Add refStatuses CEL variable

.github/workflows/ref-statuses.yaml

@@ -0,0 +1,36 @@
+name: Check that ref statuses are up to date
+
+on:
+  schedule:
+    - cron: "0 0 * * *" # Daily
+
+jobs:
+  check-ref-statuses:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: DeterminateSystems/nix-installer-action@main
+
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Check ref statuses
+        run: |
+          nix develop --command cargo run --features ref-statuses -- --check-ref-statuses
+
+      - name: Update ref-statuses.json
+        if: failure()
+        run: |
+          ref_statuses_json=$(nix develop --command cargo run --features ref-statuses -- --get-ref-statuses | jq --sort-keys .)
+          echo "${ref_statuses_json}" > ref-statuses.json
+
+      - name: Create pull request
+        if: failure()
+        uses: peter-evans/create-pull-request@v6
+        with:
+          commit-message: Update ref-statuses.json to new valid Git refs list
+          title: Update ref-statuses.json
+          body: |
+            Nixpkgs has changed its list of maintained references. This PR updates `ref-statuses.json` to reflect that change.
+          branch: updated-ref-statuses
+          base: main

Cargo.toml

@@ -38,4 +38,4 @@ thiserror = { workspace = true }
 
 [features]
 default = []
-allowed-refs = []
+ref-statuses = []

README.md

@@ -72,6 +72,7 @@ Variable | Description
 `numDaysOld` | The number of days old the input is.
 `owner` | The input's owner (if a GitHub input).
 `supportedRefs` | A list of [supported Git refs](#supported-branches) (all are branch names).
+`refStatuses` | A map. Each key is a branch name. Each value is a branch status (`"rolling"`, `"beta"`, `"stable"`, `"deprecated"` or `"unmaintained"`).
 
 We recommend a condition *at least* this stringent:
 

flake.nix

@@ -91,10 +91,10 @@
               runtimeInputs = with pkgs; [ rustToolchain ];
               text = "cargo fmt --check";
             };
-            get-allowed-refs = pkgs.writeShellApplication {
-              name = "get-allowed-refs";
+            get-ref-statuses = pkgs.writeShellApplication {
+              name = "get-ref-statuses";
               runtimeInputs = with pkgs; [ rustToolchain ];
-              text = "cargo run --features allowed-refs -- --get-allowed-refs";
+              text = "cargo run --features ref-statuses -- --get-ref-statuses";
             };
           in
           pkgs.mkShell {
@@ -117,7 +117,7 @@
               check-rustfmt
 
               # Scripts
-              get-allowed-refs
+              get-ref-statuses
             ]) ++ pkgs.lib.optionals pkgs.stdenv.isDarwin (with pkgs.darwin.apple_sdk.frameworks; [ Security SystemConfiguration ]);
 
             env = {

ref-statuses.json

@@ -0,0 +1,11 @@
+{
+  "nixos-24.05": "unmaintained",
+  "nixos-24.05-small": "unmaintained",
+  "nixos-24.11": "stable",
+  "nixos-24.11-small": "stable",
+  "nixos-unstable": "rolling",
+  "nixos-unstable-small": "rolling",
+  "nixpkgs-24.05-darwin": "unmaintained",
+  "nixpkgs-24.11-darwin": "stable",
+  "nixpkgs-unstable": "rolling"
+}

src/condition.rs

@@ -1,6 +1,8 @@
 use cel_interpreter::{Context, Program, Value};
 use parse_flake_lock::{FlakeLock, Node};
 
+use std::collections::HashMap;
+
 use crate::{
     error::FlakeCheckerError,
     flake::{nixpkgs_deps, num_days_old},
@@ -10,16 +12,19 @@ use crate::{
 const KEY_GIT_REF: &str = "gitRef";
 const KEY_NUM_DAYS_OLD: &str = "numDaysOld";
 const KEY_OWNER: &str = "owner";
+const KEY_REF_STATUSES: &str = "refStatuses";
 const KEY_SUPPORTED_REFS: &str = "supportedRefs";
 
 pub(super) fn evaluate_condition(
     flake_lock: &FlakeLock,
     nixpkgs_keys: &[String],
     condition: &str,
+    ref_statuses: HashMap<String, String>,
     supported_refs: Vec<String>,
 ) -> Result<Vec<Issue>, FlakeCheckerError> {
     let mut issues: Vec<Issue> = vec![];
     let mut ctx = Context::default();
+    ctx.add_variable_from_value(KEY_REF_STATUSES, ref_statuses);
     ctx.add_variable_from_value(KEY_SUPPORTED_REFS, supported_refs);
 
     let deps = nixpkgs_deps(flake_lock, nixpkgs_keys)?;

src/flake.rs

@@ -144,13 +144,14 @@ pub(super) fn num_days_old(timestamp: i64) -> i64 {
 
 #[cfg(test)]
 mod test {
+    use std::collections::HashMap;
     use std::path::PathBuf;
 
     use crate::{
         check_flake_lock,
         condition::evaluate_condition,
         issue::{Disallowed, Issue, IssueKind, NonUpstream},
-        FlakeCheckConfig, FlakeLock,
+        supported_refs, FlakeCheckConfig, FlakeLock,
     };
 
     #[test]
@@ -170,8 +171,9 @@ mod test {
             ),
         ];
 
-        let supported_refs: Vec<String> =
-            serde_json::from_str(include_str!("../allowed-refs.json")).unwrap();
+        let ref_statuses: HashMap<String, String> =
+            serde_json::from_str(include_str!("../ref-statuses.json")).unwrap();
+        let supported_refs = supported_refs(ref_statuses.clone());
         let path = PathBuf::from("tests/flake.cel.0.lock");
 
         for (condition, expected) in cases {
@@ -185,6 +187,7 @@ mod test {
                 &flake_lock,
                 &config.nixpkgs_keys,
                 condition,
+                ref_statuses.clone(),
                 supported_refs.clone(),
             );
 
@@ -201,8 +204,9 @@ mod test {
 
     #[test]
     fn clean_flake_locks() {
-        let allowed_refs: Vec<String> =
-            serde_json::from_str(include_str!("../allowed-refs.json")).unwrap();
+        let ref_statuses: HashMap<String, String> =
+            serde_json::from_str(include_str!("../ref-statuses.json")).unwrap();
+        let allowed_refs = supported_refs(ref_statuses);
         for n in 0..=7 {
             let path = PathBuf::from(format!("tests/flake.clean.{n}.lock"));
             let flake_lock = FlakeLock::new(&path).unwrap();
@@ -221,8 +225,9 @@ mod test {
 
     #[test]
     fn dirty_flake_locks() {
-        let allowed_refs: Vec<String> =
-            serde_json::from_str(include_str!("../allowed-refs.json")).unwrap();
+        let ref_statuses: HashMap<String, String> =
+            serde_json::from_str(include_str!("../ref-statuses.json")).unwrap();
+        let allowed_refs = supported_refs(ref_statuses);
         let cases: Vec<(&str, Vec<Issue>)> = vec![
             (
                 "flake.dirty.0.lock",
@@ -275,8 +280,9 @@ mod test {
 
     #[test]
     fn explicit_nixpkgs_keys() {
-        let allowed_refs: Vec<String> =
-            serde_json::from_str(include_str!("../allowed-refs.json")).unwrap();
+        let ref_statuses: HashMap<String, String> =
+            serde_json::from_str(include_str!("../ref-statuses.json")).unwrap();
+        let allowed_refs = supported_refs(ref_statuses);
         let cases: Vec<(&str, Vec<String>, Vec<Issue>)> = vec![(
             "flake.explicit-keys.0.lock",
             vec![String::from("nixpkgs"), String::from("nixpkgs-alt")],
@@ -303,8 +309,9 @@ mod test {
 
     #[test]
     fn missing_nixpkgs_keys() {
-        let allowed_refs: Vec<String> =
-            serde_json::from_str(include_str!("../allowed-refs.json")).unwrap();
+        let ref_statuses: HashMap<String, String> =
+            serde_json::from_str(include_str!("../ref-statuses.json")).unwrap();
+        let allowed_refs = supported_refs(ref_statuses);
         let cases: Vec<(&str, Vec<String>, String)> = vec![(
             "flake.clean.0.lock",
             vec![String::from("nixpkgs"), String::from("foo"), String::from("bar")],