Commit 3c71cec05d changed the labeler workflow to use grep -c, but grep -c still exits with status 1 when no lines match.
That made the fallback echo another 0, so COUNT became a multi-line value and the write to GITHUB_OUTPUT failed. Use true as the fallback to preserve grep's single-line count while allowing the no-match case.
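The failure described in the commit message above, reproduced as an added example (not the workflow's own code; the `^modules/` pattern, the sample file lists and the `write_output` guard are constructed for illustration):

```shell
#!/bin/sh
# Added illustration; pattern, sample inputs and write_output are constructed.
NL='
'
# Constructed changed-file lists: one without and one with matching paths.
sample_no_match() { printf 'docs/manual.md\nflake.nix\n'; }
sample_match() { printf 'modules/a.nix\nmodules/b.nix\nflake.nix\n'; }

# Before: on no match grep -c prints "0" and exits 1, so the fallback
# echo appends a second "0" and the captured value spans two lines.
count_broken() { grep -c '^modules/' || echo 0; }

# After: true only absorbs the exit status; grep's own "0" is the output.
count_fixed() { grep -c '^modules/' || true; }

# Hypothetical guard: a plain name=value record in the GITHUB_OUTPUT file
# must be a single line, so reject values containing a newline.
write_output() {
  case $2 in
    *"$NL"*) echo "refusing multi-line value for $1" >&2; return 1 ;;
  esac
  printf '%s=%s\n' "$1" "$2" >> "$3"
}

# Demo: run both variants on the no-match input and try to record the count.
out=$(mktemp)
for f in count_broken count_fixed; do
  value=$(sample_no_match | "$f")
  if write_output count "$value" "$out"; then
    echo "$f: wrote $(cat "$out")"
  else
    echo "$f: rejected"
  fi
done
rm -f "$out"
```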
The test workflow currently relies on GitHub Actions defaults for both
job lifetime and Nix sandboxing. That is acceptable when everything
behaves, but it makes failures noisier: a hung job can run indefinitely
until the platform kills it, and the macOS leg inherits a weaker sandbox
default than Linux.
Add explicit timeout-minutes values to the lightweight change-detection
job and the main test matrix job, and pass sandbox = true through
install-nix-action. The sandbox setting is primarily about making the
macOS runner match the stricter execution model we already expect on
Linux.
The test workflow only needs to evaluate and build repository code. It
does not write statuses, labels, comments, or pull request metadata, so
keeping GitHub's default token scope is broader than necessary.
The parse workflow currently runs the nix and Lix checks as two separate
steps. If the first parser fails, GitHub Actions stops the job before
the second parser runs, which hides useful failure information and
weakens the signal from the new parse gate.
Collapse the two steps into a single invocation that builds both parse
derivations with --keep-going. This keeps the job surface small,
preserves the dedicated parse trigger, and ensures both parser variants
are attempted on every relevant run.
Root cause: DeterminateSystems/update-flake-lock@v27 uses
peter-evans/create-pull-request@v6.0.5 internally, which is incompatible
with actions/checkout@v6's new credential storage mechanism.
The Problem Chain:
- actions/checkout@v6 moved credentials from .git/config to $RUNNER_TEMP
  (security improvement)
- peter-evans/create-pull-request@v6.0.5 cannot access credentials from
  the new $RUNNER_TEMP location
- This causes exit code 128 when update-flake-lock tries to create PRs
The Fix:
- create-pull-request@v7.0.9 fixed v6 compatibility
- However, update-flake-lock@v27 (released July 2025) hasn't upgraded yet
- Reverting to v5 restores working credential access
Next Steps:
- Can upgrade to v6 once update-flake-lock uses create-pull-request@v7.0.9+
- https://github.com/DeterminateSystems/update-flake-lock/pull/224
- Dependabot configured to ignore v6 upgrades until compatibility is fixed
Fixes: https://github.com/nix-community/home-manager/actions/runs/19712979574
See: https://github.com/peter-evans/create-pull-request/issues/690
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
We have moved towards running more tests on buildbot for better
performance. Don't duplicate efforts on GitHub Actions.
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
We have lots of tests and would like to add more. However, adding more
testing coverage comes at the cost of a slower CI when we run them
sequentially. This adds test outputs that are chunked however we'd like
to tune for batch sizes, allowing us to create a parallelized CI
workflow.
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
Break the workflow into multiple scripts to make it easier to test /
maintain. Also fix the remove reviewer process to not review reviews
from people that were manually requested.
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
Better support updating existing PRs and summary of changes in workflow
summary. Tested in nixvim.
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
We don't want or need to maintain duplicate entries for maintainers in HM
that already exist in Nixpkgs. Add a check that calls out users that
don't need an entry in our internal list.
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
We just need to run it once properly and don't need to keep running it
for every push until the last.
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
We want to ping maintainers whenever files are affected. Right now it
requires changing a PR to a draft and reopening, but we should be more
clever and request the review whenever the file is updated.
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
Was relying on flawed logic and fragile parsing to identify maintainers
on changed files. Rework to use nix eval to grab the `meta.maintainers`
to use when requesting a review.
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
Previously, we had to hack together some string matching to identify and
retrieve the maintainers in the repo. We can just eval the modules to
retrieve the list of maintainers more accurately.
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
Cancel existing runs when a new push happens so we don't unnecessarily
run jobs that are irrelevant.
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
We need to make sure that we don't insert invalid maintainers otherwise
it breaks the RFC39 invite workflow. Check that we have valid nix and
the required attributes are able to be parsed properly.
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
Want to create an easier way to notify maintainers that someone is
working on their module. Added a workflow for requesting a review from any maintainers that have joined the `home-manager-maintainers` team in the organization.
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>