Diffstat (limited to '.github/workflows')
-rw-r--r-- | .github/workflows/backport.yml | 23 | ||||
-rw-r--r-- | .github/workflows/direct-push.yml | 29 | ||||
-rw-r--r-- | .github/workflows/editorconfig.yml | 29 | ||||
-rw-r--r-- | .github/workflows/labels.yml | 19 | ||||
-rw-r--r-- | .github/workflows/manual-nixos.yml | 7 | ||||
-rw-r--r-- | .github/workflows/manual-nixpkgs.yml | 7 | ||||
-rw-r--r-- | .github/workflows/merge-staging.yml | 6 | ||||
-rw-r--r-- | .github/workflows/nixos-manual.yml | 21 | ||||
-rw-r--r-- | .github/workflows/rebase.yml | 2 |
9 files changed, 126 insertions, 17 deletions
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
new file mode 100644
index 00000000000..766b5aa831a
--- /dev/null
+++ b/.github/workflows/backport.yml
@@ -0,0 +1,23 @@
+name: Backport
+on:
+ pull_request_target:
+ types: [closed, labeled]
+jobs:
+ backport:
+ name: Backport Pull Request
+ if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ # required to find all branches
+ fetch-depth: 0
+ ref: ${{ github.event.pull_request.head.sha }}
+ - name: Create backport PRs
+ # should be kept in sync with `version`
+ uses: zeebe-io/backport-action@9b8949dcd4295d364b0939f07d0c7593598d26cd
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ github_workspace: ${{ github.workspace }}
+ # should be kept in sync with `uses`
+ version: 9b8949dcd4295d364b0939f07d0c7593598d26cd
diff --git a/.github/workflows/direct-push.yml b/.github/workflows/direct-push.yml
new file mode 100644
index 00000000000..6177004295f
--- /dev/null
+++ b/.github/workflows/direct-push.yml
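Review bot: The new backport.yml runs on `pull_request_target` and passes `secrets.GITHUB_TOKEN` to a third-party action, but it declares no `permissions:` block, so the token's scope falls back to whatever the repository default is. labels.yml in this same commit scopes its token explicitly; a top-level `permissions:` with `contents: write` and `pull-requests: write` would document and cap what this job can do (those two scopes are my assumption of what creating backport branches and PRs needs, so confirm against the action's documentation). direct-push.yml is also added without a `permissions:` block.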
@@ -0,0 +1,29 @@
+name: "Direct Push Warning"
+on:
+ push:
+ branches:
+ - master
+ - release-**
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ if: github.repository_owner == 'NixOS'
+ env:
+ GITHUB_SHA: ${{ github.sha }}
+ GITHUB_REPOSITORY: ${{ github.repository }}
+ steps:
+ - name: Check if commit is a merge commit
+ id: ismerge
+ run: |
+ ISMERGE=$(curl -H 'Accept: application/vnd.github.groot-preview+json' -H "authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/${{ env.GITHUB_REPOSITORY }}/commits/${{ env.GITHUB_SHA }}/pulls | jq -r '.[] | select(.merge_commit_sha == "${{ env.GITHUB_SHA }}") | any')
+ echo "::set-output name=ismerge::$ISMERGE"
+ - name: Warn if the commit was a direct push
+ if: steps.ismerge.outputs.ismerge != 'true'
+ uses: peter-evans/commit-comment@v1
+ with:
+ body: |
+ @${{ github.actor }}, you pushed a commit directly to master/release branch
+ instead of going through a Pull Request.
+
+ That's highly discouraged beyond the few exceptions listed
+ on https://github.com/NixOS/nixpkgs/issues/118661
diff --git a/.github/workflows/editorconfig.yml b/.github/workflows/editorconfig.yml
index 270728a61c6..4960e9fd3d2 100644
--- a/.github/workflows/editorconfig.yml
+++ b/.github/workflows/editorconfig.yml
@@ -1,7 +1,10 @@ name: "Checking EditorConfig" +permissions: read-all + on: - pull_request: + # avoids approving first time contributors + pull_request_target: branches-ignore: - 'release-**'
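Review bot: The `run:` script of the "Check if commit is a merge commit" step in direct-push.yml expands `${{ secrets.GITHUB_TOKEN }}` straight into the shell text and calls `curl` without `-f`, so a failed or rate-limited API call appears to leave `ISMERGE` empty, and the next step then posts the direct-push warning on a commit that did go through a pull request. Passing the token through the step's `env:` (for example `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`), starting the script with `set -o pipefail`, and calling `curl -sSf -H "authorization: Bearer $GH_TOKEN"` keeps the secret out of the rendered script and makes the step fail instead of mis-reporting. The job already exports `GITHUB_SHA` and `GITHUB_REPOSITORY` through `env:`, so the script can read `$GITHUB_SHA` and `$GITHUB_REPOSITORY` as shell variables rather than through `${{ env.… }}` expansion.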
@@ -21,17 +24,23 @@ jobs: >> $GITHUB_ENV echo 'EOF' >> $GITHUB_ENV - uses: actions/checkout@v2 + with: + # pull_request_target checks out the base branch by default + ref: refs/pull/${{ github.event.pull_request.number }}/merge if: env.PR_DIFF - - name: Fetch editorconfig-checker + - uses: cachix/install-nix-action@v13 + if: env.PR_DIFF + with: + # nixpkgs commit is pinned so that it doesn't break + nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/f93ecc4f6bc60414d8b73dbdf615ceb6a2c604df.tar.gz + - name: install editorconfig-checker + run: nix-env -iA editorconfig-checker -f '<nixpkgs>' if: env.PR_DIFF - env: - ECC_VERSION: "2.3.1" - ECC_URL: "https://github.com/editorconfig-checker/editorconfig-checker/releases/download" - run: | - curl -sSf -O -L -C - "$ECC_URL/$ECC_VERSION/ec-linux-amd64.tar.gz" && \ - tar xzf ec-linux-amd64.tar.gz && \ - mv ./bin/ec-linux-amd64 ./bin/editorconfig-checker - name: Checking EditorConfig if: env.PR_DIFF run: | - echo "$PR_DIFF" | xargs ./bin/editorconfig-checker -disable-indent-size + echo "$PR_DIFF" | xargs editorconfig-checker -disable-indent-size + - if: ${{ failure() }} + run: | + echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again." +
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
new file mode 100644
index 00000000000..4d1e2a2a0f9
--- /dev/null
+++ b/.github/workflows/labels.yml
@@ -0,0 +1,19 @@
+name: "Label PR"
+
+on:
+ pull_request_target:
+ types: [edited, opened, synchronize, reopened]
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ labels:
+ runs-on: ubuntu-latest
+ if: github.repository_owner == 'NixOS'
+ steps:
+ - uses: actions/labeler@v3
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ sync-labels: true
diff --git a/.github/workflows/manual-nixos.yml b/.github/workflows/manual-nixos.yml
index a75e8402930..032a456569d 100644
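Review bot: The `ref: refs/pull/${{ github.event.pull_request.number }}/merge` added to the checkout step of editorconfig.yml brings contributor-controlled files into a `pull_request_target` run, which executes in the base repository's context, and `actions/checkout` by default leaves the job token in the workspace's git config. `permissions: read-all` from the first hunk limits that token, but adding `persist-credentials: false` under the same `with:` removes it from the workspace altogether, and a comment such as `# untrusted PR content: never execute anything from this checkout` would record the constraint for later editors. The last step feeds `$PR_DIFF` file names to `xargs editorconfig-checker`; how `PR_DIFF` is built lies above this hunk, so confirm that names containing spaces or starting with `-` are handled. manual-nixos.yml and manual-nixpkgs.yml carry the same checkout as context lines and would take the same `persist-credentials: false`.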
--- a/.github/workflows/manual-nixos.yml
+++ b/.github/workflows/manual-nixos.yml
@@ -1,5 +1,7 @@ name: "Build NixOS manual" +permissions: read-all + on: pull_request_target: branches:
@@ -10,16 +12,17 @@ on: jobs: nixos: runs-on: ubuntu-latest + if: github.repository_owner == 'NixOS' steps: - uses: actions/checkout@v2 with: # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge - - uses: cachix/install-nix-action@v12 + - uses: cachix/install-nix-action@v13 with: # explicitly enable sandbox extra_nix_config: sandbox = true - - uses: cachix/cachix-action@v8 + - uses: cachix/cachix-action@v9 with: # This cache is for the nixos/nixpkgs manual builds and should not be trusted or used elsewhere. name: nixpkgs-ci
diff --git a/.github/workflows/manual-nixpkgs.yml b/.github/workflows/manual-nixpkgs.yml
index 7596719d9b5..77655c494e0 100644
--- a/.github/workflows/manual-nixpkgs.yml
+++ b/.github/workflows/manual-nixpkgs.yml
@@ -1,5 +1,7 @@ name: "Build Nixpkgs manual" +permissions: read-all + on: pull_request_target: branches:
@@ -10,16 +12,17 @@ on: jobs: nixpkgs: runs-on: ubuntu-latest + if: github.repository_owner == 'NixOS' steps: - uses: actions/checkout@v2 with: # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge - - uses: cachix/install-nix-action@v12 + - uses: cachix/install-nix-action@v13 with: # explicitly enable sandbox extra_nix_config: sandbox = true - - uses: cachix/cachix-action@v8 + - uses: cachix/cachix-action@v9 with: # This cache is for the nixos/nixpkgs manual builds and should not be trusted or used elsewhere. name: nixpkgs-ci
diff --git a/.github/workflows/merge-staging.yml b/.github/workflows/merge-staging.yml
index 1aadef16328..e499630a083 100644
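Review bot: `cachix/install-nix-action@v13` and `cachix/cachix-action@v9` in the second hunk of manual-nixos.yml are movable tags inside a `pull_request_target` workflow, whereas backport.yml in this commit pins its third-party action to a full commit SHA. Pinning these the same way, e.g. `- uses: cachix/cachix-action@<full-commit-sha>  # v9`, keeps a retagged release from changing what runs next to the cache configuration. The rest of the `cachix-action` step lies below the hunk, so whether a signing key or auth token is passed there cannot be seen from here. The same two lines appear in manual-nixpkgs.yml.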
@@ -8,12 +8,13 @@ on: jobs: sync-branch: - if: github.repository == 'NixOS/nixpkgs' + if: github.repository_owner == 'NixOS' runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Merge master into staging-next + id: staging_next uses: devmasx/merge-branch@v1.3.1 with: type: now
@@ -22,6 +23,7 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} - name: Merge staging-next into staging + id: staging uses: devmasx/merge-branch@v1.3.1 with: type: now
@@ -35,5 +37,5 @@ jobs: with: issue-number: 105153 body: | - An automatic merge [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}). + An automatic merge${{ (steps.staging_next.outcome == 'failure' && ' from master to staging-next') || ((steps.staging.outcome == 'failure' && ' from staging-next to staging') || '') }} [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
diff --git a/.github/workflows/nixos-manual.yml b/.github/workflows/nixos-manual.yml
new file mode 100644
index 00000000000..80ffc9c12be
--- /dev/null
+++ b/.github/workflows/nixos-manual.yml
@@ -0,0 +1,21 @@
+name: NixOS manual checks
+
+on:
+ pull_request:
+ branches-ignore:
+ - 'release-**'
+ paths:
+ - 'nixos/**/*.xml'
+ - 'nixos/**/*.md'
+
+jobs:
+ tests:
+ runs-on: ubuntu-latest
+ if: github.repository_owner == 'NixOS'
+ steps:
+ - uses: actions/checkout@v2
+ - uses: cachix/install-nix-action@v12
+ - name: Check DocBook files generated from Markdown are consistent
+ run: |
+ nixos/doc/manual/md-to-db.sh
+ git diff --exit-code
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
index 50d066dd754..47e8f4e4e42 100644
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
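Review bot: The new nixos-manual.yml uses `cachix/install-nix-action@v12` while this same commit moves manual-nixos.yml and manual-nixpkgs.yml to `@v13`; unless the older version is deliberate, the line should read `- uses: cachix/install-nix-action@v13`. Because this workflow is on plain `pull_request`, running `nixos/doc/manual/md-to-db.sh` from the PR checkout is reasonable. A comment above the `run:` step such as `# runs a script from the PR: keep this workflow on pull_request, not pull_request_target` would stop a later trigger change from turning it into a privileged run of contributor code.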
@@ -41,7 +41,7 @@ jobs: - name: check branch env: PERMANENT_BRANCHES: "haskell-updates|master|nixos|nixpkgs|python-unstable|release|staging" - VALID_BRANCHES: "haskell-updates|master|python-unstable|release-20.09|staging|staging-20.09|staging-next" + VALID_BRANCHES: "haskell-updates|master|python-unstable|release-20.09|release-21.05|staging|staging-20.09|staging-21.05|staging-next|staging-next-21.05" run: | message() { cat <<EOF |