2025-08-22 10:13:11 +00:00

153 lines
4.8 KiB
YAML
Raw Blame History

name: Check
on:
workflow_call:
inputs:
baseBranch:
required: true
type: string
headBranch:
required: true
type: string
mergedSha:
required: true
type: string
targetSha:
required: true
type: string
secrets:
CACHIX_AUTH_TOKEN:
required: true
OWNER_RO_APP_PRIVATE_KEY:
required: true
permissions: {}
defaults:
run:
shell: bash
jobs:
no-channel-base:
name: no channel base
if: contains(fromJSON(inputs.baseBranch).type, 'channel')
runs-on: ubuntu-24.04-arm
steps:
- run: |
cat <<EOF
The nixos-* and nixpkgs-* branches are pushed to by the channel
release script and should not be merged into directly.
Please target the equivalent release-* branch or master instead.
EOF
exit 1
cherry-pick:
if: |
github.event_name == 'pull_request' ||
(fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development'))
permissions:
pull-requests: write
runs-on: ubuntu-24.04-arm
timeout-minutes: 3
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
path: trusted
sparse-checkout: |
ci/github-script
- name: Install dependencies
run: npm install bottleneck
- name: Log current API rate limits
env:
GH_TOKEN: ${{ github.token }}
run: gh api /rate_limit | jq
- name: Check cherry-picks
id: check
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
require('./trusted/ci/github-script/commits.js')({
github,
context,
core,
dry: context.eventName == 'pull_request',
})
- name: Log current API rate limits
env:
GH_TOKEN: ${{ github.token }}
run: gh api /rate_limit | jq
# For checking code owners, this job depends on a GitHub App with the following permissions:
# - Permissions:
# - Repository > Administration: read-only
# - Organization > Members: read-only
# - Install App on this repository, setting these variables:
# - OWNER_RO_APP_ID (variable)
# - OWNER_RO_APP_PRIVATE_KEY (secret)
#
# This should not use the same app as the job to request reviewers, because this job requires
# handling untrusted PR input.
owners:
runs-on: ubuntu-24.04-arm
timeout-minutes: 5
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
sparse-checkout: .github/actions
- name: Checkout merge and target commits
uses: ./.github/actions/checkout
with:
merged-as-untrusted-at: ${{ inputs.mergedSha }}
pinned-from: trusted
target-as-trusted-at: ${{ inputs.targetSha }}
- uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
with:
# The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
extraPullNames: nixpkgs-ci
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
pushFilter: -source$
- name: Build codeowners validator
run: nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/pinned -A codeownersValidator
- uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
id: app-token
with:
app-id: ${{ vars.OWNER_RO_APP_ID }}
private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
permission-administration: read
permission-members: read
- name: Log current API rate limits
if: steps.app-token.outputs.token
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: gh api /rate_limit | jq
- name: Validate codeowners
if: steps.app-token.outputs.token
env:
OWNERS_FILE: nixpkgs/untrusted/ci/OWNERS
GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
REPOSITORY_PATH: nixpkgs/untrusted
OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
# Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
EXPERIMENTAL_CHECKS: "avoid-shadowing"
run: result/bin/codeowners-validator
- name: Log current API rate limits
if: steps.app-token.outputs.token
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: gh api /rate_limit | jq
Reference in New Issue View Git Blame Copy Permalink