dependabot[bot]
d90a8da39f
.github: Bump actions/checkout from 6.0.2 to 6.0.3
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](de0fac2e45...df4cb1c069support@github.com >
2026-06-05 11:22:54 +00:00
Martin Weinelt
1cf127e528
workflows: migrate from app-id to client-id
...
See https://github.com/actions/create-github-app-token/releases/tag/v3.1.0 .
2026-05-26 03:06:17 +02:00
Michael Daniels
aa7cf0cd79
.github: Bump actions/create-github-app-token from 3.1.1 to 3.2.0 ( #520404 )
2026-05-15 22:21:01 +00:00
dependabot[bot]
40120a3150
.github: Bump korthout/backport-action from 4.5.1 to 4.5.2
...
Bumps [korthout/backport-action](https://github.com/korthout/backport-action ) from 4.5.1 to 4.5.2.
- [Release notes](https://github.com/korthout/backport-action/releases )
- [Commits](bf97bcfb53...6606540695support@github.com >
2026-05-15 11:25:52 +00:00
dependabot[bot]
8a91364b57
.github: Bump actions/create-github-app-token from 3.1.1 to 3.2.0
...
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token ) from 3.1.1 to 3.2.0.
- [Release notes](https://github.com/actions/create-github-app-token/releases )
- [Changelog](https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md )
- [Commits](1b10c78c78...bcd2ba4921support@github.com >
2026-05-15 11:25:37 +00:00
Matt Sturgeon
b4772dcc67
workflows/backport: Label failed backports ( #517744 )
2026-05-10 10:05:07 +00:00
dependabot[bot]
04e886c586
.github: Bump korthout/backport-action from 4.5.0 to 4.5.1
...
Bumps [korthout/backport-action](https://github.com/korthout/backport-action ) from 4.5.0 to 4.5.1.
- [Release notes](https://github.com/korthout/backport-action/releases )
- [Commits](7c3f6cd584...bf97bcfb53support@github.com >
2026-05-08 11:27:34 +00:00
Samuel Dionne-Riel
afb1bec526
workflows/backport: Label failed backports
...
The intent behind this new label is to allow filtering on the label,
which can then allow Nixpkgs contributors to *act* on such failures.
The label **must** be removed *only* when a PR was then successfully
made, or the change has been verified to not need a backport.
Removing the label is intended to make the list of PRs with the label
actionable.
The following search query could be used to ensure no security changes
that were marked for being backported are left behind:
- https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+label%3A%221.severity%3A+security%22+label%3A%228.has%3A+failed+backport%22+
(Obviously not right now. The label does not exist and isn't used.)
2026-05-07 12:05:25 -04:00
dependabot[bot]
e745785f80
.github: Bump korthout/backport-action from 4.4.0 to 4.5.0
...
Bumps [korthout/backport-action](https://github.com/korthout/backport-action ) from 4.4.0 to 4.5.0.
- [Release notes](https://github.com/korthout/backport-action/releases )
- [Commits](ad30f01dbe...7c3f6cd584support@github.com >
2026-05-01 13:06:17 +00:00
dependabot[bot]
9c623775f2
.github: Bump korthout/backport-action from 4.3.0 to 4.4.0
...
Bumps [korthout/backport-action](https://github.com/korthout/backport-action ) from 4.3.0 to 4.4.0.
- [Release notes](https://github.com/korthout/backport-action/releases )
- [Commits](3c06f323a5...ad30f01dbesupport@github.com >
2026-04-24 11:23:19 +00:00
dependabot[bot]
a641fbe953
.github: Bump actions/create-github-app-token from 3.0.0 to 3.1.1
...
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token ) from 3.0.0 to 3.1.1.
- [Release notes](https://github.com/actions/create-github-app-token/releases )
- [Commits](f8d387b68d...1b10c78c78support@github.com >
2026-04-17 11:23:22 +00:00
dependabot[bot]
b7e66be21f
.github: Bump actions/github-script from 8.0.0 to 9.0.0
...
Bumps [actions/github-script](https://github.com/actions/github-script ) from 8.0.0 to 9.0.0.
- [Release notes](https://github.com/actions/github-script/releases )
- [Commits](ed597411d8...3a2844b7e9support@github.com >
2026-04-10 11:23:10 +00:00
dependabot[bot]
cd17e1fe33
.github: Bump korthout/backport-action from 4.2.0 to 4.3.0
...
Bumps [korthout/backport-action](https://github.com/korthout/backport-action ) from 4.2.0 to 4.3.0.
- [Release notes](https://github.com/korthout/backport-action/releases )
- [Commits](4aaf0e03a9...3c06f323a5support@github.com >
2026-03-27 11:23:11 +00:00
dependabot[bot]
c9593d281a
workflows: bump actions/create-github-app-token from 2.2.1 to 3.0.0
...
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token ) from 2.2.1 to 3.0.0.
- [Release notes](https://github.com/actions/create-github-app-token/releases )
- [Commits](29824e69f5...f8d387b68dsupport@github.com >
2026-03-16 18:12:34 -04:00
Michael Daniels
4f08fc3c7e
workflows/backport: request review from original PR author
2026-03-10 19:46:53 -04:00
dependabot[bot]
b6430f3fa6
workflows/backport: bump korthout/backport-action from 4.1.0 to 4.2.0
...
Bumps [korthout/backport-action](https://github.com/korthout/backport-action ) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/korthout/backport-action/releases )
- [Commits](01619ebc9a...4aaf0e03a9support@github.com >
2026-03-10 19:46:16 -04:00
Jamie Magee
55b21e9fd6
workflows: document write permissions
2026-03-04 14:46:50 -08:00
dependabot[bot]
1645d075ed
build(deps): bump korthout/backport-action from 4.0.1 to 4.1.0
...
Bumps [korthout/backport-action](https://github.com/korthout/backport-action ) from 4.0.1 to 4.1.0.
- [Release notes](https://github.com/korthout/backport-action/releases )
- [Commits](c656f5d585...01619ebc9asupport@github.com >
2026-02-16 12:27:15 +00:00
dependabot[bot]
0f2f886044
build(deps): bump actions/checkout from 6.0.1 to 6.0.2
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](8e8c483db8...de0fac2e45support@github.com >
2026-01-26 12:24:55 +00:00
dependabot[bot]
5685208a8e
build(deps): bump korthout/backport-action from 4.0.0 to 4.0.1
...
Bumps [korthout/backport-action](https://github.com/korthout/backport-action ) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/korthout/backport-action/releases )
- [Commits](3634249d41...c656f5d585support@github.com >
2025-12-22 11:03:06 +00:00
dependabot[bot]
7e249c37da
build(deps): bump korthout/backport-action from 3.4.1 to 4.0.0
...
Bumps [korthout/backport-action](https://github.com/korthout/backport-action ) from 3.4.1 to 4.0.0.
- [Release notes](https://github.com/korthout/backport-action/releases )
- [Commits](d07416681c...3634249d41support@github.com >
2025-12-15 11:03:34 +00:00
Philip Taron
1821a13456
build(deps): bump actions/create-github-app-token from 2.2.0 to 2.2.1 ( #468943 )
2025-12-08 12:57:00 +00:00
dependabot[bot]
5e90578a17
build(deps): bump actions/create-github-app-token from 2.2.0 to 2.2.1
...
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token ) from 2.2.0 to 2.2.1.
- [Release notes](https://github.com/actions/create-github-app-token/releases )
- [Commits](7e473efe3c...29824e69f5support@github.com >
2025-12-08 11:04:06 +00:00
dependabot[bot]
25c33e559a
build(deps): bump actions/checkout from 6.0.0 to 6.0.1
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](1af3b93b68...8e8c483db8support@github.com >
2025-12-08 11:03:57 +00:00
Michael Daniels
b4db7c6341
workflows/backport: advertise that merge bot can be used on eligible backports
...
Some maintainers aren't aware that the merge bot had this capability added.
This would be more prominent than the existing label.
2025-12-07 12:50:51 -05:00
Wolfgang Walther
1289456d3b
workflows: run smaller jobs on ubuntu-slim
...
This is in public preview now. These runners run in a docker container
with only a single vCPU instead of 4 like the other jobs. For most of
our jobs, this should be plenty, except for eval and linting.
2025-11-25 11:44:14 +01:00
Wolfgang Walther
64aa47acf0
build(deps): bump actions/create-github-app-token from 2.1.4 to 2.2.0 ( #464561 )
2025-11-24 13:03:24 +00:00
dependabot[bot]
6029d82a8a
build(deps): bump actions/checkout from 5.0.0 to 6.0.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](08c6903cd8...1af3b93b68support@github.com >
2025-11-24 12:17:05 +00:00
dependabot[bot]
7c482d98e1
build(deps): bump actions/create-github-app-token from 2.1.4 to 2.2.0
...
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token ) from 2.1.4 to 2.2.0.
- [Release notes](https://github.com/actions/create-github-app-token/releases )
- [Commits](6701853927...7e473efe3csupport@github.com >
2025-11-24 12:16:50 +00:00
Wolfgang Walther
91c4d9236b
workflows/bot: allow maintainers to merge backports
...
All other conditions equal, there is no reason to prevent maintainers
from backporting changes to their packages. Maintainers are probably in
the *best* position to tell whether a certain change is backportable or
not - because they know the package well.
2025-11-02 17:26:01 +01:00
Wolfgang Walther
623b33839a
workflows/backport: persist credentials
...
This was added when introducing zizmor. It appears that the backport
action actually needs these credentials to persist, to be able to push
the branch.
2025-10-27 09:01:17 +01:00
Winter
65bb095948
ci: fix issues found by zizmor
...
Co-authored-by: Thomas Gerbet <thomas@gerbet.me >
2025-10-26 20:19:08 +01:00
dependabot[bot]
84fadb88cc
build(deps): bump korthout/backport-action from 3.3.0 to 3.4.1
...
Bumps [korthout/backport-action](https://github.com/korthout/backport-action ) from 3.3.0 to 3.4.1.
- [Release notes](https://github.com/korthout/backport-action/releases )
- [Commits](ca4972adce...d07416681csupport@github.com >
2025-10-06 11:47:16 +00:00
dependabot[bot]
83d35a9485
build(deps): bump actions/create-github-app-token from 2.1.1 to 2.1.4
...
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token ) from 2.1.1 to 2.1.4.
- [Release notes](https://github.com/actions/create-github-app-token/releases )
- [Commits](a8d6161485...6701853927support@github.com >
2025-09-15 11:42:25 +00:00
dependabot[bot]
4ea8216576
build(deps): bump actions/github-script from 7.0.1 to 8.0.0
...
Bumps [actions/github-script](https://github.com/actions/github-script ) from 7.0.1 to 8.0.0.
- [Release notes](https://github.com/actions/github-script/releases )
- [Commits](60a0d83039...ed597411d8support@github.com >
2025-09-08 11:21:35 +00:00
Wolfgang Walther
a8634c2572
build(deps): bump actions/create-github-app-token from 2.1.0 to 2.1.1 ( #436918 )
2025-08-26 12:07:45 +00:00
dependabot[bot]
c1853d5ea1
build(deps): bump actions/create-github-app-token from 2.1.0 to 2.1.1
...
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token ) from 2.1.0 to 2.1.1.
- [Release notes](https://github.com/actions/create-github-app-token/releases )
- [Commits](0f859bf9e6...a8d6161485support@github.com >
2025-08-26 12:01:49 +00:00
dependabot[bot]
2240ad8625
build(deps): bump korthout/backport-action from 3.2.1 to 3.3.0
...
Bumps [korthout/backport-action](https://github.com/korthout/backport-action ) from 3.2.1 to 3.3.0.
- [Release notes](https://github.com/korthout/backport-action/releases )
- [Commits](0193454f0c...ca4972adcesupport@github.com >
2025-08-25 21:00:45 +00:00
Wolfgang Walther
bb1529ef6a
workflows/backport: fix token permissions
...
The additional `workflows` permissions are required to backport
Dependabot updates. The permissions had been added to the app a while
ago, but we forgot to actually use them.
2025-08-12 10:30:03 +02:00
Wolfgang Walther
da4839720b
build(deps): bump actions/create-github-app-token from 2.0.6 to 2.1.0 ( #432840 )
2025-08-11 15:43:00 +00:00
dependabot[bot]
593aee095f
build(deps): bump actions/checkout from 4.2.2 to 5.0.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.2.2 to 5.0.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](11bd71901b...08c6903cd8support@github.com >
2025-08-11 15:06:58 +00:00
dependabot[bot]
d1d2650cba
build(deps): bump actions/create-github-app-token from 2.0.6 to 2.1.0
...
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token ) from 2.0.6 to 2.1.0.
- [Release notes](https://github.com/actions/create-github-app-token/releases )
- [Commits](df432ceedc...0f859bf9e6support@github.com >
2025-08-11 15:06:38 +00:00
Wolfgang Walther
436d54174d
.github/workflows: set timeouts
...
None of our jobs is expected to run for 6 hours, the GitHub limit. These
limits are generous and take into accounts that some jobs need to wait
for others.
If jobs exceed these times, most likely something else is wrong and
needs investigation.
2025-08-09 17:26:03 +02:00
Wolfgang Walther
58a3001a3a
workflows/backport: fix concurrent jobs cancelling each other
...
When a PR is merged and labeled afterwards - with a non-backport label -
the following will happen:
- The first backport job is triggered on the merge.
- The second backport job is triggered on the label event.
- The second job will cancel the first one due to the concurrency group.
- The second job will cancel itself because the label event didn't
contain a backport label.
Both jobs end up cancelled and no backport happens.
We made the backport action idempotent upstream a while ago, so we don't
need to cancel those actions. Instead, we'll run all of them -
subsequent actions running through will just stay silent anyway.
2025-07-12 16:33:33 +02:00
Wolfgang Walther
de8f3e2cbf
workflows/backport: korthout/backport-action: 3.2.0 -> 3.2.1
...
Release Notes:
https://github.com/korthout/backport-action/releases/tag/v3.2.1
This should many of the annoying, duplicated error messages that the
backport action comments.
2025-06-26 14:58:32 +02:00
Wolfgang Walther
356bf98a32
workflows: log rate limits consistently
...
This will give us a better idea about:
- Which jobs use the most API calls and can possibly be made more
efficient.
- Which rate limits apply exactly to which tokens.
2025-06-22 22:08:42 +02:00
Wolfgang Walther
6793e238fa
workflows/{labels,reviewers}: fix concurrency groups for nested workflows
...
This didn't work as intended. When a workflow is run with
`workflow_call`, it will have `github.workflow` set to the *parent*
workflow. So the `caller` input that we passed, resulted in this
concurrency key:
```
Eval-Eval-...
```
But that's bad, because the labels and reviewers workflows will cancel
each other!
What we actually want is this:
- Label and Reviewers workflow should have different groups.
- Reviewers called via Eval and called directly via undraft should have
*different* groups.
We can't use the default condition we use everywhere else, because
`github.workflow` is the same for Label and Reviewers. Thus, we hardcode
the workflow's name as well. This essentially means we have this as a
key:
```
<name-of-running-workflow>-<name-of-triggering-workflow>-<name-of-event>-<name-of-head-branch>
```
This should do what we want.
Since workflows can be made reusable workflows later on, we add those
hardcoded names to *all* concurrency groups. This avoids copy&paste
errors later on.
2025-06-13 17:31:27 +02:00
Wolfgang Walther
7ba7720b28
workflows: prevent accidental cancelling of other PRs
...
This can happen when two PRs run at the same time, which come from
different forks, but have the same head branch name.
github.head_ref is suggested by GitHub's docs, but.. that's not really
useful for cases with forks.
2025-06-13 17:00:31 +02:00
Wolfgang Walther
2b1c99db41
workflows/reviewers: actually ping maintainers when undrafting ( #415680 )
2025-06-11 07:24:41 +00:00
Wolfgang Walther
0f5e504f9e
workflows: use bash shell explicitly
...
This forces better error handling as described in [1].
Without this change, bash would *not* run with `-o pipefail`, which
means some errors go unnoticed. By naming `bash` explicitly, `-o
pipefail` is enabled.
1:
https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#defaultsrunshell
2025-06-10 21:59:37 +02:00
