From aa7335ca5f80f7d249bd7870d3d4cfd8ed79bb88 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Sat, 4 Jan 2025 22:01:41 +0100 Subject: [PATCH 01/12] workflows/basic-eval: remove This seems to be unused. It can be triggered manually, but is this really done? Is this superseded by the new eval checks or should we instead run this regularly? --- .github/workflows/basic-eval.yml | 31 ------------------------------- 1 file changed, 31 deletions(-) delete mode 100644 .github/workflows/basic-eval.yml diff --git a/.github/workflows/basic-eval.yml b/.github/workflows/basic-eval.yml deleted file mode 100644 index 8698d5fff392e..0000000000000 --- a/.github/workflows/basic-eval.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: Basic evaluation checks - -on: - workflow_dispatch - # pull_request: - # branches: - # - master - # - release-** - # push: - # branches: - # - master - # - release-** -permissions: - contents: read - -jobs: - tests: - name: basic-eval-checks - runs-on: ubuntu-24.04 - # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 - with: - # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. - name: nixpkgs-ci - signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' - - run: nix --experimental-features 'nix-command flakes' flake check --all-systems --no-build - # explicit list of supportedSystems is needed until aarch64-darwin becomes part of the trunk jobset - - run: nix-build pkgs/top-level/release.nix -A release-checks --arg supportedSystems '[ "aarch64-darwin" "aarch64-linux" "x86_64-linux" "x86_64-darwin" ]' From 4d00c68aa42ef56c4be7a9692fdd5b035d134dfe Mon Sep 17 00:00:00 2001 
From: Wolfgang Walther Date: Sun, 5 Jan 2025 12:05:58 +0100 Subject: [PATCH 02/12] workflows/check-shell: use job matrix --- .github/workflows/check-shell.yml | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/.github/workflows/check-shell.yml b/.github/workflows/check-shell.yml index fda7db309e750..0f1595597733c 100644 --- a/.github/workflows/check-shell.yml +++ b/.github/workflows/check-shell.yml @@ -9,21 +9,19 @@ on: permissions: {} jobs: - x86_64-linux: - name: shell-check-x86_64-linux - runs-on: ubuntu-24.04 - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - # pull_request_target checks out the base branch by default - ref: refs/pull/${{ github.event.pull_request.number }}/merge - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - - name: Build shell - run: nix-build shell.nix + shell-check: + strategy: + fail-fast: false + matrix: + include: + - runner: ubuntu-24.04 + system: x86_64-linux + - runner: macos-14 + system: aarch64-darwin + + name: shell-check-${{ matrix.system }} + runs-on: ${{ matrix.runner }} - aarch64-darwin: - name: shell-check-aarch64-darwin - runs-on: macos-14 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: From fcb24b90d0704cd4511c9bb1b6be87f1e616bc17 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Sun, 5 Jan 2025 14:11:58 +0100 Subject: [PATCH 03/12] workflows/check-maintainers-sorted: Use .yml extension for consistency All other workflows do - and most importantly actionlint only runs on .yml files! --- ...check-maintainers-sorted.yaml => check-maintainers-sorted.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{check-maintainers-sorted.yaml => check-maintainers-sorted.yml} (100%) 
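Review bot: The matrix's `system` value is only ever interpolated into `name: shell-check-${{ matrix.system }}` within this hunk, so nothing ties it to the runner's actual architecture; a one-line comment above `include:` such as `# system is only used for the job name; keep it in sync with the runner's platform` would stop a later reader from assuming it is passed to nix-build. The display names `shell-check-x86_64-linux` and `shell-check-aarch64-darwin` are preserved, so required status checks keyed on those names should be unaffected, but anything keyed on the old job ids `x86_64-linux`/`aarch64-darwin` would break — I cannot verify that from here. The steps list continues outside the hunk.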
diff --git a/.github/workflows/check-maintainers-sorted.yaml b/.github/workflows/check-maintainers-sorted.yml similarity index 100% rename from .github/workflows/check-maintainers-sorted.yaml rename to .github/workflows/check-maintainers-sorted.yml From 72fd375d1c6685cf1e6cbaf1142f86fafc33103c Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Sun, 5 Jan 2025 14:13:33 +0100 Subject: [PATCH 04/12] workflows/eval: fix actionlint mergedSha is available from needs.get-merge-commit, not needs.attrs. Actionlint rightfully complains about that. The code still works as expected because nixpkgs/ is checked out at mergedSha, so the diff will be between mergedSha and baseSha. --- .github/workflows/eval.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index 64969dc2b4264..152a1b5d34687 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml @@ -203,7 +203,7 @@ jobs: if: steps.baseRunId.outputs.baseRunId run: | git -C nixpkgs worktree add ../base ${{ needs.attrs.outputs.baseSha }} - git -C nixpkgs diff --name-only ${{ needs.attrs.outputs.baseSha }} ${{ needs.attrs.outputs.mergedSha }} \ + git -C nixpkgs diff --name-only ${{ needs.attrs.outputs.baseSha }} \ | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json # Use the base branch to get accurate maintainer info From 88afad8833aba51d5d24d2f667ab8eea2f9508cd Mon Sep 17 00:00:00 2001 
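Review bot: The new `git -C nixpkgs diff --name-only ${{ needs.attrs.outputs.baseSha }} \` line diffs baseSha against the working tree of nixpkgs/, not against a commit, so it silently depends on the checkout being clean; any tracked file an earlier step modifies under nixpkgs/ would end up in touched-files.json. Pinning the second side makes the intent explicit and matches the commit message: `git -C nixpkgs diff --name-only ${{ needs.attrs.outputs.baseSha }} HEAD \`, assuming nixpkgs/ is checked out at mergedSha as the message states (the hunk does not show the checkout step). The `run:` block continues past the hunk.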
From: Wolfgang Walther Date: Sun, 5 Jan 2025 14:19:45 +0100 Subject: [PATCH 05/12] workflows: basic consistency in formatting workflows Same top-level ordering of keys / empty lines and same indentation for yaml lists. One blank line between each step. Makes it easier to read and compare the workflows. --- .github/workflows/backport.yml | 13 +- .github/workflows/check-cherry-picks.yml | 28 +++-- .../workflows/check-maintainers-sorted.yml | 3 + .github/workflows/check-nix-format.yml | 7 ++ .github/workflows/check-nixf-tidy.yml | 6 + .github/workflows/check-shell.yml | 2 + .github/workflows/codeowners-v2.yml | 112 +++++++++--------- .github/workflows/editorconfig-v2.yml | 65 +++++----- .github/workflows/eval-lib-tests.yml | 9 +- .github/workflows/get-merge-commit.yml | 51 ++++---- .github/workflows/labels.yml | 18 +-- .github/workflows/manual-nixos-v2.yml | 9 +- .github/workflows/manual-nixpkgs-v2.yml | 9 +- .github/workflows/nix-parse-v2.yml | 65 +++++----- .github/workflows/nixpkgs-vet.yml | 5 + .github/workflows/no-channel.yml | 14 +-- .github/workflows/periodic-merge-24h.yml | 1 - .github/workflows/periodic-merge-6h.yml | 1 - .../periodic-merge-haskell-updates.yml | 1 - 19 files changed, 231 insertions(+), 188 deletions(-) diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 42283f3ab40ce..bae29bc9428bc 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -1,13 +1,14 @@ -name: Backport -on: - pull_request_target: - types: [closed, labeled] - # WARNING: # When extending this action, be aware that $GITHUB_TOKEN allows write access to # the GitHub repository. This means that it should not evaluate user input in a # way that allows code injection. +name: Backport + +on: + pull_request_target: + types: [closed, labeled] + permissions: {} jobs: 
@@ -23,10 +24,12 @@ jobs: with: app-id: ${{ vars.BACKPORT_APP_ID }} private-key: ${{ secrets.BACKPORT_PRIVATE_KEY }} + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} token: ${{ steps.app-token.outputs.token }} + - name: Create backport PRs uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0 with: diff --git a/.github/workflows/check-cherry-picks.yml b/.github/workflows/check-cherry-picks.yml index 71b3bff044c79..1759aa5833b24 100644 --- a/.github/workflows/check-cherry-picks.yml +++ b/.github/workflows/check-cherry-picks.yml @@ -1,10 +1,11 @@ name: "Check cherry-picks" + on: pull_request_target: branches: - - 'release-**' - - 'staging-**' - - '!staging-next' + - 'release-**' + - 'staging-**' + - '!staging-next' permissions: {} @@ -14,13 +15,14 @@ jobs: runs-on: ubuntu-24.04 if: github.repository_owner == 'NixOS' steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - fetch-depth: 0 - filter: blob:none - - name: Check cherry-picks - env: - BASE_SHA: ${{ github.event.pull_request.base.sha }} - HEAD_SHA: ${{ github.event.pull_request.head.sha }} - run: | - ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA" + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + filter: blob:none + + - name: Check cherry-picks + env: + BASE_SHA: ${{ github.event.pull_request.base.sha }} + HEAD_SHA: ${{ github.event.pull_request.head.sha }} + run: | + ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA" diff --git a/.github/workflows/check-maintainers-sorted.yml b/.github/workflows/check-maintainers-sorted.yml index 21247e20cb9b3..e2673059a7af0 100644 --- a/.github/workflows/check-maintainers-sorted.yml +++ b/.github/workflows/check-maintainers-sorted.yml 
@@ -4,6 +4,7 @@ on: pull_request_target: paths: - 'maintainers/maintainer-list.nix' + permissions: contents: read @@ -21,9 +22,11 @@ jobs: sparse-checkout: | lib maintainers + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: # explicitly enable sandbox extra_nix_config: sandbox = true + - name: Check that maintainer-list.nix is sorted run: nix-instantiate --eval maintainers/scripts/check-maintainers-sorted.nix diff --git a/.github/workflows/check-nix-format.yml b/.github/workflows/check-nix-format.yml index d0b8c84c031dd..57eb03a911c41 100644 --- a/.github/workflows/check-nix-format.yml +++ b/.github/workflows/check-nix-format.yml @@ -3,12 +3,14 @@ # https://github.com/NixOS/rfcs/pull/166. # Because of this, this action is not yet enabled for all files -- only for # those who have opted in. + name: Check that Nix files are formatted on: pull_request_target: # See the comment at the same location in ./nixpkgs-vet.yml types: [opened, synchronize, reopened, edited] + permissions: contents: read @@ -28,6 +30,7 @@ jobs: ref: ${{ needs.get-merge-commit.outputs.mergedSha }} # Fetches the merge commit and its parents fetch-depth: 2 + - name: Checking out base branch run: | base=$(mktemp -d) @@ -35,6 +38,7 @@ jobs: git worktree add "$base" "$baseRev" echo "baseRev=$baseRev" >> "$GITHUB_ENV" echo "base=$base" >> "$GITHUB_ENV" + - name: Get Nixpkgs revision for nixfmt run: | # pin to a commit from nixpkgs-unstable to avoid e.g. building nixfmt 
@@ -42,13 +46,16 @@ jobs: # This should not be a URL, because it would allow PRs to run arbitrary code in CI! rev=$(jq -r .rev ci/pinned-nixpkgs.json) echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV" + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: # explicitly enable sandbox extra_nix_config: sandbox = true nix_path: nixpkgs=${{ env.url }} + - name: Install nixfmt run: "nix-env -f '' -iAP nixfmt-rfc-style" + - name: Check that Nix files are formatted according to the RFC style run: | unformattedFiles=() diff --git a/.github/workflows/check-nixf-tidy.yml b/.github/workflows/check-nixf-tidy.yml index e18964acb7f3b..c2082c2fae8fd 100644 --- a/.github/workflows/check-nixf-tidy.yml +++ b/.github/workflows/check-nixf-tidy.yml @@ -3,6 +3,7 @@ name: Check changed Nix files with nixf-tidy (experimental) on: pull_request_target: types: [opened, synchronize, reopened, edited] + permissions: contents: read @@ -18,6 +19,7 @@ jobs: ref: refs/pull/${{ github.event.pull_request.number }}/merge # Fetches the merge commit and its parents fetch-depth: 2 + - name: Checking out base branch run: | base=$(mktemp -d) @@ -25,6 +27,7 @@ jobs: git worktree add "$base" "$baseRev" echo "baseRev=$baseRev" >> "$GITHUB_ENV" echo "base=$base" >> "$GITHUB_ENV" + - name: Get Nixpkgs revision for nixf run: | # pin to a commit from nixpkgs-unstable to avoid e.g. building nixf 
@@ -32,14 +35,17 @@ jobs: # This should not be a URL, because it would allow PRs to run arbitrary code in CI! rev=$(jq -r .rev ci/pinned-nixpkgs.json) echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV" + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: # explicitly enable sandbox extra_nix_config: sandbox = true nix_path: nixpkgs=${{ env.url }} + - name: Install nixf and jq # provided jq is incompatible with our expression run: "nix-env -f '' -iAP nixf jq" + - name: Check that Nix files pass nixf-tidy run: | # Filtering error messages we don't like diff --git a/.github/workflows/check-shell.yml b/.github/workflows/check-shell.yml index 0f1595597733c..3a153860a09ce 100644 --- a/.github/workflows/check-shell.yml +++ b/.github/workflows/check-shell.yml @@ -27,6 +27,8 @@ jobs: with: # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - name: Build shell run: nix-build shell.nix diff --git a/.github/workflows/codeowners-v2.yml b/.github/workflows/codeowners-v2.yml index b5f1f88d0c887..ca68edeaab21b 100644 --- a/.github/workflows/codeowners-v2.yml +++ b/.github/workflows/codeowners-v2.yml @@ -1,5 +1,3 @@ -name: Codeowners v2 - # This workflow depends on two GitHub Apps with the following permissions: # - For checking code owners: # - Permissions: @@ -22,6 +20,8 @@ name: Codeowners v2 # # Note that the latter is also used for ./eval.yml requesting reviewers. +name: Codeowners v2 + on: pull_request_target: types: [opened, ready_for_review, synchronize, reopened, edited] 
@@ -45,67 +45,67 @@ jobs: needs: get-merge-commit if: needs.get-merge-commit.outputs.mergedSha steps: - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - - - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 - if: github.repository_owner == 'NixOS' - with: - # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. - name: nixpkgs-ci - authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - - # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself. - # We later build and run code from the base branch with access to secrets, - # so it's important this is not the PRs code. - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - path: base - - - name: Build codeowners validator - run: nix-build base/ci -A codeownersValidator - - - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1 - id: app-token - with: - app-id: ${{ vars.OWNER_RO_APP_ID }} - private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ needs.get-merge-commit.outputs.mergedSha }} - path: pr - - - name: Validate codeowners - run: result/bin/codeowners-validator - env: - OWNERS_FILE: pr/${{ env.OWNERS_FILE }} - GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} - REPOSITORY_PATH: pr - OWNER_CHECKER_REPOSITORY: ${{ github.repository }} - # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody - EXPERIMENTAL_CHECKS: "avoid-shadowing" + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + + - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 + if: github.repository_owner == 'NixOS' + with: + # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. 
+ name: nixpkgs-ci + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + + # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself. + # We later build and run code from the base branch with access to secrets, + # so it's important this is not the PRs code. + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + path: base + + - name: Build codeowners validator + run: nix-build base/ci -A codeownersValidator + + - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1 + id: app-token + with: + app-id: ${{ vars.OWNER_RO_APP_ID }} + private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + ref: ${{ needs.get-merge-commit.outputs.mergedSha }} + path: pr + + - name: Validate codeowners + run: result/bin/codeowners-validator + env: + OWNERS_FILE: pr/${{ env.OWNERS_FILE }} + GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} + REPOSITORY_PATH: pr + OWNER_CHECKER_REPOSITORY: ${{ github.repository }} + # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody + EXPERIMENTAL_CHECKS: "avoid-shadowing" # Request reviews from code owners request: name: Request runs-on: ubuntu-24.04 steps: - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. - # This is intentional, because we need to request the review of owners as declared in the base branch. - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. 
+ # This is intentional, because we need to request the review of owners as declared in the base branch. + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1 - id: app-token - with: - app-id: ${{ vars.OWNER_APP_ID }} - private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} + - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1 + id: app-token + with: + app-id: ${{ vars.OWNER_APP_ID }} + private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} - - name: Build review request package - run: nix-build ci -A requestReviews + - name: Build review request package + run: nix-build ci -A requestReviews - - name: Request reviews - run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE" - env: - GH_TOKEN: ${{ steps.app-token.outputs.token }} + - name: Request reviews + run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE" + env: + GH_TOKEN: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/editorconfig-v2.yml b/.github/workflows/editorconfig-v2.yml index 7c79cef1aae4c..90301d84b3757 100644 --- a/.github/workflows/editorconfig-v2.yml +++ b/.github/workflows/editorconfig-v2.yml @@ -1,15 +1,15 @@ name: "Checking EditorConfig v2" -permissions: - pull-requests: read - contents: read - on: # avoids approving first time contributors pull_request_target: branches-ignore: - 'release-**' +permissions: + pull-requests: read + contents: read + jobs: get-merge-commit: uses: ./.github/workflows/get-merge-commit.yml 
@@ -20,29 +20,34 @@ jobs: needs: get-merge-commit if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')" steps: - - name: Get list of changed files from PR - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - gh api \ - repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \ - | jq '.[] | select(.status != "removed") | .filename' \ - > "$HOME/changed_files" - - name: print list of changed files - run: | - cat "$HOME/changed_files" - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - # pull_request_target checks out the base branch by default - ref: ${{ needs.get-merge-commit.outputs.mergedSha }} - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - with: - # nixpkgs commit is pinned so that it doesn't break - # editorconfig-checker 2.4.0 - nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/c473cc8714710179df205b153f4e9fa007107ff9.tar.gz - - name: Checking EditorConfig - run: | - < "$HOME/changed_files" nix-shell -p editorconfig-checker --run 'xargs -r editorconfig-checker -disable-indent-size' - - if: ${{ failure() }} - run: | - echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again." 
+ - name: Get list of changed files from PR + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh api \ + repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \ + | jq '.[] | select(.status != "removed") | .filename' \ + > "$HOME/changed_files" + + - name: print list of changed files + run: | + cat "$HOME/changed_files" + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + # pull_request_target checks out the base branch by default + ref: ${{ needs.get-merge-commit.outputs.mergedSha }} + + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + with: + # nixpkgs commit is pinned so that it doesn't break + # editorconfig-checker 2.4.0 + nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/c473cc8714710179df205b153f4e9fa007107ff9.tar.gz + + - name: Checking EditorConfig + run: | + < "$HOME/changed_files" nix-shell -p editorconfig-checker --run 'xargs -r editorconfig-checker -disable-indent-size' + + - if: ${{ failure() }} + run: | + echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again." diff --git a/.github/workflows/eval-lib-tests.yml b/.github/workflows/eval-lib-tests.yml index 39fb99ae0ff9e..03efa973ef8c8 100644 --- a/.github/workflows/eval-lib-tests.yml +++ b/.github/workflows/eval-lib-tests.yml @@ -1,12 +1,13 @@ name: "Building Nixpkgs lib-tests" -permissions: - contents: read - on: pull_request_target: paths: - 'lib/**' + +permissions: + contents: read + jobs: get-merge-commit: uses: ./.github/workflows/get-merge-commit.yml 
@@ -21,10 +22,12 @@ jobs: with: # pull_request_target checks out the base branch by default ref: ${{ needs.get-merge-commit.outputs.mergedSha }} + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: # explicitly enable sandbox extra_nix_config: sandbox = true + - name: Building Nixpkgs lib-tests run: | nix-build --arg pkgs "(import ./ci/. {}).pkgs" ./lib/tests/release.nix diff --git a/.github/workflows/get-merge-commit.yml b/.github/workflows/get-merge-commit.yml index c76215aff60cc..827c86316b8b5 100644 --- a/.github/workflows/get-merge-commit.yml +++ b/.github/workflows/get-merge-commit.yml 
@@ -16,28 +16,29 @@ jobs: outputs: mergedSha: ${{ steps.merged.outputs.mergedSha }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - path: base - sparse-checkout: ci - - name: Check if the PR can be merged and get the test merge commit - id: merged - env: - GH_TOKEN: ${{ github.token }} - GH_EVENT: ${{ github.event_name }} - run: | - case "$GH_EVENT" in - push) - echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT" - ;; - pull_request_target) - if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then - echo "Checking the merge commit $mergedSha" - echo "mergedSha=$mergedSha" >> "$GITHUB_OUTPUT" - else - # Skipping so that no notifications are sent - echo "Skipping the rest..." - fi - ;; - esac - rm -rf base + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + path: base + sparse-checkout: ci + + - name: Check if the PR can be merged and get the test merge commit + id: merged + env: + GH_TOKEN: ${{ github.token }} + GH_EVENT: ${{ github.event_name }} + run: | + case "$GH_EVENT" in + push) + echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT" + ;; + pull_request_target) + if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then + echo "Checking the merge commit $mergedSha" + echo "mergedSha=$mergedSha" >> "$GITHUB_OUTPUT" + else + # Skipping so that no notifications are sent + echo "Skipping the rest..." + fi + ;; + esac + rm -rf base diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml index 5e2e3aeb3751f..80a186bbfa62b 100644 --- a/.github/workflows/labels.yml +++ b/.github/workflows/labels.yml 
@@ -1,14 +1,14 @@ +# WARNING: +# When extending this action, be aware that $GITHUB_TOKEN allows some write +# access to the GitHub API. This means that it should not evaluate user input in +# a way that allows code injection. + name: "Label PR" on: pull_request_target: types: [edited, opened, synchronize, reopened] -# WARNING: -# When extending this action, be aware that $GITHUB_TOKEN allows some write -# access to the GitHub API. This means that it should not evaluate user input in -# a way that allows code injection. - permissions: contents: read pull-requests: write @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-24.04 if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')" steps: - - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - sync-labels: true + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + sync-labels: true diff --git a/.github/workflows/manual-nixos-v2.yml b/.github/workflows/manual-nixos-v2.yml index 014fef1f5924b..8e6e43af54ca0 100644 --- a/.github/workflows/manual-nixos-v2.yml +++ b/.github/workflows/manual-nixos-v2.yml @@ -1,8 +1,5 @@ name: "Build NixOS manual v2" -permissions: - contents: read - on: pull_request_target: branches: @@ -10,6 +7,9 @@ on: paths: - 'nixos/**' +permissions: + contents: read + jobs: nixos: name: nixos-manual-build 
@@ -20,14 +20,17 @@ jobs: with: # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: # explicitly enable sandbox extra_nix_config: sandbox = true + - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 with: # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. name: nixpkgs-ci authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + - name: Building NixOS manual run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux diff --git a/.github/workflows/manual-nixpkgs-v2.yml b/.github/workflows/manual-nixpkgs-v2.yml index ec8a3f6d98767..43f883454afe7 100644 --- a/.github/workflows/manual-nixpkgs-v2.yml +++ b/.github/workflows/manual-nixpkgs-v2.yml @@ -1,8 +1,5 @@ name: "Build Nixpkgs manual v2" -permissions: - contents: read - on: pull_request_target: branches: @@ -12,6 +9,9 @@ on: - 'lib/**' - 'pkgs/tools/nix/nixdoc/**' +permissions: + contents: read + jobs: nixpkgs: name: nixpkgs-manual-build @@ -22,14 +22,17 @@ jobs: with: # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: # explicitly enable sandbox extra_nix_config: sandbox = true + - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 with: # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. name: nixpkgs-ci authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + - name: Building Nixpkgs manual run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual -A manual.tests diff --git a/.github/workflows/nix-parse-v2.yml b/.github/workflows/nix-parse-v2.yml index 61418079e62f3..be4113741d782 100644 
--- a/.github/workflows/nix-parse-v2.yml +++ b/.github/workflows/nix-parse-v2.yml @@ -1,15 +1,15 @@ name: "Check whether nix files are parseable v2" -permissions: - pull-requests: read - contents: read - on: # avoids approving first time contributors pull_request_target: branches-ignore: - 'release-**' +permissions: + pull-requests: read + contents: read + jobs: get-merge-commit: uses: ./.github/workflows/get-merge-commit.yml 
@@ -20,30 +20,33 @@ jobs: needs: get-merge-commit if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')" steps: - - name: Get list of changed files from PR - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - gh api \ - repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \ - | jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \ - > "$HOME/changed_files" - if [[ -s "$HOME/changed_files" ]]; then - echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV" - fi - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - # pull_request_target checks out the base branch by default - ref: ${{ needs.get-merge-commit.outputs.mergedSha }} - if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }} - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - with: - nix_path: nixpkgs=channel:nixpkgs-unstable - - name: Parse all changed or added nix files - run: | - ret=0 - while IFS= read -r file; do - out="$(nix-instantiate --parse "$file")" || { echo "$out" && ret=1; } - done < "$HOME/changed_files" - exit "$ret" - if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }} + - name: Get list of changed files from PR + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh api \ + repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \ + | jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \ + > "$HOME/changed_files" + if [[ -s "$HOME/changed_files" ]]; then + echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV" + fi + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + # pull_request_target checks out the base branch by default + ref: ${{ needs.get-merge-commit.outputs.mergedSha }} + if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }} + + - uses: 
cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + with: + nix_path: nixpkgs=channel:nixpkgs-unstable + + - name: Parse all changed or added nix files + run: | + ret=0 + while IFS= read -r file; do + out="$(nix-instantiate --parse "$file")" || { echo "$out" && ret=1; } + done < "$HOME/changed_files" + exit "$ret" + if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }} diff --git a/.github/workflows/nixpkgs-vet.yml b/.github/workflows/nixpkgs-vet.yml index 5e39f3873b911..7638f7da9a5f1 100644 --- a/.github/workflows/nixpkgs-vet.yml +++ b/.github/workflows/nixpkgs-vet.yml @@ -2,6 +2,7 @@ # Among other checks, it makes sure that `pkgs/by-name` (see `../../pkgs/by-name/README.md`) follows the validity rules outlined in [RFC 140](https://github.com/NixOS/rfcs/pull/140). # When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI. # See https://github.com/NixOS/nixpkgs-vet for details on the tool and its checks. + name: Vet nixpkgs on: @@ -37,12 +38,15 @@ jobs: ref: ${{ needs.get-merge-commit.outputs.mergedSha }} # Fetches the merge commit and its parents fetch-depth: 2 + - name: Checking out base branch run: | base=$(mktemp -d) git worktree add "$base" "$(git rev-parse HEAD^1)" echo "base=$base" >> "$GITHUB_ENV" + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - name: Fetching the pinned tool # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh run: | @@ -55,6 +59,7 @@ jobs: # Adds a result symlink as a GC root. nix-store --realise "$toolPath" --add-root result + - name: Running nixpkgs-vet env: # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/ diff --git a/.github/workflows/no-channel.yml b/.github/workflows/no-channel.yml index b7b61f9d64921..acaa937ad9360 100644 --- a/.github/workflows/no-channel.yml +++ b/.github/workflows/no-channel.yml 
@@ -15,11 +15,11 @@ jobs: name: "This PR is is targeting a channel branch" runs-on: ubuntu-24.04 steps: - - run: | - cat < Date: Sun, 5 Jan 2025 15:49:40 +0100 Subject: [PATCH 06/12] workflows/eval: remove non-required "needs: attrs" The eval-aliases job is independent of attrs already. --- .github/workflows/eval.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index 152a1b5d34687..38024c448712d 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml @@ -61,7 +61,7 @@ jobs: eval-aliases: name: Eval nixpkgs with aliases enabled runs-on: ubuntu-24.04 - needs: [ attrs, get-merge-commit ] + needs: [ get-merge-commit ] steps: - name: Check out the PR at the test merge commit uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 From b64d5e1c0c6e2af9ddfc323866b7195d47a01256 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Sun, 5 Jan 2025 16:19:08 +0100 Subject: [PATCH 07/12] workflows: make checks work with non-NixOS repos No need for that limitation, which only artifically limits test-ability of CI in forks. Some other workflows like backports, cherry-pick checks and periodic merges are very specific to the release branches and don't need to be run in forks. --- .github/workflows/check-maintainers-sorted.yml | 1 - .github/workflows/editorconfig-v2.yml | 4 ++-- .github/workflows/manual-nixos-v2.yml | 2 +- .github/workflows/manual-nixpkgs-v2.yml | 2 +- .github/workflows/nix-parse-v2.yml | 4 ++-- 5 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/check-maintainers-sorted.yml b/.github/workflows/check-maintainers-sorted.yml index e2673059a7af0..266e56fe989ed 100644 --- a/.github/workflows/check-maintainers-sorted.yml +++ b/.github/workflows/check-maintainers-sorted.yml 
@@ -12,7 +12,6 @@ jobs: nixos: name: maintainer-list-check runs-on: ubuntu-24.04 - if: github.repository_owner == 'NixOS' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: diff --git a/.github/workflows/editorconfig-v2.yml b/.github/workflows/editorconfig-v2.yml index 90301d84b3757..180fd9fbb2c50 100644 --- a/.github/workflows/editorconfig-v2.yml +++ b/.github/workflows/editorconfig-v2.yml @@ -18,14 +18,14 @@ jobs: name: editorconfig-check runs-on: ubuntu-24.04 needs: get-merge-commit - if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')" + if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')" steps: - name: Get list of changed files from PR env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | gh api \ - repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \ + repos/${{ github.repository }}/pulls/${{ github.event.number }}/files --paginate \ | jq '.[] | select(.status != "removed") | .filename' \ > "$HOME/changed_files" diff --git a/.github/workflows/manual-nixos-v2.yml b/.github/workflows/manual-nixos-v2.yml index 8e6e43af54ca0..e022f27ac693e 100644 --- a/.github/workflows/manual-nixos-v2.yml +++ b/.github/workflows/manual-nixos-v2.yml @@ -14,7 +14,6 @@ jobs: nixos: name: nixos-manual-build runs-on: ubuntu-24.04 - if: github.repository_owner == 'NixOS' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: @@ -27,6 +26,7 @@ jobs: extra_nix_config: sandbox = true - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 + if: github.repository_owner == 'NixOS' with: # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. name: nixpkgs-ci diff --git a/.github/workflows/manual-nixpkgs-v2.yml b/.github/workflows/manual-nixpkgs-v2.yml index 43f883454afe7..cdbafd63054b2 100644 
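Review bot: The editorconfig hunk splices `${{ github.repository }}` and `${{ github.event.number }}` directly into the `run:` script text; both values are harmless here (a repository slug and an integer PR number), but the same series' eval.yml passes such values through `env:` (`REPOSITORY: ${{ github.repository }}`) so the shell only ever sees a quoted variable, and that habit is what keeps expression interpolation out of shell. For consistency set `env: REPOSITORY: ${{ github.repository }}` and `PR_NUMBER: ${{ github.event.number }}` on the step and call `gh api repos/"$REPOSITORY"/pulls/"$PR_NUMBER"/files --paginate`. Dropping `github.repository_owner == 'NixOS'` from the job `if:` means a fork that enables `pull_request_target` now runs this job with its own `GITHUB_TOKEN`; that is acceptable since the job only lists changed files, and the cache-pushing `cachix-action` steps in the same commit correctly keep the owner check.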
--- a/.github/workflows/manual-nixpkgs-v2.yml +++ b/.github/workflows/manual-nixpkgs-v2.yml @@ -16,7 +16,6 @@ jobs: nixpkgs: name: nixpkgs-manual-build runs-on: ubuntu-24.04 - if: github.repository_owner == 'NixOS' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: @@ -29,6 +28,7 @@ jobs: extra_nix_config: sandbox = true - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 + if: github.repository_owner == 'NixOS' with: # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. name: nixpkgs-ci diff --git a/.github/workflows/nix-parse-v2.yml b/.github/workflows/nix-parse-v2.yml index be4113741d782..f3e5590a9efa4 100644 --- a/.github/workflows/nix-parse-v2.yml +++ b/.github/workflows/nix-parse-v2.yml @@ -18,14 +18,14 @@ jobs: name: nix-files-parseable-check runs-on: ubuntu-24.04 needs: get-merge-commit - if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')" + if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')" steps: - name: Get list of changed files from PR env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | gh api \ - repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \ + repos/${{ github.repository }}/pulls/${{github.event.number}}/files --paginate \ | jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \ > "$HOME/changed_files" if [[ -s "$HOME/changed_files" ]]; then From 58f8c536c66e6e6d62978885caf61d276df872d6 Mon Sep 17 00:00:00 2001 
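Review bot: The nix-parse-v2 hunk writes the PR number as `${{github.event.number}}` while the editorconfig-v2 hunk in the same commit writes `${{ github.event.number }}`; the two files are otherwise copy-paste twins, so pick one spelling. Better still, move both values out of the script body into `env:` (`REPOSITORY: ${{ github.repository }}`, `PR_NUMBER: ${{ github.event.number }}`) and call `gh api repos/"$REPOSITORY"/pulls/"$PR_NUMBER"/files --paginate`, which is the pattern eval.yml already uses for `REPOSITORY` and avoids interpolating expressions into shell at all.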
From: Wolfgang Walther Date: Sun, 5 Jan 2025 16:34:49 +0100 Subject: [PATCH 08/12] workflows/{editorconfig,nix-parse}: run against release branches It seems odd to exclude PRs against release branches for those checks - especially when not excluding PRs against staging-** variants at the same time. --- .github/workflows/editorconfig-v2.yml | 2 -- .github/workflows/nix-parse-v2.yml | 2 -- 2 files changed, 4 deletions(-) diff --git a/.github/workflows/editorconfig-v2.yml b/.github/workflows/editorconfig-v2.yml index 180fd9fbb2c50..ecf0a075430e2 100644 --- a/.github/workflows/editorconfig-v2.yml +++ b/.github/workflows/editorconfig-v2.yml @@ -3,8 +3,6 @@ name: "Checking EditorConfig v2" on: # avoids approving first time contributors pull_request_target: - branches-ignore: - - 'release-**' permissions: pull-requests: read diff --git a/.github/workflows/nix-parse-v2.yml b/.github/workflows/nix-parse-v2.yml index f3e5590a9efa4..71d5a29af7769 100644 --- a/.github/workflows/nix-parse-v2.yml +++ b/.github/workflows/nix-parse-v2.yml @@ -3,8 +3,6 @@ name: "Check whether nix files are parseable v2" on: # avoids approving first time contributors pull_request_target: - branches-ignore: - - 'release-**' permissions: pull-requests: read From 51b8ad219198913429c793511dff71c99e7979a0 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Sun, 5 Jan 2025 17:41:40 +0100 Subject: [PATCH 09/12] workflows/periodic-merge: create re-usable workflow Less repetition, more consistency. --- .github/workflows/periodic-merge-24h.yml | 31 ++++---------------- .github/workflows/periodic-merge-6h.yml | 31 ++++---------------- .github/workflows/periodic-merge.yml | 37 ++++++++++++++++++++++++ 3 files changed, 49 insertions(+), 50 deletions(-) create mode 100644 .github/workflows/periodic-merge.yml diff --git a/.github/workflows/periodic-merge-24h.yml b/.github/workflows/periodic-merge-24h.yml index d4b9f889f3f16..dc45642c14783 100644 --- a/.github/workflows/periodic-merge-24h.yml 
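Review bot: Removing `branches-ignore: release-**` from these two `pull_request_target` workflows does not by itself make them run for PRs against release branches: `pull_request_target` takes the workflow definition from the PR's base branch, so a PR into `release-24.11` keeps running that branch's copy of the file. The change only takes effect once it is backported to each release branch, which is worth stating in the commit message or doing in the same PR.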
+++ b/.github/workflows/periodic-merge-24h.yml @@ -15,15 +15,11 @@ on: workflow_dispatch: permissions: - contents: read + contents: write # for devmasx/merge-branch to merge branches + pull-requests: write # for peter-evans/create-or-update-comment to create or update comment jobs: periodic-merge: - permissions: - contents: write # for devmasx/merge-branch to merge branches - pull-requests: write # for peter-evans/create-or-update-comment to create or update comment - if: github.repository_owner == 'NixOS' - runs-on: ubuntu-24.04 strategy: # don't fail fast, so that all pairs are tried fail-fast: false @@ -36,22 +32,7 @@ jobs: into: staging-next-24.11 - from: staging-next-24.11 into: staging-24.11 - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} - uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0 - with: - type: now - from_branch: ${{ matrix.pairs.from }} - target_branch: ${{ matrix.pairs.into }} - github_token: ${{ secrets.GITHUB_TOKEN }} - - - name: Comment on failure - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 - if: ${{ failure() }} - with: - issue-number: 105153 - body: | - Periodic merge from `${{ matrix.pairs.from }}` into `${{ matrix.pairs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}). + uses: ./.github/workflows/periodic-merge.yml + with: + from: ${{ matrix.pairs.from }} + into: ${{ matrix.pairs.into }} diff --git a/.github/workflows/periodic-merge-6h.yml b/.github/workflows/periodic-merge-6h.yml index ba70a274adfb2..c540840c0a13f 100644 --- a/.github/workflows/periodic-merge-6h.yml +++ b/.github/workflows/periodic-merge-6h.yml 
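Review bot: Moving `contents: write` and `pull-requests: write` up to the workflow-level `permissions:` makes them the default for every job in the file, whereas the previous job-level block scoped them to `periodic-merge` alone. A job that calls a reusable workflow with `uses:` can carry its own `permissions:` block, and that block is what gets passed to the callee, so the move is not required by the refactor. Keep the top-level key as `permissions: {}` and restore the two write scopes on the `periodic-merge` job; this also matches the README added later in this series, which says every workflow should start from `permissions: {}`. The same applies to the identical hunk in periodic-merge-6h.yml.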
@@ -15,15 +15,11 @@ on: workflow_dispatch: permissions: - contents: read + contents: write # for devmasx/merge-branch to merge branches + pull-requests: write # for peter-evans/create-or-update-comment to create or update comment jobs: periodic-merge: - permissions: - contents: write # for devmasx/merge-branch to merge branches - pull-requests: write # for peter-evans/create-or-update-comment to create or update comment - if: github.repository_owner == 'NixOS' - runs-on: ubuntu-24.04 strategy: # don't fail fast, so that all pairs are tried fail-fast: false @@ -36,22 +32,7 @@ jobs: into: staging-next - from: staging-next into: staging - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} - uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0 - with: - type: now - from_branch: ${{ matrix.pairs.from }} - target_branch: ${{ matrix.pairs.into }} - github_token: ${{ secrets.GITHUB_TOKEN }} - - - name: Comment on failure - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 - if: ${{ failure() }} - with: - issue-number: 105153 - body: | - Periodic merge from `${{ matrix.pairs.from }}` into `${{ matrix.pairs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}). + uses: ./.github/workflows/periodic-merge.yml + with: + from: ${{ matrix.pairs.from }} + into: ${{ matrix.pairs.into }} diff --git a/.github/workflows/periodic-merge.yml b/.github/workflows/periodic-merge.yml new file mode 100644 index 0000000000000..fd65547002ac7 --- /dev/null +++ b/.github/workflows/periodic-merge.yml 
@@ -0,0 +1,37 @@ +name: "Merge" + +on: + workflow_call: + inputs: + from: + description: Branch to merge into target branch. + required: true + type: string + into: + description: Target branch to merge into. + required: true + type: string + +jobs: + merge: + if: github.repository_owner == 'NixOS' + runs-on: ubuntu-24.04 + name: ${{ inputs.from }} → ${{ inputs.into }} + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: ${{ inputs.from }} → ${{ inputs.into }} + uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0 + with: + type: now + from_branch: ${{ inputs.from }} + target_branch: ${{ inputs.into }} + github_token: ${{ secrets.GITHUB_TOKEN }} + + - name: Comment on failure + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 + if: ${{ failure() }} + with: + issue-number: 105153 + body: | + Periodic merge from `${{ inputs.from }}` into `${{ inputs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}). From ba09688dc88ac88a46a75412a1b72affcca16471 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Sun, 5 Jan 2025 17:52:21 +0100 Subject: [PATCH 10/12] workflows/periodic-merge: support merge bases in re-usable workflow --- .github/workflows/periodic-merge-24h.yml | 2 + .../periodic-merge-haskell-updates.yml | 58 ------------------- .github/workflows/periodic-merge.yml | 17 +++++- 3 files changed, 17 insertions(+), 60 deletions(-) delete mode 100644 .github/workflows/periodic-merge-haskell-updates.yml diff --git a/.github/workflows/periodic-merge-24h.yml b/.github/workflows/periodic-merge-24h.yml index dc45642c14783..83d95e0b8bff2 100644 --- a/.github/workflows/periodic-merge-24h.yml +++ b/.github/workflows/periodic-merge-24h.yml 
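Review bot: The new reusable workflow declares no `permissions:` at all, so the `merge` job runs with whatever token the caller passes; a called workflow can only narrow the caller's permissions, so adding `permissions:` with `contents: write` and `pull-requests: write` on the `merge` job both documents what `merge-branch` and `create-or-update-comment` need and caps the token if a future caller passes more. The `actions/checkout` step appears to exist only to give `devmasx/merge-branch` a working directory while the merge itself presumably goes through the API with `github_token`; if so, `persist-credentials: false` on the checkout keeps the write-capable token out of `.git/config` — confirm the action does not depend on the persisted credentials. `issue-number: 105153` is now hard-coded in a shared workflow; an `issue` input with that default would let callers report failures to their own tracking issue.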
@@ -32,6 +32,8 @@ jobs: into: staging-next-24.11 - from: staging-next-24.11 into: staging-24.11 + - from: master staging + into: haskell-updates uses: ./.github/workflows/periodic-merge.yml with: from: ${{ matrix.pairs.from }} diff --git a/.github/workflows/periodic-merge-haskell-updates.yml b/.github/workflows/periodic-merge-haskell-updates.yml deleted file mode 100644 index cae2c12f2ae38..0000000000000 --- a/.github/workflows/periodic-merge-haskell-updates.yml +++ /dev/null 
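Review bot: Folding the haskell-updates merge into the 24h matrix silently changes where failures are reported: the deleted workflow commented on issue 367709, while the shared workflow comments on 105153 for every pair. If consolidating the reports is intended, say so in the commit message; otherwise add an issue input to the reusable workflow. The header comment of the deleted file explaining why only the merge base is merged is also lost, so add a comment above the new entry, e.g. `# haskell-updates is based on master but targets staging; merge only the merge base of the two to avoid unrelated commits, see https://github.com/NixOS/nixpkgs/issues/361143`.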
@@ -1,58 +0,0 @@ -# This action periodically merges a merge base of master and staging into haskell-updates. -# -# haskell-updates is based on master (so there are little unrelated failures and the cache -# is already prepopulated), but needs to target staging due to the high amount of rebuilds -# it typically causes. To prevent unrelated commits clattering the GitHub UI, we need to -# take care to only merge the merge-base of master and staging into haskell-updates. -# -# See also https://github.com/NixOS/nixpkgs/issues/361143. - -name: "Periodic Merges (haskell-updates)" - -on: - schedule: - # * is a special character in YAML so you have to quote this string - # Merge every 24 hours - - cron: '0 0 * * *' - workflow_dispatch: - -permissions: - contents: read - -jobs: - periodic-merge: - permissions: - contents: write # for devmasx/merge-branch to merge branches - pull-requests: write # for peter-evans/create-or-update-comment to create or update comment - if: github.repository_owner == 'NixOS' - runs-on: ubuntu-24.04 - name: git merge-base master staging → haskell-updates - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - fetch-depth: 0 - - # Note: If we want to do something similar for more branches, we can move this into a - # separate job, so we can use the matrix strategy again. 
- - name: Find merge base of master and staging - id: find_merge_base_step - run: | - merge_base="$(git merge-base refs/remotes/origin/master refs/remotes/origin/staging)" - echo "Found merge base: $merge_base" >&2 - echo "merge_base=$merge_base" >> "$GITHUB_OUTPUT" - - - name: git merge-base master staging → haskell-updates - uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0 - with: - type: now - head_to_merge: ${{ steps.find_merge_base_step.outputs.merge_base }} - target_branch: haskell-updates - github_token: ${{ secrets.GITHUB_TOKEN }} - - - name: Comment on failure - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 - if: ${{ failure() }} - with: - issue-number: 367709 - body: | - Periodic merge from `${{ steps.find_merge_base_step.outputs.merge_base }}` into `haskell-updates` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}). diff --git a/.github/workflows/periodic-merge.yml b/.github/workflows/periodic-merge.yml index fd65547002ac7..cd674fd582d67 100644 --- a/.github/workflows/periodic-merge.yml +++ b/.github/workflows/periodic-merge.yml @@ -4,7 +4,7 @@ on: workflow_call: inputs: from: - description: Branch to merge into target branch. + description: Branch to merge into target branch. Can also be two branches separated by space to find the merge base between them. required: true type: string into: 
@@ -20,11 +20,24 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Find merge base between two branches + if: contains(inputs.from, ' ') + id: merge_base + env: + branches: ${{ inputs.from }} + run: | + # turn into bash array, split on space + read -ra branches <<< "$branches" + git fetch --shallow-since="1 month ago" origin "${branches[@]}" + merge_base="$(git merge-base "refs/remotes/origin/${branches[0]}" "refs/remotes/origin/${branches[1]}")" + echo "Found merge base: $merge_base" >&2 + echo "merge_base=$merge_base" >> "$GITHUB_OUTPUT" + - name: ${{ inputs.from }} → ${{ inputs.into }} uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0 with: type: now - from_branch: ${{ inputs.from }} + from_branch: ${{ steps.merge_base.outputs.merge_base || inputs.from }} target_branch: ${{ inputs.into }} github_token: ${{ secrets.GITHUB_TOKEN }} From 3e9f5c05eacaa83dab454c97b55c852f5337225e Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Wed, 8 Jan 2025 21:16:34 +0100 Subject: [PATCH 11/12] workflows: rename baseSha to targetSha We currently use two different "base" commits, but the same name. One of them is the commit in which context the pull_request_target runs. The other is the parent of the merge commit. Those are **not** necessarily the same - see README introduced in the next commit for details. Renaming one of them for clarity. Since the pull_request_target related base commit is also called like that in GitHub Actions terminology, we rename the other. The best I could come up with is "target". --- .github/workflows/check-nix-format.yml | 18 +++++----- .github/workflows/check-nixf-tidy.yml | 18 +++++----- .github/workflows/eval.yml | 50 +++++++++++++------------- .github/workflows/nixpkgs-vet.yml | 10 +++--- 4 files changed, 48 insertions(+), 48 deletions(-) 
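Review bot: The merge-base step fetches with `--shallow-since="1 month ago"` on top of a default depth-1 checkout, whereas the workflow it replaces used `fetch-depth: 0`; if the true merge base of the two branches lies outside that window, `git merge-base` finds no common ancestor and the step fails under the default `-e` shell with an unhelpful error. That fails closed rather than merging the wrong commit, but it is a robustness regression — either use `fetch-depth: 0` on the checkout or add `[[ -n "$merge_base" ]] || { echo "no merge base within fetch window" >&2; exit 1; }`. The array is indexed as `${branches[0]}`/`${branches[1]}` without checking its length, so a stray space in `from` would pass one real branch and one empty string; `(( ${#branches[@]} == 2 )) || exit 1` catches that. Passing `inputs.from` through `env:` before splitting is the right way to keep it out of the script text. Finally, the deleted workflow passed the SHA as `head_to_merge` while this passes it as `from_branch`; confirm the pinned merge-branch version accepts a raw commit there.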
diff --git a/.github/workflows/check-nix-format.yml b/.github/workflows/check-nix-format.yml index 57eb03a911c41..b276b3575eed5 100644 --- a/.github/workflows/check-nix-format.yml +++ b/.github/workflows/check-nix-format.yml @@ -31,13 +31,13 @@ jobs: # Fetches the merge commit and its parents fetch-depth: 2 - - name: Checking out base branch + - name: Checking out target branch run: | - base=$(mktemp -d) - baseRev=$(git rev-parse HEAD^1) - git worktree add "$base" "$baseRev" - echo "baseRev=$baseRev" >> "$GITHUB_ENV" - echo "base=$base" >> "$GITHUB_ENV" + target=$(mktemp -d) + targetRev=$(git rev-parse HEAD^1) + git worktree add "$target" "$targetRev" + echo "targetRev=$targetRev" >> "$GITHUB_ENV" + echo "target=$target" >> "$GITHUB_ENV" - name: Get Nixpkgs revision for nixfmt run: | @@ -85,12 +85,12 @@ jobs: esac # Ignore files that weren't already formatted - if [[ -n "$source" ]] && ! nixfmt --check ${{ env.base }}/"$source" 2>/dev/null; then - echo "Ignoring file $file because it's not formatted in the base commit" + if [[ -n "$source" ]] && ! nixfmt --check ${{ env.target }}/"$source" 2>/dev/null; then + echo "Ignoring file $file because it's not formatted in the target commit" elif ! nixfmt --check "$dest"; then unformattedFiles+=("$dest") fi - done < <(git diff -z --name-status ${{ env.baseRev }} -- '*.nix') + done < <(git diff -z --name-status ${{ env.targetRev }} -- '*.nix') if (( "${#unformattedFiles[@]}" > 0 )); then echo "Some new/changed Nix files are not properly formatted" diff --git a/.github/workflows/check-nixf-tidy.yml b/.github/workflows/check-nixf-tidy.yml index c2082c2fae8fd..8907e003852f8 100644 --- a/.github/workflows/check-nixf-tidy.yml +++ b/.github/workflows/check-nixf-tidy.yml 
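Review bot: The renamed variables are read back as `${{ env.target }}` and `${{ env.targetRev }}` inside `run:`, which substitutes the value into the script before the shell sees it, while the nixpkgs-vet hunk in this same commit reads the identical variable as `"$target"`. The values come from `mktemp -d` and `git rev-parse`, so there is no injection exposure here, but `"$target"/"$source"` and `git diff -z --name-status "$targetRev" -- '*.nix'` are the consistent, quote-safe form and avoid expression interpolation in shell altogether. The loop this appears in starts before the hunk.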
@@ -20,13 +20,13 @@ jobs: # Fetches the merge commit and its parents fetch-depth: 2 - - name: Checking out base branch + - name: Checking out target branch run: | - base=$(mktemp -d) - baseRev=$(git rev-parse HEAD^1) - git worktree add "$base" "$baseRev" - echo "baseRev=$baseRev" >> "$GITHUB_ENV" - echo "base=$base" >> "$GITHUB_ENV" + target=$(mktemp -d) + targetRev=$(git rev-parse HEAD^1) + git worktree add "$target" "$targetRev" + echo "targetRev=$targetRev" >> "$GITHUB_ENV" + echo "target=$target" >> "$GITHUB_ENV" - name: Get Nixpkgs revision for nixf run: | @@ -91,8 +91,8 @@ jobs: continue esac - if [[ -n "$source" ]] && [[ "$(nixf_wrapper ${{ env.base }}/"$source")" != '[]' ]] 2>/dev/null; then - echo "Ignoring file $file because it doesn't pass nixf-tidy in the base commit" + if [[ -n "$source" ]] && [[ "$(nixf_wrapper ${{ env.target }}/"$source")" != '[]' ]] 2>/dev/null; then + echo "Ignoring file $file because it doesn't pass nixf-tidy in the target commit" echo # insert blank line else nixf_report="$(nixf_wrapper "$dest")" @@ -119,7 +119,7 @@ jobs: failedFiles+=("$dest") fi fi - done < <(git diff -z --name-status ${{ env.baseRev }} -- '*.nix') + done < <(git diff -z --name-status ${{ env.targetRev }} -- '*.nix') if [[ -n "$DONT_REPORT_ERROR" ]]; then echo "Edited the PR but didn't change the base branch, only the description/title." diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index 38024c448712d..2fe51f449d683 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml @@ -26,7 +26,7 @@ jobs: # Skip this and dependent steps if the PR can't be merged if: needs.get-merge-commit.outputs.mergedSha outputs: - baseSha: ${{ steps.baseSha.outputs.baseSha }} + targetSha: ${{ steps.targetSha.outputs.targetSha }} systems: ${{ steps.systems.outputs.systems }} steps: - name: Check out the PR at the test merge commit 
@@ -36,12 +36,12 @@ jobs: fetch-depth: 2 path: nixpkgs - - name: Determine base commit + - name: Determine target commit if: github.event_name == 'pull_request_target' - id: baseSha + id: targetSha run: | - baseSha=$(git -C nixpkgs rev-parse HEAD^1) - echo "baseSha=$baseSha" >> "$GITHUB_OUTPUT" + targetSha=$(git -C nixpkgs rev-parse HEAD^1) + echo "targetSha=$targetSha" >> "$GITHUB_OUTPUT" - name: Install Nix uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 @@ -128,7 +128,7 @@ jobs: runs-on: ubuntu-24.04 needs: [ outpaths, attrs, get-merge-commit ] outputs: - baseRunId: ${{ steps.baseRunId.outputs.baseRunId }} + targetRunId: ${{ steps.targetRunId.outputs.targetRunId }} steps: - name: Download output paths and eval stats for all systems uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 @@ -158,11 +158,11 @@ jobs: name: result path: prResult/* - - name: Get base run id - if: needs.attrs.outputs.baseSha - id: baseRunId + - name: Get target run id + if: needs.attrs.outputs.targetSha + id: targetRunId run: | - # Get the latest eval.yml workflow run for the PR's base commit + # Get the latest eval.yml workflow run for the PR's target commit if ! run=$(gh api --method GET /repos/"$REPOSITORY"/actions/workflows/eval.yml/runs \ -f head_sha="$BASE_SHA" -f event=push \ --jq '.workflow_runs | sort_by(.run_started_at) | .[-1]') \ 
@@ -185,30 +185,30 @@ jobs: exit 0 fi - echo "baseRunId=$runId" >> "$GITHUB_OUTPUT" + echo "targetRunId=$runId" >> "$GITHUB_OUTPUT" env: REPOSITORY: ${{ github.repository }} - BASE_SHA: ${{ needs.attrs.outputs.baseSha }} + BASE_SHA: ${{ needs.attrs.outputs.targetSha }} GH_TOKEN: ${{ github.token }} - uses: actions/download-artifact@v4 - if: steps.baseRunId.outputs.baseRunId + if: steps.targetRunId.outputs.targetRunId with: name: result - path: baseResult + path: targetResult github-token: ${{ github.token }} - run-id: ${{ steps.baseRunId.outputs.baseRunId }} + run-id: ${{ steps.targetRunId.outputs.targetRunId }} - - name: Compare against the base branch - if: steps.baseRunId.outputs.baseRunId + - name: Compare against the target branch + if: steps.targetRunId.outputs.targetRunId run: | - git -C nixpkgs worktree add ../base ${{ needs.attrs.outputs.baseSha }} - git -C nixpkgs diff --name-only ${{ needs.attrs.outputs.baseSha }} \ + git -C nixpkgs worktree add ../target ${{ needs.attrs.outputs.targetSha }} + git -C nixpkgs diff --name-only ${{ needs.attrs.outputs.targetSha }} \ | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json - # Use the base branch to get accurate maintainer info - nix-build base/ci -A eval.compare \ - --arg beforeResultDir ./baseResult \ + # Use the target branch to get accurate maintainer info + nix-build target/ci -A eval.compare \ + --arg beforeResultDir ./targetResult \ --arg afterResultDir ./prResult \ --arg touchedFilesJson ./touched-files.json \ -o comparison @@ -216,7 +216,7 @@ jobs: cat comparison/step-summary.md >> "$GITHUB_STEP_SUMMARY" - name: Upload the combined results - if: steps.baseRunId.outputs.baseRunId + if: steps.targetRunId.outputs.targetRunId uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: comparison 
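Review bot: The rename stops at the shell boundary: the step still exports `BASE_SHA: ${{ needs.attrs.outputs.targetSha }}` and queries `-f head_sha="$BASE_SHA"`, so the script now calls "base" exactly what the outputs call "target" — the ambiguity the commit message sets out to remove. Rename the env var to `TARGET_SHA` and the reference to `"$TARGET_SHA"`. The updated comment `# Get the latest eval.yml workflow run for the PR's target commit` would be clearer with one more line noting that the target commit is `HEAD^1` of the test merge commit rather than `github.event.pull_request.base.sha`, since that distinction is the reason for the rename.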
@@ -227,7 +227,7 @@ jobs: name: Tag runs-on: ubuntu-24.04 needs: [ attrs, process ] - if: needs.process.outputs.baseRunId + if: needs.process.outputs.targetRunId permissions: pull-requests: write statuses: write @@ -254,7 +254,7 @@ jobs: - name: Check out Nixpkgs at the base commit uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - ref: ${{ needs.attrs.outputs.baseSha }} + ref: ${{ needs.attrs.outputs.targetSha }} path: base sparse-checkout: ci diff --git a/.github/workflows/nixpkgs-vet.yml b/.github/workflows/nixpkgs-vet.yml index 7638f7da9a5f1..70ab6da49a489 100644 --- a/.github/workflows/nixpkgs-vet.yml +++ b/.github/workflows/nixpkgs-vet.yml @@ -39,11 +39,11 @@ jobs: # Fetches the merge commit and its parents fetch-depth: 2 - - name: Checking out base branch + - name: Checking out target branch run: | - base=$(mktemp -d) - git worktree add "$base" "$(git rev-parse HEAD^1)" - echo "base=$base" >> "$GITHUB_ENV" + target=$(mktemp -d) + git worktree add "$target" "$(git rev-parse HEAD^1)" + echo "target=$target" >> "$GITHUB_ENV" - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 @@ -65,7 +65,7 @@ jobs: # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/ CLICOLOR_FORCE: 1 run: | - if result/bin/nixpkgs-vet --base "$base" .; then + if result/bin/nixpkgs-vet --base "$target" .; then exit 0 else exitCode=$? From 9ea74225cc448f708c514ee03206323d732f122d Mon Sep 17 00:00:00 2001 
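Review bot: In the `Tag` job the checkout now uses `needs.attrs.outputs.targetSha` but keeps the step name `Check out Nixpkgs at the base commit` and `path: base`, so the old term survives in the one place a reader is most likely to look. Rename the step to `Check out Nixpkgs at the target commit` and the path to `target`, adjusting any later reference to `base/` in the job if one exists — the rest of the job is outside this hunk.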
From: Wolfgang Walther Date: Wed, 8 Jan 2025 21:09:05 +0100 Subject: [PATCH 12/12] workflows: add README This introduces some basic concepts used in these workflows and a common terminology. At the same time we remove some of the comments from various workflow files, because they are assumed to be "general knowledge" through the README. --- .github/workflows/README.md | 20 +++++++++++++++++++ .../workflows/check-maintainers-sorted.yml | 5 +---- .github/workflows/check-nix-format.yml | 6 +----- .github/workflows/check-nixf-tidy.yml | 5 +---- .github/workflows/check-shell.yml | 1 - .github/workflows/codeowners-v2.yml | 1 - .github/workflows/editorconfig-v2.yml | 6 +----- .github/workflows/eval-lib-tests.yml | 5 +---- .github/workflows/eval.yml | 12 ++++++++--- .github/workflows/get-merge-commit.yml | 1 - .github/workflows/manual-nixos-v2.yml | 5 +---- .github/workflows/manual-nixpkgs-v2.yml | 5 +---- .github/workflows/nix-parse-v2.yml | 7 ++----- .github/workflows/nixpkgs-vet.yml | 2 -- 14 files changed, 38 insertions(+), 43 deletions(-) create mode 100644 .github/workflows/README.md diff --git a/.github/workflows/README.md b/.github/workflows/README.md new file mode 100644 index 0000000000000..7089501d5e405 --- /dev/null +++ b/.github/workflows/README.md 
@@ -0,0 +1,20 @@ +# GitHub Actions Workflows + +Some architectural notes about key decisions and concepts in our workflows: + +- Instead of `pull_request` we use [`pull_request_target`](https://docs.github.com/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) for all PR-related workflows. This has the advantage that those workflows will run without prior approval for external contributors. + +- Running on `pull_request_target` also optionally provides us with a GH_TOKEN with elevated privileges (write access), which we need to do things like adding labels, requesting reviewers or pushing branches. **Note about security:** We need to be careful to limit the scope of elevated privileges as much as possible. Thus they should be lowered to the minimum with `permissions: {}` in every workflow by default. + +- By definition `pull_request_target` runs in the context of the **base** of the pull request. This means, that the workflow files to run will be taken from the base branch, not the PR, and actions/checkout will not checkout the PR, but the base branch, by default. To protect our secrets, we need to make sure to **never execute code** from the pull request and always evaluate or build nix code from the pull request with the **sandbox enabled**. + +- To test the pull request's contents, we checkout the "test merge commit". This is a temporary commit that GitHub creates automatically as "what would happen, if this PR was merged into the base branch now?". The checkout could be done via the virtual branch `refs/pull//merge`, but doing so would cause failures when this virtual branch doesn't exist (anymore). This can happen when the PR has conflicts, in which case the virtual branch is not created, or when the PR is getting merged while workflows are still running, in which case the branch won't exist anymore at the time of checkout. 
Thus, we use the `get-merge-commit.yml` workflow to check whether the PR is mergeable and the test merge commit exists and only then run the relevant jobs. + +- Various workflows need to make comparisons against the base branch. In this case, we checkout the parent of the "test merge commit" for best results. Note, that this is not necessarily the same as the default commit that actions/checkout would use, which is also a commit from the base branch (see above), but might be older. + +## Terminology + +- **base commit**: The pull_request_target event's context commit, i.e. the base commit given by GitHub Actions. Same as `github.event.pull_request.base.sha`. +- **head commit**: The HEAD commit in the pull request's branch. Same as `github.event.pull_request.head.sha`. +- **merge commit**: The temporary "test merge commit" that GitHub Actions creates and updates for the pull request. Same as `refs/pull/${{ github.event.pull_request.number }}/merge`. +- **target commit**: The base branch's parent of the "test merge commit" to compare against. diff --git a/.github/workflows/check-maintainers-sorted.yml b/.github/workflows/check-maintainers-sorted.yml index 266e56fe989ed..07cd525e85428 100644 --- a/.github/workflows/check-maintainers-sorted.yml +++ b/.github/workflows/check-maintainers-sorted.yml @@ -5,8 +5,7 @@ on: paths: - 'maintainers/maintainer-list.nix' -permissions: - contents: read +permissions: {} jobs: nixos: @@ -15,7 +14,6 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge # Only these directories to perform the check sparse-checkout: | @@ -24,7 +22,6 @@ jobs: - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: - # explicitly enable sandbox extra_nix_config: sandbox = true - name: Check that maintainer-list.nix is sorted 
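Review bot: The security paragraph says PR nix code may be evaluated or built "with the sandbox enabled", but `sandbox = true` confines derivation builds only; evaluation of an untrusted expression runs inside the evaluator process, which can read its environment through `builtins.getEnv` and, unless evaluation is restricted, fetch arbitrary URLs via `builtins.fetchurl`/`fetchTarball`. The rule that follows should be stated outright: no step that evaluates PR code may carry `GITHUB_TOKEN` or any secret in its `env:`, and evaluation should use `--pure-eval` or `restrict-eval` where the check allows it. Suggested sentence after "with the **sandbox enabled**": "Note that the sandbox only covers builds; evaluation can read the evaluator's environment and, unless restricted, the network, so never expose tokens or secrets to a step that evaluates code from the pull request." It is also worth saying that `permissions: {}` scopes only the automatic token — repository `secrets.*` remain available to any `pull_request_target` run — so "never execute code from the pull request" is what actually protects them, not the permissions block.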
diff --git a/.github/workflows/check-nix-format.yml b/.github/workflows/check-nix-format.yml index b276b3575eed5..a70e132dc459a 100644 --- a/.github/workflows/check-nix-format.yml +++ b/.github/workflows/check-nix-format.yml @@ -8,11 +8,9 @@ name: Check that Nix files are formatted on: pull_request_target: - # See the comment at the same location in ./nixpkgs-vet.yml types: [opened, synchronize, reopened, edited] -permissions: - contents: read +permissions: {} jobs: get-merge-commit: @@ -26,7 +24,6 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - # pull_request_target checks out the base branch by default ref: ${{ needs.get-merge-commit.outputs.mergedSha }} # Fetches the merge commit and its parents fetch-depth: 2 @@ -49,7 +46,6 @@ jobs: - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: - # explicitly enable sandbox extra_nix_config: sandbox = true nix_path: nixpkgs=${{ env.url }} diff --git a/.github/workflows/check-nixf-tidy.yml b/.github/workflows/check-nixf-tidy.yml index 8907e003852f8..8b148ba33bc44 100644 --- a/.github/workflows/check-nixf-tidy.yml +++ b/.github/workflows/check-nixf-tidy.yml @@ -4,8 +4,7 @@ on: pull_request_target: types: [opened, synchronize, reopened, edited] -permissions: - contents: read +permissions: {} jobs: nixos: @@ -15,7 +14,6 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge # Fetches the merge commit and its parents fetch-depth: 2 @@ -38,7 +36,6 @@ jobs: - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: - # explicitly enable sandbox extra_nix_config: sandbox = true nix_path: nixpkgs=${{ env.url }} diff --git a/.github/workflows/check-shell.yml b/.github/workflows/check-shell.yml index 3a153860a09ce..e1f079619dc37 100644 
--- a/.github/workflows/check-shell.yml +++ b/.github/workflows/check-shell.yml @@ -25,7 +25,6 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 diff --git a/.github/workflows/codeowners-v2.yml b/.github/workflows/codeowners-v2.yml index ca68edeaab21b..8b5267b25c630 100644 --- a/.github/workflows/codeowners-v2.yml +++ b/.github/workflows/codeowners-v2.yml @@ -26,7 +26,6 @@ on: pull_request_target: types: [opened, ready_for_review, synchronize, reopened, edited] -# We don't need any default GitHub token permissions: {} env: diff --git a/.github/workflows/editorconfig-v2.yml b/.github/workflows/editorconfig-v2.yml index ecf0a075430e2..bd48be1650f1a 100644 --- a/.github/workflows/editorconfig-v2.yml +++ b/.github/workflows/editorconfig-v2.yml @@ -1,12 +1,9 @@ name: "Checking EditorConfig v2" on: - # avoids approving first time contributors pull_request_target: -permissions: - pull-requests: read - contents: read +permissions: {} jobs: get-merge-commit: @@ -33,7 +30,6 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - # pull_request_target checks out the base branch by default ref: ${{ needs.get-merge-commit.outputs.mergedSha }} - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 diff --git a/.github/workflows/eval-lib-tests.yml b/.github/workflows/eval-lib-tests.yml index 03efa973ef8c8..065fe8fdb282c 100644 --- a/.github/workflows/eval-lib-tests.yml +++ b/.github/workflows/eval-lib-tests.yml @@ -5,8 +5,7 @@ on: paths: - 'lib/**' -permissions: - contents: read +permissions: {} jobs: get-merge-commit: 
@@ -20,12 +19,10 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          # pull_request_target checks out the base branch by default
           ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
 
       - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
-          # explicitly enable sandbox
           extra_nix_config: sandbox = true
 
       - name: Building Nixpkgs lib-tests
diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml
index 2fe51f449d683..273b2e2a05215 100644
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@@ -12,8 +12,7 @@ on:
       - haskell-updates
       - python-updates
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   get-merge-commit:
@@ -23,7 +22,6 @@ jobs:
     name: Attributes
     runs-on: ubuntu-24.04
     needs: get-merge-commit
-    # Skip this and dependent steps if the PR can't be merged
     if: needs.get-merge-commit.outputs.mergedSha
     outputs:
       targetSha: ${{ steps.targetSha.outputs.targetSha }}
@@ -45,6 +43,8 @@ jobs:
 
       - name: Install Nix
         uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          extra_nix_config: sandbox = true
 
       - name: Evaluate the list of all attributes and get the systems matrix
         id: systems
@@ -71,6 +71,8 @@ jobs:
 
       - name: Install Nix
         uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          extra_nix_config: sandbox = true
 
       - name: Query nixpkgs with aliases enabled to check for basic syntax errors
         run: |
@@ -106,6 +108,8 @@ jobs:
 
       - name: Install Nix
         uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          extra_nix_config: sandbox = true
 
       - name: Evaluate the ${{ matrix.system }} output paths for all derivation attributes
         env:
@@ -145,6 +149,8 @@ jobs:
 
       - name: Install Nix
         uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          extra_nix_config: sandbox = true
 
       - name: Combine all output paths and eval stats
         run: |
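Review bot: The `with:` / `extra_nix_config: sandbox = true` added under `Install Nix` in the `@@ -45,6 +43,8 @@` hunk of eval.yml, in the three hunks after it and in nix-parse-v2.yml carries no rationale, while the same commit deletes the `# explicitly enable sandbox` comment from the existing sites in check-nix-format.yml, check-nixf-tidy.yml, eval-lib-tests.yml, manual-nixos-v2.yml and manual-nixpkgs-v2.yml; the enclosing jobs start and end outside these hunks, so nothing nearby explains the setting either. Sandboxing is the control that contains whatever these pull_request_target jobs end up building from PR-controlled code, so a short why-comment at one site per file is worth keeping, e.g. `# builds triggered from PR code must stay sandboxed`. I cannot tell from the diff what install-nix-action defaults to on these runners; if the setting is redundant on Linux, the comment is also the place to say it is set deliberately rather than left to the installer.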
diff --git a/.github/workflows/get-merge-commit.yml b/.github/workflows/get-merge-commit.yml
index 827c86316b8b5..a32595ae1ad44 100644
--- a/.github/workflows/get-merge-commit.yml
+++ b/.github/workflows/get-merge-commit.yml
@@ -7,7 +7,6 @@ on:
         description: "The merge commit SHA"
         value: ${{ jobs.resolve-merge-commit.outputs.mergedSha }}
 
-# We need a token to query the API, but it doesn't need any special permissions
 permissions: {}
 
 jobs:
diff --git a/.github/workflows/manual-nixos-v2.yml b/.github/workflows/manual-nixos-v2.yml
index e022f27ac693e..c83d53e8a51aa 100644
--- a/.github/workflows/manual-nixos-v2.yml
+++ b/.github/workflows/manual-nixos-v2.yml
@@ -7,8 +7,7 @@ on:
     paths:
       - 'nixos/**'
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   nixos:
@@ -17,12 +16,10 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
 
       - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
-          # explicitly enable sandbox
           extra_nix_config: sandbox = true
 
       - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
diff --git a/.github/workflows/manual-nixpkgs-v2.yml b/.github/workflows/manual-nixpkgs-v2.yml
index cdbafd63054b2..2eb84dfd327e1 100644
--- a/.github/workflows/manual-nixpkgs-v2.yml
+++ b/.github/workflows/manual-nixpkgs-v2.yml
@@ -9,8 +9,7 @@ on:
       - 'lib/**'
       - 'pkgs/tools/nix/nixdoc/**'
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   nixpkgs:
@@ -19,12 +18,10 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
 
       - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
-          # explicitly enable sandbox
           extra_nix_config: sandbox = true
 
       - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
diff --git a/.github/workflows/nix-parse-v2.yml b/.github/workflows/nix-parse-v2.yml
index 71d5a29af7769..2f8e97d3a8a0e 100644
--- a/.github/workflows/nix-parse-v2.yml
+++ b/.github/workflows/nix-parse-v2.yml
@@ -1,12 +1,9 @@
 name: "Check whether nix files are parseable v2"
 
 on:
-  # avoids approving first time contributors
   pull_request_target:
 
-permissions:
-  pull-requests: read
-  contents: read
+permissions: {}
 
 jobs:
   get-merge-commit:
@@ -32,12 +29,12 @@ jobs:
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          # pull_request_target checks out the base branch by default
           ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
         if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
 
       - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
+          extra_nix_config: sandbox = true
           nix_path: nixpkgs=channel:nixpkgs-unstable
 
       - name: Parse all changed or added nix files
diff --git a/.github/workflows/nixpkgs-vet.yml b/.github/workflows/nixpkgs-vet.yml
index 70ab6da49a489..0b2f4e1c96d36 100644
--- a/.github/workflows/nixpkgs-vet.yml
+++ b/.github/workflows/nixpkgs-vet.yml
@@ -6,7 +6,6 @@ name: Vet nixpkgs
 
 
 on:
-  # Using pull_request_target instead of pull_request avoids having to approve first time contributors.
   pull_request_target:
     # This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
     # Instead it causes an `edited` event, so we need to add it explicitly here.
@@ -34,7 +33,6 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          # pull_request_target checks out the base branch by default
           ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
           # Fetches the merge commit and its parents
           fetch-depth: 2