ci/github-script/prepare: move more steps from workflow (#435302)

+51

.github/actions/checkout/action.yml

···

··· 1 + name: Checkout 2 + 3 + description: 'Checkout into trusted / untrusted / pinned folders consistently.' 4 + 5 + inputs: 6 + merged-as-untrusted-at: 7 + description: "Whether and which SHA to checkout for the merge commit in the ./untrusted folder." 8 + pinned-from: 9 + description: "Whether to checkout the pinned nixpkgs for CI and from where (trusted, untrusted)." 10 + target-as-trusted-at: 11 + description: "Whether and which SHA to checkout for the target commit in the ./trusted folder." 12 + 13 + runs: 14 + using: composite 15 + steps: 16 + - if: inputs.merged-as-untrusted-at 17 + # Would be great to do the checkouts in git worktrees of the existing spare checkout instead, 18 + # but Nix is broken with them: 19 + # https://github.com/NixOS/nix/issues/6073 20 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 21 + with: 22 + ref: ${{ inputs.merged-as-untrusted-at }} 23 + path: untrusted 24 + 25 + - if: inputs.target-as-trusted-at 26 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 27 + with: 28 + ref: ${{ inputs.target-as-trusted-at }} 29 + path: trusted 30 + 31 + - if: inputs.pinned-from 32 + id: pinned 33 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 34 + env: 35 + PINNED_FROM: ${{ inputs.pinned-from }} 36 + with: 37 + script: | 38 + const path = require('node:path') 39 + const pinned = require(path.resolve(path.join(process.env.PINNED_FROM, 'ci', 'pinned.json'))) 40 + core.setOutput('pinned-at', pinned.pins.nixpkgs.revision) 41 + 42 + - if: steps.pinned.outputs.pinned-at 43 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 44 + with: 45 + ref: ${{ steps.pinned.outputs.pinned-at }} 46 + path: pinned 47 + sparse-checkout: | 48 + lib 49 + maintainers 50 + nixos/lib 51 + pkgs

-80

.github/actions/get-merge-commit/action.yml

··· 1 - name: Get merge commit 2 - 3 - description: 'Checks whether the Pull Request is mergeable and checks out the repo at up to two commits: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.' 4 - 5 - inputs: 6 - mergedSha: 7 - description: "The merge commit SHA, previously collected." 8 - type: string 9 - merged-as-untrusted: 10 - description: "Whether to checkout the merge commit in the ./untrusted folder." 11 - type: boolean 12 - pinnedFrom: 13 - description: "Whether to checkout the pinned nixpkgs for CI and from where (trusted, untrusted)." 14 - type: string 15 - targetSha: 16 - description: "The target commit SHA, previously collected." 17 - type: string 18 - target-as-trusted: 19 - description: "Whether to checkout the target commit in the ./trusted folder." 20 - type: boolean 21 - 22 - outputs: 23 - mergedSha: 24 - description: "The merge commit SHA" 25 - value: ${{ steps.commits.outputs.mergedSha }} 26 - targetSha: 27 - description: "The target commit SHA" 28 - value: ${{ steps.commits.outputs.targetSha }} 29 - 30 - runs: 31 - using: composite 32 - steps: 33 - - id: commits 34 - if: ${{ !inputs.mergedSha && !inputs.targetSha }} 35 - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 36 - with: 37 - script: | 38 - require('./ci/github-script/prepare.js')({ 39 - github, 40 - context, 41 - core, 42 - }) 43 - 44 - - if: inputs.merged-as-untrusted && (inputs.mergedSha || steps.commits.outputs.mergedSha) 45 - # Would be great to do the checkouts in git worktrees of the existing spare checkout instead, 46 - # but Nix is broken with them: 47 - # https://github.com/NixOS/nix/issues/6073 48 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 49 - with: 50 - ref: ${{ inputs.mergedSha || steps.commits.outputs.mergedSha }} 51 - path: untrusted 52 - 53 - - if: inputs.target-as-trusted && (inputs.targetSha || steps.commits.outputs.targetSha) 54 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 55 - with: 56 - ref: ${{ inputs.targetSha || steps.commits.outputs.targetSha }} 57 - path: trusted 58 - 59 - - if: inputs.pinnedFrom 60 - id: pinned 61 - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 62 - env: 63 - PINNED_FROM: ${{ inputs.pinnedFrom }} 64 - with: 65 - script: | 66 - const path = require('node:path') 67 - const pinned = require(path.resolve(path.join(process.env.PINNED_FROM, 'ci', 'pinned.json'))) 68 - core.setOutput('pinnedSha', pinned.pins.nixpkgs.revision) 69 - 70 - - if: steps.pinned.outputs.pinnedSha 71 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 72 - with: 73 - ref: ${{ steps.pinned.outputs.pinnedSha }} 74 - path: pinned 75 - sparse-checkout: | 76 - lib 77 - maintainers 78 - nixos/lib 79 - pkgs 80 -

···

+1 -1

.github/workflows/README.md

··· 17 This is a temporary commit that GitHub creates automatically as "what would happen, if this PR was merged into the base branch now?". 18 The checkout could be done via the virtual branch `refs/pull/<pr-number>/merge`, but doing so would cause failures when this virtual branch doesn't exist (anymore). 19 This can happen when the PR has conflicts, in which case the virtual branch is not created, or when the PR is getting merged while workflows are still running, in which case the branch won't exist anymore at the time of checkout. 20 - Thus, we use the `get-merge-commit.yml` workflow to check whether the PR is mergeable and the test merge commit exists and only then run the relevant jobs. 21 22 - Various workflows need to make comparisons against the base branch. 23 In this case, we checkout the parent of the "test merge commit" for best results.

··· 17 This is a temporary commit that GitHub creates automatically as "what would happen, if this PR was merged into the base branch now?". 18 The checkout could be done via the virtual branch `refs/pull/<pr-number>/merge`, but doing so would cause failures when this virtual branch doesn't exist (anymore). 19 This can happen when the PR has conflicts, in which case the virtual branch is not created, or when the PR is getting merged while workflows are still running, in which case the branch won't exist anymore at the time of checkout. 20 + Thus, we use the `prepare` job to check whether the PR is mergeable and the test merge commit exists and only then run the relevant jobs. 21 22 - Various workflows need to make comparisons against the base branch. 23 In this case, we checkout the parent of the "test merge commit" for best results.

+4 -5

.github/workflows/build.yml

··· 47 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 48 with: 49 sparse-checkout: .github/actions 50 - - name: Check if the PR can be merged and checkout the merge commit 51 - uses: ./.github/actions/get-merge-commit 52 with: 53 - mergedSha: ${{ inputs.mergedSha }} 54 - merged-as-untrusted: true 55 - pinnedFrom: untrusted 56 57 - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 58 with:

··· 47 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 48 with: 49 sparse-checkout: .github/actions 50 + - name: Checkout the merge commit 51 + uses: ./.github/actions/checkout 52 with: 53 + merged-as-untrusted-at: ${{ inputs.mergedSha }} 54 + pinned-from: untrusted 55 56 - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 57 with:

+5 -7

.github/workflows/check.yml

··· 99 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 100 with: 101 sparse-checkout: .github/actions 102 - - name: Check if the PR can be merged and checkout the merge and target commits 103 - uses: ./.github/actions/get-merge-commit 104 with: 105 - mergedSha: ${{ inputs.mergedSha }} 106 - merged-as-untrusted: true 107 - pinnedFrom: trusted 108 - targetSha: ${{ inputs.targetSha }} 109 - target-as-trusted: true 110 111 - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 112

··· 99 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 100 with: 101 sparse-checkout: .github/actions 102 + - name: Checkout merge and target commits 103 + uses: ./.github/actions/checkout 104 with: 105 + merged-as-untrusted-at: ${{ inputs.mergedSha }} 106 + pinned-from: trusted 107 + target-as-trusted-at: ${{ inputs.targetSha }} 108 109 - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 110

+9 -12

.github/workflows/eval.yml

··· 90 with: 91 sparse-checkout: .github/actions 92 - name: Check out the PR at the test merge commit 93 - uses: ./.github/actions/get-merge-commit 94 with: 95 - mergedSha: ${{ inputs.mergedSha }} 96 - merged-as-untrusted: true 97 - pinnedFrom: untrusted 98 99 - name: Install Nix 100 uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 ··· 216 with: 217 sparse-checkout: .github/actions 218 - name: Check out the PR at the target commit 219 - uses: ./.github/actions/get-merge-commit 220 with: 221 - targetSha: ${{ inputs.targetSha }} 222 - target-as-trusted: true 223 - pinnedFrom: trusted 224 225 - name: Download output paths and eval stats for all systems 226 uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 ··· 385 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 386 with: 387 sparse-checkout: .github/actions 388 - - name: Check if the PR can be merged and checkout the merge commit 389 - uses: ./.github/actions/get-merge-commit 390 with: 391 - mergedSha: ${{ inputs.mergedSha }} 392 - merged-as-untrusted: true 393 394 - name: Install Nix 395 uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

··· 90 with: 91 sparse-checkout: .github/actions 92 - name: Check out the PR at the test merge commit 93 + uses: ./.github/actions/checkout 94 with: 95 + merged-as-untrusted-at: ${{ inputs.mergedSha }} 96 + pinned-from: untrusted 97 98 - name: Install Nix 99 uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 ··· 215 with: 216 sparse-checkout: .github/actions 217 - name: Check out the PR at the target commit 218 + uses: ./.github/actions/checkout 219 with: 220 + target-as-trusted-at: ${{ inputs.targetSha }} 221 + pinned-from: trusted 222 223 - name: Download output paths and eval stats for all systems 224 uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 ··· 383 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 384 with: 385 sparse-checkout: .github/actions 386 + - name: Checkout the merge commit 387 + uses: ./.github/actions/checkout 388 with: 389 + merged-as-untrusted-at: ${{ inputs.mergedSha }} 390 391 - name: Install Nix 392 uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

+13 -17

.github/workflows/lint.yml

··· 27 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 28 with: 29 sparse-checkout: .github/actions 30 - - name: Check if the PR can be merged and checkout the merge commit 31 - uses: ./.github/actions/get-merge-commit 32 with: 33 - mergedSha: ${{ inputs.mergedSha }} 34 - merged-as-untrusted: true 35 - pinnedFrom: untrusted 36 37 - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 38 ··· 63 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 64 with: 65 sparse-checkout: .github/actions 66 - - name: Check if the PR can be merged and checkout the merge commit 67 - uses: ./.github/actions/get-merge-commit 68 with: 69 - mergedSha: ${{ inputs.mergedSha }} 70 - merged-as-untrusted: true 71 - pinnedFrom: untrusted 72 73 - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 74 ··· 92 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 93 with: 94 sparse-checkout: .github/actions 95 - - name: Check if the PR can be merged and checkout merged and target commits 96 - uses: ./.github/actions/get-merge-commit 97 with: 98 - mergedSha: ${{ inputs.mergedSha }} 99 - merged-as-untrusted: true 100 - pinnedFrom: untrusted 101 - targetSha: ${{ inputs.targetSha }} 102 - target-as-trusted: true 103 104 - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 105

··· 27 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 28 with: 29 sparse-checkout: .github/actions 30 + - name: Checkout the merge commit 31 + uses: ./.github/actions/checkout 32 with: 33 + merged-as-untrusted-at: ${{ inputs.mergedSha }} 34 + pinned-from: untrusted 35 36 - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 37 ··· 62 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 63 with: 64 sparse-checkout: .github/actions 65 + - name: Checkout the merge commit 66 + uses: ./.github/actions/checkout 67 with: 68 + merged-as-untrusted-at: ${{ inputs.mergedSha }} 69 + pinned-from: untrusted 70 71 - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 72 ··· 90 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 91 with: 92 sparse-checkout: .github/actions 93 + - name: Checkout merge and target commits 94 + uses: ./.github/actions/checkout 95 with: 96 + merged-as-untrusted-at: ${{ inputs.mergedSha }} 97 + pinned-from: untrusted 98 + target-as-trusted-at: ${{ inputs.targetSha }} 99 100 - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31 101

+14 -49

.github/workflows/pr.yml

··· 3 on: 4 pull_request: 5 paths: 6 - - .github/actions/get-merge-commit/action.yml 7 - .github/workflows/build.yml 8 - .github/workflows/check.yml 9 - .github/workflows/eval.yml ··· 23 prepare: 24 runs-on: ubuntu-24.04-arm 25 outputs: 26 - baseBranch: ${{ steps.branches.outputs.base }} 27 - headBranch: ${{ steps.branches.outputs.head }} 28 - mergedSha: ${{ steps.get-merge-commit.outputs.mergedSha }} 29 - targetSha: ${{ steps.get-merge-commit.outputs.targetSha }} 30 - systems: ${{ steps.systems.outputs.systems }} 31 - touched: ${{ steps.files.outputs.touched }} 32 steps: 33 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 34 with: 35 sparse-checkout: | 36 - .github/actions 37 ci/github-script 38 - ci/supportedBranches.js 39 - ci/supportedSystems.json 40 - - name: Check if the PR can be merged and get the test merge commit 41 - uses: ./.github/actions/get-merge-commit 42 - id: get-merge-commit 43 - 44 - - name: Load supported systems 45 - id: systems 46 - run: | 47 - echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT" 48 - 49 - - name: Determine branch type 50 - id: branches 51 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 52 with: 53 script: | 54 - const { classify } = require('./ci/supportedBranches.js') 55 - const { base, head } = context.payload.pull_request 56 - 57 - const baseClassification = classify(base.ref) 58 - core.setOutput('base', baseClassification) 59 - core.info('base classification:', baseClassification) 60 - 61 - const headClassification = 62 - (base.repo.full_name == head.repo.full_name) ? 63 - classify(head.ref) : 64 - // PRs from forks are always considered WIP. 65 - { type: ['wip'] } 66 - core.setOutput('head', headClassification) 67 - core.info('head classification:', headClassification) 68 - 69 - - name: Determine changed files 70 - id: files 71 - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 72 - with: 73 - script: | 74 - const files = (await github.paginate(github.rest.pulls.listFiles, { 75 - ...context.repo, 76 - pull_number: context.payload.pull_request.number, 77 - per_page: 100, 78 - })).map(file => file.filename) 79 - 80 - if (files.includes('ci/pinned.json')) core.setOutput('touched', ['pinned']) 81 - else core.setOutput('touched', []) 82 83 check: 84 name: Check

··· 3 on: 4 pull_request: 5 paths: 6 + - .github/actions/checkout/action.yml 7 - .github/workflows/build.yml 8 - .github/workflows/check.yml 9 - .github/workflows/eval.yml ··· 23 prepare: 24 runs-on: ubuntu-24.04-arm 25 outputs: 26 + baseBranch: ${{ steps.prepare.outputs.base }} 27 + headBranch: ${{ steps.prepare.outputs.head }} 28 + mergedSha: ${{ steps.prepare.outputs.mergedSha }} 29 + targetSha: ${{ steps.prepare.outputs.targetSha }} 30 + systems: ${{ steps.prepare.outputs.systems }} 31 + touched: ${{ steps.prepare.outputs.touched }} 32 steps: 33 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 34 with: 35 + sparse-checkout-cone-mode: true # default, for clarity 36 sparse-checkout: | 37 ci/github-script 38 + - id: prepare 39 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 40 with: 41 script: | 42 + require('./ci/github-script/prepare.js')({ 43 + github, 44 + context, 45 + core, 46 + }) 47 48 check: 49 name: Check

+31 -1

ci/github-script/prepare.js

··· 1 module.exports = async ({ github, context, core }) => { 2 const pull_number = context.payload.pull_request.number 3 ··· 19 await new Promise((resolve) => setTimeout(resolve, retryInterval * 1000)) 20 continue 21 } 22 23 let mergedSha, targetSha 24 ··· 39 targetSha = ( 40 await github.rest.repos.compareCommitsWithBasehead({ 41 ...context.repo, 42 - basehead: `${prInfo.base.sha}...${prInfo.head.sha}`, 43 }) 44 ).data.merge_base_commit.sha 45 } ··· 49 ) 50 core.setOutput('mergedSha', mergedSha) 51 core.setOutput('targetSha', targetSha) 52 return 53 } 54 throw new Error(

··· 1 + const { classify } = require('../supportedBranches.js') 2 + 3 module.exports = async ({ github, context, core }) => { 4 const pull_number = context.payload.pull_request.number 5 ··· 21 await new Promise((resolve) => setTimeout(resolve, retryInterval * 1000)) 22 continue 23 } 24 + 25 + const { base, head } = prInfo 26 27 let mergedSha, targetSha 28 ··· 43 targetSha = ( 44 await github.rest.repos.compareCommitsWithBasehead({ 45 ...context.repo, 46 + basehead: `${base.sha}...${head.sha}`, 47 }) 48 ).data.merge_base_commit.sha 49 } ··· 53 ) 54 core.setOutput('mergedSha', mergedSha) 55 core.setOutput('targetSha', targetSha) 56 + 57 + core.setOutput('systems', require('../supportedSystems.json')) 58 + 59 + const baseClassification = classify(base.ref) 60 + core.setOutput('base', baseClassification) 61 + console.log('base classification:', baseClassification) 62 + 63 + const headClassification = 64 + base.repo.full_name === head.repo.full_name 65 + ? classify(head.ref) 66 + : // PRs from forks are always considered WIP. 67 + { type: ['wip'] } 68 + core.setOutput('head', headClassification) 69 + console.log('head classification:', headClassification) 70 + 71 + const files = ( 72 + await github.paginate(github.rest.pulls.listFiles, { 73 + ...context.repo, 74 + pull_number: context.payload.pull_request.number, 75 + per_page: 100, 76 + }) 77 + ).map((file) => file.filename) 78 + 79 + if (files.includes('ci/pinned.json')) core.setOutput('touched', ['pinned']) 80 + else core.setOutput('touched', []) 81 + 82 return 83 } 84 throw new Error(

Configure Feed

Configure Feed