Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/backport.yml35
-rw-r--r--.github/workflows/basic-eval.yml25
-rw-r--r--.github/workflows/direct-push.yml32
-rw-r--r--.github/workflows/editorconfig.yml43
-rw-r--r--.github/workflows/labels.yml24
-rw-r--r--.github/workflows/manual-nixos.yml31
-rw-r--r--.github/workflows/manual-nixpkgs.yml31
-rw-r--r--.github/workflows/nixos-manual.yml26
-rw-r--r--.github/workflows/no-channel.yml21
-rw-r--r--.github/workflows/pending-clear.yml21
-rw-r--r--.github/workflows/pending-set.yml25
-rw-r--r--.github/workflows/periodic-merge-24h.yml57
-rw-r--r--.github/workflows/periodic-merge-6h.yml51
-rw-r--r--.github/workflows/update-terraform-providers.yml47
14 files changed, 469 insertions, 0 deletions
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
new file mode 100644
index 00000000000..4ee5adfaac1
--- /dev/null
+++ b/.github/workflows/backport.yml
@@ -0,0 +1,35 @@
+name: Backport
+on:
+  pull_request_target:
+    types: [closed, labeled]
+
+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows write access to
+# the GitHub repository. This means that it should not evaluate user input in a
+# way that allows code injection.
+
+jobs:
+  backport:
+    name: Backport Pull Request
+    if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # required to find all branches
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Create backport PRs
+        # should be kept in sync with `version`
+        uses: zeebe-io/backport-action@v0.0.5
+        with:
+          # Config README: https://github.com/zeebe-io/backport-action#backport-action
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_workspace: ${{ github.workspace }}
+          # should be kept in sync with `uses`
+          version: v0.0.5
+          pull_description: |-
+            Bot-based backport to `${target_branch}`, triggered by a label in #${pull_number}.
+
+            * [ ] Before merging, ensure that this backport complies with the [Criteria for Backporting](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#criteria-for-backporting-changes).
+              * Even as a non-commiter, if you find that it does not comply, leave a comment.
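Review bot: The label test on the job's `if:` line has its arguments reversed: GitHub's `startsWith(searchString, searchValue)` as written checks whether the literal `'backport'` begins with the label name, so a label such as `backport release-21.11` never matches while a label named `b` would. The intended check is `startsWith(github.event.label.name, 'backport')`. Since this job hands a write-capable `GITHUB_TOKEN` to a third-party action on `pull_request_target`, a top-level `permissions:` block naming what it needs (presumably `contents: write` and `pull-requests: write`) would also make the least-privilege intent explicit instead of relying on the repository default.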
diff --git a/.github/workflows/basic-eval.yml b/.github/workflows/basic-eval.yml
new file mode 100644
index 00000000000..51429ae40be
--- /dev/null
+++ b/.github/workflows/basic-eval.yml
@@ -0,0 +1,25 @@
+name: Basic evaluation checks
+
+on:
+  pull_request:
+    branches:
+     - master
+     - release-**
+  push:
+    branches:
+     - master
+     - release-**
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
+    steps:
+    - uses: actions/checkout@v3
+    - uses: cachix/install-nix-action@v16
+    - uses: cachix/cachix-action@v10
+      with:
+        # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+        name: nixpkgs-ci
+        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+    # explicit list of supportedSystems is needed until aarch64-darwin becomes part of the trunk jobset
+    - run: nix-build pkgs/top-level/release.nix -A tarball.nixpkgs-basic-release-checks --arg supportedSystems '[ "aarch64-darwin" "aarch64-linux" "x86_64-linux" "x86_64-darwin"  ]'
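Review bot: The `branches:` sequences under `pull_request:` and `push:` indent their `- master` / `- release-**` items by one space more than the two-space step used elsewhere in the file (`steps:` items are flush with their key), which yamllint's indentation check reports as inconsistent; `direct-push.yml` in this commit has the same layout. Re-indenting to `    branches:` / `      - master` / `      - release-**` keeps the file consistent with the other workflows here. A top-level `permissions: contents: read` would also document that this job only needs to check out and build, as `editorconfig.yml` does.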
diff --git a/.github/workflows/direct-push.yml b/.github/workflows/direct-push.yml
new file mode 100644
index 00000000000..459475c3c6b
--- /dev/null
+++ b/.github/workflows/direct-push.yml
@@ -0,0 +1,32 @@
+name: "Direct Push Warning"
+on:
+  push:
+    branches:
+     - master
+     - release-**
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
+    env:
+      GITHUB_SHA: ${{ github.sha }}
+      GITHUB_REPOSITORY: ${{ github.repository }}
+    steps:
+    - name: Check if commit is a merge commit
+      id: ismerge
+      run: |
+        ISMERGE=$(curl -H 'Accept: application/vnd.github.groot-preview+json' -H "authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/${{ env.GITHUB_REPOSITORY }}/commits/${{ env.GITHUB_SHA }}/pulls | jq -r '.[] | select(.merge_commit_sha == "${{ env.GITHUB_SHA }}") | any')
+        echo "::set-output name=ismerge::$ISMERGE"
+    # github events are eventually consistent, so wait until changes propagate to thier DB
+    - run: sleep 60
+      if: steps.ismerge.outputs.ismerge != 'true'
+    - name: Warn if the commit was a direct push
+      if: steps.ismerge.outputs.ismerge != 'true'
+      uses: peter-evans/commit-comment@v1
+      with:
+        body: |
+          @${{ github.actor }}, you pushed a commit directly to master/release branch
+          instead of going through a Pull Request.
+
+          That's highly discouraged beyond the few exceptions listed
+          on https://github.com/NixOS/nixpkgs/issues/118661
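Review bot: The `run:` script of the `ismerge` step inlines `${{ secrets.GITHUB_TOKEN }}` into the curl command line; the expression is substituted into the script text before the shell starts, so the token ends up in the generated script rather than only in the process environment. `pending-clear.yml` in the same commit shows the preferred form: put `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under the step's `env:` and reference it as `-H "authorization: Bearer $GITHUB_TOKEN"`; `$GITHUB_REPOSITORY` and `$GITHUB_SHA` are likewise already in the environment, so the script can avoid template expansion entirely. The `::set-output` workflow command is deprecated in favor of appending `ismerge=$ISMERGE` to `$GITHUB_OUTPUT`.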
diff --git a/.github/workflows/editorconfig.yml b/.github/workflows/editorconfig.yml
new file mode 100644
index 00000000000..de49e55ef2a
--- /dev/null
+++ b/.github/workflows/editorconfig.yml
@@ -0,0 +1,43 @@
+name: "Checking EditorConfig"
+
+permissions: read-all
+
+on:
+  # avoids approving first time contributors
+  pull_request_target:
+    branches-ignore:
+      - 'release-**'
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip editorconfig]')"
+    steps:
+    - name: Get list of changed files from PR
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        gh api \
+          repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \
+          | jq '.[] | select(.status != "removed") | .filename' \
+          > "$HOME/changed_files"
+    - name: print list of changed files
+      run: |
+        cat "$HOME/changed_files"
+    - uses: actions/checkout@v3
+      with:
+        # pull_request_target checks out the base branch by default
+        ref: refs/pull/${{ github.event.pull_request.number }}/merge
+    - uses: cachix/install-nix-action@v16
+      with:
+        # nixpkgs commit is pinned so that it doesn't break
+        # editorconfig-checker 2.4.0
+        nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/c473cc8714710179df205b153f4e9fa007107ff9.tar.gz
+    - name: install editorconfig-checker
+      run: nix-env -iA editorconfig-checker -f '<nixpkgs>'
+    - name: Checking EditorConfig
+      run: |
+        cat "$HOME/changed_files" | xargs -r editorconfig-checker -disable-indent-size
+    - if: ${{ failure() }}
+      run: |
+        echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again."
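Review bot: The changed-file list is produced with `jq '.filename'`, i.e. JSON-quoted strings, and then handed to `xargs -r`, which strips the quotes only because xargs does its own quote parsing; a path containing a quote, backslash or whitespace is an edge case this handles by accident. `jq -r '.[] | select(.status != "removed") | .filename'` together with `xargs -r -d '\n' editorconfig-checker -disable-indent-size` passes each path through unchanged. Worth a comment on the last step too: the `.editorconfig` rules presumably come from the PR's own checkout (`refs/pull/N/merge`), so a PR can relax what it is checked against — acceptable under `permissions: read-all`, but the `ref:` comment could state that.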
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
new file mode 100644
index 00000000000..5f949ddc56b
--- /dev/null
+++ b/.github/workflows/labels.yml
@@ -0,0 +1,24 @@
+name: "Label PR"
+
+on:
+  pull_request_target:
+    types: [edited, opened, synchronize, reopened]
+
+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows some write
+# access to the GitHub API. This means that it should not evaluate user input in
+# a way that allows code injection.
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  labels:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
+    steps:
+    - uses: actions/labeler@v4
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        sync-labels: true
diff --git a/.github/workflows/manual-nixos.yml b/.github/workflows/manual-nixos.yml
new file mode 100644
index 00000000000..61a8a217651
--- /dev/null
+++ b/.github/workflows/manual-nixos.yml
@@ -0,0 +1,31 @@
+name: "Build NixOS manual"
+
+permissions: read-all
+
+on:
+  pull_request_target:
+    branches:
+      - master
+    paths:
+      - 'nixos/**'
+
+jobs:
+  nixos:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      - uses: cachix/install-nix-action@v16
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+      - uses: cachix/cachix-action@v10
+        with:
+          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+          name: nixpkgs-ci
+          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+      - name: Building NixOS manual
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux
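Review bot: This job runs under `pull_request_target` with `secrets.CACHIX_SIGNING_KEY` present while evaluating and building the PR's own checkout (`ref: refs/pull/.../merge`, then `nix-build ... nixos/release.nix`); the controls that keep PR-controlled Nix code away from the key are `extra_nix_config: sandbox = true` and `--option restrict-eval true`, and the comment `# explicitly enable sandbox` does not say why they are load-bearing. Suggest expanding it to `# explicitly enable sandbox: this job evaluates PR-controlled code under pull_request_target with a signing secret present, so sandbox and restrict-eval must stay on`. The existing comment that the `nixpkgs-ci` cache must not be trusted is consistent with a PR being able to influence what gets pushed there. `manual-nixpkgs.yml` in this commit has the identical shape and should carry the same comment.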
diff --git a/.github/workflows/manual-nixpkgs.yml b/.github/workflows/manual-nixpkgs.yml
new file mode 100644
index 00000000000..70d9aab6982
--- /dev/null
+++ b/.github/workflows/manual-nixpkgs.yml
@@ -0,0 +1,31 @@
+name: "Build Nixpkgs manual"
+
+permissions: read-all
+
+on:
+  pull_request_target:
+    branches:
+      - master
+    paths:
+      - 'doc/**'
+
+jobs:
+  nixpkgs:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      - uses: cachix/install-nix-action@v16
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+      - uses: cachix/cachix-action@v10
+        with:
+          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+          name: nixpkgs-ci
+          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+      - name: Building Nixpkgs manual
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual
diff --git a/.github/workflows/nixos-manual.yml b/.github/workflows/nixos-manual.yml
new file mode 100644
index 00000000000..bd70f228d46
--- /dev/null
+++ b/.github/workflows/nixos-manual.yml
@@ -0,0 +1,26 @@
+name: NixOS manual checks
+
+permissions: read-all
+
+on:
+  pull_request_target:
+    branches-ignore:
+      - 'release-**'
+    paths:
+      - 'nixos/**/*.xml'
+      - 'nixos/**/*.md'
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        # pull_request_target checks out the base branch by default
+        ref: refs/pull/${{ github.event.pull_request.number }}/merge
+    - uses: cachix/install-nix-action@v16
+    - name: Check DocBook files generated from Markdown are consistent
+      run: |
+        nixos/doc/manual/md-to-db.sh
+        git diff --exit-code
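Review bot: The last step executes `nixos/doc/manual/md-to-db.sh` straight from the PR checkout under `pull_request_target`, so the PR author controls the script that runs; what makes that acceptable is that the file sets `permissions: read-all` and the job holds no other secrets, and that invariant is not written down. Suggest a comment above the step: `# md-to-db.sh comes from the untrusted PR checkout: keep this job at read-all permissions and free of secrets`. The `git diff --exit-code` check itself is fine.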
diff --git a/.github/workflows/no-channel.yml b/.github/workflows/no-channel.yml
new file mode 100644
index 00000000000..fb9a95851f0
--- /dev/null
+++ b/.github/workflows/no-channel.yml
@@ -0,0 +1,21 @@
+name: "No channel PR"
+
+on:
+  pull_request:
+    branches:
+      - 'nixos-**'
+      - 'nixpkgs-**'
+
+jobs:
+  fail:
+    name: "This PR is is targeting a channel branch"
+    runs-on: ubuntu-latest
+    steps:
+    - run: |
+        cat <<EOF
+        The nixos-* and nixpkgs-* branches are pushed to by the channel
+        release script and should not be merged into directly.
+
+        Please target the equivalent release-* branch or master instead.
+        EOF
+        exit 1
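Review bot: The job `name:` reads `This PR is is targeting a channel branch`, a duplicated `is` that will show in the check name on every affected PR; `name: "This PR is targeting a channel branch"`. Since the job only prints a message and exits 1, a top-level `permissions: {}` would document that it needs no token at all.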
diff --git a/.github/workflows/pending-clear.yml b/.github/workflows/pending-clear.yml
new file mode 100644
index 00000000000..d06b1e2143f
--- /dev/null
+++ b/.github/workflows/pending-clear.yml
@@ -0,0 +1,21 @@
+name: "clear pending status"
+
+on:
+  check_suite:
+    types: [ completed ]
+
+jobs:
+  action:
+    runs-on: ubuntu-latest
+    steps:
+    - name: clear pending status
+      if: github.repository_owner == 'NixOS' && github.event.check_suite.app.name == 'OfBorg'
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        curl \
+          -X POST \
+          -H "Accept: application/vnd.github.v3+json" \
+          -H "Authorization: token $GITHUB_TOKEN" \
+          -d '{"state": "success", "target_url": " ", "description": " ", "context": "Wait for ofborg"}' \
+          "https://api.github.com/repos/NixOS/nixpkgs/statuses/${{ github.event.check_suite.head_sha }}"
diff --git a/.github/workflows/pending-set.yml b/.github/workflows/pending-set.yml
new file mode 100644
index 00000000000..b15e4847e67
--- /dev/null
+++ b/.github/workflows/pending-set.yml
@@ -0,0 +1,25 @@
+name: "set pending status"
+
+on:
+  pull_request_target:
+
+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows write access to
+# the GitHub repository. This means that it should not evaluate user input in a
+# way that allows code injection.
+
+jobs:
+  action:
+    runs-on: ubuntu-latest
+    steps:
+    - name: set pending status
+      if: github.repository_owner == 'NixOS'
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        curl \
+          -X POST \
+          -H "Accept: application/vnd.github.v3+json" \
+          -H "Authorization: token $GITHUB_TOKEN" \
+          -d '{"state": "pending", "target_url": " ", "description": "This pending status will be cleared when ofborg starts eval.", "context": "Wait for ofborg"}' \
+          "https://api.github.com/repos/NixOS/nixpkgs/statuses/${{ github.event.pull_request.head.sha }}"
diff --git a/.github/workflows/periodic-merge-24h.yml b/.github/workflows/periodic-merge-24h.yml
new file mode 100644
index 00000000000..5ad0db1db51
--- /dev/null
+++ b/.github/workflows/periodic-merge-24h.yml
@@ -0,0 +1,57 @@
+# This action periodically merges base branches into staging branches.
+# This is done to
+#  * prevent conflicts or rather resolve them early
+#  * make all potential breakage happen on the staging branch
+#  * and make sure that all major rebuilds happen before the staging
+#    branch get’s merged back into its base branch.
+
+name: "Periodic Merges (24h)"
+
+
+on:
+  schedule:
+    # * is a special character in YAML so you have to quote this string
+    # Merge every 24 hours
+    - cron:  '0 0 * * *'
+
+jobs:
+  periodic-merge:
+    if: github.repository_owner == 'NixOS'
+    runs-on: ubuntu-latest
+    strategy:
+      # don't fail fast, so that all pairs are tried
+      fail-fast: false
+      # certain branches need to be merged in order, like master->staging-next->staging
+      # and disabling parallelism ensures the order of the pairs below.
+      max-parallel: 1
+      matrix:
+        pairs:
+          - from: master
+            into: haskell-updates
+          - from: release-21.05
+            into: staging-next-21.05
+          - from: staging-next-21.05
+            into: staging-21.05
+          - from: release-21.11
+            into: staging-next-21.11
+          - from: staging-next-21.11
+            into: staging-21.11
+    name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
+        uses: devmasx/merge-branch@1.4.0
+        with:
+          type: now
+          from_branch: ${{ matrix.pairs.from }}
+          target_branch: ${{ matrix.pairs.into }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Comment on failure
+        uses: peter-evans/create-or-update-comment@v1
+        if: ${{ failure() }}
+        with:
+          issue-number: 105153
+          body: |
+            Periodic merge from `${{ matrix.pairs.from }}` into `${{ matrix.pairs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
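Review bot: `devmasx/merge-branch@1.4.0` and `peter-evans/create-or-update-comment@v1` are referenced by mutable tags while receiving a `GITHUB_TOKEN` that must be able to push to the `staging*` branches; a tag can be moved upstream, so pinning third-party actions to a full commit SHA (with the tag kept in a trailing comment) is the usual supply-chain control for write-capable steps. The same applies to `periodic-merge-6h.yml`, `backport.yml` (`zeebe-io/backport-action@v0.0.5`) and `update-terraform-providers.yml` (`peter-evans/create-pull-request@v3`) in this commit. A top-level `permissions:` block with `contents: write` would also record what the token is used for instead of relying on the repository default.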
diff --git a/.github/workflows/periodic-merge-6h.yml b/.github/workflows/periodic-merge-6h.yml
new file mode 100644
index 00000000000..a8af04b78bc
--- /dev/null
+++ b/.github/workflows/periodic-merge-6h.yml
@@ -0,0 +1,51 @@
+# This action periodically merges base branches into staging branches.
+# This is done to
+#  * prevent conflicts or rather resolve them early
+#  * make all potential breakage happen on the staging branch
+#  * and make sure that all major rebuilds happen before the staging
+#    branch get’s merged back into its base branch.
+
+name: "Periodic Merges (6h)"
+
+
+on:
+  schedule:
+    # * is a special character in YAML so you have to quote this string
+    # Merge every 6 hours
+    - cron:  '0 */6 * * *'
+
+jobs:
+  periodic-merge:
+    if: github.repository_owner == 'NixOS'
+    runs-on: ubuntu-latest
+    strategy:
+      # don't fail fast, so that all pairs are tried
+      fail-fast: false
+      # certain branches need to be merged in order, like master->staging-next->staging
+      # and disabling parallelism ensures the order of the pairs below.
+      max-parallel: 1
+      matrix:
+        pairs:
+          - from: master
+            into: staging-next
+          - from: staging-next
+            into: staging
+    name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
+        uses: devmasx/merge-branch@1.4.0
+        with:
+          type: now
+          from_branch: ${{ matrix.pairs.from }}
+          target_branch: ${{ matrix.pairs.into }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Comment on failure
+        uses: peter-evans/create-or-update-comment@v1
+        if: ${{ failure() }}
+        with:
+          issue-number: 105153
+          body: |
+            Periodic merge from `${{ matrix.pairs.from }}` into `${{ matrix.pairs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
diff --git a/.github/workflows/update-terraform-providers.yml b/.github/workflows/update-terraform-providers.yml
new file mode 100644
index 00000000000..09d208a6216
--- /dev/null
+++ b/.github/workflows/update-terraform-providers.yml
@@ -0,0 +1,47 @@
+name: "Update terraform-providers"
+
+on:
+  schedule:
+    - cron: "14 3 * * 1"
+  workflow_dispatch:
+
+jobs:
+  tf-providers:
+    if: github.repository_owner == 'NixOS' && github.ref == 'refs/heads/master' # ensure workflow_dispatch only runs on master
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: cachix/install-nix-action@v16
+      - name: setup
+        id: setup
+        run: |
+          echo ::set-output name=title::"terraform-providers: update $(date -u +"%Y-%m-%d")"
+      - name: update terraform-providers
+        run: |
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config user.name "github-actions[bot]"
+          pushd pkgs/applications/networking/cluster/terraform-providers
+          ./update-all-providers --no-build
+          git commit -m "${{ steps.setup.outputs.title }}" providers.json
+          popd
+      - name: create PR
+        uses: peter-evans/create-pull-request@v3
+        with:
+          body: |
+            Automatic update of terraform providers.
+
+            Created by [update-terraform-providers](https://github.com/NixOS/nixpkgs/blob/master/.github/workflows/update-terraform-providers.yml) action.
+
+            Check that all providers build with `@ofborg build terraform-full`
+          branch: terraform-providers-update
+          delete-branch: false
+          labels: "2.status: work-in-progress"
+          title: ${{ steps.setup.outputs.title }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: comment on failure
+        uses: peter-evans/create-or-update-comment@v1
+        if: ${{ failure() }}
+        with:
+          issue-number: 153416
+          body: |
+            Automatic update of terraform providers [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
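Review bot: In the `update terraform-providers` step, `git commit -m ... providers.json` exits non-zero when `./update-all-providers --no-build` leaves `providers.json` unchanged; under the default `bash -e` step shell that fails the job, so a week with no provider updates would post a failure comment to issue 153416 although nothing went wrong. Guarding it as `git diff --quiet providers.json || git commit -m "${{ steps.setup.outputs.title }}" providers.json` lets the following `create-pull-request` step see no diff and, as I understand that action, do nothing. Independently, `echo ::set-output` is deprecated in favor of appending `title=...` to `$GITHUB_OUTPUT`, and the file declares no `permissions:` block although the PR step needs `contents: write` and `pull-requests: write`.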