Diffstat (limited to '.github')
-rw-r--r--.github/CODEOWNERS40
-rw-r--r--.github/ISSUE_TEMPLATE/unreproducible_package.md72
-rw-r--r--.github/PULL_REQUEST_TEMPLATE.md4
-rw-r--r--.github/labeler.yml5
-rw-r--r--.github/workflows/backport.yml2
-rw-r--r--.github/workflows/check-by-name.yml123
6 files changed, 214 insertions, 32 deletions
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index ea2da0a5fe1..3c300d00c6b 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -11,9 +11,6 @@
 # This also holds true for GitHub teams. Since almost none of our teams have write
 # permissions, you need to list all members of the team with commit access individually.
 
-# This file
-/.github/CODEOWNERS @edolstra
-
 # GitHub actions
 /.github/workflows @NixOS/Security @Mic92 @zowoq
 /.github/workflows/merge-staging @FRidh
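Review bot: Dropping the `/.github/CODEOWNERS @edolstra` entry at L23–L24 leaves no visible pattern covering the ownership file itself, so edits that reassign who reviews security-sensitive paths (for instance the `/.github/workflows` line kept at L27) would no longer auto-request any reviewer — unless a catch-all pattern outside this hunk matches, which nothing shown here establishes. If the goal was only to remove one maintainer, keep the entry and give it to the people who already own the workflows, `/.github/CODEOWNERS @NixOS/Security @Mic92 @zowoq`, or to whoever takes over the `/lib` entries in the next hunk. CODEOWNERS only requests reviews; whether branch protection also requires a code-owner approval for this path is not visible here and is worth confirming.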
@@ -22,12 +19,12 @@
 /.editorconfig @Mic92 @zowoq
 
 # Libraries
-/lib                        @edolstra @infinisil
+/lib                        @infinisil
 /lib/systems                @alyssais @ericson2314 @amjoseph-nixpkgs
-/lib/generators.nix         @edolstra @Profpatsch
-/lib/cli.nix                @edolstra @Profpatsch
-/lib/debug.nix              @edolstra @Profpatsch
-/lib/asserts.nix            @edolstra @Profpatsch
+/lib/generators.nix         @infinisil @Profpatsch
+/lib/cli.nix                @infinisil @Profpatsch
+/lib/debug.nix              @infinisil @Profpatsch
+/lib/asserts.nix            @infinisil @Profpatsch
 /lib/path.*                 @infinisil @fricklerhandwerk
 /lib/fileset                @infinisil
 /doc/functions/fileset.section.md @infinisil
@@ -48,18 +45,20 @@
 /pkgs/build-support/setup-hooks/auto-patchelf.sh @layus
 /pkgs/build-support/setup-hooks/auto-patchelf.py @layus
 /pkgs/pkgs-lib                                   @infinisil
+## Format generators/serializers
+/pkgs/pkgs-lib/formats/libconfig                 @ckiee
 
 # pkgs/by-name
 /pkgs/test/nixpkgs-check-by-name @infinisil
 /pkgs/by-name/README.md @infinisil
 /pkgs/top-level/by-name-overlay.nix @infinisil
-/.github/workflows/check-by-name.nix @infinisil
+/.github/workflows/check-by-name.yml @infinisil
 
 # Nixpkgs build-support
 /pkgs/build-support/writers @lassulus @Profpatsch
 
 # Nixpkgs make-disk-image
-/doc/builders/images/makediskimage.section.md  @raitobezarius
+/doc/build-helpers/images/makediskimage.section.md  @raitobezarius
 /nixos/lib/make-disk-image.nix                 @raitobezarius
 
 # Nixpkgs documentation
@@ -116,17 +115,16 @@
 /maintainers/scripts/update-python-libraries	              @FRidh
 /pkgs/development/interpreters/python                       @FRidh
 /doc/languages-frameworks/python.section.md                 @FRidh @mweinelt
-/pkgs/development/tools/poetry2nix                          @adisbladis
 /pkgs/development/interpreters/python/hooks                 @FRidh @jonringer
 
 # Haskell
-/doc/languages-frameworks/haskell.section.md  @cdepillabout @sternenseemann @maralorn
-/maintainers/scripts/haskell                  @cdepillabout @sternenseemann @maralorn
-/pkgs/development/compilers/ghc               @cdepillabout @sternenseemann @maralorn
-/pkgs/development/haskell-modules             @cdepillabout @sternenseemann @maralorn
-/pkgs/test/haskell                            @cdepillabout @sternenseemann @maralorn
-/pkgs/top-level/release-haskell.nix           @cdepillabout @sternenseemann @maralorn
-/pkgs/top-level/haskell-packages.nix          @cdepillabout @sternenseemann @maralorn
+/doc/languages-frameworks/haskell.section.md  @cdepillabout @sternenseemann @maralorn @ncfavier
+/maintainers/scripts/haskell                  @cdepillabout @sternenseemann @maralorn @ncfavier
+/pkgs/development/compilers/ghc               @cdepillabout @sternenseemann @maralorn @ncfavier
+/pkgs/development/haskell-modules             @cdepillabout @sternenseemann @maralorn @ncfavier
+/pkgs/test/haskell                            @cdepillabout @sternenseemann @maralorn @ncfavier
+/pkgs/top-level/release-haskell.nix           @cdepillabout @sternenseemann @maralorn @ncfavier
+/pkgs/top-level/haskell-packages.nix          @cdepillabout @sternenseemann @maralorn @ncfavier
 
 # Perl
 /pkgs/development/interpreters/perl @stigtsp @zakame @dasJ
@@ -149,6 +147,8 @@
 # C compilers
 /pkgs/development/compilers/gcc @amjoseph-nixpkgs
 /pkgs/development/compilers/llvm @RaitoBezarius
+/pkgs/development/compilers/emscripten @raitobezarius
+/doc/languages-frameworks/emscripten.section.md @raitobezarius
 
 # Audio
 /nixos/modules/services/audio/botamusique.nix @mweinelt
@@ -216,7 +216,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /nixos/tests/knot.nix @mweinelt
 
 # Web servers
-/doc/builders/packages/nginx.section.md @raitobezarius
+/doc/packages/nginx.section.md @raitobezarius
 /pkgs/servers/http/nginx/ @raitobezarius
 /nixos/modules/services/web-servers/nginx/ @raitobezarius
 
@@ -269,7 +269,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 # Docker tools
 /pkgs/build-support/docker                   @roberth
 /nixos/tests/docker-tools*                   @roberth
-/doc/builders/images/dockertools.section.md  @roberth
+/doc/build-helpers/images/dockertools.section.md  @roberth
 
 # Blockchains
 /pkgs/applications/blockchains  @mmahut @RaghavSood
diff --git a/.github/ISSUE_TEMPLATE/unreproducible_package.md b/.github/ISSUE_TEMPLATE/unreproducible_package.md
index a868c26ca54..8046e809a21 100644
--- a/.github/ISSUE_TEMPLATE/unreproducible_package.md
+++ b/.github/ISSUE_TEMPLATE/unreproducible_package.md
@@ -7,25 +7,81 @@ assignees: ''
 
 ---
 
-Building this package twice does not produce the bit-by-bit identical result each time, making it harder to detect CI breaches. You can read more about this at https://reproducible-builds.org/ .
+<!--
+Hello dear reporter,
 
-Fixing bit-by-bit reproducibility also has additional advantages, such as avoiding hard-to-reproduce bugs, making content-addressed storage more effective and reducing rebuilds in such systems.
+Thank you for bringing attention to this issue. Your insights are valuable to
+us, and we appreciate the time you took to document the problem.
+
+I wanted to kindly point out that in this issue template, it would be beneficial
+to replace the placeholder `<package>` with the actual, canonical name of the
+package you're reporting the issue for. Doing so will provide better context and
+facilitate quicker troubleshooting for anyone who reads this issue in the
+future.
+
+Best regards
+-->
+
+Building this package multiple times does not yield bit-by-bit identical
+results, complicating the detection of Continuous Integration (CI) breaches. For
+more information on this issue, visit
+[reproducible-builds.org](https://reproducible-builds.org/).
+
+Fixing bit-by-bit reproducibility also has additional advantages, such as
+avoiding hard-to-reproduce bugs, making content-addressed storage more effective
+and reducing rebuilds in such systems.
 
 ### Steps To Reproduce
 
+In the following steps, replace `<package>` with the canonical name of the
+package.
+
+#### 1. Build the package
+
+This step will build the package. Specific arguments are passed to the command
+to keep the build artifacts so we can compare them in case of differences.
+
+Execute the following command:
+
 ```
-nix-build '<nixpkgs>' -A ... --check --keep-failed
+nix-build '<nixpkgs>' -A <package> && nix-build '<nixpkgs>' -A <package> --check --keep-failed
 ```
 
-You can use `diffoscope` to analyze the differences in the output of the two builds.
+Or using the new command line style:
+
+```
+nix build nixpkgs#<package> && nix build nixpkgs#<package> --rebuild --keep-failed
+```
+
+#### 2. Compare the build artifacts
+
+If the previous command completes successfully, no differences were found and
+there's nothing to do, builds are reproducible.
+If it terminates with the error message `error: derivation '<X>' may not be
+deterministic: output '<Y>' differs from '<Z>'`, use `diffoscope` to investigate
+the discrepancies between the two build outputs. You may need to add the
+`--exclude-directory-metadata recursive` option to ignore files and directories
+metadata (*e.g. timestamp*) differences.
+
+```
+nix run nixpkgs#diffoscopeMinimal -- --exclude-directory-metadata recursive <Y> <Z>
+```
+
+#### 3. Examine the build log
+
+To examine the build log, use:
+
+```
+nix-store --read-log $(nix-instantiate '<nixpkgs>' -A <package>)
+```
 
-To view the build log of the build that produced the artifact in the binary cache:
+Or with the new command line style:
 
 ```
-nix-store --read-log $(nix-instantiate '<nixpkgs>' -A ...)
+nix log $(nix path-info --derivation nixpkgs#<package>)
 ```
 
 ### Additional context
 
-(please share the relevant fragment of the diffoscope output here,
-and any additional analysis you may have done)
+(please share the relevant fragment of the diffoscope output here, and any
+additional analysis you may have done)
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 4517080bb30..a7d8a178656 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -14,7 +14,9 @@ For new packages please briefly describe the package or provide a link to its ho
   - [ ] aarch64-linux
   - [ ] x86_64-darwin
   - [ ] aarch64-darwin
-- [ ] For non-Linux: Is `sandbox = true` set in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html))
+- For non-Linux: Is sandboxing enabled in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html))
+  - [ ] `sandbox = relaxed`
+  - [ ] `sandbox = true`
 - [ ] Tested, as applicable:
   - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
   - and/or [package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests)
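Review bot: The new `sandbox = relaxed` checkbox at L226 is presented as an equal alternative to `sandbox = true`, but the template gives the contributor no hint of what it gives up: as the linked Nix manual describes, `relaxed` lets derivations that set `__noChroot` build outside the sandbox, so a package that only builds in relaxed mode may depend on impurities the `true` setting would catch. A short parenthetical on that line, `- [ ] sandbox = relaxed (derivations setting __noChroot run unsandboxed; prefer true where possible)`, lets reviewers weigh a ticked box accordingly.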
diff --git a/.github/labeler.yml b/.github/labeler.yml
index c05c496cb10..58226031227 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -37,6 +37,11 @@
 "6.topic: fetch":
   - pkgs/build-support/fetch*/**/*
 
+"6.topic: flakes":
+  - '**/flake.nix'
+  - lib/systems/flake-systems.nix
+  - nixos/modules/config/nix-flakes.nix
+
 "6.topic: GNOME":
   - doc/languages-frameworks/gnome.section.md
   - nixos/modules/services/desktops/gnome/**/*
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index d174203238c..9343e29d596 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -24,7 +24,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Create backport PRs
-        uses: korthout/backport-action@v1.3.1
+        uses: korthout/backport-action@v2.1.1
         with:
           # Config README: https://github.com/korthout/backport-action#backport-action
           copy_labels_pattern: 'severity:\ssecurity'
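Review bot: `uses: korthout/backport-action@v2.1.1` at L256 pins a third-party action to a mutable tag; this job checks out the PR head (L253) and, by its purpose, opens pull requests with a write-capable token (its `permissions:` block and trigger are outside the hunk), so a retagged or compromised release would run with that credential. Pin the full commit SHA and keep the version in a trailing comment, `uses: korthout/backport-action@<commit-sha> # v2.1.1`, which keeps automated bumps working while making the executed code immutable. A v1→v2 major bump may also have changed inputs; only `copy_labels_pattern` is visible here, so the rest of the `with:` block should be re-checked against the v2 README linked at L258.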
diff --git a/.github/workflows/check-by-name.yml b/.github/workflows/check-by-name.yml
index 7a3598dbe2a..c6cd142bfa6 100644
--- a/.github/workflows/check-by-name.yml
+++ b/.github/workflows/check-by-name.yml
@@ -17,10 +17,50 @@ jobs:
     # as specified in nixos/release-combined.nix
     runs-on: ubuntu-latest
     steps:
+      - name: Resolving the merge commit
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          # This checks for mergeability of a pull request as recommended in
+          # https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests
+          while true; do
+            echo "Checking whether the pull request can be merged"
+            prInfo=$(gh api \
+              -H "Accept: application/vnd.github+json" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              /repos/"$GITHUB_REPOSITORY"/pulls/${{ github.event.pull_request.number }})
+            mergeable=$(jq -r .mergeable <<< "$prInfo")
+            mergedSha=$(jq -r .merge_commit_sha <<< "$prInfo")
+
+            if [[ "$mergeable" == "null" ]]; then
+              # null indicates that GitHub is still computing whether it's mergeable
+              # Wait a couple seconds before trying again
+              echo "GitHub is still computing whether this PR can be merged, waiting 5 seconds before trying again"
+              sleep 5
+            else
+              break
+            fi
+          done
+
+          if [[ "$mergeable" == "true" ]]; then
+            echo "The PR can be merged, checking the merge commit $mergedSha"
+          else
+            echo "The PR cannot be merged, it has a merge conflict"
+            exit 1
+          fi
+          echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
       - uses: actions/checkout@v4
         with:
           # pull_request_target checks out the base branch by default
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+          ref: ${{ env.mergedSha }}
+          # Fetches the merge commit and its parents
+          fetch-depth: 2
+      - name: Determining PR git hashes
+        run: |
+          # For pull_request_target this is the same as $GITHUB_SHA
+          echo "baseSha=$(git rev-parse HEAD^1)" >> "$GITHUB_ENV"
+
+          echo "headSha=$(git rev-parse HEAD^2)" >> "$GITHUB_ENV"
       - uses: cachix/install-nix-action@v23
       - name: Determining channel to use for dependencies
         run: |
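Review bot: The `while true` loop at L274 has no upper bound, so if the API keeps answering `mergeable: null` (GitHub's mergeability computation can stall, and rate limiting yields the same shape) the step sleeps in 5-second increments until the job's global timeout instead of failing with a clear message; cap the attempts and exit explicitly once the cap is hit, as below. Also note that the resolved `$mergedSha` is later checked out under `pull_request_target` (comment at L302), i.e. a tree the PR author controls: evaluating it with the tool built from the channel at L318 is fine, but nothing from that checkout should ever be executed directly. The job's `permissions:` block and trigger are outside this hunk, so the token's blast radius cannot be judged here.
```yaml
          # … unchanged: env GH_TOKEN, step name …
          maxAttempts=24
          for (( attempt = 1; attempt <= maxAttempts; attempt++ )); do
            echo "Checking whether the pull request can be merged (attempt $attempt/$maxAttempts)"
            # … unchanged: gh api call, jq extraction of mergeable / mergedSha …
            # null means GitHub is still computing mergeability
            if [[ "$mergeable" != "null" ]]; then
              break
            fi
            echo "GitHub is still computing whether this PR can be merged, waiting 5 seconds before trying again"
            sleep 5
          done
          if [[ "$mergeable" == "null" ]]; then
            echo "GitHub did not report mergeability after $maxAttempts attempts, giving up"
            exit 1
          fi
          # … unchanged: mergeable == true check and mergedSha export …
```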
@@ -51,4 +91,83 @@ jobs:
           # Passing --max-jobs 0 makes sure that we won't build anything
           nix-build "$nixpkgs" -A tests.nixpkgs-check-by-name --max-jobs 0
       - name: Running nixpkgs-check-by-name
-        run: result/bin/nixpkgs-check-by-name .
+        run: |
+          echo "Checking whether the check succeeds on the base branch $GITHUB_BASE_REF"
+          git checkout -q "$baseSha"
+          if baseOutput=$(result/bin/nixpkgs-check-by-name . 2>&1); then
+            baseSuccess=1
+          else
+            baseSuccess=
+          fi
+          printf "%s\n" "$baseOutput"
+
+          echo "Checking whether the check would succeed after merging this pull request"
+          git checkout -q "$mergedSha"
+          if mergedOutput=$(result/bin/nixpkgs-check-by-name . 2>&1); then
+            mergedSuccess=1
+            exitCode=0
+          else
+            mergedSuccess=
+            exitCode=1
+          fi
+          printf "%s\n" "$mergedOutput"
+
+          resultToEmoji() {
+            if [[ -n "$1" ]]; then
+              echo ":heavy_check_mark:"
+            else
+              echo ":x:"
+            fi
+          }
+
+          # Print a markdown summary in GitHub actions
+          {
+            echo "| Nixpkgs version | Check result |"
+            echo "| --- | --- |"
+            echo "| Latest base commit | $(resultToEmoji "$baseSuccess") |"
+            echo "| After merging this PR | $(resultToEmoji "$mergedSuccess") |"
+            echo ""
+
+            if [[ -n "$baseSuccess" ]]; then
+              if [[ -n "$mergedSuccess" ]]; then
+                echo "The check succeeds on both the base branch and after merging this PR"
+              else
+                echo "The check succeeds on the base branch, but would fail after merging this PR:"
+                echo "\`\`\`"
+                echo "$mergedOutput"
+                echo "\`\`\`"
+                echo ""
+              fi
+            else
+              if [[ -n "$mergedSuccess" ]]; then
+                echo "The check fails on the base branch, but this PR fixes it, nicely done!"
+              else
+                echo "The check fails on both the base branch and after merging this PR, unknown if only this PRs changes would satisfy the check, the base branch needs to be fixed first."
+                echo ""
+                echo "Failure on the base branch:"
+                echo "\`\`\`"
+                echo "$baseOutput"
+                echo "\`\`\`"
+                echo ""
+                echo "Failure after merging this PR:"
+                echo "\`\`\`"
+                echo "$mergedOutput"
+                echo "\`\`\`"
+                echo ""
+              fi
+            fi
+
+            echo "### Details"
+            echo "- nixpkgs-check-by-name tool:"
+            echo "  - Channel: $channel"
+            echo "  - Nixpkgs commit: [$rev](https://github.com/${GITHUB_REPOSITORY}/commit/$rev)"
+            echo "  - Store path: \`$(realpath result)\`"
+            echo "- Tested Nixpkgs:"
+            echo "  - Base branch: $GITHUB_BASE_REF"
+            echo "  - Latest base branch commit: [$baseSha](https://github.com/${GITHUB_REPOSITORY}/commit/$baseSha)"
+            echo "  - Latest PR commit: [$headSha](https://github.com/${GITHUB_REPOSITORY}/commit/$headSha)"
+            echo "  - Merge commit: [$mergedSha](https://github.com/${GITHUB_REPOSITORY}/commit/$mergedSha)"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          exit "$exitCode"
+
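Review bot: `$mergedOutput` and `$baseOutput` are echoed verbatim between three-backtick fences in the step summary (L363–L365, L375–L382), and because this workflow runs under `pull_request_target` (L302) that output — which presumably includes file paths and messages taken from the PR's tree — is influenced by the PR author, so a line containing three backticks closes the fence early and lets the PR inject arbitrary markdown (links, images, a misleading "check passed" line) into the summary reviewers read. Wrap each output in a fence longer than any backtick run it contains, as in the helper below, and call it in place of the three pairs of fence echoes. The `$channel` and `$rev` values printed at L389–L390 are set by a step outside this hunk.
```yaml
          # … unchanged: base/merged runs, resultToEmoji …

          # Emit $1 inside a code fence longer than any backtick run it
          # contains, so PR-controlled output cannot close the fence early
          # and inject markdown into the step summary
          fenced() {
            local fence longest
            fence=$(printf '%s' '`' '`' '`')
            longest=$(awk '{ while (match($0, /`+/)) { if (RLENGTH > n) n = RLENGTH; $0 = substr($0, RSTART + RLENGTH) } } END { print n + 0 }' <<< "$1")
            while (( ${#fence} <= longest )); do fence+='`'; done
            printf '%s\n%s\n%s\n' "$fence" "$1" "$fence"
          }

          {
            # … unchanged: table header and rows …
                echo "The check succeeds on the base branch, but would fail after merging this PR:"
                fenced "$mergedOutput"
                echo ""
            # … unchanged: remaining branches, with fenced "$baseOutput" / fenced "$mergedOutput" replacing the echoed fence pairs …
```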