nixpkgs mirror (for testing) github.com/NixOS/nixpkgs
# Orchestrates the pull-request checks: `prepare` computes branch/SHA metadata,
# the reusable workflows (check, lint, eval, bot, build) consume it, and `unlock`
# publishes the single commit status that the branch ruleset requires.
name: PR

# SECURITY: `pull_request_target` runs in the context of the base repository, so
# the run can be given secrets and a writable token even for PRs from forks.
# Code taken from the PR must therefore never be executed with those privileges.
# `workflow_call` lets another workflow reuse this file; the `pull_request`
# comparisons further down suggest that a caller may run on `pull_request`
# (NOTE(review): confirm against the calling workflow).
on:
  pull_request_target:
  workflow_call:
    inputs:
      artifact-prefix:
        required: true
        type: string
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY:
        required: true

# One active run per workflow + event + PR (falling back to the run id when there
# is no PR number); a newer run cancels the older one in the same group.
concurrency:
  group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

# Deny-by-default: the token gets no scopes unless a job below grants them.
# Jobs without their own `permissions:` key (lint, build) keep this empty set.
permissions: {}

jobs:
  prepare:
    runs-on: ubuntu-slim
    permissions:
      pull-requests: write # submitting 'wrong branch' reviews
    outputs:
      baseBranch: ${{ steps.prepare.outputs.base }}
      headBranch: ${{ steps.prepare.outputs.head }}
      mergedSha: ${{ steps.prepare.outputs.mergedSha }}
      targetSha: ${{ steps.prepare.outputs.targetSha }}
      systems: ${{ steps.prepare.outputs.systems }}
      touched: ${{ steps.prepare.outputs.touched }}
    steps:
      # Action is pinned to a full commit SHA; the trailing comment records the tag.
      # No `ref` is given, so under `pull_request_target` this checks out the base
      # branch's code rather than the PR head. Only `ci/github-script` is
      # materialised, and `persist-credentials: false` keeps the token out of the
      # checkout's git config so later steps cannot pick it up from disk.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          sparse-checkout-cone-mode: true # default, for clarity
          sparse-checkout: |
            ci/github-script
      - id: prepare
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          retries: 10
          # The default for this includes code 422, which happens regularly for us when comparing commits:
          #   422 - Server Error: Sorry, this diff is taking too long to generate.
          # Listing all other values from here to effectively remove 422:
          # https://github.com/octokit/plugin-retry.js/blob/9a2443746c350b3beedec35cf26e197ea318a261/src/index.ts#L14
          retry-exempt-status-codes: 400,401,403,404
          # The script is loaded from the sparse checkout above and runs with this
          # job's token. `dry` is true only for `pull_request` events
          # (presumably a no-write mode; confirm in prepare.js).
          script: |
            require('./ci/github-script/prepare.js')({
              github,
              context,
              core,
              dry: context.eventName == 'pull_request',
            })

  # For every job below that calls a reusable workflow, the `permissions:` given
  # here are the upper bound for the called workflow's token: it can keep or
  # reduce them, not add to them.
  check:
    name: Check
    needs: [prepare]
    uses: ./.github/workflows/check.yml
    permissions:
      # cherry-picks
      pull-requests: write
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      headBranch: ${{ needs.prepare.outputs.headBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  lint:
    name: Lint
    needs: [prepare]
    uses: ./.github/workflows/lint.yml
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  eval:
    name: Eval
    needs: [prepare]
    uses: ./.github/workflows/eval.yml
    permissions:
      # compare
      pull-requests: write
      statuses: write
    with:
      artifact-prefix: ${{ inputs.artifact-prefix }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      # Unlike the other SHAs, headSha is read straight from the event payload
      # instead of the `prepare` outputs.
      headSha: ${{ github.event.pull_request.head.sha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}
      systems: ${{ needs.prepare.outputs.systems }}
      # True when the JSON `touched` output contains 'pinned' and the `type` of the
      # JSON `headBranch` output does not contain 'development'.
      testVersions: ${{ contains(fromJSON(needs.prepare.outputs.touched), 'pinned') && !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development') }}

  # The only job that is handed NIXPKGS_CI_APP_PRIVATE_KEY. Secrets reach a called
  # workflow only when listed under `secrets:`, so no other job here receives it.
  bot:
    name: Bot
    needs: [prepare, eval]
    uses: ./.github/workflows/bot.yml
    permissions:
      issues: write
      pull-requests: write
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
    with:
      headBranch: ${{ needs.prepare.outputs.headBranch }}

  build:
    name: Build
    needs: [prepare]
    uses: ./.github/workflows/build.yml
    with:
      artifact-prefix: ${{ inputs.artifact-prefix }}
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block merging a PR.
  unlock:
    # `always()` makes the job run even when a needed job failed or was skipped, so
    # a status is still posted; the job is skipped entirely on `pull_request` events.
    if: github.event_name != 'pull_request' && always()
    # Modify this list to add or remove jobs from required status checks.
    # `bot` is not listed, so its result does not affect the posted status.
    needs:
      - check
      - lint
      - eval
      - build
    runs-on: ubuntu-slim
    permissions:
      # Needed by the createCommitStatus call in the script below.
      statuses: write
    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          # The job results are handed over through the environment and parsed in the
          # script, not interpolated into the script text.
          RESULTS: ${{ toJSON(needs.*.result) }}
        with:
          # Posts the status on the PR head commit. Any result other than 'success'
          # (failure, cancelled, skipped) turns the status into 'error'.
          script: |
            const { serverUrl, repo, runId, payload } = context
            const target_url =
              `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}`
            await github.rest.repos.createCommitStatus({
              ...repo,
              sha: payload.pull_request.head.sha,
              // WARNING:
              // Do NOT change the name of this, otherwise the rule will not catch it anymore.
              // This would prevent all PRs from merging.
              context: 'no PR failures',
              state: JSON.parse(process.env.RESULTS).every(status => status == 'success') ? 'success' : 'error',
              target_url,
            })