nixpkgs/.github/workflows/pull-request-target.yml at 41ed897dd18b5f4426b1cc0b503af154ce258a43 · NixOS/nixpkgs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
name: PR

on:
  pull_request_target:
  workflow_call:
    inputs:
      artifact-prefix:
        required: true
        type: string
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY:
        required: true

concurrency:
  group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

permissions: {}

jobs:
  prepare:
    runs-on: ubuntu-slim
    permissions:
      pull-requests: write # submitting 'wrong branch' reviews
    outputs:
      baseBranch: ${{ steps.prepare.outputs.base }}
      headBranch: ${{ steps.prepare.outputs.head }}
      mergedSha: ${{ steps.prepare.outputs.mergedSha }}
      targetSha: ${{ steps.prepare.outputs.targetSha }}
      systems: ${{ steps.prepare.outputs.systems }}
      touched: ${{ steps.prepare.outputs.touched }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          sparse-checkout-cone-mode: true # default, for clarity
          sparse-checkout: |
            ci/github-script
      - id: prepare
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          retries: 10
          # The default for this includes code 422, which happens regularly for us when comparing commits:
          #   422 - Server Error: Sorry, this diff is taking too long to generate.
          # Listing all other values from here to effectively remove 422:
          #   https://github.com/octokit/plugin-retry.js/blob/9a2443746c350b3beedec35cf26e197ea318a261/src/index.ts#L14
          retry-exempt-status-codes: 400,401,403,404
          script: |
            require('./ci/github-script/prepare.js')({
              github,
              context,
              core,
              dry: context.eventName == 'pull_request',
            })

  check:
    name: Check
    needs: [prepare]
    uses: ./.github/workflows/check.yml
    permissions:
      # cherry-picks
      pull-requests: write
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      headBranch: ${{ needs.prepare.outputs.headBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  lint:
    name: Lint
    needs: [prepare]
    uses: ./.github/workflows/lint.yml
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  eval:
    name: Eval
    needs: [prepare]
    uses: ./.github/workflows/eval.yml
    permissions:
      # compare
      pull-requests: write
      statuses: write
    with:
      artifact-prefix: ${{ inputs.artifact-prefix }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      headSha: ${{ github.event.pull_request.head.sha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}
      systems: ${{ needs.prepare.outputs.systems }}
      testVersions: ${{ contains(fromJSON(needs.prepare.outputs.touched), 'pinned') && !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development') }}

  bot:
    name: Bot
    needs: [prepare, eval]
    uses: ./.github/workflows/bot.yml
    permissions:
      issues: write
      pull-requests: write
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
    with:
      headBranch: ${{ needs.prepare.outputs.headBranch }}

  build:
    name: Build
    needs: [prepare]
    uses: ./.github/workflows/build.yml
    with:
      artifact-prefix: ${{ inputs.artifact-prefix }}
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block merging a PR.
  unlock:
    if: github.event_name != 'pull_request' && always()
    # Modify this list to add or remove jobs from required status checks.
    needs:
      - check
      - lint
      - eval
      - build
    runs-on: ubuntu-slim
    permissions:
      statuses: write
    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          RESULTS: ${{ toJSON(needs.*.result) }}
        with:
          script: |
            const { serverUrl, repo, runId, payload } = context
            const target_url =
              `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}`
            await github.rest.repos.createCommitStatus({
              ...repo,
              sha: payload.pull_request.head.sha,
              // WARNING:
              // Do NOT change the name of this, otherwise the rule will not catch it anymore.
              // This would prevent all PRs from merging.
              context: 'no PR failures',
              state: JSON.parse(process.env.RESULTS).every(status => status == 'success') ? 'success' : 'error',
              target_url,
            })