7ed2c7e297
This change runs Lix on the target commit and Nix on the merged commit. This does two things for us at once: - We test both Lix and Nix. - We ensure that both Lix and Nix produce the same output hashes. If Lix and Nix were to produce different output hashes at some point, this would show up as rebuilds in every PR.
91 lines
2.8 KiB
YAML
91 lines
2.8 KiB
YAML
name: Merge Group
|
|
|
|
on:
|
|
merge_group:
|
|
workflow_call:
|
|
inputs:
|
|
mergedSha:
|
|
required: true
|
|
type: string
|
|
targetSha:
|
|
required: true
|
|
type: string
|
|
secrets:
|
|
CACHIX_AUTH_TOKEN:
|
|
required: true
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
prepare:
|
|
runs-on: ubuntu-24.04-arm
|
|
outputs:
|
|
systems: ${{ steps.systems.outputs.systems }}
|
|
steps:
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
with:
|
|
sparse-checkout: |
|
|
ci/supportedSystems.json
|
|
|
|
- name: Load supported systems
|
|
id: systems
|
|
run: |
|
|
echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
|
|
|
|
lint:
|
|
name: Lint
|
|
uses: ./.github/workflows/lint.yml
|
|
secrets:
|
|
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
|
|
with:
|
|
mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}
|
|
targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }}
|
|
|
|
eval:
|
|
name: Eval
|
|
needs: [prepare]
|
|
uses: ./.github/workflows/eval.yml
|
|
# The eval workflow requests these permissions so we must explicitly allow them,
|
|
# even though they are unused when working with the merge queue.
|
|
permissions:
|
|
# compare
|
|
statuses: write
|
|
secrets:
|
|
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
|
|
with:
|
|
mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}
|
|
systems: ${{ needs.prepare.outputs.systems }}
|
|
# This must match the version in Eval's target step.
|
|
defaultVersion: lixPackageSets.latest.lix
|
|
|
|
# This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
|
|
# It "needs" all the jobs that should block the Merge Queue.
|
|
unlock:
|
|
if: github.event_name != 'pull_request' && always()
|
|
# Modify this list to add or remove jobs from required status checks.
|
|
needs:
|
|
- lint
|
|
- eval
|
|
runs-on: ubuntu-24.04-arm
|
|
permissions:
|
|
statuses: write
|
|
steps:
|
|
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
|
|
env:
|
|
RESULTS: ${{ toJSON(needs.*.result) }}
|
|
with:
|
|
script: |
|
|
const { serverUrl, repo, runId, payload } = context
|
|
const target_url =
|
|
`${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}`
|
|
await github.rest.repos.createCommitStatus({
|
|
...repo,
|
|
sha: payload.merge_group.head_sha,
|
|
// WARNING:
|
|
// Do NOT change the name of this, otherwise the rule will not catch it anymore.
|
|
// This would prevent all PRs from merging.
|
|
context: 'no PR failures',
|
|
state: JSON.parse(process.env.RESULTS).every(result => result == 'success') ? 'success' : 'error',
|
|
target_url,
|
|
})
|