mirror of
https://github.com/CHN-beta/nixpkgs.git
synced 2026-01-11 18:32:23 +08:00
e3ff0fab42
Pushing the source path to cachix is pointless, because the only source
we're using is Nixpkgs - and that will always be available already via
checkout. No need to ever substitute it, so no need to push it either.
(cherry picked from commit 2400bdf0d4)
155 lines
4.8 KiB
YAML
155 lines
4.8 KiB
YAML
name: Check
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
baseBranch:
|
|
required: true
|
|
type: string
|
|
headBranch:
|
|
required: true
|
|
type: string
|
|
mergedSha:
|
|
required: true
|
|
type: string
|
|
targetSha:
|
|
required: true
|
|
type: string
|
|
secrets:
|
|
CACHIX_AUTH_TOKEN:
|
|
required: true
|
|
OWNER_RO_APP_PRIVATE_KEY:
|
|
required: true
|
|
|
|
permissions: {}
|
|
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
|
|
jobs:
|
|
no-channel-base:
|
|
name: no channel base
|
|
if: contains(fromJSON(inputs.baseBranch).type, 'channel')
|
|
runs-on: ubuntu-24.04-arm
|
|
steps:
|
|
- run: |
|
|
cat <<EOF
|
|
The nixos-* and nixpkgs-* branches are pushed to by the channel
|
|
release script and should not be merged into directly.
|
|
|
|
Please target the equivalent release-* branch or master instead.
|
|
EOF
|
|
exit 1
|
|
|
|
cherry-pick:
|
|
if: |
|
|
github.event_name == 'pull_request' ||
|
|
(fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development'))
|
|
permissions:
|
|
pull-requests: write
|
|
runs-on: ubuntu-24.04-arm
|
|
timeout-minutes: 3
|
|
steps:
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
with:
|
|
path: trusted
|
|
sparse-checkout: |
|
|
ci/github-script
|
|
|
|
- name: Install dependencies
|
|
run: npm install bottleneck
|
|
|
|
- name: Log current API rate limits
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
run: gh api /rate_limit | jq
|
|
|
|
- name: Check cherry-picks
|
|
id: check
|
|
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
|
|
with:
|
|
script: |
|
|
require('./trusted/ci/github-script/commits.js')({
|
|
github,
|
|
context,
|
|
core,
|
|
dry: context.eventName == 'pull_request',
|
|
})
|
|
|
|
- name: Log current API rate limits
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
run: gh api /rate_limit | jq
|
|
|
|
# For checking code owners, this job depends on a GitHub App with the following permissions:
|
|
# - Permissions:
|
|
# - Repository > Administration: read-only
|
|
# - Organization > Members: read-only
|
|
# - Install App on this repository, setting these variables:
|
|
# - OWNER_RO_APP_ID (variable)
|
|
# - OWNER_RO_APP_PRIVATE_KEY (secret)
|
|
#
|
|
# This should not use the same app as the job to request reviewers, because this job requires
|
|
# handling untrusted PR input.
|
|
owners:
|
|
runs-on: ubuntu-24.04-arm
|
|
timeout-minutes: 5
|
|
steps:
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
with:
|
|
sparse-checkout: .github/actions
|
|
- name: Check if the PR can be merged and checkout the merge and target commits
|
|
uses: ./.github/actions/get-merge-commit
|
|
with:
|
|
mergedSha: ${{ inputs.mergedSha }}
|
|
merged-as-untrusted: true
|
|
pinnedFrom: trusted
|
|
targetSha: ${{ inputs.targetSha }}
|
|
target-as-trusted: true
|
|
|
|
- uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
|
|
|
|
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
|
|
with:
|
|
# The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
|
|
name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
|
|
extraPullNames: nixpkgs-ci
|
|
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
|
|
pushFilter: -source$
|
|
|
|
- name: Build codeowners validator
|
|
run: nix-build trusted/ci --arg nixpkgs ./pinned -A codeownersValidator
|
|
|
|
- uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
|
|
if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
|
|
id: app-token
|
|
with:
|
|
app-id: ${{ vars.OWNER_RO_APP_ID }}
|
|
private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
|
|
permission-administration: read
|
|
permission-members: read
|
|
|
|
- name: Log current API rate limits
|
|
if: steps.app-token.outputs.token
|
|
env:
|
|
GH_TOKEN: ${{ steps.app-token.outputs.token }}
|
|
run: gh api /rate_limit | jq
|
|
|
|
- name: Validate codeowners
|
|
if: steps.app-token.outputs.token
|
|
env:
|
|
OWNERS_FILE: untrusted/ci/OWNERS
|
|
GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
|
|
REPOSITORY_PATH: untrusted
|
|
OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
|
|
# Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
|
|
EXPERIMENTAL_CHECKS: "avoid-shadowing"
|
|
run: result/bin/codeowners-validator
|
|
|
|
- name: Log current API rate limits
|
|
if: steps.app-token.outputs.token
|
|
env:
|
|
GH_TOKEN: ${{ steps.app-token.outputs.token }}
|
|
run: gh api /rate_limit | jq
|