[pull] master from NixOS:master #16311
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# `nixpkgs-vet` is a tool to vet Nixpkgs: its architecture, package structure, and more. | |
# Among other checks, it makes sure that `pkgs/by-name` (see `../../pkgs/by-name/README.md`) follows the validity rules outlined in [RFC 140](https://github.com/NixOS/rfcs/pull/140). | |
# When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI. | |
# See https://github.com/NixOS/nixpkgs-vet for details on the tool and its checks. | |
name: Vet nixpkgs | |
on: | |
# Using pull_request_target instead of pull_request avoids having to approve first time contributors. | |
pull_request_target: | |
# This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`. | |
# Instead it causes an `edited` event, so we need to add it explicitly here. | |
# While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem. | |
# There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058 | |
types: [opened, synchronize, reopened, edited] | |
permissions: {} | |
# We don't use a concurrency group here, because the action is triggered quite often (due to the PR edit trigger), and contributors would get notified on any canceled run. | |
# There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015 | |
jobs: | |
get-merge-commit: | |
uses: ./.github/workflows/get-merge-commit.yml | |
check: | |
name: nixpkgs-vet | |
# This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases. | |
runs-on: ubuntu-latest | |
# This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long. | |
timeout-minutes: 10 | |
needs: get-merge-commit | |
if: needs.get-merge-commit.outputs.mergedSha | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
# pull_request_target checks out the base branch by default | |
ref: ${{ needs.get-merge-commit.outputs.mergedSha }} | |
# Fetches the merge commit and its parents | |
fetch-depth: 2 | |
- name: Checking out base branch | |
run: | | |
base=$(mktemp -d) | |
git worktree add "$base" "$(git rev-parse HEAD^1)" | |
echo "base=$base" >> "$GITHUB_ENV" | |
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 | |
- name: Fetching the pinned tool | |
# Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh | |
run: | | |
# The pinned version of the tooling to use. | |
toolVersion=$(<ci/nixpkgs-vet/pinned-version.txt) | |
# Fetch the x86_64-linux-specific release artifact containing the gzipped NAR of the pre-built tool. | |
toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-vet/releases/download/"$toolVersion"/x86_64-linux.nar.gz \ | |
| gzip -cd | nix-store --import | tail -1) | |
# Adds a result symlink as a GC root. | |
nix-store --realise "$toolPath" --add-root result | |
- name: Running nixpkgs-vet | |
env: | |
# Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/ | |
CLICOLOR_FORCE: 1 | |
run: | | |
if result/bin/nixpkgs-vet --base "$base" .; then | |
exit 0 | |
else | |
exitCode=$? | |
echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git" | |
echo "If you're having trouble, ping @NixOS/nixpkgs-vet" | |
exit "$exitCode" | |
fi |