mirror of
https://github.com/CHN-beta/nixpkgs.git
synced 2026-01-12 02:40:31 +08:00
8824c563a7
Posting the status manually allows us to avoid the strange "skipped ==
success" logic and properly skip the `unlock` job for pull_request
events in the next commit.
This should be much easier to understand than the previous logic.
(cherry picked from commit 2c25cb0891)
151 lines
4.7 KiB
YAML
151 lines
4.7 KiB
YAML
name: PR
|
|
|
|
on:
|
|
pull_request_target:
|
|
workflow_call:
|
|
secrets:
|
|
CACHIX_AUTH_TOKEN:
|
|
required: true
|
|
NIXPKGS_CI_APP_PRIVATE_KEY:
|
|
required: true
|
|
OWNER_APP_PRIVATE_KEY:
|
|
# The Test workflow should not actually request reviews from owners.
|
|
required: false
|
|
OWNER_RO_APP_PRIVATE_KEY:
|
|
required: true
|
|
|
|
concurrency:
|
|
group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
|
|
cancel-in-progress: true
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
prepare:
|
|
runs-on: ubuntu-24.04-arm
|
|
outputs:
|
|
baseBranch: ${{ steps.prepare.outputs.base }}
|
|
headBranch: ${{ steps.prepare.outputs.head }}
|
|
mergedSha: ${{ steps.prepare.outputs.mergedSha }}
|
|
targetSha: ${{ steps.prepare.outputs.targetSha }}
|
|
systems: ${{ steps.prepare.outputs.systems }}
|
|
touched: ${{ steps.prepare.outputs.touched }}
|
|
steps:
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
with:
|
|
sparse-checkout-cone-mode: true # default, for clarity
|
|
sparse-checkout: |
|
|
ci/github-script
|
|
- id: prepare
|
|
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
|
|
with:
|
|
script: |
|
|
require('./ci/github-script/prepare.js')({
|
|
github,
|
|
context,
|
|
core,
|
|
})
|
|
|
|
check:
|
|
name: Check
|
|
needs: [prepare]
|
|
uses: ./.github/workflows/check.yml
|
|
permissions:
|
|
# cherry-picks
|
|
pull-requests: write
|
|
secrets:
|
|
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
|
|
OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
|
|
with:
|
|
baseBranch: ${{ needs.prepare.outputs.baseBranch }}
|
|
headBranch: ${{ needs.prepare.outputs.headBranch }}
|
|
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
|
|
targetSha: ${{ needs.prepare.outputs.targetSha }}
|
|
|
|
lint:
|
|
name: Lint
|
|
needs: [prepare]
|
|
uses: ./.github/workflows/lint.yml
|
|
secrets:
|
|
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
|
|
with:
|
|
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
|
|
targetSha: ${{ needs.prepare.outputs.targetSha }}
|
|
|
|
eval:
|
|
name: Eval
|
|
needs: [prepare]
|
|
uses: ./.github/workflows/eval.yml
|
|
permissions:
|
|
# compare
|
|
statuses: write
|
|
secrets:
|
|
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
|
|
with:
|
|
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
|
|
targetSha: ${{ needs.prepare.outputs.targetSha }}
|
|
systems: ${{ needs.prepare.outputs.systems }}
|
|
testVersions: ${{ contains(fromJSON(needs.prepare.outputs.touched), 'pinned') && !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development') }}
|
|
|
|
labels:
|
|
name: Labels
|
|
needs: [prepare, eval]
|
|
uses: ./.github/workflows/labels.yml
|
|
permissions:
|
|
issues: write
|
|
pull-requests: write
|
|
secrets:
|
|
NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
|
|
with:
|
|
headBranch: ${{ needs.prepare.outputs.headBranch }}
|
|
|
|
reviewers:
|
|
name: Reviewers
|
|
needs: [prepare, eval]
|
|
if: |
|
|
needs.prepare.outputs.targetSha &&
|
|
!contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development')
|
|
uses: ./.github/workflows/reviewers.yml
|
|
secrets:
|
|
OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
|
|
|
|
build:
|
|
name: Build
|
|
needs: [prepare]
|
|
uses: ./.github/workflows/build.yml
|
|
secrets:
|
|
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
|
|
with:
|
|
baseBranch: ${{ needs.prepare.outputs.baseBranch }}
|
|
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
|
|
|
|
# This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
|
|
# It "needs" all the jobs that should block merging a PR.
|
|
unlock:
|
|
# Modify this list to add or remove jobs from required status checks.
|
|
needs:
|
|
- check
|
|
- lint
|
|
- eval
|
|
- build
|
|
runs-on: ubuntu-24.04-arm
|
|
permissions:
|
|
statuses: write
|
|
steps:
|
|
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
|
|
with:
|
|
script: |
|
|
const { serverUrl, repo, runId, payload } = context
|
|
const target_url =
|
|
`${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}`
|
|
await github.rest.repos.createCommitStatus({
|
|
...repo,
|
|
sha: payload.pull_request.head.sha,
|
|
// WARNING:
|
|
// Do NOT change the name of this, otherwise the rule will not catch it anymore.
|
|
// This would prevent all PRs from merging.
|
|
context: 'no PR failures',
|
|
state: 'success',
|
|
target_url,
|
|
})
|