forked from NixOS/nixpkgs
-
Notifications
You must be signed in to change notification settings - Fork 0
147 lines (134 loc) · 4.94 KB
/
merge-group.yml
File metadata and controls
147 lines (134 loc) · 4.94 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
name: Merge Group
on:
merge_group:
workflow_call:
inputs:
artifact-prefix:
required: true
type: string
mergedSha:
required: true
type: string
targetSha:
required: true
type: string
permissions: {}
jobs:
prepare:
runs-on: ubuntu-slim
outputs:
baseBranch: ${{ steps.prepare.outputs.base }}
mergedSha: ${{ steps.prepare.outputs.mergedSha }}
targetSha: ${{ steps.prepare.outputs.targetSha }}
systems: ${{ steps.prepare.outputs.systems }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
sparse-checkout: |
ci/github-script/supportedSystems.js
- id: prepare
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
MERGED_SHA: ${{ inputs.mergedSha }}
TARGET_SHA: ${{ inputs.targetSha }}
with:
script: |
const { classify } = require('./ci/supportedBranches.js')
const supportedSystems = require('./ci/github-script/supportedSystems.js')
const baseBranch = (
context.payload.merge_group?.base_ref ??
context.payload.pull_request.base.ref
).replace(/^refs\/heads\//, '')
const baseClassification = classify(baseBranch)
core.setOutput('base', baseClassification)
core.info('base classification:', baseClassification)
const mergedSha = context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA
core.setOutput('mergedSha', mergedSha)
core.info(`mergedSha: ${mergedSha}`)
const targetSha = context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA
core.setOutput('targetSha', targetSha)
core.info(`targetSha: ${targetSha}`)
const systems = await supportedSystems({ github, context, targetSha })
core.setOutput('systems', systems)
check:
name: Check
needs: [prepare]
uses: ./.github/workflows/check.yml
permissions:
# cherry-picks; formality right now, but unused
pull-requests: write
secrets:
CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with:
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
lint:
name: Lint
needs: [prepare]
uses: ./.github/workflows/lint.yml
secrets:
CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with:
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
eval:
name: Eval
needs: [prepare]
uses: ./.github/workflows/eval.yml
# The eval workflow requests these permissions so we must explicitly allow them,
# even though they are unused when working with the merge queue.
permissions:
# compare
pull-requests: write
statuses: write
secrets:
CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with:
artifact-prefix: ${{ inputs.artifact-prefix }}
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
systems: ${{ needs.prepare.outputs.systems }}
build:
name: Build
needs: [prepare]
uses: ./.github/workflows/build.yml
secrets:
CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with:
artifact-prefix: ${{ inputs.artifact-prefix }}
baseBranch: ${{ needs.prepare.outputs.baseBranch }}
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
# This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
# It "needs" all the jobs that should block the Merge Queue.
unlock:
if: github.event_name != 'pull_request' && always()
# Modify this list to add or remove jobs from required status checks.
needs:
- check
- lint
- eval
- build
runs-on: ubuntu-slim
permissions:
statuses: write
steps:
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
RESULTS: ${{ toJSON(needs.*.result) }}
with:
script: |
const { serverUrl, repo, runId, payload } = context
const target_url =
`${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}`
await github.rest.repos.createCommitStatus({
...repo,
sha: payload.merge_group.head_sha,
// WARNING:
// Do NOT change the name of this, otherwise the rule will not catch it anymore.
// This would prevent all PRs from merging.
context: 'no PR failures',
state: JSON.parse(process.env.RESULTS).every(result => result == 'success') ? 'success' : 'error',
target_url,
})