nixpkgs/.github/workflows/pr.yml at master · betalars/nixpkgs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
name: PR

on:
  pull_request_target:
  workflow_call:
    secrets:
      CACHIX_AUTH_TOKEN:
        required: true
      NIXPKGS_CI_APP_PRIVATE_KEY:
        required: true
      OWNER_APP_PRIVATE_KEY:
        # The Test workflow should not actually request reviews from owners.
        required: false
      OWNER_RO_APP_PRIVATE_KEY:
        required: true

concurrency:
  group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

permissions: {}

jobs:
  prepare:
    runs-on: ubuntu-24.04-arm
    permissions:
      # wrong branch review comment
      pull-requests: write
    outputs:
      baseBranch: ${{ steps.prepare.outputs.base }}
      headBranch: ${{ steps.prepare.outputs.head }}
      mergedSha: ${{ steps.prepare.outputs.mergedSha }}
      targetSha: ${{ steps.prepare.outputs.targetSha }}
      systems: ${{ steps.prepare.outputs.systems }}
      touched: ${{ steps.prepare.outputs.touched }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          sparse-checkout-cone-mode: true # default, for clarity
          sparse-checkout: |
            ci/github-script
      - id: prepare
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            require('./ci/github-script/prepare.js')({
              github,
              context,
              core,
              dry: context.eventName == 'pull_request',
            })

  check:
    name: Check
    needs: [prepare]
    uses: ./.github/workflows/check.yml
    permissions:
      # cherry-picks
      pull-requests: write
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
      OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      headBranch: ${{ needs.prepare.outputs.headBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}
      ownersCanFail: ${{ !contains(fromJSON(needs.prepare.outputs.touched), 'owners') }}

  lint:
    name: Lint
    needs: [prepare]
    uses: ./.github/workflows/lint.yml
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  eval:
    name: Eval
    needs: [prepare]
    uses: ./.github/workflows/eval.yml
    permissions:
      # compare
      statuses: write
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}
      systems: ${{ needs.prepare.outputs.systems }}
      testVersions: ${{ contains(fromJSON(needs.prepare.outputs.touched), 'pinned') && !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development') }}

  labels:
    name: Labels
    needs: [prepare, eval]
    uses: ./.github/workflows/labels.yml
    permissions:
      issues: write
      pull-requests: write
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
    with:
      headBranch: ${{ needs.prepare.outputs.headBranch }}

  reviewers:
    name: Reviewers
    needs: [prepare, eval]
    if: |
      needs.prepare.outputs.targetSha &&
      !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development')
    uses: ./.github/workflows/reviewers.yml
    secrets:
      OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}

  build:
    name: Build
    needs: [prepare]
    uses: ./.github/workflows/build.yml
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}

  # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block merging a PR.
  unlock:
    if: github.event_name != 'pull_request' && always()
    # Modify this list to add or remove jobs from required status checks.
    needs:
      - check
      - lint
      - eval
      - build
    runs-on: ubuntu-24.04-arm
    permissions:
      statuses: write
    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          RESULTS: ${{ toJSON(needs.*.result) }}
        with:
          script: |
            const { serverUrl, repo, runId, payload } = context
            const target_url =
              `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}`
            await github.rest.repos.createCommitStatus({
              ...repo,
              sha: payload.pull_request.head.sha,
              // WARNING:
              // Do NOT change the name of this, otherwise the rule will not catch it anymore.
              // This would prevent all PRs from merging.
              context: 'no PR failures',
              state: JSON.parse(process.env.RESULTS).every(status => status == 'success') ? 'success' : 'error',
              target_url,
            })