1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-09 17:46:29 +09:00

workflows: checkout nixpkgs in get-merge-commit action

This makes checking out the nixpkgs repo even more consistent and almost
forces us to use the trusted/untrusted path pattern.
This commit is contained in:
Wolfgang Walther 2025-05-24 16:13:22 +02:00
parent 942c377476
commit 0e1c284b13
No known key found for this signature in database
GPG key ID: B39893FA5F65CAE1
10 changed files with 48 additions and 74 deletions

View file

@ -1,19 +1,27 @@
name: Get merge commit
description: 'Checks whether the Pull Request is mergeable and returns two commit hashes: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.'
description: 'Checks whether the Pull Request is mergeable and checks out the repo at up to two commits: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.'
inputs:
merged-as-untrusted:
description: "Whether to checkout the merge commit in the ./untrusted folder."
type: boolean
target-as-trusted:
description: "Whether to checkout the target commit in the ./trusted folder."
type: boolean
outputs:
mergedSha:
description: "The merge commit SHA"
value: ${{ steps.merged.outputs.mergedSha }}
value: ${{ steps.commits.outputs.mergedSha }}
targetSha:
description: "The target commit SHA"
value: ${{ steps.merged.outputs.targetSha }}
value: ${{ steps.commits.outputs.targetSha }}
runs:
using: composite
steps:
- id: merged
- id: commits
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
@ -63,3 +71,18 @@ runs:
return
}
throw new Error("Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com.")
# Would be great to do the checkouts in git worktrees of the existing spare checkout instead,
# but Nix is broken with them:
# https://github.com/NixOS/nix/issues/6073
- if: inputs.merged-as-untrusted && steps.commits.outputs.mergedSha
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.commits.outputs.mergedSha }}
path: untrusted
- if: inputs.target-as-trusted && steps.commits.outputs.targetSha
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.commits.outputs.targetSha }}
path: trusted

View file

@ -16,14 +16,10 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and get the test merge commit
- name: Check if the PR can be merged and checkout the merge commit
uses: ./.github/actions/get-merge-commit
id: get-merge-commit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
path: untrusted
merged-as-untrusted: true
- uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
with:

View file

@ -33,14 +33,10 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and get the test merge commit
- name: Check if the PR can be merged and checkout the merge commit
uses: ./.github/actions/get-merge-commit
id: get-merge-commit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
path: untrusted
merged-as-untrusted: true
- uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

View file

@ -46,9 +46,11 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and get the test merge commit
- name: Check if the PR can be merged and checkout the merge and target commits
uses: ./.github/actions/get-merge-commit
id: get-merge-commit
with:
merged-as-untrusted: true
target-as-trusted: true
- uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
@ -58,14 +60,6 @@ jobs:
name: nixpkgs-ci
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
# We later build and run code from the base branch with access to secrets,
# so it's important this is not the PRs code.
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.get-merge-commit.outputs.targetSha }}
path: trusted
- name: Build codeowners validator
run: nix-build trusted/ci -A codeownersValidator
@ -78,11 +72,6 @@ jobs:
permission-administration: read
permission-members: read
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
path: untrusted
- name: Validate codeowners
if: steps.app-token.outputs.token
env:

View file

@ -16,15 +16,10 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and get the test merge commit
- name: Check if the PR can be merged and checkout the merge commit
uses: ./.github/actions/get-merge-commit
id: get-merge-commit
- name: Check out the PR at the test merge commit
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
path: untrusted
merged-as-untrusted: true
- name: Install Nix
uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

View file

@ -19,14 +19,10 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and get the test merge commit
- name: Check if the PR can be merged and checkout the merge commit
uses: ./.github/actions/get-merge-commit
id: get-merge-commit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
path: untrusted
merged-as-untrusted: true
- uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
with:

View file

@ -35,14 +35,10 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and get the test merge commit
- name: Check if the PR can be merged and checkout the merge commit
uses: ./.github/actions/get-merge-commit
id: get-merge-commit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
path: untrusted
merged-as-untrusted: true
- uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
with:

View file

@ -22,14 +22,10 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and get the test merge commit
- name: Check if the PR can be merged and checkout the merge commit
uses: ./.github/actions/get-merge-commit
id: get-merge-commit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
path: untrusted
merged-as-untrusted: true
- uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
with:

View file

@ -17,14 +17,10 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and get the test merge commit
- name: Check if the PR can be merged and checkout the merge commit
uses: ./.github/actions/get-merge-commit
id: get-merge-commit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
path: untrusted
merged-as-untrusted: true
- uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
with:

View file

@ -26,20 +26,11 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and get the test merge commit
- name: Check if the PR can be merged and checkout merged and target commits
uses: ./.github/actions/get-merge-commit
id: get-merge-commit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
# Fetches the merge commit and its parents
fetch-depth: 2
path: untrusted
- name: Checking out target branch
run: |
git -C untrusted worktree add ../trusted ${{ steps.get-merge-commit.outputs.targetSha }}
merged-as-untrusted: true
target-as-trusted: true
- uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31