This change runs Lix on the target commit and Nix on the merged commit. This does two things for us at once: we test both Lix and Nix, and we ensure that both produce the same output hashes. If Lix and Nix were ever to produce different output hashes, this would show up as rebuilds in every PR.
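name: PR

on:
  # pull_request_target runs in the context of the *base* repository, with the
  # secrets declared below available, even for PRs opened from forks. Nothing in
  # this top-level workflow may therefore execute PR-controlled code directly;
  # PR content is only ever handed to the reusable workflows as SHAs/branch data.
  pull_request_target:
  workflow_call:
    secrets:
      CACHIX_AUTH_TOKEN:
        required: true
      NIXPKGS_CI_APP_PRIVATE_KEY:
        required: true
      OWNER_APP_PRIVATE_KEY:
        # The Test workflow should not actually request reviews from owners.
        required: false

concurrency:
  # One in-flight run per PR (falls back to the run id when there is no PR
  # number, e.g. when called via workflow_call); superseded runs are cancelled.
  group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

# Deny all token scopes by default; every job below re-requests only what it needs.
permissions: {}

jobs:
  prepare:
    runs-on: ubuntu-24.04-arm
    permissions:
      # wrong branch review comment
      pull-requests: write
    outputs:
      baseBranch: ${{ steps.prepare.outputs.base }}
      headBranch: ${{ steps.prepare.outputs.head }}
      mergedSha: ${{ steps.prepare.outputs.mergedSha }}
      targetSha: ${{ steps.prepare.outputs.targetSha }}
      systems: ${{ steps.prepare.outputs.systems }}
      touched: ${{ steps.prepare.outputs.touched }}
    steps:
      # Actions are pinned to full commit SHAs (the trailing comment records the
      # matching tag); keep both in sync when bumping.
      # No `ref:` is given on purpose: on pull_request_target GitHub's default is
      # the base branch, so prepare.js below is trusted code from the target
      # repository, not from the PR head. Never set
      # `ref: ${{ github.event.pull_request.head.sha }}` here - that would run
      # PR-controlled JavaScript with this job's token and secrets.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          sparse-checkout-cone-mode: true # default, for clarity
          sparse-checkout: |
            ci/github-script
      - id: prepare
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            require('./ci/github-script/prepare.js')({
              github,
              context,
              core,
              // A plain pull_request event (the test/dry path) must not produce
              // side effects such as review comments.
              dry: context.eventName === 'pull_request',
            })

  check:
    name: Check
    needs: [prepare]
    uses: ./.github/workflows/check.yml
    permissions:
      # cherry-picks
      pull-requests: write
    secrets:
      # NOTE(review): the reusable workflow is handed a Cachix token (presumably
      # push-capable) while operating on mergedSha, i.e. PR-controlled content.
      # Confirm in check.yml that PR code is only ever executed inside the Nix
      # build sandbox and never as a plain step with this token in scope.
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      headBranch: ${{ needs.prepare.outputs.headBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  lint:
    name: Lint
    needs: [prepare]
    uses: ./.github/workflows/lint.yml
    secrets:
      # Same caveat as for `check`: token + PR-controlled mergedSha in one workflow.
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  eval:
    name: Eval
    needs: [prepare]
    uses: ./.github/workflows/eval.yml
    permissions:
      # compare
      statuses: write
    secrets:
      # Same caveat as for `check`: token + PR-controlled mergedSha in one workflow.
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}
      systems: ${{ needs.prepare.outputs.systems }}
      defaultVersion: nixVersions.latest
      # Only exercise the extra Nix versions when a "pinned" path was touched and
      # the PR does not target a development branch.
      testVersions: ${{ contains(fromJSON(needs.prepare.outputs.touched), 'pinned') && !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development') }}

  labels:
    name: Labels
    needs: [prepare, eval]
    uses: ./.github/workflows/labels.yml
    permissions:
      issues: write
      pull-requests: write
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
    with:
      headBranch: ${{ needs.prepare.outputs.headBranch }}

  reviewers:
    name: Reviewers
    needs: [prepare, eval]
    # Skipped when prepare produced no targetSha or the PR targets a development
    # branch; this job is deliberately *not* part of `unlock`'s needs.
    if: |
      needs.prepare.outputs.targetSha &&
      !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development')
    uses: ./.github/workflows/reviewers.yml
    secrets:
      OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}

  build:
    name: Build
    needs: [prepare]
    uses: ./.github/workflows/build.yml
    secrets:
      # Same caveat as for `check`: token + PR-controlled mergedSha in one workflow.
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}

  # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block merging a PR.
  unlock:
    # always(): run even if a needed job failed or was cancelled, so that a red
    # status gets recorded instead of the check silently never appearing.
    # The plain pull_request path (dry run) must not write statuses.
    if: github.event_name != 'pull_request' && always()
    # Modify this list to add or remove jobs from required status checks.
    needs:
      - check
      - lint
      - eval
      - build
    runs-on: ubuntu-24.04-arm
    permissions:
      # Only scope this job holds: posting the commit status below.
      statuses: write
    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          # JSON array of the `needs` job results, read back in the script.
          RESULTS: ${{ toJSON(needs.*.result) }}
        with:
          script: |
            const { serverUrl, repo, runId, payload } = context
            const target_url =
              `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}`
            await github.rest.repos.createCommitStatus({
              ...repo,
              // Status is attached to the PR head commit, which is what the ruleset evaluates.
              sha: payload.pull_request.head.sha,
              // WARNING:
              // Do NOT change the name of this, otherwise the rule will not catch it anymore.
              // This would prevent all PRs from merging.
              context: 'no PR failures',
              // Any non-success result (failure, cancelled, skipped) blocks the merge.
              state: JSON.parse(process.env.RESULTS).every(status => status === 'success') ? 'success' : 'error',
              target_url,
            })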