workflows: move eval from push to queue (#451926)

.github/workflows/eval.yml

@@ -11,6 +11,9 @@ on:
       systems:
         required: true
         type: string
+      defaultVersion:
+        required: true
+        type: string
       testVersions:
         required: false
         default: false
@@ -105,7 +108,7 @@ jobs:
       - name: Evaluate the ${{ matrix.system }} output paths at the merge commit
         env:
           MATRIX_SYSTEM: ${{ matrix.system }}
-          MATRIX_VERSION: ${{ matrix.version || 'nixVersions.latest' }}
+          MATRIX_VERSION: ${{ matrix.version || inputs.defaultVersion }}
         run: |
           nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned  -A eval.singleSystem \
             --argstr evalSystem "$MATRIX_SYSTEM" \
@@ -115,36 +118,18 @@ jobs:
           # If it uses too much memory, slightly decrease chunkSize.
           # Note: Keep the same further down in sync!
 
-      # Running the attrpath generation step separately from the outpath step afterwards.
-      # The idea is that, *if* Eval on the target branch has not finished, yet, we will
-      # generate the attrpaths in the meantime - and the separate command command afterwards
-      # will check cachix again for whether Eval has finished. If no Eval result from the
-      # target branch can be found the second time, we proceed to run it in here. Attrpaths
-      # generation takes roughly 30 seconds, so for every normal use-case this should be more
-      # than enough of a head start for Eval on the target branch to finish.
-      # This edge-case, that Eval on the target branch is delayed is unlikely to happen anyway:
-      # For a commit to become the target commit of a PR, it must *already* be on the branch.
-      # Normally, CI should always start running on that push event *before* it starts running
-      # on the PR.
-      - name: Evaluate the ${{ matrix.system }} attribute paths at the target commit
-        if: inputs.targetSha
-        env:
-          MATRIX_SYSTEM: ${{ matrix.system }}
-        run: |
-          nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A eval.attrpathsSuperset \
-            --argstr evalSystem "$MATRIX_SYSTEM" \
-            --argstr nixPath "nixVersions.latest"
-
       - name: Evaluate the ${{ matrix.system }} output paths at the target commit
         if: inputs.targetSha
         env:
           MATRIX_SYSTEM: ${{ matrix.system }}
-        # This should be very quick, because it pulls the eval results from Cachix.
+          # This must match the default version set in the Merge Queue.
+          VERSION: lixPackageSets.latest.lix
+        # This is very quick, because it pulls the eval results from Cachix.
         run: |
           nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A eval.singleSystem \
             --argstr evalSystem "$MATRIX_SYSTEM" \
             --arg chunkSize 8000 \
-            --argstr nixPath "nixVersions.latest" \
+            --argstr nixPath "$VERSION" \
             --out-link target
 
       - name: Compare outpaths against the target branch

.github/workflows/merge-group.yml

@@ -17,6 +17,21 @@ on:
 permissions: {}
 
 jobs:
+  prepare:
+    runs-on: ubuntu-24.04-arm
+    outputs:
+      systems: ${{ steps.systems.outputs.systems }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          sparse-checkout: |
+            ci/supportedSystems.json
+
+      - name: Load supported systems
+        id: systems
+        run: |
+          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
+
   lint:
     name: Lint
     uses: ./.github/workflows/lint.yml
@@ -26,6 +41,23 @@ jobs:
       mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}
       targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }}
 
+  eval:
+    name: Eval
+    needs: [prepare]
+    uses: ./.github/workflows/eval.yml
+    # The eval workflow requests these permissions so we must explicitly allow them,
+    # even though they are unused when working with the merge queue.
+    permissions:
+      # compare
+      statuses: write
+    secrets:
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+    with:
+      mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}
+      systems: ${{ needs.prepare.outputs.systems }}
+      # This must match the version in Eval's target step.
+      defaultVersion: lixPackageSets.latest.lix
+
   # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
   # It "needs" all the jobs that should block the Merge Queue.
   unlock:
@@ -33,6 +65,7 @@ jobs:
     # Modify this list to add or remove jobs from required status checks.
     needs:
       - lint
+      - eval
     runs-on: ubuntu-24.04-arm
     permissions:
       statuses: write

.github/workflows/pr.yml

@@ -86,6 +86,7 @@ jobs:
       mergedSha: ${{ needs.prepare.outputs.mergedSha }}
       targetSha: ${{ needs.prepare.outputs.targetSha }}
       systems: ${{ needs.prepare.outputs.systems }}
+      defaultVersion: nixVersions.latest
       testVersions: ${{ contains(fromJSON(needs.prepare.outputs.touched), 'pinned') && !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development') }}
 
   labels:

.github/workflows/push.yml

@@ -1,50 +0,0 @@
-name: Push
-
-on:
-  push:
-    branches:
-      - master
-      - staging
-      - release-*
-      - staging-*
-      - haskell-updates
-  workflow_call:
-    inputs:
-      mergedSha:
-        required: true
-        type: string
-    secrets:
-      CACHIX_AUTH_TOKEN:
-        required: true
-
-permissions: {}
-
-jobs:
-  prepare:
-    runs-on: ubuntu-24.04-arm
-    outputs:
-      systems: ${{ steps.systems.outputs.systems }}
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          sparse-checkout: |
-            ci/supportedSystems.json
-
-      - name: Load supported systems
-        id: systems
-        run: |
-          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
-
-  eval:
-    name: Eval
-    needs: [prepare]
-    uses: ./.github/workflows/eval.yml
-    # Those are not actually used on push, but will throw an error if not set.
-    permissions:
-      # compare
-      statuses: write
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-    with:
-      mergedSha: ${{ inputs.mergedSha || github.sha }}
-      systems: ${{ needs.prepare.outputs.systems }}

.github/workflows/test.yml

@@ -48,6 +48,7 @@ jobs:
             })).map(file => file.filename)
 
             if (files.some(file => [
+              '.github/workflows/eval.yml',
               '.github/workflows/lint.yml',
               '.github/workflows/merge-group.yml',
               '.github/workflows/test.yml',
@@ -65,12 +66,6 @@ jobs:
               '.github/workflows/test.yml',
             ].includes(file))) core.setOutput('pr', true)
 
-            if (files.some(file => [
-              '.github/workflows/eval.yml',
-              '.github/workflows/push.yml',
-              '.github/workflows/test.yml',
-            ].includes(file))) core.setOutput('push', true)
-
   merge-group:
     if: needs.prepare.outputs.merge-group
     name: Merge Group
@@ -98,16 +93,3 @@ jobs:
     secrets:
       CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
       NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-
-  push:
-    if: needs.prepare.outputs.push
-    name: Push
-    needs: [prepare]
-    uses: ./.github/workflows/push.yml
-    # Those are not actually used on the push or pull_request events, but will throw an error if not set.
-    permissions:
-      statuses: write
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-    with:
-      mergedSha: ${{ needs.prepare.outputs.mergedSha }}