mirror of
https://github.com/NixOS/nixpkgs.git
synced 2026-06-05 21:03:40 +00:00
{ci,workflows}: allow multiple blocking reviews
This commit is contained in:
Michael Daniels
37
.github/workflows/check.yml
vendored
37
.github/workflows/check.yml
vendored
@@ -16,6 +16,14 @@ on:
|
||||
required: true
|
||||
type: string
|
||||
secrets:
|
||||
# Can be provided in pull requests because the job it is used in does
|
||||
# not evaluate untrusted code.
|
||||
NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY:
|
||||
required: false
|
||||
# Can be provided in pull requests because the job it is used in does
|
||||
# not evaluate untrusted code.
|
||||
NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY:
|
||||
required: false
|
||||
# Should only be provided in the merge queue, not in pull requests,
|
||||
# where we're evaluating untrusted code.
|
||||
CACHIX_AUTH_TOKEN_GHA:
|
||||
@@ -45,9 +53,19 @@ jobs:
|
||||
- name: Install dependencies
|
||||
run: npm install bottleneck@2.19.5
|
||||
|
||||
# It's fine to reuse this app in the 'pull-request-target / prepare' job,
|
||||
# because that job has to run before this one.
|
||||
- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
|
||||
if: github.event_name != 'pull_request' && vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID
|
||||
id: app-token
|
||||
with:
|
||||
client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }}
|
||||
private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }}
|
||||
permission-pull-requests: write
|
||||
|
||||
- name: Log current API rate limits
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
|
||||
run: gh api /rate_limit | jq
|
||||
|
||||
- name: Check commits
|
||||
@@ -56,6 +74,7 @@ jobs:
|
||||
env:
|
||||
TARGETS_STABLE: ${{ fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development') }}
|
||||
with:
|
||||
github-token: ${{ steps.app-token.outputs.token || github.token }}
|
||||
script: |
|
||||
const targetsStable = JSON.parse(process.env.TARGETS_STABLE)
|
||||
require('./trusted/ci/github-script/commits.js')({
|
||||
@@ -68,7 +87,7 @@ jobs:
|
||||
|
||||
- name: Log current API rate limits
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
|
||||
run: gh api /rate_limit | jq
|
||||
|
||||
manual-file-edits:
|
||||
@@ -85,25 +104,35 @@ jobs:
|
||||
sparse-checkout: |
|
||||
ci/github-script
|
||||
|
||||
- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
|
||||
if: github.event_name != 'pull_request' && vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID
|
||||
id: app-token
|
||||
with:
|
||||
client-id: ${{ vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID }}
|
||||
private-key: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }}
|
||||
permission-pull-requests: write
|
||||
|
||||
- name: Log current API rate limits
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
|
||||
run: gh api /rate_limit | jq
|
||||
|
||||
- name: Discourage manual edits to certain files
|
||||
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
|
||||
with:
|
||||
github-token: ${{ steps.app-token.outputs.token || github.token }}
|
||||
script: |
|
||||
require('./trusted/ci/github-script/manual-file-edits.js')({
|
||||
github,
|
||||
context,
|
||||
core,
|
||||
dry: context.eventName == 'pull_request',
|
||||
repoPath: 'trusted',
|
||||
})
|
||||
|
||||
- name: Log current API rate limits
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
|
||||
run: gh api /rate_limit | jq
|
||||
|
||||
owners:
|
||||
|
||||
14
.github/workflows/eval.yml
vendored
14
.github/workflows/eval.yml
vendored
@@ -23,6 +23,10 @@ on:
|
||||
default: false
|
||||
type: boolean
|
||||
secrets:
|
||||
# Can be provided in pull requests because the job it is used in does
|
||||
# not evaluate untrusted code.
|
||||
NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY:
|
||||
required: false
|
||||
# Should only be provided in the merge queue, not in pull requests,
|
||||
# where we're evaluating untrusted code.
|
||||
CACHIX_AUTH_TOKEN_GHA:
|
||||
@@ -349,10 +353,20 @@ jobs:
|
||||
description,
|
||||
target_url
|
||||
})
|
||||
|
||||
- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
|
||||
if: github.event_name == 'pull_request_target' && vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID
|
||||
id: app-token
|
||||
with:
|
||||
client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }}
|
||||
private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }}
|
||||
permission-pull-requests: write
|
||||
|
||||
- name: Request changes if PR is against an inappropriate branch
|
||||
if: ${{ github.event_name == 'pull_request_target' }}
|
||||
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
|
||||
with:
|
||||
github-token: ${{ steps.app-token.outputs.token || github.token }}
|
||||
script: |
|
||||
require('./nixpkgs/trusted/ci/github-script/check-target-branch.js')({
|
||||
github,
|
||||
|
||||
22
.github/workflows/pull-request-target.yml
vendored
22
.github/workflows/pull-request-target.yml
vendored
@@ -10,6 +10,12 @@ on:
|
||||
secrets:
|
||||
NIXPKGS_CI_APP_PRIVATE_KEY:
|
||||
required: true
|
||||
NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY:
|
||||
required: false
|
||||
NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY:
|
||||
required: false
|
||||
NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY:
|
||||
required: false
|
||||
|
||||
concurrency:
|
||||
group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
|
||||
@@ -36,6 +42,17 @@ jobs:
|
||||
sparse-checkout-cone-mode: true # default, for clarity
|
||||
sparse-checkout: |
|
||||
ci/github-script
|
||||
|
||||
# It's fine to reuse this app in the 'check / commits' job,
|
||||
# because this job has to run before that one.
|
||||
- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
|
||||
if: vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID
|
||||
id: app-token
|
||||
with:
|
||||
client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }}
|
||||
private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }}
|
||||
permission-pull-requests: write
|
||||
|
||||
- id: prepare
|
||||
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
|
||||
with:
|
||||
@@ -60,6 +77,9 @@ jobs:
|
||||
permissions:
|
||||
# cherry-picks
|
||||
pull-requests: write
|
||||
secrets:
|
||||
NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }}
|
||||
NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }}
|
||||
with:
|
||||
baseBranch: ${{ needs.prepare.outputs.baseBranch }}
|
||||
headBranch: ${{ needs.prepare.outputs.headBranch }}
|
||||
@@ -82,6 +102,8 @@ jobs:
|
||||
# compare
|
||||
pull-requests: write
|
||||
statuses: write
|
||||
secrets:
|
||||
NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }}
|
||||
with:
|
||||
artifact-prefix: ${{ inputs.artifact-prefix }}
|
||||
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
|
||||
|
||||
Reference in New Issue
Block a user