Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
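# Entry-point workflow for pull requests: a `prepare` job computes the merge
# commit, supported systems and branch classification, then fans out to the
# reusable check / lint / eval / labels / reviewers / build workflows.
name: PR

on:
  # The unprivileged event only fires when one of the workflow files below is
  # touched, so edits to the workflows themselves are run from the PR's copy.
  # NOTE(review): that intent is inferred from the path list - confirm.
  pull_request:
    paths:
      - .github/workflows/build.yml
      - .github/workflows/check.yml
      - .github/workflows/eval.yml
      - .github/workflows/lint.yml
      - .github/workflows/pr.yml
      - .github/workflows/labels.yml
      - .github/workflows/reviewers.yml # needs eval results from the same event type
  # Runs in the context of the base repository, which is what makes the
  # secrets passed to the called workflows below available. Everything that
  # originates from the PR (refs, titles, file contents) is untrusted here.
  pull_request_target:

# One run per workflow / event type / PR; a newer push cancels the older run.
# Falls back to the run id when the event carries no PR number.
concurrency:
  group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

# Deny by default: the token gets no scopes unless a job opts in below.
permissions: {}

jobs:
  prepare:
    runs-on: ubuntu-24.04-arm
    # baseBranch / headBranch are set from the classification objects in the
    # `branches` step and are read back with fromJSON() further down.
    outputs:
      baseBranch: ${{ steps.branches.outputs.base }}
      headBranch: ${{ steps.branches.outputs.head }}
      mergedSha: ${{ steps.get-merge-commit.outputs.mergedSha }}
      targetSha: ${{ steps.get-merge-commit.outputs.targetSha }}
      systems: ${{ steps.systems.outputs.systems }}
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the release the SHA corresponds to.
      # Only the CI helper files are checked out, not the whole tree.
      # NOTE(review): no `ref` is given, so under pull_request_target this
      # should be the base branch's copy of these files - confirm.
      # NOTE(review): consider `persist-credentials: false` here if
      # get-merge-commit does not need git credentials - confirm first.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: |
            .github/actions
            ci/supportedBranches.js
            ci/supportedSystems.json
      - name: Check if the PR can be merged and get the test merge commit
        uses: ./.github/actions/get-merge-commit
        id: get-merge-commit

      - name: Load supported systems
        id: systems
        # Compact the JSON onto one line so it fits a single key=value output.
        # The identity filter is spelled out instead of relying on jq's
        # implicit default program.
        run: |
          echo "systems=$(jq -c . <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"

      - name: Determine branch type
        id: branches
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          # The PR refs are read from context.payload inside the script rather
          # than interpolated into it with an Actions expression, so a crafted
          # branch name is only ever handled as a string value.
          script: |
            const { classify } = require('./ci/supportedBranches.js')
            const { base, head } = context.payload.pull_request

            const baseClassification = classify(base.ref)
            core.setOutput('base', baseClassification)
            // core.info() takes a single message string; a second argument is
            // dropped, so the value is serialised into the message itself.
            core.info('base classification: ' + JSON.stringify(baseClassification))

            const headClassification =
              (base.repo.full_name === head.repo.full_name) ?
                classify(head.ref) :
                // PRs from forks are always considered WIP.
                { type: ['wip'] }
            core.setOutput('head', headClassification)
            core.info('head classification: ' + JSON.stringify(headClassification))

  # Each called workflow is granted only the scopes and secrets listed on its
  # job; nothing is inherited from this workflow.
  check:
    name: Check
    needs: [prepare]
    uses: ./.github/workflows/check.yml
    permissions:
      # cherry-picks
      pull-requests: write
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      headBranch: ${{ needs.prepare.outputs.headBranch }}

  lint:
    name: Lint
    needs: [prepare]
    uses: ./.github/workflows/lint.yml
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  eval:
    name: Eval
    needs: [prepare]
    uses: ./.github/workflows/eval.yml
    permissions:
      # compare
      statuses: write
    secrets:
      OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}
      systems: ${{ needs.prepare.outputs.systems }}

  labels:
    name: Labels
    needs: [prepare, eval]
    uses: ./.github/workflows/labels.yml
    permissions:
      issues: write
      pull-requests: write
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
    with:
      headBranch: ${{ needs.prepare.outputs.headBranch }}

  reviewers:
    name: Reviewers
    needs: [prepare, eval]
    # Runs only when a target commit was computed and the head branch is not
    # classified as a development branch.
    if: |
      needs.prepare.outputs.targetSha &&
      !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development')
    uses: ./.github/workflows/reviewers.yml
    secrets:
      OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}

  build:
    name: Build
    needs: [prepare]
    uses: ./.github/workflows/build.yml
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}

  # This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block merging a PR.
  # If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset.
  # However, if any of them fail, this job will also fail — thus blocking the branch ruleset.
  no-pr-failures:
    # Modify this list to add or remove jobs from required status checks.
    needs:
      - check
      - lint
      - eval
      - build
    # WARNING:
    # Do NOT change the name of this job, otherwise the rule will not catch it anymore.
    # This would prevent all PRs from merging.
    name: no PR failures
    if: ${{ failure() }}
    runs-on: ubuntu-24.04-arm
    steps:
      - run: exit 1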