From 17eb6dcb27d2d6ed3e65609e8a32253ed64b1e3e Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Tue, 14 Oct 2025 12:15:05 +0200 Subject: [PATCH] workflows: move eval from push to queue Running eval in the merge queue prevents eval failures after merging multiple PRs with semantic merge conflicts. It's also the base for allowing more sophisticated checks about rebuild counts in the merge queue later. When branches are directly pushed to, such as for periodic merges, this will not run Eval immediately. However, the next PR will run it as part of its Eval step and will cache the results. Any further PR will then benefit from the same caching again. This also avoids running Eval twice when pushing to staging-next or haskell-updates, where a PR is open at the same time. Here, the PR's Eval still runs on the push, of course. --- .github/workflows/eval.yml | 2 +- .github/workflows/merge-group.yml | 31 +++++++++++++++++++ .github/workflows/push.yml | 50 ------------------------------- .github/workflows/test.yml | 20 +------------ 4 files changed, 33 insertions(+), 70 deletions(-) delete mode 100644 .github/workflows/push.yml diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index 9d99c888bec7..60634e8e571c 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml @@ -139,7 +139,7 @@ jobs: if: inputs.targetSha env: MATRIX_SYSTEM: ${{ matrix.system }} - # This should be very quick, because it pulls the eval results from Cachix. + # This is very quick, because it pulls the eval results from Cachix. run: | nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A eval.singleSystem \ --argstr evalSystem "$MATRIX_SYSTEM" \ diff --git a/.github/workflows/merge-group.yml b/.github/workflows/merge-group.yml index 0d21b768f6e0..6ae96f0900f7 100644 --- a/.github/workflows/merge-group.yml +++ b/.github/workflows/merge-group.yml 
@@ -17,6 +17,21 @@ on: permissions: {} jobs: + prepare: + runs-on: ubuntu-24.04-arm + outputs: + systems: ${{ steps.systems.outputs.systems }} + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + sparse-checkout: | + ci/supportedSystems.json + + - name: Load supported systems + id: systems + run: | + echo "systems=$(jq -c > "$GITHUB_OUTPUT" + lint: name: Lint uses: ./.github/workflows/lint.yml @@ -26,6 +41,21 @@ jobs: mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} + eval: + name: Eval + needs: [prepare] + uses: ./.github/workflows/eval.yml + # The eval workflow requests these permissions so we must explicitly allow them, + # even though they are unused when working with the merge queue. + permissions: + # compare + statuses: write + secrets: + CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} + with: + mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} + systems: ${{ needs.prepare.outputs.systems }} + # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block the Merge Queue. unlock: @@ -33,6 +63,7 @@ jobs: # Modify this list to add or remove jobs from required status checks. needs: - lint + - eval runs-on: ubuntu-24.04-arm permissions: statuses: write diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml deleted file mode 100644 index d76b7f3867bd..000000000000 --- a/.github/workflows/push.yml +++ /dev/null 
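Review bot: The checkout step of the new `prepare` job leaves credential persistence at its default, so the job token stays available in the checked-out repository for the rest of the job, although only `ci/supportedSystems.json` is read. With the workflow-level `permissions: {}` that token carries very little, but adding `persist-credentials: false` under `with:` removes it from the workspace altogether. The step also sets no `ref`, so the systems list is read from the event's default commit, while the `eval` job added further down is given `inputs.mergedSha || github.event.merge_group.head_sha`. If the two can differ when this workflow is called with inputs, a one-line comment stating which commit the systems list is meant to come from would help.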
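Review bot: The new `eval` job passes `CACHIX_AUTH_TOKEN` and grants `statuses: write` on every merge-group run, and the only explanation next to the permission is the bare `# compare` line. The comment above already says the permission is unused in the queue, so the inner comment could name what asks for it, for example `# requested by eval.yml (compare); not exercised without targetSha`, assuming `compare` is the part of eval.yml that needs it. Whether eval.yml confines the Cachix token to the step that uploads results cannot be seen from this hunk. It is worth confirming, because this job evaluates the queued merge commit and, via the added `- eval` entry under `unlock`, now gates the merge queue.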
@@ -1,50 +0,0 @@ -name: Push - -on: - push: - branches: - - master - - staging - - release-* - - staging-* - - haskell-updates - workflow_call: - inputs: - mergedSha: - required: true - type: string - secrets: - CACHIX_AUTH_TOKEN: - required: true - -permissions: {} - -jobs: - prepare: - runs-on: ubuntu-24.04-arm - outputs: - systems: ${{ steps.systems.outputs.systems }} - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - sparse-checkout: | - ci/supportedSystems.json - - - name: Load supported systems - id: systems - run: | - echo "systems=$(jq -c > "$GITHUB_OUTPUT" - - eval: - name: Eval - needs: [prepare] - uses: ./.github/workflows/eval.yml - # Those are not actually used on push, but will throw an error if not set. - permissions: - # compare - statuses: write - secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - with: - mergedSha: ${{ inputs.mergedSha || github.sha }} - systems: ${{ needs.prepare.outputs.systems }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0806b61c34c9..0d5f20e3b57b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -48,6 +48,7 @@ jobs: })).map(file => file.filename) if (files.some(file => [ + '.github/workflows/eval.yml', '.github/workflows/lint.yml', '.github/workflows/merge-group.yml', '.github/workflows/test.yml', @@ -65,12 +66,6 @@ jobs: '.github/workflows/test.yml', ].includes(file))) core.setOutput('pr', true) - if (files.some(file => [ - '.github/workflows/eval.yml', - '.github/workflows/push.yml', - '.github/workflows/test.yml', - ].includes(file))) core.setOutput('push', true) - merge-group: if: needs.prepare.outputs.merge-group name: Merge Group 
@@ -98,16 +93,3 @@ jobs: secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} - - push: - if: needs.prepare.outputs.push - name: Push - needs: [prepare] - uses: ./.github/workflows/push.yml - # Those are not actually used on the push or pull_request events, but will throw an error if not set. - permissions: - statuses: write - secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - with: - mergedSha: ${{ needs.prepare.outputs.mergedSha }}