tjh.dev
Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
1# `nixpkgs-vet` is a tool to vet Nixpkgs: its architecture, package structure, and more.
2# Among other checks, it makes sure that `pkgs/by-name` (see `../../pkgs/by-name/README.md`) follows the validity rules outlined in [RFC 140](https://github.com/NixOS/rfcs/pull/140).
3# When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI.
4# See https://github.com/NixOS/nixpkgs-vet for details on the tool and its checks.
5
6name: Vet nixpkgs
7
8on:
9 pull_request:
10 paths:
11 - .github/workflows/nixpkgs-vet.yml
12 pull_request_target:
13 # This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
14 # Instead it causes an `edited` event, so we need to add it explicitly here.
15 # While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem.
16 # There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058
17 types: [opened, synchronize, reopened, edited]
18
19permissions: {}
20
21# We don't use a concurrency group here, because the action is triggered quite often (due to the PR edit trigger), and contributors would get notified on any canceled run.
22# There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015
23
24jobs:
25 get-merge-commit:
26 uses: ./.github/workflows/get-merge-commit.yml
27
28 check:
29 name: nixpkgs-vet
30 # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases.
31 runs-on: ubuntu-24.04
32 # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
33 timeout-minutes: 10
34 needs: get-merge-commit
35 if: needs.get-merge-commit.outputs.mergedSha
36 steps:
37 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
38 with:
39 ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
40 # Fetches the merge commit and its parents
41 fetch-depth: 2
42
43 - name: Checking out target branch
44 run: |
45 target=$(mktemp -d)
46 git worktree add "$target" "$(git rev-parse HEAD^1)"
47 echo "target=$target" >> "$GITHUB_ENV"
48
49 - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
50
51 - name: Fetching the pinned tool
52 # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh
53 run: |
54 # The pinned version of the tooling to use.
55 toolVersion=$(<ci/nixpkgs-vet/pinned-version.txt)
56
57 # Fetch the x86_64-linux-specific release artifact containing the gzipped NAR of the pre-built tool.
58 toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-vet/releases/download/"$toolVersion"/x86_64-linux.nar.gz \
59 | gzip -cd | nix-store --import | tail -1)
60
61 # Adds a result symlink as a GC root.
62 nix-store --realise "$toolPath" --add-root result
63
64 - name: Running nixpkgs-vet
65 env:
66 # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
67 CLICOLOR_FORCE: 1
68 run: |
69 if result/bin/nixpkgs-vet --base "$target" .; then
70 exit 0
71 else
72 exitCode=$?
73 echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
74 echo "If you're having trouble, ping @NixOS/nixpkgs-vet"
75 exit "$exitCode"
76 fi