[Backport release-24.11] workflows/{pr,push}: init (#417826)

Author: wolfgangwalther

.github/workflows/README.md

@@ -29,7 +29,7 @@ Thus, it is important how to construct the group keys:
 
 - We don't want workflows of different Pull Requests to cancel each other, so we include `github.event.pull_request.number`. The [GitHub docs](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/control-the-concurrency-of-workflows-and-jobs#example-using-a-fallback-value) show using `github.head_ref` for this purpose, but this doesn't work well with forks: Different users could have the same head branch name in their forks and run CI for their PRs at the same time.
 
-- Sometimes, there is no `pull_request.number`. That's the case for `push` or `workflow_run` events. To ensure non-PR runs are never cancelled, we add a fallback of `github.run_id`. This is a unique value for each workflow run.
+- Sometimes, there is no `pull_request.number`. To ensure non-PR runs are never cancelled, we add a fallback of `github.run_id`. This is a unique value for each workflow run.
 
 - Of course, we run multiple workflows at the same time, so we add `github.workflow` to the key. Otherwise workflows would cancel each other.
 

.github/workflows/build.yml

@@ -1,14 +1,10 @@
 name: Build
 
 on:
-  pull_request:
-    paths:
-      - .github/workflows/build.yml
-  pull_request_target:
-
-concurrency:
-  group: build-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
-  cancel-in-progress: true
+  workflow_call:
+    secrets:
+      CACHIX_AUTH_TOKEN:
+        required: true
 
 permissions: {}
 

.github/workflows/check.yml

@@ -1,14 +1,7 @@
 name: Check
 
 on:
-  pull_request:
-    paths:
-      - .github/workflows/check.yml
-  pull_request_target:
-
-concurrency:
-  group: check-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
-  cancel-in-progress: true
+  workflow_call:
 
 permissions: {}
 

.github/workflows/eval-aliases.yml

@@ -1,24 +1,10 @@
 name: Eval
 
 on:
-  pull_request:
-    paths:
-      - .github/workflows/eval.yml
-      - .github/workflows/reviewers.yml # needs eval results from the same event type
-  pull_request_target:
-  push:
-    # Keep this synced with ci/request-reviews/dev-branches.txt
-    branches:
-      - master
-      - staging
-      - release-*
-      - staging-*
-      - haskell-updates
-      - python-updates
-
-concurrency:
-  group: eval-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
-  cancel-in-progress: true
+  workflow_call:
+    secrets:
+      OWNER_APP_PRIVATE_KEY:
+        required: false
 
 permissions: {}
 
@@ -28,7 +14,6 @@ defaults:
 
 jobs:
   prepare:
-    name: Prepare
     runs-on: ubuntu-24.04-arm
     outputs:
       mergedSha: ${{ steps.get-merge-commit.outputs.mergedSha }}
@@ -49,14 +34,14 @@ jobs:
         run: |
           echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
 
-  outpaths:
-    name: Outpaths
+  eval:
     runs-on: ubuntu-24.04-arm
     needs: [prepare]
     strategy:
       fail-fast: false
       matrix:
         system: ${{ fromJSON(needs.prepare.outputs.systems) }}
+    name: ${{ matrix.system }}
     steps:
       - name: Enable swap
         run: |
@@ -109,12 +94,12 @@ jobs:
               run_id = (await github.rest.actions.listWorkflowRuns({
                 owner: context.repo.owner,
                 repo: context.repo.repo,
-                workflow_id: 'eval.yml',
+                workflow_id: 'push.yml',
                 event: 'push',
                 head_sha: targetSha
               })).data.workflow_runs[0].id
             } catch {
-              throw new Error(`Could not find an eval.yml workflow run for ${targetSha}.`)
+              throw new Error(`Could not find an push.yml workflow run for ${targetSha}.`)
             }
 
             core.setOutput('targetRunId', run_id)
@@ -161,9 +146,8 @@ jobs:
           path: diff/*
 
   compare:
-    name: Comparison
     runs-on: ubuntu-24.04-arm
-    needs: [prepare, outpaths]
+    needs: [prepare, eval]
     if: needs.prepare.outputs.targetSha
     permissions:
       issues: write # needed to create *new* labels
@@ -262,7 +246,32 @@ jobs:
     # No dependency on "compare", so that it can start at the same time.
     # We only wait for the "comparison" artifact to be available, which makes the start-to-finish time
     # for the eval workflow considerably faster.
-    needs: [prepare, outpaths]
+    needs: [prepare, eval]
     if: needs.prepare.outputs.targetSha
     uses: ./.github/workflows/reviewers.yml
-    secrets: inherit
+    secrets:
+      OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+
+  misc:
+    if: ${{ github.event_name != 'push' }}
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          sparse-checkout: .github/actions
+      - name: Check if the PR can be merged and checkout the merge commit
+        uses: ./.github/actions/get-merge-commit
+        with:
+          merged-as-untrusted: true
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31
+        with:
+          extra_nix_config: sandbox = true
+
+      - name: Ensure flake outputs on all systems still evaluate
+        run: nix flake check --all-systems --no-build ./untrusted
+
+      - name: Query nixpkgs with aliases enabled to check for basic syntax errors
+        run: |
+          time nix-env -I ./untrusted -f ./untrusted -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null

.github/workflows/eval.yml

@@ -3,7 +3,7 @@
 # access to the GitHub API. This means that it should not evaluate user input in
 # a way that allows code injection.
 
-name: "Label PR"
+name: Labels
 
 on:
   schedule:
@@ -33,8 +33,7 @@ defaults:
     shell: bash
 
 jobs:
-  labels:
-    name: label-pr
+  update:
     runs-on: ubuntu-24.04-arm
     if: github.event_name != 'schedule' || github.repository_owner == 'NixOS'
     steps:
@@ -147,7 +146,7 @@ jobs:
 
                   const run_id = (await github.rest.actions.listWorkflowRuns({
                     ...context.repo,
-                    workflow_id: 'eval.yml',
+                    workflow_id: 'pr.yml',
                     event: 'pull_request_target',
                     // For PR events, the workflow run is still in progress with this job itself.
                     status: prEventCondition ? 'in_progress' : 'success',

.github/workflows/labels.yml

@@ -1,14 +1,7 @@
 name: Lint
 
 on:
-  pull_request:
-    paths:
-      - .github/workflows/lint.yml
-  pull_request_target:
-
-concurrency:
-  group: lint-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
-  cancel-in-progress: true
+  workflow_call:
 
 permissions: {}
 

.github/workflows/lint.yml

@@ -0,0 +1,47 @@
+name: PR
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/build.yml
+      - .github/workflows/check.yml
+      - .github/workflows/eval.yml
+      - .github/workflows/lint.yml
+      - .github/workflows/pr.yml
+      - .github/workflows/reviewers.yml # needs eval results from the same event type
+  pull_request_target:
+
+concurrency:
+  group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  check:
+    name: Check
+    uses: ./.github/workflows/check.yml
+    permissions:
+      # cherry-picks
+      pull-requests: write
+
+  lint:
+    name: Lint
+    uses: ./.github/workflows/lint.yml
+
+  eval:
+    name: Eval
+    uses: ./.github/workflows/eval.yml
+    permissions:
+      # compare
+      issues: write
+      pull-requests: write
+      statuses: write
+    secrets:
+      OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+
+  build:
+    name: Build
+    uses: ./.github/workflows/build.yml
+    secrets:
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

.github/workflows/pr.yml

@@ -0,0 +1,29 @@
+name: Push
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/push.yml
+      # eval is tested via pr.yml
+  push:
+    # Keep this synced with ci/request-reviews/dev-branches.txt
+    branches:
+      - master
+      - staging
+      - release-*
+      - staging-*
+      - haskell-updates
+      - python-updates
+
+permissions: {}
+
+jobs:
+  eval:
+    name: Eval
+    uses: ./.github/workflows/eval.yml
+    # Those are not actually used on push, but will throw an error if not set.
+    permissions:
+      # compare
+      issues: write
+      pull-requests: write
+      statuses: write

.github/workflows/push.yml

@@ -10,6 +10,9 @@ on:
   pull_request_target:
     types: [ready_for_review]
   workflow_call:
+    secrets:
+      OWNER_APP_PRIVATE_KEY:
+        required: true
 
 concurrency:
   group: reviewers-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
@@ -23,7 +26,6 @@ defaults:
 
 jobs:
   request:
-    name: Request
     runs-on: ubuntu-24.04-arm
     steps:
       - name: Check out the PR at the base commit
@@ -63,7 +65,7 @@ jobs:
             const run_id = (await github.rest.actions.listWorkflowRuns({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              workflow_id: 'eval.yml',
+              workflow_id: 'pr.yml',
               event: context.eventName,
               head_sha: context.payload.pull_request.head.sha
             })).data.workflow_runs[0].id