chn/nixpkgs
1
0
Fork 0
mirror of https://github.com/CHN-beta/nixpkgs.git synced 2026-01-12 02:40:31 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
c18d1e4af8eb84649ad4db16d220cf816731b3c0
nixpkgs/.github/workflows/check.yml
Wolfgang Walther c18d1e4af8 actions/checkout: always checkout pinned commits 
With the latest performance improvements, this only adds up to 1s, but
reduces complexity in managing pinned checkouts explicitly, especially
when we need *both* pinned checkouts in the next commit.
2025-08-22 12:54:28 +02:00

152 lines
4.8 KiB
YAML
Raw Blame History

name: Check
on:
workflow_call:
inputs:
baseBranch:
required: true
type: string
headBranch:
required: true
type: string
mergedSha:
required: true
type: string
targetSha:
required: true
type: string
secrets:
CACHIX_AUTH_TOKEN:
required: true
OWNER_RO_APP_PRIVATE_KEY:
required: true
permissions: {}
defaults:
run:
shell: bash
jobs:
no-channel-base:
name: no channel base
if: contains(fromJSON(inputs.baseBranch).type, 'channel')
runs-on: ubuntu-24.04-arm
steps:
- run: |
cat <<EOF
The nixos-* and nixpkgs-* branches are pushed to by the channel
release script and should not be merged into directly.
Please target the equivalent release-* branch or master instead.
EOF
exit 1
cherry-pick:
if: |
github.event_name == 'pull_request' ||
(fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development'))
permissions:
pull-requests: write
runs-on: ubuntu-24.04-arm
timeout-minutes: 3
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
path: trusted
sparse-checkout: |
ci/github-script
- name: Install dependencies
run: npm install bottleneck
- name: Log current API rate limits
env:
GH_TOKEN: ${{ github.token }}
run: gh api /rate_limit | jq
- name: Check cherry-picks
id: check
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
require('./trusted/ci/github-script/commits.js')({
github,
context,
core,
dry: context.eventName == 'pull_request',
})
- name: Log current API rate limits
env:
GH_TOKEN: ${{ github.token }}
run: gh api /rate_limit | jq
# For checking code owners, this job depends on a GitHub App with the following permissions:
# - Permissions:
# - Repository > Administration: read-only
# - Organization > Members: read-only
# - Install App on this repository, setting these variables:
# - OWNER_RO_APP_ID (variable)
# - OWNER_RO_APP_PRIVATE_KEY (secret)
#
# This should not use the same app as the job to request reviewers, because this job requires
# handling untrusted PR input.
owners:
runs-on: ubuntu-24.04-arm
timeout-minutes: 5
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
sparse-checkout: .github/actions
- name: Checkout merge and target commits
uses: ./.github/actions/checkout
with:
merged-as-untrusted-at: ${{ inputs.mergedSha }}
target-as-trusted-at: ${{ inputs.targetSha }}
- uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
with:
# The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
extraPullNames: nixpkgs-ci
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
pushFilter: -source$
- name: Build codeowners validator
run: nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A codeownersValidator
- uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
id: app-token
with:
app-id: ${{ vars.OWNER_RO_APP_ID }}
private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
permission-administration: read
permission-members: read
- name: Log current API rate limits
if: steps.app-token.outputs.token
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: gh api /rate_limit | jq
- name: Validate codeowners
if: steps.app-token.outputs.token
env:
OWNERS_FILE: nixpkgs/untrusted/ci/OWNERS
GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
REPOSITORY_PATH: nixpkgs/untrusted
OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
# Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
EXPERIMENTAL_CHECKS: "avoid-shadowing"
run: result/bin/codeowners-validator
- name: Log current API rate limits
if: steps.app-token.outputs.token
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: gh api /rate_limit | jq
Reference in New Issue View Git Blame Copy Permalink