diff --git a/.github/workflows/README.md b/.github/workflows/README.md new file mode 100644 index 0000000000000..7089501d5e405 --- /dev/null +++ b/.github/workflows/README.md 
@@ -0,0 +1,20 @@ +# GitHub Actions Workflows + +Some architectural notes about key decisions and concepts in our workflows: + +- Instead of `pull_request` we use [`pull_request_target`](https://docs.github.com/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) for all PR-related workflows. This has the advantage that those workflows will run without prior approval for external contributors. + +- Running on `pull_request_target` also optionally provides us with a GH_TOKEN with elevated privileges (write access), which we need to do things like adding labels, requesting reviewers or pushing branches. **Note about security:** We need to be careful to limit the scope of elevated privileges as much as possible. Thus they should be lowered to the minimum with `permissions: {}` in every workflow by default. + +- By definition `pull_request_target` runs in the context of the **base** of the pull request. This means, that the workflow files to run will be taken from the base branch, not the PR, and actions/checkout will not checkout the PR, but the base branch, by default. To protect our secrets, we need to make sure to **never execute code** from the pull request and always evaluate or build nix code from the pull request with the **sandbox enabled**. + +- To test the pull request's contents, we checkout the "test merge commit". This is a temporary commit that GitHub creates automatically as "what would happen, if this PR was merged into the base branch now?". The checkout could be done via the virtual branch `refs/pull//merge`, but doing so would cause failures when this virtual branch doesn't exist (anymore). This can happen when the PR has conflicts, in which case the virtual branch is not created, or when the PR is getting merged while workflows are still running, in which case the branch won't exist anymore at the time of checkout. 
Thus, we use the `get-merge-commit.yml` workflow to check whether the PR is mergeable and the test merge commit exists and only then run the relevant jobs. + +- Various workflows need to make comparisons against the base branch. In this case, we checkout the parent of the "test merge commit" for best results. Note, that this is not necessarily the same as the default commit that actions/checkout would use, which is also a commit from the base branch (see above), but might be older. + +## Terminology + +- **base commit**: The pull_request_target event's context commit, i.e. the base commit given by GitHub Actions. Same as `github.event.pull_request.base.sha`. +- **head commit**: The HEAD commit in the pull request's branch. Same as `github.event.pull_request.head.sha`. +- **merge commit**: The temporary "test merge commit" that GitHub Actions creates and updates for the pull request. Same as `refs/pull/${{ github.event.pull_request.number }}/merge`. +- **target commit**: The base branch's parent of the "test merge commit" to compare against. diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 42283f3ab40ce..bae29bc9428bc 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -1,13 +1,14 @@ -name: Backport -on: - pull_request_target: - types: [closed, labeled] - # WARNING: # When extending this action, be aware that $GITHUB_TOKEN allows write access to # the GitHub repository. This means that it should not evaluate user input in a # way that allows code injection. +name: Backport + +on: + pull_request_target: + types: [closed, labeled] + permissions: {} jobs: 
@@ -23,10 +24,12 @@ jobs: with: app-id: ${{ vars.BACKPORT_APP_ID }} private-key: ${{ secrets.BACKPORT_PRIVATE_KEY }} + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} token: ${{ steps.app-token.outputs.token }} + - name: Create backport PRs uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0 with: diff --git a/.github/workflows/base-branch-changed.yaml b/.github/workflows/base-branch-changed.yaml new file mode 100644 index 0000000000000..f1fed9426836a --- /dev/null +++ b/.github/workflows/base-branch-changed.yaml @@ -0,0 +1,16 @@ +name: "Base Branch Changed" + +on: + pull_request_target: + # Some workflows depend on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`. + # Instead it causes an `edited` event. + # Since `edited` is also triggered when PR title/body is changed, we use this wrapper workflow, to run the other workflows conditionally only. + # There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058 + types: [edited] + +permissions: {} + +jobs: + nixpkgs-vet: + if: github.event.changes.base.ref.from && github.event.changes.base.ref.from != github.event.pull_request.base.ref + uses: ./.github/workflows/nixpkgs-vet.yml diff --git a/.github/workflows/basic-eval.yml b/.github/workflows/basic-eval.yml deleted file mode 100644 index 8698d5fff392e..0000000000000 --- a/.github/workflows/basic-eval.yml +++ /dev/null 
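Review bot: The new file is named `base-branch-changed.yaml` while this same commit renames `check-maintainers-sorted.yaml` to `.yml` for consistency; naming it `base-branch-changed.yml` would keep the workflows directory uniform. The job condition's second clause looks redundant: when `github.event.changes.base.ref.from` is set the base was changed, so it cannot equal the new `github.event.pull_request.base.ref`, and `if: github.event.changes.base.ref.from` alone expresses the intent (or keep the comparison and add a comment saying why both are checked). This assumes `nixpkgs-vet.yml` declares a `workflow_call` trigger, which the diff does not show; with the caller's `permissions: {}` the called workflow also receives no token permissions, so confirm it needs none.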
@@ -1,31 +0,0 @@ -name: Basic evaluation checks - -on: - workflow_dispatch - # pull_request: - # branches: - # - master - # - release-** - # push: - # branches: - # - master - # - release-** -permissions: - contents: read - -jobs: - tests: - name: basic-eval-checks - runs-on: ubuntu-24.04 - # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 - with: - # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. - name: nixpkgs-ci - signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' - - run: nix --experimental-features 'nix-command flakes' flake check --all-systems --no-build - # explicit list of supportedSystems is needed until aarch64-darwin becomes part of the trunk jobset - - run: nix-build pkgs/top-level/release.nix -A release-checks --arg supportedSystems '[ "aarch64-darwin" "aarch64-linux" "x86_64-linux" "x86_64-darwin" ]' diff --git a/.github/workflows/check-cherry-picks.yml b/.github/workflows/check-cherry-picks.yml index 71b3bff044c79..1759aa5833b24 100644 --- a/.github/workflows/check-cherry-picks.yml +++ b/.github/workflows/check-cherry-picks.yml @@ -1,10 +1,11 @@ name: "Check cherry-picks" + on: pull_request_target: branches: - - 'release-**' - - 'staging-**' - - '!staging-next' + - 'release-**' + - 'staging-**' + - '!staging-next' permissions: {} 
@@ -14,13 +15,14 @@ jobs: runs-on: ubuntu-24.04 if: github.repository_owner == 'NixOS' steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - fetch-depth: 0 - filter: blob:none - - name: Check cherry-picks - env: - BASE_SHA: ${{ github.event.pull_request.base.sha }} - HEAD_SHA: ${{ github.event.pull_request.head.sha }} - run: | - ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA" + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + filter: blob:none + + - name: Check cherry-picks + env: + BASE_SHA: ${{ github.event.pull_request.base.sha }} + HEAD_SHA: ${{ github.event.pull_request.head.sha }} + run: | + ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA" diff --git a/.github/workflows/check-maintainers-sorted.yaml b/.github/workflows/check-maintainers-sorted.yml similarity index 81% rename from .github/workflows/check-maintainers-sorted.yaml rename to .github/workflows/check-maintainers-sorted.yml index 21247e20cb9b3..07cd525e85428 100644 --- a/.github/workflows/check-maintainers-sorted.yaml +++ b/.github/workflows/check-maintainers-sorted.yml @@ -4,26 +4,25 @@ on: pull_request_target: paths: - 'maintainers/maintainer-list.nix' -permissions: - contents: read + +permissions: {} jobs: nixos: name: maintainer-list-check runs-on: ubuntu-24.04 - if: github.repository_owner == 'NixOS' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge # Only these directories to perform the check sparse-checkout: | lib maintainers + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: - # explicitly enable sandbox extra_nix_config: sandbox = true + - name: Check that maintainer-list.nix is sorted run: nix-instantiate --eval maintainers/scripts/check-maintainers-sorted.nix 
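Review bot: The checkout still uses `ref: refs/pull/${{ github.event.pull_request.number }}/merge` directly, while the README added in this commit states that this ref is unreliable (absent for conflicting PRs, gone once the PR is merged) and that `get-merge-commit.yml` should gate the job instead; the same pattern remains in check-nixf-tidy.yml (`@@ -14,17 +14,18 @@`) and check-shell.yml. Routing these through a `get-merge-commit` job and `ref: ${{ needs.get-merge-commit.outputs.mergedSha }}`, as check-nix-format.yml and eval-lib-tests.yml already do, would match the documented decision and avoid spurious failures. If that is intentionally deferred, a short comment on the `ref:` line naming the known failure mode would help readers who have just read the README.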
diff --git a/.github/workflows/check-nix-format.yml b/.github/workflows/check-nix-format.yml index d0b8c84c031dd..a70e132dc459a 100644 --- a/.github/workflows/check-nix-format.yml +++ b/.github/workflows/check-nix-format.yml @@ -3,14 +3,14 @@ # https://github.com/NixOS/rfcs/pull/166. # Because of this, this action is not yet enabled for all files -- only for # those who have opted in. + name: Check that Nix files are formatted on: pull_request_target: - # See the comment at the same location in ./nixpkgs-vet.yml types: [opened, synchronize, reopened, edited] -permissions: - contents: read + +permissions: {} jobs: get-merge-commit: @@ -24,17 +24,18 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - # pull_request_target checks out the base branch by default ref: ${{ needs.get-merge-commit.outputs.mergedSha }} # Fetches the merge commit and its parents fetch-depth: 2 - - name: Checking out base branch + + - name: Checking out target branch run: | - base=$(mktemp -d) - baseRev=$(git rev-parse HEAD^1) - git worktree add "$base" "$baseRev" - echo "baseRev=$baseRev" >> "$GITHUB_ENV" - echo "base=$base" >> "$GITHUB_ENV" + target=$(mktemp -d) + targetRev=$(git rev-parse HEAD^1) + git worktree add "$target" "$targetRev" + echo "targetRev=$targetRev" >> "$GITHUB_ENV" + echo "target=$target" >> "$GITHUB_ENV" + - name: Get Nixpkgs revision for nixfmt run: | # pin to a commit from nixpkgs-unstable to avoid e.g. building nixfmt 
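Review bot: The renamed step `Checking out target branch` adds a worktree for a single commit (`git rev-parse HEAD^1`), which the README's terminology section calls the "target commit"; `- name: Checking out target commit` would match that vocabulary, and the same rename applies to the corresponding step in check-nixf-tidy.yml. Minor, but since the README was introduced precisely to fix this naming, the step names are the first place readers will look for it.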
@@ -42,13 +43,15 @@ jobs: # This should not be a URL, because it would allow PRs to run arbitrary code in CI! rev=$(jq -r .rev ci/pinned-nixpkgs.json) echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV" + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: - # explicitly enable sandbox extra_nix_config: sandbox = true nix_path: nixpkgs=${{ env.url }} + - name: Install nixfmt run: "nix-env -f '' -iAP nixfmt-rfc-style" + - name: Check that Nix files are formatted according to the RFC style run: | unformattedFiles=() @@ -78,12 +81,12 @@ jobs: esac # Ignore files that weren't already formatted - if [[ -n "$source" ]] && ! nixfmt --check ${{ env.base }}/"$source" 2>/dev/null; then - echo "Ignoring file $file because it's not formatted in the base commit" + if [[ -n "$source" ]] && ! nixfmt --check ${{ env.target }}/"$source" 2>/dev/null; then + echo "Ignoring file $file because it's not formatted in the target commit" elif ! nixfmt --check "$dest"; then unformattedFiles+=("$dest") fi - done < <(git diff -z --name-status ${{ env.baseRev }} -- '*.nix') + done < <(git diff -z --name-status ${{ env.targetRev }} -- '*.nix') if (( "${#unformattedFiles[@]}" > 0 )); then echo "Some new/changed Nix files are not properly formatted" diff --git a/.github/workflows/check-nixf-tidy.yml b/.github/workflows/check-nixf-tidy.yml index e18964acb7f3b..8b148ba33bc44 100644 --- a/.github/workflows/check-nixf-tidy.yml +++ b/.github/workflows/check-nixf-tidy.yml @@ -3,8 +3,8 @@ name: Check changed Nix files with nixf-tidy (experimental) on: pull_request_target: types: [opened, synchronize, reopened, edited] -permissions: - contents: read + +permissions: {} jobs: nixos: 
@@ -14,17 +14,18 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge # Fetches the merge commit and its parents fetch-depth: 2 - - name: Checking out base branch + + - name: Checking out target branch run: | - base=$(mktemp -d) - baseRev=$(git rev-parse HEAD^1) - git worktree add "$base" "$baseRev" - echo "baseRev=$baseRev" >> "$GITHUB_ENV" - echo "base=$base" >> "$GITHUB_ENV" + target=$(mktemp -d) + targetRev=$(git rev-parse HEAD^1) + git worktree add "$target" "$targetRev" + echo "targetRev=$targetRev" >> "$GITHUB_ENV" + echo "target=$target" >> "$GITHUB_ENV" + - name: Get Nixpkgs revision for nixf run: | # pin to a commit from nixpkgs-unstable to avoid e.g. building nixf @@ -32,14 +33,16 @@ jobs: # This should not be a URL, because it would allow PRs to run arbitrary code in CI! rev=$(jq -r .rev ci/pinned-nixpkgs.json) echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV" + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: - # explicitly enable sandbox extra_nix_config: sandbox = true nix_path: nixpkgs=${{ env.url }} + - name: Install nixf and jq # provided jq is incompatible with our expression run: "nix-env -f '' -iAP nixf jq" + - name: Check that Nix files pass nixf-tidy run: | # Filtering error messages we don't like @@ -85,8 +88,8 @@ jobs: continue esac - if [[ -n "$source" ]] && [[ "$(nixf_wrapper ${{ env.base }}/"$source")" != '[]' ]] 2>/dev/null; then - echo "Ignoring file $file because it doesn't pass nixf-tidy in the base commit" + if [[ -n "$source" ]] && [[ "$(nixf_wrapper ${{ env.target }}/"$source")" != '[]' ]] 2>/dev/null; then + echo "Ignoring file $file because it doesn't pass nixf-tidy in the target commit" echo # insert blank line else nixf_report="$(nixf_wrapper "$dest")" 
@@ -113,7 +116,7 @@ jobs: failedFiles+=("$dest") fi fi - done < <(git diff -z --name-status ${{ env.baseRev }} -- '*.nix') + done < <(git diff -z --name-status ${{ env.targetRev }} -- '*.nix') if [[ -n "$DONT_REPORT_ERROR" ]]; then echo "Edited the PR but didn't change the base branch, only the description/title." diff --git a/.github/workflows/check-shell.yml b/.github/workflows/check-shell.yml index fda7db309e750..e1f079619dc37 100644 --- a/.github/workflows/check-shell.yml +++ b/.github/workflows/check-shell.yml @@ -9,26 +9,25 @@ on: permissions: {} jobs: - x86_64-linux: - name: shell-check-x86_64-linux - runs-on: ubuntu-24.04 - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - # pull_request_target checks out the base branch by default - ref: refs/pull/${{ github.event.pull_request.number }}/merge - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - - name: Build shell - run: nix-build shell.nix + shell-check: + strategy: + fail-fast: false + matrix: + include: + - runner: ubuntu-24.04 + system: x86_64-linux + - runner: macos-14 + system: aarch64-darwin + + name: shell-check-${{ matrix.system }} + runs-on: ${{ matrix.runner }} - aarch64-darwin: - name: shell-check-aarch64-darwin - runs-on: macos-14 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - name: Build shell run: nix-build shell.nix diff --git a/.github/workflows/codeowners-v2.yml b/.github/workflows/codeowners-v2.yml index b5f1f88d0c887..8b5267b25c630 100644 --- a/.github/workflows/codeowners-v2.yml +++ b/.github/workflows/codeowners-v2.yml 
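Review bot: `nix-build shell.nix` builds the pull request's own Nix code from the merge commit, yet the `install-nix-action` step in the new matrix job carries no `extra_nix_config: sandbox = true`, which this commit adds to every Install Nix step in eval.yml and which the README requires when building PR code. The omission matters more now that the matrix includes `macos-14`, where, as far as I know, Nix's sandbox is not enabled by default; add `with:` / `extra_nix_config: sandbox = true` under the install step so both runners build sandboxed.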
@@ -1,5 +1,3 @@ -name: Codeowners v2 - # This workflow depends on two GitHub Apps with the following permissions: # - For checking code owners: # - Permissions: @@ -22,11 +20,12 @@ name: Codeowners v2 # # Note that the latter is also used for ./eval.yml requesting reviewers. +name: Codeowners v2 + on: pull_request_target: types: [opened, ready_for_review, synchronize, reopened, edited] -# We don't need any default GitHub token permissions: {} env: 
@@ -45,67 +44,67 @@ jobs: needs: get-merge-commit if: needs.get-merge-commit.outputs.mergedSha steps: - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - - - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 - if: github.repository_owner == 'NixOS' - with: - # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. - name: nixpkgs-ci - authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - - # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself. - # We later build and run code from the base branch with access to secrets, - # so it's important this is not the PRs code. - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - path: base - - - name: Build codeowners validator - run: nix-build base/ci -A codeownersValidator - - - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1 - id: app-token - with: - app-id: ${{ vars.OWNER_RO_APP_ID }} - private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ needs.get-merge-commit.outputs.mergedSha }} - path: pr - - - name: Validate codeowners - run: result/bin/codeowners-validator - env: - OWNERS_FILE: pr/${{ env.OWNERS_FILE }} - GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} - REPOSITORY_PATH: pr - OWNER_CHECKER_REPOSITORY: ${{ github.repository }} - # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody - EXPERIMENTAL_CHECKS: "avoid-shadowing" + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + + - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 + if: github.repository_owner == 'NixOS' + with: + # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. 
+ name: nixpkgs-ci + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + + # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself. + # We later build and run code from the base branch with access to secrets, + # so it's important this is not the PRs code. + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + path: base + + - name: Build codeowners validator + run: nix-build base/ci -A codeownersValidator + + - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1 + id: app-token + with: + app-id: ${{ vars.OWNER_RO_APP_ID }} + private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + ref: ${{ needs.get-merge-commit.outputs.mergedSha }} + path: pr + + - name: Validate codeowners + run: result/bin/codeowners-validator + env: + OWNERS_FILE: pr/${{ env.OWNERS_FILE }} + GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} + REPOSITORY_PATH: pr + OWNER_CHECKER_REPOSITORY: ${{ github.repository }} + # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody + EXPERIMENTAL_CHECKS: "avoid-shadowing" # Request reviews from code owners request: name: Request runs-on: ubuntu-24.04 steps: - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. - # This is intentional, because we need to request the review of owners as declared in the base branch. - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. 
+ # This is intentional, because we need to request the review of owners as declared in the base branch. + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1 - id: app-token - with: - app-id: ${{ vars.OWNER_APP_ID }} - private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} + - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1 + id: app-token + with: + app-id: ${{ vars.OWNER_APP_ID }} + private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} - - name: Build review request package - run: nix-build ci -A requestReviews + - name: Build review request package + run: nix-build ci -A requestReviews - - name: Request reviews - run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE" - env: - GH_TOKEN: ${{ steps.app-token.outputs.token }} + - name: Request reviews + run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE" + env: + GH_TOKEN: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/editorconfig-v2.yml b/.github/workflows/editorconfig-v2.yml index 7c79cef1aae4c..bd48be1650f1a 100644 --- a/.github/workflows/editorconfig-v2.yml +++ b/.github/workflows/editorconfig-v2.yml @@ -1,14 +1,9 @@ name: "Checking EditorConfig v2" -permissions: - pull-requests: read - contents: read - on: - # avoids approving first time contributors pull_request_target: - branches-ignore: - - 'release-**' + +permissions: {} jobs: get-merge-commit: 
@@ -18,31 +13,35 @@ jobs: name: editorconfig-check runs-on: ubuntu-24.04 needs: get-merge-commit - if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')" + if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')" steps: - - name: Get list of changed files from PR - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - gh api \ - repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \ - | jq '.[] | select(.status != "removed") | .filename' \ - > "$HOME/changed_files" - - name: print list of changed files - run: | - cat "$HOME/changed_files" - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - # pull_request_target checks out the base branch by default - ref: ${{ needs.get-merge-commit.outputs.mergedSha }} - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - with: - # nixpkgs commit is pinned so that it doesn't break - # editorconfig-checker 2.4.0 - nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/c473cc8714710179df205b153f4e9fa007107ff9.tar.gz - - name: Checking EditorConfig - run: | - < "$HOME/changed_files" nix-shell -p editorconfig-checker --run 'xargs -r editorconfig-checker -disable-indent-size' - - if: ${{ failure() }} - run: | - echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again." 
+ - name: Get list of changed files from PR + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh api \ + repos/${{ github.repository }}/pulls/${{ github.event.number }}/files --paginate \ + | jq '.[] | select(.status != "removed") | .filename' \ + > "$HOME/changed_files" + + - name: print list of changed files + run: | + cat "$HOME/changed_files" + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + ref: ${{ needs.get-merge-commit.outputs.mergedSha }} + + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + with: + # nixpkgs commit is pinned so that it doesn't break + # editorconfig-checker 2.4.0 + nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/c473cc8714710179df205b153f4e9fa007107ff9.tar.gz + + - name: Checking EditorConfig + run: | + < "$HOME/changed_files" nix-shell -p editorconfig-checker --run 'xargs -r editorconfig-checker -disable-indent-size' + + - if: ${{ failure() }} + run: | + echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again." diff --git a/.github/workflows/eval-lib-tests.yml b/.github/workflows/eval-lib-tests.yml index 39fb99ae0ff9e..065fe8fdb282c 100644 --- a/.github/workflows/eval-lib-tests.yml +++ b/.github/workflows/eval-lib-tests.yml @@ -1,12 +1,12 @@ name: "Building Nixpkgs lib-tests" -permissions: - contents: read - on: pull_request_target: paths: - 'lib/**' + +permissions: {} + jobs: get-merge-commit: uses: ./.github/workflows/get-merge-commit.yml 
@@ -19,12 +19,12 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - # pull_request_target checks out the base branch by default ref: ${{ needs.get-merge-commit.outputs.mergedSha }} + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: - # explicitly enable sandbox extra_nix_config: sandbox = true + - name: Building Nixpkgs lib-tests run: | nix-build --arg pkgs "(import ./ci/. {}).pkgs" ./lib/tests/release.nix diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index 64969dc2b4264..28a93773f5f0a 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml @@ -12,8 +12,7 @@ on: - haskell-updates - python-updates -permissions: - contents: read +permissions: {} jobs: get-merge-commit: @@ -23,10 +22,9 @@ jobs: name: Attributes runs-on: ubuntu-24.04 needs: get-merge-commit - # Skip this and dependent steps if the PR can't be merged if: needs.get-merge-commit.outputs.mergedSha outputs: - baseSha: ${{ steps.baseSha.outputs.baseSha }} + targetSha: ${{ steps.targetSha.outputs.targetSha }} systems: ${{ steps.systems.outputs.systems }} steps: - name: Check out the PR at the test merge commit @@ -36,15 +34,17 @@ jobs: fetch-depth: 2 path: nixpkgs - - name: Determine base commit + - name: Determine target commit if: github.event_name == 'pull_request_target' - id: baseSha + id: targetSha run: | - baseSha=$(git -C nixpkgs rev-parse HEAD^1) - echo "baseSha=$baseSha" >> "$GITHUB_OUTPUT" + targetSha=$(git -C nixpkgs rev-parse HEAD^1) + echo "targetSha=$targetSha" >> "$GITHUB_OUTPUT" - name: Install Nix uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + with: + extra_nix_config: sandbox = true - name: Evaluate the list of all attributes and get the systems matrix id: systems 
@@ -61,7 +61,7 @@ jobs: eval-aliases: name: Eval nixpkgs with aliases enabled runs-on: ubuntu-24.04 - needs: [ attrs, get-merge-commit ] + needs: [ get-merge-commit ] steps: - name: Check out the PR at the test merge commit uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -71,6 +71,8 @@ jobs: - name: Install Nix uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + with: + extra_nix_config: sandbox = true - name: Query nixpkgs with aliases enabled to check for basic syntax errors run: | @@ -106,6 +108,8 @@ jobs: - name: Install Nix uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + with: + extra_nix_config: sandbox = true - name: Evaluate the ${{ matrix.system }} output paths for all derivation attributes env: @@ -128,7 +132,7 @@ jobs: runs-on: ubuntu-24.04 needs: [ outpaths, attrs, get-merge-commit ] outputs: - baseRunId: ${{ steps.baseRunId.outputs.baseRunId }} + targetRunId: ${{ steps.targetRunId.outputs.targetRunId }} steps: - name: Download output paths and eval stats for all systems uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 @@ -145,6 +149,8 @@ jobs: - name: Install Nix uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + with: + extra_nix_config: sandbox = true - name: Combine all output paths and eval stats run: | @@ -158,11 +164,11 @@ jobs: name: result path: prResult/* - - name: Get base run id - if: needs.attrs.outputs.baseSha - id: baseRunId + - name: Get target run id + if: needs.attrs.outputs.targetSha + id: targetRunId run: | - # Get the latest eval.yml workflow run for the PR's base commit + # Get the latest eval.yml workflow run for the PR's target commit if ! run=$(gh api --method GET /repos/"$REPOSITORY"/actions/workflows/eval.yml/runs \ -f head_sha="$BASE_SHA" -f event=push \ --jq '.workflow_runs | sort_by(.run_started_at) | .[-1]') \ 
@@ -185,30 +191,30 @@ jobs: exit 0 fi - echo "baseRunId=$runId" >> "$GITHUB_OUTPUT" + echo "targetRunId=$runId" >> "$GITHUB_OUTPUT" env: REPOSITORY: ${{ github.repository }} - BASE_SHA: ${{ needs.attrs.outputs.baseSha }} + BASE_SHA: ${{ needs.attrs.outputs.targetSha }} GH_TOKEN: ${{ github.token }} - uses: actions/download-artifact@v4 - if: steps.baseRunId.outputs.baseRunId + if: steps.targetRunId.outputs.targetRunId with: name: result - path: baseResult + path: targetResult github-token: ${{ github.token }} - run-id: ${{ steps.baseRunId.outputs.baseRunId }} + run-id: ${{ steps.targetRunId.outputs.targetRunId }} - - name: Compare against the base branch - if: steps.baseRunId.outputs.baseRunId + - name: Compare against the target branch + if: steps.targetRunId.outputs.targetRunId run: | - git -C nixpkgs worktree add ../base ${{ needs.attrs.outputs.baseSha }} - git -C nixpkgs diff --name-only ${{ needs.attrs.outputs.baseSha }} ${{ needs.attrs.outputs.mergedSha }} \ + git -C nixpkgs worktree add ../target ${{ needs.attrs.outputs.targetSha }} + git -C nixpkgs diff --name-only ${{ needs.attrs.outputs.targetSha }} \ | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json - # Use the base branch to get accurate maintainer info - nix-build base/ci -A eval.compare \ - --arg beforeResultDir ./baseResult \ + # Use the target branch to get accurate maintainer info + nix-build target/ci -A eval.compare \ + --arg beforeResultDir ./targetResult \ --arg afterResultDir ./prResult \ --arg touchedFilesJson ./touched-files.json \ -o comparison @@ -216,7 +222,7 @@ jobs: cat comparison/step-summary.md >> "$GITHUB_STEP_SUMMARY" - name: Upload the combined results - if: steps.baseRunId.outputs.baseRunId + if: steps.targetRunId.outputs.targetRunId uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: comparison 
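Review bot: In the `Get target run id` step the value `needs.attrs.outputs.targetSha` is still exported as `BASE_SHA`, so after the rename the env name contradicts the README's terminology and the step's own comment; `TARGET_SHA: ${{ needs.attrs.outputs.targetSha }}` with `-f head_sha="$TARGET_SHA"` keeps the two consistent. The `Compare against the target branch` step instead interpolates the same SHA twice directly into the script via `${{ needs.attrs.outputs.targetSha }}`; passing it through `env:` as the previous step does is the more uniform style. Also note that dropping the second argument to `git diff --name-only` now compares the target commit against the working tree rather than an explicit commit, which is fine only if the `nixpkgs` checkout in this job (done outside the hunk) is clean and at the merge commit.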
@@ -226,8 +232,8 @@ jobs: tag: name: Tag runs-on: ubuntu-24.04 - needs: [ attrs, process ] - if: needs.process.outputs.baseRunId + needs: [ process ] + if: needs.process.outputs.targetRunId permissions: pull-requests: write statuses: write @@ -249,12 +255,12 @@ jobs: - name: Install Nix uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - # Important: This workflow job runs with extra permissions, - # so we need to make sure to not run untrusted code from PRs + # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. + # This is intentional, because this job runs with extra permissions, + # so we need to make sure to not run untrusted code from PRs. - name: Check out Nixpkgs at the base commit uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - ref: ${{ needs.attrs.outputs.baseSha }} path: base sparse-checkout: ci diff --git a/.github/workflows/get-merge-commit.yml b/.github/workflows/get-merge-commit.yml index c76215aff60cc..a32595ae1ad44 100644 --- a/.github/workflows/get-merge-commit.yml +++ b/.github/workflows/get-merge-commit.yml @@ -7,7 +7,6 @@ on: description: "The merge commit SHA" value: ${{ jobs.resolve-merge-commit.outputs.mergedSha }} -# We need a token to query the API, but it doesn't need any special permissions permissions: {} jobs: 
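Review bot: The `Install Nix` step of the `tag` job is the one `install-nix-action` step in this file that the commit leaves without `extra_nix_config: sandbox = true`, although the other four jobs gain it and this is the job running with `pull-requests: write` and `statuses: write`. Even though it only builds `ci` from the base checkout, adding `with:` / `extra_nix_config: sandbox = true` here keeps the file uniform with the README's rule. Dropping `ref:` from the checkout is consistent with the README's "base commit" definition, so the updated comment reads correctly.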
@@ -16,28 +15,29 @@ jobs: outputs: mergedSha: ${{ steps.merged.outputs.mergedSha }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - path: base - sparse-checkout: ci - - name: Check if the PR can be merged and get the test merge commit - id: merged - env: - GH_TOKEN: ${{ github.token }} - GH_EVENT: ${{ github.event_name }} - run: | - case "$GH_EVENT" in - push) - echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT" - ;; - pull_request_target) - if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then - echo "Checking the merge commit $mergedSha" - echo "mergedSha=$mergedSha" >> "$GITHUB_OUTPUT" - else - # Skipping so that no notifications are sent - echo "Skipping the rest..." - fi - ;; - esac - rm -rf base + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + path: base + sparse-checkout: ci + + - name: Check if the PR can be merged and get the test merge commit + id: merged + env: + GH_TOKEN: ${{ github.token }} + GH_EVENT: ${{ github.event_name }} + run: | + case "$GH_EVENT" in + push) + echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT" + ;; + pull_request_target) + if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then + echo "Checking the merge commit $mergedSha" + echo "mergedSha=$mergedSha" >> "$GITHUB_OUTPUT" + else + # Skipping so that no notifications are sent + echo "Skipping the rest..." + fi + ;; + esac + rm -rf base diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml index 5e2e3aeb3751f..80a186bbfa62b 100644 --- a/.github/workflows/labels.yml +++ b/.github/workflows/labels.yml 
@@ -1,14 +1,14 @@ +# WARNING: +# When extending this action, be aware that $GITHUB_TOKEN allows some write +# access to the GitHub API. This means that it should not evaluate user input in +# a way that allows code injection. + name: "Label PR" on: pull_request_target: types: [edited, opened, synchronize, reopened] -# WARNING: -# When extending this action, be aware that $GITHUB_TOKEN allows some write -# access to the GitHub API. This means that it should not evaluate user input in -# a way that allows code injection. - permissions: contents: read pull-requests: write @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-24.04 if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')" steps: - - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - sync-labels: true + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + sync-labels: true diff --git a/.github/workflows/manual-nixos-v2.yml b/.github/workflows/manual-nixos-v2.yml index 014fef1f5924b..c83d53e8a51aa 100644 --- a/.github/workflows/manual-nixos-v2.yml +++ b/.github/workflows/manual-nixos-v2.yml @@ -1,8 +1,5 @@ name: "Build NixOS manual v2" -permissions: - contents: read - on: pull_request_target: branches: 
@@ -10,24 +7,27 @@ on: paths: - 'nixos/**' +permissions: {} + jobs: nixos: name: nixos-manual-build runs-on: ubuntu-24.04 - if: github.repository_owner == 'NixOS' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: - # explicitly enable sandbox extra_nix_config: sandbox = true + - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 + if: github.repository_owner == 'NixOS' with: # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. name: nixpkgs-ci authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + - name: Building NixOS manual run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux diff --git a/.github/workflows/manual-nixpkgs-v2.yml b/.github/workflows/manual-nixpkgs-v2.yml index ec8a3f6d98767..2eb84dfd327e1 100644 --- a/.github/workflows/manual-nixpkgs-v2.yml +++ b/.github/workflows/manual-nixpkgs-v2.yml @@ -1,8 +1,5 @@ name: "Build Nixpkgs manual v2" -permissions: - contents: read - on: pull_request_target: branches: 
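Review bot: The removed `# explicitly enable sandbox` was the only in-file explanation of `extra_nix_config: sandbox = true`, and with the job-level `if: github.repository_owner == 'NixOS'` also dropped in this hunk the build now runs for forks too, so the sandbox together with `--option restrict-eval true` on the build step is what keeps the PR's nix code contained; a short note such as `# The merge commit below is PR-controlled code; keep the sandbox enabled for the build` should stay next to that setting. The checkout keeps `ref: refs/pull/${{ github.event.pull_request.number }}/merge`, whereas nix-parse-v2.yml in this same diff resolves the merge commit through `needs.get-merge-commit.outputs.mergedSha`; the two are now inconsistent, and the virtual ref can be absent when the PR conflicts or has already been merged. Both points apply equally to the manual-nixpkgs-v2.yml hunk at -12,24.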
@@ -12,24 +9,27 @@ on: - 'lib/**' - 'pkgs/tools/nix/nixdoc/**' +permissions: {} + jobs: nixpkgs: name: nixpkgs-manual-build runs-on: ubuntu-24.04 - if: github.repository_owner == 'NixOS' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: - # explicitly enable sandbox extra_nix_config: sandbox = true + - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 + if: github.repository_owner == 'NixOS' with: # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. name: nixpkgs-ci authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + - name: Building Nixpkgs manual run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual -A manual.tests diff --git a/.github/workflows/nix-parse-v2.yml b/.github/workflows/nix-parse-v2.yml index 61418079e62f3..2f8e97d3a8a0e 100644 --- a/.github/workflows/nix-parse-v2.yml +++ b/.github/workflows/nix-parse-v2.yml @@ -1,14 +1,9 @@ name: "Check whether nix files are parseable v2" -permissions: - pull-requests: read - contents: read - on: - # avoids approving first time contributors pull_request_target: - branches-ignore: - - 'release-**' + +permissions: {} jobs: get-merge-commit: 
@@ -18,32 +13,35 @@ jobs: name: nix-files-parseable-check runs-on: ubuntu-24.04 needs: get-merge-commit - if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')" + if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')" steps: - - name: Get list of changed files from PR - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - gh api \ - repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \ - | jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \ - > "$HOME/changed_files" - if [[ -s "$HOME/changed_files" ]]; then - echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV" - fi - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - # pull_request_target checks out the base branch by default - ref: ${{ needs.get-merge-commit.outputs.mergedSha }} - if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }} - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - with: - nix_path: nixpkgs=channel:nixpkgs-unstable - - name: Parse all changed or added nix files - run: | - ret=0 - while IFS= read -r file; do - out="$(nix-instantiate --parse "$file")" || { echo "$out" && ret=1; } - done < "$HOME/changed_files" - exit "$ret" - if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }} + - name: Get list of changed files from PR + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh api \ + repos/${{ github.repository }}/pulls/${{github.event.number}}/files --paginate \ + | jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \ + > "$HOME/changed_files" + if [[ -s "$HOME/changed_files" ]]; then + echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV" + fi + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + ref: 
${{ needs.get-merge-commit.outputs.mergedSha }} + if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }} + + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + with: + extra_nix_config: sandbox = true + nix_path: nixpkgs=channel:nixpkgs-unstable + + - name: Parse all changed or added nix files + run: | + ret=0 + while IFS= read -r file; do + out="$(nix-instantiate --parse "$file")" || { echo "$out" && ret=1; } + done < "$HOME/changed_files" + exit "$ret" + if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }} diff --git a/.github/workflows/nixpkgs-vet.yml b/.github/workflows/nixpkgs-vet.yml index 5e39f3873b911..96e2a09add92f 100644 --- a/.github/workflows/nixpkgs-vet.yml +++ b/.github/workflows/nixpkgs-vet.yml @@ -2,16 +2,12 @@ # Among other checks, it makes sure that `pkgs/by-name` (see `../../pkgs/by-name/README.md`) follows the validity rules outlined in [RFC 140](https://github.com/NixOS/rfcs/pull/140). # When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI. # See https://github.com/NixOS/nixpkgs-vet for details on the tool and its checks. + name: Vet nixpkgs on: - # Using pull_request_target instead of pull_request avoids having to approve first time contributors. pull_request_target: - # This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`. - # Instead it causes an `edited` event, so we need to add it explicitly here. - # While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem. - # There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058 - types: [opened, synchronize, reopened, edited] + workflow_call: permissions: {} 
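Review bot: With the workflow-level `permissions: {}` set in the preceding hunk, the `secrets.GITHUB_TOKEN` handed to `gh api repos/${{ github.repository }}/pulls/${{github.event.number}}/files` no longer carries `pull-requests: read`; whether that endpoint still answers for a permission-less token on a public repository should be verified, because the step runs under the default `pipefail` shell and an API error would fail every PR instead of yielding an empty list. If it does not, the narrowest fix is a job-level `permissions:` block granting only `pull-requests: read` on this job rather than restoring the workflow-level grant. Interpolating `${{github.event.number}}` directly into `run:` is harmless for a number but differs from the `env:` style the step already uses for the token; `PR_NUMBER: ${{ github.event.number }}` under `env:` would keep the script free of expression syntax. The added `extra_nix_config: sandbox = true` is consistent with the manual workflows, even though `nix-instantiate --parse` neither evaluates nor builds.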
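Review bot: Switching `on:` to `workflow_call:` removes, together with the trigger, the comment explaining why `edited` had to be in the event list (a base-branch change arrives as an `edited` event); that requirement now falls on the calling workflow, which is not part of this hunk, and nothing left here records it. A one-line pointer under the new `workflow_call:` such as `# Called from the PR workflow; the caller must include the edited event so a base-branch change re-runs this check` would keep the constraint discoverable. `permissions: {}` remains appropriate here, since a called workflow's permissions can only be narrowed from the caller's.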
@@ -33,16 +29,18 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - # pull_request_target checks out the base branch by default ref: ${{ needs.get-merge-commit.outputs.mergedSha }} # Fetches the merge commit and its parents fetch-depth: 2 - - name: Checking out base branch + + - name: Checking out target branch run: | - base=$(mktemp -d) - git worktree add "$base" "$(git rev-parse HEAD^1)" - echo "base=$base" >> "$GITHUB_ENV" + target=$(mktemp -d) + git worktree add "$target" "$(git rev-parse HEAD^1)" + echo "target=$target" >> "$GITHUB_ENV" + - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - name: Fetching the pinned tool # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh run: | @@ -55,12 +53,13 @@ jobs: # Adds a result symlink as a GC root. nix-store --realise "$toolPath" --add-root result + - name: Running nixpkgs-vet env: # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/ CLICOLOR_FORCE: 1 run: | - if result/bin/nixpkgs-vet --base "$base" .; then + if result/bin/nixpkgs-vet --base "$target" .; then exit 0 else exitCode=$? diff --git a/.github/workflows/no-channel.yml b/.github/workflows/no-channel.yml index b7b61f9d64921..acaa937ad9360 100644 --- a/.github/workflows/no-channel.yml +++ b/.github/workflows/no-channel.yml 
@@ -15,11 +15,11 @@ jobs: name: "This PR is is targeting a channel branch" runs-on: ubuntu-24.04 steps: - - run: | - cat <&2 - echo "merge_base=$merge_base" >> "$GITHUB_OUTPUT" - - - name: git merge-base master staging → haskell-updates - uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0 - with: - type: now - head_to_merge: ${{ steps.find_merge_base_step.outputs.merge_base }} - target_branch: haskell-updates - github_token: ${{ secrets.GITHUB_TOKEN }} - - - name: Comment on failure - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 - if: ${{ failure() }} - with: - issue-number: 367709 - body: | - Periodic merge from `${{ steps.find_merge_base_step.outputs.merge_base }}` into `haskell-updates` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}). diff --git a/.github/workflows/periodic-merge.yml b/.github/workflows/periodic-merge.yml new file mode 100644 index 0000000000000..cd674fd582d67 --- /dev/null +++ b/.github/workflows/periodic-merge.yml 
@@ -0,0 +1,50 @@
+name: "Merge"
+
+on:
+ workflow_call:
+ inputs:
+ from:
+ description: Branch to merge into target branch. Can also be two branches separated by space to find the merge base between them.
+ required: true
+ type: string
+ into:
+ description: Target branch to merge into.
+ required: true
+ type: string
+
+jobs:
+ merge:
+ if: github.repository_owner == 'NixOS'
+ runs-on: ubuntu-24.04
+ name: ${{ inputs.from }} → ${{ inputs.into }}
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Find merge base between two branches
+ if: contains(inputs.from, ' ')
+ id: merge_base
+ env:
+ branches: ${{ inputs.from }}
+ run: |
+ # turn into bash array, split on space
+ read -ra branches <<< "$branches"
+ git fetch --shallow-since="1 month ago" origin "${branches[@]}"
+ merge_base="$(git merge-base "refs/remotes/origin/${branches[0]}" "refs/remotes/origin/${branches[1]}")"
+ echo "Found merge base: $merge_base" >&2
+ echo "merge_base=$merge_base" >> "$GITHUB_OUTPUT"
+
+ - name: ${{ inputs.from }} → ${{ inputs.into }}
+ uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0
+ with:
+ type: now
+ from_branch: ${{ steps.merge_base.outputs.merge_base || inputs.from }}
+ target_branch: ${{ inputs.into }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Comment on failure
+ uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+ if: ${{ failure() }}
+ with:
+ issue-number: 105153
+ body: |
+ Periodic merge from `${{ inputs.from }}` into `${{ inputs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
diff --git a/doc/development.md b/doc/development.md
index 0c092befca245..e334e6932de6b 100644
--- a/doc/development.md
+++ b/doc/development.md
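Review bot: The new workflow declares no `permissions:` block, unlike the other workflows in this diff that default to `permissions: {}`, so the `merge` job runs with whatever the caller or repository default grants even though its needs are narrow: presumably `contents: write` for the push done by devmasx/merge-branch with `secrets.GITHUB_TOKEN` and `issues: write` for the failure comment. A job-level block `permissions:` / `  contents: write` / `  issues: write` under `merge:` would pin that down and let the caller only narrow it further. `git fetch --shallow-since="1 month ago"` bounds the history, so `git merge-base` fails when the two branches' common ancestor is older than that window and the only visible outcome is the failure comment; if that is expected, a comment on the fetch line saying so would help the next reader. When `inputs.from` carries more than two names, only the first two are used and the rest are silently ignored; a guard `[[ ${#branches[@]} -eq 2 ]] || { echo "expected exactly two branches" >&2; exit 1; }` right after the `read` makes that explicit.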
@@ -1,5 +1,7 @@ # Development of Nixpkgs {#part-development} +Hello + This section shows you how Nixpkgs is being developed and how you can interact with the contributors and the latest updates. If you are interested in contributing yourself, see [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md). diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix index 2a3b5a1f2b086..ed8f30f2437bb 100644 --- a/maintainers/maintainer-list.nix +++ b/maintainers/maintainer-list.nix @@ -65,18 +65,18 @@ file located in the root of the Nixpkgs repo. */ { - _0b11stan = { - name = "Tristan Auvinet Pinaudeau"; - email = "tristan@tic.sh"; - github = "0b11stan"; - githubId = 27831931; - }; _0david0mp = { email = "davidmrpr@proton.me"; github = "0david0mp"; githubId = 54892055; name = "David mp"; }; + _0b11stan = { + name = "Tristan Auvinet Pinaudeau"; + email = "tristan@tic.sh"; + github = "0b11stan"; + githubId = 27831931; + }; _0nyr = { email = "onyr.maintainer@gmail.com"; github = "0nyr"; diff --git a/nixos/default.nix b/nixos/default.nix index f338e13fadb05..281651d587114 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -15,7 +15,7 @@ in { inherit (eval) pkgs config options; - system = eval.config.system.build.toplevel; + system = eval.config.system.build.toplevel; inherit (eval.config.system.build) vm vmWithBootLoader; } diff --git a/shell.nix b/shell.nix index ecb444e75ec01..b7d5065f71842 100644 --- a/shell.nix +++ b/shell.nix @@ -29,7 +29,7 @@ in curPkgs // pkgs.mkShellNoCC { packages = with pkgs; [ - # The default formatter for Nix code + # The default formatter for Nix code # See https://github.com/NixOS/nixfmt nixfmt-rfc-style # Helper to review Nixpkgs PRs
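Review bot: Moving `_0b11stan` below `_0david0mp` puts the attribute out of alphabetical order, since `b` sorts before `d`; the removed position was the correct one and this hunk should be dropped. The `+Hello` line added to doc/development.md in the hunk just before, and the whitespace-only hunks in nixos/default.nix and shell.nix, likewise look like stray test edits rather than part of the workflow change.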