mirror of
https://github.com/CHN-beta/nixpkgs.git
synced 2026-01-12 02:40:31 +08:00
8353c8c10e
This moves the no-channel-base check into the prepare script to exit
early and prevent all of CI to run against those branches. We also
provide better output by posting a "Changes Requested" review, using the
existing infrastructure from the old cherry-picks check.
The review will be dismissed automatically once the branch has been
corrected, because the commits check will run and do it.
(cherry picked from commit 0601cf6fd0)
157 lines
5.0 KiB
YAML
157 lines
5.0 KiB
YAML
name: PR
|
|
|
|
on:
|
|
pull_request_target:
|
|
workflow_call:
|
|
secrets:
|
|
CACHIX_AUTH_TOKEN:
|
|
required: true
|
|
NIXPKGS_CI_APP_PRIVATE_KEY:
|
|
required: true
|
|
OWNER_APP_PRIVATE_KEY:
|
|
# The Test workflow should not actually request reviews from owners.
|
|
required: false
|
|
OWNER_RO_APP_PRIVATE_KEY:
|
|
required: true
|
|
|
|
concurrency:
|
|
group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
|
|
cancel-in-progress: true
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
prepare:
|
|
runs-on: ubuntu-24.04-arm
|
|
permissions:
|
|
# wrong branch review comment
|
|
pull-requests: write
|
|
outputs:
|
|
baseBranch: ${{ steps.prepare.outputs.base }}
|
|
headBranch: ${{ steps.prepare.outputs.head }}
|
|
mergedSha: ${{ steps.prepare.outputs.mergedSha }}
|
|
targetSha: ${{ steps.prepare.outputs.targetSha }}
|
|
systems: ${{ steps.prepare.outputs.systems }}
|
|
touched: ${{ steps.prepare.outputs.touched }}
|
|
steps:
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
with:
|
|
sparse-checkout-cone-mode: true # default, for clarity
|
|
sparse-checkout: |
|
|
ci/github-script
|
|
- id: prepare
|
|
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
|
|
with:
|
|
script: |
|
|
require('./ci/github-script/prepare.js')({
|
|
github,
|
|
context,
|
|
core,
|
|
dry: context.eventName == 'pull_request',
|
|
})
|
|
|
|
check:
|
|
name: Check
|
|
needs: [prepare]
|
|
uses: ./.github/workflows/check.yml
|
|
permissions:
|
|
# cherry-picks
|
|
pull-requests: write
|
|
secrets:
|
|
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
|
|
OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
|
|
with:
|
|
baseBranch: ${{ needs.prepare.outputs.baseBranch }}
|
|
headBranch: ${{ needs.prepare.outputs.headBranch }}
|
|
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
|
|
targetSha: ${{ needs.prepare.outputs.targetSha }}
|
|
ownersCanFail: ${{ !contains(fromJSON(needs.prepare.outputs.touched), 'owners') }}
|
|
|
|
lint:
|
|
name: Lint
|
|
needs: [prepare]
|
|
uses: ./.github/workflows/lint.yml
|
|
secrets:
|
|
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
|
|
with:
|
|
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
|
|
targetSha: ${{ needs.prepare.outputs.targetSha }}
|
|
|
|
eval:
|
|
name: Eval
|
|
needs: [prepare]
|
|
uses: ./.github/workflows/eval.yml
|
|
permissions:
|
|
# compare
|
|
statuses: write
|
|
secrets:
|
|
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
|
|
with:
|
|
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
|
|
targetSha: ${{ needs.prepare.outputs.targetSha }}
|
|
systems: ${{ needs.prepare.outputs.systems }}
|
|
testVersions: ${{ contains(fromJSON(needs.prepare.outputs.touched), 'pinned') && !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development') }}
|
|
|
|
labels:
|
|
name: Labels
|
|
needs: [prepare, eval]
|
|
uses: ./.github/workflows/labels.yml
|
|
permissions:
|
|
issues: write
|
|
pull-requests: write
|
|
secrets:
|
|
NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
|
|
with:
|
|
headBranch: ${{ needs.prepare.outputs.headBranch }}
|
|
|
|
reviewers:
|
|
name: Reviewers
|
|
needs: [prepare, eval]
|
|
if: |
|
|
needs.prepare.outputs.targetSha &&
|
|
!contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development')
|
|
uses: ./.github/workflows/reviewers.yml
|
|
secrets:
|
|
OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
|
|
|
|
build:
|
|
name: Build
|
|
needs: [prepare]
|
|
uses: ./.github/workflows/build.yml
|
|
secrets:
|
|
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
|
|
with:
|
|
baseBranch: ${{ needs.prepare.outputs.baseBranch }}
|
|
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
|
|
|
|
# This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
|
|
# It "needs" all the jobs that should block merging a PR.
|
|
unlock:
|
|
if: github.event_name != 'pull_request'
|
|
# Modify this list to add or remove jobs from required status checks.
|
|
needs:
|
|
- check
|
|
- lint
|
|
- eval
|
|
- build
|
|
runs-on: ubuntu-24.04-arm
|
|
permissions:
|
|
statuses: write
|
|
steps:
|
|
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
|
|
with:
|
|
script: |
|
|
const { serverUrl, repo, runId, payload } = context
|
|
const target_url =
|
|
`${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}`
|
|
await github.rest.repos.createCommitStatus({
|
|
...repo,
|
|
sha: payload.pull_request.head.sha,
|
|
// WARNING:
|
|
// Do NOT change the name of this, otherwise the rule will not catch it anymore.
|
|
// This would prevent all PRs from merging.
|
|
context: 'no PR failures',
|
|
state: 'success',
|
|
target_url,
|
|
})
|