actions/checkout: use single tmpfs with subfolders

This fixes problems on darwin, where a freshly mounted tmpfs folder is not
fully empty, while git only creates worktrees in fully empty directories.
Wolfgang Walther
2025-08-22 09:43:03 +02:00
parent 3d315da358
commit fb32eb0f29
5 changed files with 34 additions and 36 deletions


@@ -79,22 +79,20 @@ runs:
// This would fail without --refetch, because the we had a partial clone before, but changed it above. // This would fail without --refetch, because the we had a partial clone before, but changed it above.
await run('git', 'fetch', '--depth=1', '--refetch', 'origin', ...(commits.map(({ sha }) => sha))) await run('git', 'fetch', '--depth=1', '--refetch', 'origin', ...(commits.map(({ sha }) => sha)))
// Checking out onto tmpfs takes 1s and is faster by at least factor 10x.
await run('mkdir', 'nixpkgs')
switch (process.env.RUNNER_OS) {
case 'macOS':
await run('sudo', 'mount_tmpfs', 'nixpkgs')
break
case 'Linux':
await run('sudo', 'mount', '-t', 'tmpfs', 'tmpfs', 'nixpkgs')
break
}
// Create all worktrees in parallel. // Create all worktrees in parallel.
await Promise.all(commits.map(async ({ sha, path }) => { await Promise.all(commits.map(async ({ sha, path }) => {
// Checking out onto tmpfs takes 1s and is faster by at least factor 10x. await run('git', 'worktree', 'add', join('nixpkgs', path), sha, '--no-checkout')
await run('mkdir', path) await run('git', '-C', join('nixpkgs', path), 'sparse-checkout', 'disable')
switch (process.env.RUNNER_OS) { await run('git', '-C', join('nixpkgs', path), 'checkout', '--progress')
case 'macOS':
await run('sudo', 'mount_tmpfs', path)
// macOS creates this hidden folder to log file system activity.
// This trips up git when adding a worktree below, because the target folder is not empty.
await run('sudo', 'rm', '-rf', join(path, '.fseventsd'))
break
case 'Linux':
await run('sudo', 'mount', '-t', 'tmpfs', 'tmpfs', path)
break
}
await run('git', 'worktree', 'add', path, sha, '--no-checkout', '--force')
await run('git', '-C', path, 'sparse-checkout', 'disable')
await run('git', '-C', path, 'checkout', '--progress')
})) }))
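Review bot: The reason for the single shared mount is no longer visible in the code: the old `.fseventsd` comment disappears together with the per-path mounts, and the new `mkdir`/mount lines at the top of the hunk carry no explanation, so a later reader may move the mount back into the per-commit loop and reintroduce the darwin failure. A comment above `await run('mkdir', 'nixpkgs')` such as `// One shared tmpfs; git creates the worktree folders below it. A freshly mounted tmpfs on macOS is not empty (.fseventsd), and git worktree add needs an empty target.` would keep the rationale from the commit message next to the code. The `switch` on `process.env.RUNNER_OS` still has no `default:` branch, so on any other runner OS the checkouts silently land on the ordinary workspace disk; if that fallback is intended, `default: // no tmpfs on this OS, fall back to the workspace disk` would make it explicit rather than implicit. The enclosing script step begins before this hunk.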


@@ -66,33 +66,33 @@ jobs:
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
pushFilter: '(-source$|-nixpkgs-tarball-)' pushFilter: '(-source$|-nixpkgs-tarball-)'
- run: nix-env --install -f pinned -A nix-build-uncached - run: nix-env --install -f nixpkgs/pinned -A nix-build-uncached
- name: Build shell - name: Build shell
if: contains(matrix.builds, 'shell') if: contains(matrix.builds, 'shell')
run: echo "${{ matrix.systems }}" | xargs -n1 nix-build-uncached untrusted/ci --arg nixpkgs ./pinned -A shell --argstr system run: echo "${{ matrix.systems }}" | xargs -n1 nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A shell --argstr system
- name: Build NixOS manual - name: Build NixOS manual
if: | if: |
contains(matrix.builds, 'manual-nixos') && !cancelled() && contains(matrix.builds, 'manual-nixos') && !cancelled() &&
contains(fromJSON(inputs.baseBranch).type, 'primary') contains(fromJSON(inputs.baseBranch).type, 'primary')
run: nix-build-uncached untrusted/ci --arg nixpkgs ./pinned -A manual-nixos --out-link nixos-manual run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A manual-nixos --out-link nixos-manual
- name: Build Nixpkgs manual - name: Build Nixpkgs manual
if: contains(matrix.builds, 'manual-nixpkgs') && !cancelled() if: contains(matrix.builds, 'manual-nixpkgs') && !cancelled()
run: nix-build-uncached untrusted/ci --arg nixpkgs ./pinned -A manual-nixpkgs -A manual-nixpkgs-tests run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A manual-nixpkgs -A manual-nixpkgs-tests
- name: Build Nixpkgs manual tests - name: Build Nixpkgs manual tests
if: contains(matrix.builds, 'manual-nixpkgs-tests') && !cancelled() if: contains(matrix.builds, 'manual-nixpkgs-tests') && !cancelled()
run: nix-build-uncached untrusted/ci --arg nixpkgs ./pinned -A manual-nixpkgs-tests run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A manual-nixpkgs-tests
- name: Build lib tests - name: Build lib tests
if: contains(matrix.builds, 'lib-tests') && !cancelled() if: contains(matrix.builds, 'lib-tests') && !cancelled()
run: nix-build-uncached untrusted/ci --arg nixpkgs ./pinned -A lib-tests run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A lib-tests
- name: Build tarball - name: Build tarball
if: contains(matrix.builds, 'tarball') && !cancelled() if: contains(matrix.builds, 'tarball') && !cancelled()
run: nix-build-uncached untrusted/ci --arg nixpkgs ./pinned -A tarball run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A tarball
- name: Upload NixOS manual - name: Upload NixOS manual
if: | if: |


@@ -117,7 +117,7 @@ jobs:
pushFilter: -source$ pushFilter: -source$
- name: Build codeowners validator - name: Build codeowners validator
run: nix-build trusted/ci --arg nixpkgs ./pinned -A codeownersValidator run: nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/pinned -A codeownersValidator
- uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0 - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
@@ -137,9 +137,9 @@ jobs:
- name: Validate codeowners - name: Validate codeowners
if: steps.app-token.outputs.token if: steps.app-token.outputs.token
env: env:
OWNERS_FILE: untrusted/ci/OWNERS OWNERS_FILE: nixpkgs/untrusted/ci/OWNERS
GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
REPOSITORY_PATH: untrusted REPOSITORY_PATH: nixpkgs/untrusted
OWNER_CHECKER_REPOSITORY: ${{ github.repository }} OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
# Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
EXPERIMENTAL_CHECKS: "avoid-shadowing" EXPERIMENTAL_CHECKS: "avoid-shadowing"


@@ -111,7 +111,7 @@ jobs:
MATRIX_SYSTEM: ${{ matrix.system }} MATRIX_SYSTEM: ${{ matrix.system }}
MATRIX_VERSION: ${{ matrix.version || 'nixVersions.latest' }} MATRIX_VERSION: ${{ matrix.version || 'nixVersions.latest' }}
run: | run: |
nix-build untrusted/ci --arg nixpkgs ./pinned -A eval.singleSystem \ nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A eval.singleSystem \
--argstr evalSystem "$MATRIX_SYSTEM" \ --argstr evalSystem "$MATRIX_SYSTEM" \
--arg chunkSize 8000 \ --arg chunkSize 8000 \
--argstr nixPath "$MATRIX_VERSION" \ --argstr nixPath "$MATRIX_VERSION" \
@@ -190,7 +190,7 @@ jobs:
env: env:
MATRIX_SYSTEM: ${{ matrix.system }} MATRIX_SYSTEM: ${{ matrix.system }}
run: | run: |
nix-build untrusted/ci --arg nixpkgs ./pinned -A eval.diff \ nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A eval.diff \
--arg beforeDir ./target \ --arg beforeDir ./target \
--arg afterDir "$(readlink ./merged)" \ --arg afterDir "$(readlink ./merged)" \
--argstr evalSystem "$MATRIX_SYSTEM" \ --argstr evalSystem "$MATRIX_SYSTEM" \
@@ -233,7 +233,7 @@ jobs:
- name: Combine all output paths and eval stats - name: Combine all output paths and eval stats
run: | run: |
nix-build trusted/ci --arg nixpkgs ./pinned -A eval.combine \ nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/pinned -A eval.combine \
--arg diffDir ./diff \ --arg diffDir ./diff \
--out-link combined --out-link combined
@@ -241,11 +241,11 @@ jobs:
env: env:
AUTHOR_ID: ${{ github.event.pull_request.user.id }} AUTHOR_ID: ${{ github.event.pull_request.user.id }}
run: | run: |
git -C trusted diff --name-only ${{ inputs.mergedSha }} \ git -C nixpkgs/trusted diff --name-only ${{ inputs.mergedSha }} \
| jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json
# Use the target branch to get accurate maintainer info # Use the target branch to get accurate maintainer info
nix-build trusted/ci --arg nixpkgs ./pinned -A eval.compare \ nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/pinned -A eval.compare \
--arg combinedDir "$(realpath ./combined)" \ --arg combinedDir "$(realpath ./combined)" \
--arg touchedFilesJson ./touched-files.json \ --arg touchedFilesJson ./touched-files.json \
--argstr githubAuthorId "$AUTHOR_ID" \ --argstr githubAuthorId "$AUTHOR_ID" \
@@ -392,8 +392,8 @@ jobs:
uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
- name: Ensure flake outputs on all systems still evaluate - name: Ensure flake outputs on all systems still evaluate
run: nix flake check --all-systems --no-build './untrusted?shallow=1' run: nix flake check --all-systems --no-build './nixpkgs/untrusted?shallow=1'
- name: Query nixpkgs with aliases enabled to check for basic syntax errors - name: Query nixpkgs with aliases enabled to check for basic syntax errors
run: | run: |
time nix-env -I ./untrusted -f ./untrusted -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null time nix-env -I ./nixpkgs/untrusted -f ./nixpkgs/untrusted -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null


@@ -44,7 +44,7 @@ jobs:
# Note that it's fine to run this on untrusted code because: # Note that it's fine to run this on untrusted code because:
# - There's no secrets accessible here # - There's no secrets accessible here
# - The build is sandboxed # - The build is sandboxed
if ! nix-build untrusted/ci --arg nixpkgs ./pinned -A fmt.check; then if ! nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A fmt.check; then
echo "Some files are not properly formatted" echo "Some files are not properly formatted"
echo "Please format them by going to the Nixpkgs root directory and running one of:" echo "Please format them by going to the Nixpkgs root directory and running one of:"
echo " nix-shell --run treefmt" echo " nix-shell --run treefmt"
@@ -81,7 +81,7 @@ jobs:
- name: Parse all nix files - name: Parse all nix files
run: | run: |
# Tests multiple versions at once, let's make sure all of them run, so keep-going. # Tests multiple versions at once, let's make sure all of them run, so keep-going.
nix-build untrusted/ci --arg nixpkgs ./pinned -A parse --keep-going nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A parse --keep-going
nixpkgs-vet: nixpkgs-vet:
runs-on: ubuntu-24.04-arm runs-on: ubuntu-24.04-arm
@@ -112,7 +112,7 @@ jobs:
# Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/ # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
CLICOLOR_FORCE: 1 CLICOLOR_FORCE: 1
run: | run: |
if nix-build untrusted/ci --arg nixpkgs ./pinned -A nixpkgs-vet --arg base "./trusted" --arg head "./untrusted"; then if nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/pinned -A nixpkgs-vet --arg base "./nixpkgs/trusted" --arg head "./nixpkgs/untrusted"; then
exit 0 exit 0
else else
exitCode=$? exitCode=$?