mirror of
https://github.com/NixOS/nixpkgs.git
synced 2026-06-05 21:03:40 +00:00
5d15d396db
Bumps [cachix/cachix-action](https://github.com/cachix/cachix-action) from 1eb2ef646ac0255473d23a5907ad7b04ce94065c to 5f2d7c5294214f71b873db4b969586b980625e71.
- [Release notes](https://github.com/cachix/cachix-action/releases)
- [Changelog](https://github.com/cachix/cachix-action/blob/master/RELEASE.md)
- [Commits](1eb2ef646a...5f2d7c5294)
---
updated-dependencies:
- dependency-name: cachix/cachix-action
dependency-version: 5f2d7c5294214f71b873db4b969586b980625e71
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
153 lines
5.6 KiB
YAML
153 lines
5.6 KiB
YAML
name: Lint
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
mergedSha:
|
|
required: true
|
|
type: string
|
|
targetSha:
|
|
required: true
|
|
type: string
|
|
secrets:
|
|
# Should only be provided in the merge queue, not in pull requests,
|
|
# where we're evaluating untrusted code.
|
|
CACHIX_AUTH_TOKEN_GHA:
|
|
required: false
|
|
|
|
permissions: {}
|
|
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
|
|
jobs:
|
|
treefmt:
|
|
runs-on: ubuntu-24.04-arm
|
|
timeout-minutes: 10
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
sparse-checkout: .github/actions
|
|
- name: Checkout the merge commit
|
|
uses: ./.github/actions/checkout
|
|
with:
|
|
merged-as-untrusted-at: ${{ inputs.mergedSha }}
|
|
|
|
- uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
|
|
|
|
# TODO: Figure out how to best enable caching for the treefmt job. Cachix won't work well,
|
|
# because the cache would be invalidated on every commit - treefmt checks every file.
|
|
# Maybe we can cache treefmt's eval-cache somehow.
|
|
|
|
- name: Check that files are formatted
|
|
run: |
|
|
# Note that it's fine to run this on untrusted code because:
|
|
# - There's no secrets accessible here
|
|
# - The build is sandboxed
|
|
if ! nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A fmt.check; then
|
|
echo "Some files are not properly formatted"
|
|
echo "Please format them by going to the Nixpkgs root directory and running one of:"
|
|
echo " nix-shell --run treefmt"
|
|
echo " nix develop --command treefmt"
|
|
echo " nix fmt"
|
|
echo "Make sure your branch is up to date with master; rebase if not."
|
|
echo "If you're having trouble, please ping @NixOS/nix-formatting"
|
|
exit 1
|
|
fi
|
|
|
|
parse:
|
|
runs-on: ubuntu-24.04-arm
|
|
timeout-minutes: 10
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
sparse-checkout: .github/actions
|
|
- name: Checkout the merge commit
|
|
uses: ./.github/actions/checkout
|
|
with:
|
|
merged-as-untrusted-at: ${{ inputs.mergedSha }}
|
|
|
|
- uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
|
|
|
|
- uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
|
|
continue-on-error: true
|
|
with:
|
|
# The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
|
|
name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
|
|
extraPullNames: nixpkgs-gha
|
|
authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
|
|
pushFilter: -source$
|
|
|
|
- name: Parse all nix files
|
|
run: |
|
|
# Tests multiple versions at once, let's make sure all of them run, so keep-going.
|
|
nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A parse --keep-going
|
|
|
|
nixpkgs-vet:
|
|
runs-on: ubuntu-24.04-arm
|
|
timeout-minutes: 10
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
sparse-checkout: .github/actions
|
|
- name: Checkout merge and target commits
|
|
uses: ./.github/actions/checkout
|
|
with:
|
|
merged-as-untrusted-at: ${{ inputs.mergedSha }}
|
|
target-as-trusted-at: ${{ inputs.targetSha }}
|
|
|
|
- uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
|
|
|
|
- uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
|
|
continue-on-error: true
|
|
with:
|
|
# The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
|
|
name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
|
|
extraPullNames: nixpkgs-gha
|
|
authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
|
|
pushFilter: -source$
|
|
|
|
- name: Running nixpkgs-vet
|
|
env:
|
|
# Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
|
|
CLICOLOR_FORCE: 1
|
|
run: |
|
|
if nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A nixpkgs-vet --arg base "./nixpkgs/trusted" --arg head "./nixpkgs/untrusted"; then
|
|
exit 0
|
|
else
|
|
exitCode=$?
|
|
echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
|
|
echo "If you're having trouble, ping @NixOS/nixpkgs-vet"
|
|
exit "$exitCode"
|
|
fi
|
|
|
|
commits:
|
|
# Only check commits if we have access to the pull_request context.
|
|
#
|
|
# Luckily there's no need to lint commit messages in the Merge Queue, because
|
|
# changes to the target branch can't change commit messages on the base branch.
|
|
if: ${{ github.event.pull_request.number }}
|
|
runs-on: ubuntu-slim
|
|
timeout-minutes: 5
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: true # Needed to run git fetch for large PRs.
|
|
path: trusted
|
|
- name: Check commit messages
|
|
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
|
|
with:
|
|
script: |
|
|
const checkCommitMessages = require('./trusted/ci/github-script/lint-commits.js')
|
|
|
|
checkCommitMessages({
|
|
github,
|
|
context,
|
|
core,
|
|
repoPath: 'trusted',
|
|
})
|