review #434831 #63
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: review | |
| run-name: "review #${{ inputs.pr }}${{ inputs.extra-args && format(' ({0})', inputs.extra-args) || '' }}" | |
| permissions: {} | |
| env: | |
| PR_NUMBER: ${{ inputs.pr }} | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| pr: | |
| description: "Pull Request Number" | |
| required: true | |
| type: string | |
| x86_64-linux: | |
| description: "Run on x86_64-linux" | |
| required: true | |
| type: boolean | |
| default: true | |
| aarch64-linux: | |
| description: "Run on aarch64-linux" | |
| required: true | |
| type: boolean | |
| default: true | |
| x86_64-darwin: | |
| description: "Run on x86_64-darwin" | |
| required: true | |
| type: choice | |
| default: yes_sandbox_true | |
| options: | |
| - 'no' | |
| - yes_sandbox_false | |
| - yes_sandbox_relaxed | |
| - yes_sandbox_true | |
| aarch64-darwin: | |
| description: "Run on aarch64-darwin" | |
| required: true | |
| type: choice | |
| default: yes_sandbox_true | |
| options: | |
| - 'no' | |
| - yes_sandbox_false | |
| - yes_sandbox_relaxed | |
| - yes_sandbox_true | |
| extra-args: | |
| description: "nixpkgs-review extra args" | |
| required: false | |
| type: string | |
| push-to-cache: | |
| description: "Push to cache" | |
| required: true | |
| type: boolean | |
| default: true | |
| upterm: | |
| description: "Start upterm session after nixpkgs-review" | |
| required: true | |
| type: boolean | |
| default: false | |
| post-result: | |
| description: "Post Result" | |
| required: true | |
| type: boolean | |
| default: true | |
| approve-on-success: | |
| description: "Approve PR on review success" | |
| required: true | |
| type: boolean | |
| default: false | |
| jobs: | |
| prepare: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| pr: ${{ steps.pr.outputs.pr }} | |
| head: ${{ steps.pr.outputs.head }} | |
| merge: ${{ steps.pr.outputs.merge }} | |
| steps: | |
| - name: get pr | |
| id: pr | |
| run: | | |
| while true; do | |
| pr="$(gh api "/repos/NixOS/nixpkgs/pulls/$PR_NUMBER")" | |
| jq -e '.mergeable_state == "unknown" and (.merged | not)' <<< "$pr" > /dev/null || break | |
| echo "mergeable state not known yet, retrying..." | |
| sleep 2 | |
| done | |
| jq <<< "$pr" | |
| if [[ "$(jq '.merged or .mergeable' <<< "$pr")" != "true" ]]; then | |
| echo "::error::PR is not mergeable" | |
| exit 1 | |
| fi | |
| echo "pr=$pr" >> "$GITHUB_OUTPUT" | |
| echo "head=$(jq -r '.head.sha' <<< "$pr")" >> "$GITHUB_OUTPUT" | |
| echo "merge=$(jq -r '.merge_commit_sha' <<< "$pr")" >> "$GITHUB_OUTPUT" | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| review: | |
| needs: [prepare] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| system: | |
| - x86_64-linux | |
| - aarch64-linux | |
| - x86_64-darwin | |
| - aarch64-darwin | |
| exclude: | |
| - system: ${{ !inputs.x86_64-linux && 'x86_64-linux' || '' }} | |
| - system: ${{ !inputs.aarch64-linux && 'aarch64-linux' || '' }} | |
| - system: ${{ inputs.x86_64-darwin == 'no' && 'x86_64-darwin' || '' }} | |
| - system: ${{ inputs.aarch64-darwin == 'no' && 'aarch64-darwin' || '' }} | |
| runs-on: >- | |
| ${{ (matrix.system == 'x86_64-linux' && 'ubuntu-latest') | |
| || (matrix.system == 'aarch64-linux' && 'ubuntu-24.04-arm') | |
| || (matrix.system == 'x86_64-darwin' && 'macos-latest') | |
| || (matrix.system == 'aarch64-darwin' && 'macos-latest') }} | |
| outputs: | |
| report_x86_64-linux: ${{ steps.report.outputs.report_x86_64-linux }} | |
| report_aarch64-linux: ${{ steps.report.outputs.report_aarch64-linux }} | |
| report_x86_64-darwin: ${{ steps.report.outputs.report_x86_64-darwin }} | |
| report_aarch64-darwin: ${{ steps.report.outputs.report_aarch64-darwin }} | |
| fetch_cmd_x86_64-linux: ${{ steps.report.outputs.fetch_cmd_x86_64-linux }} | |
| fetch_cmd_aarch64-linux: ${{ steps.report.outputs.fetch_cmd_aarch64-linux }} | |
| fetch_cmd_x86_64-darwin: ${{ steps.report.outputs.fetch_cmd_x86_64-darwin }} | |
| fetch_cmd_aarch64-darwin: ${{ steps.report.outputs.fetch_cmd_aarch64-darwin }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| sparse-checkout: | | |
| .github/actions | |
| packages.nix | |
| - name: setup nix | |
| uses: ./.github/actions/setup-nix | |
| with: | |
| system: ${{ matrix.system }} | |
| sandbox: ${{ | |
| (matrix.system == 'x86_64-darwin' && inputs.x86_64-darwin == 'yes_sandbox_false' | |
| || matrix.system == 'aarch64-darwin' && inputs.aarch64-darwin == 'yes_sandbox_false') && 'false' | |
| || (matrix.system == 'x86_64-darwin' && inputs.x86_64-darwin == 'yes_sandbox_relaxed' | |
| || matrix.system == 'aarch64-darwin' && inputs.aarch64-darwin == 'yes_sandbox_relaxed') && 'relaxed' | |
| || 'true' }} | |
| - name: install packages | |
| run: | | |
| pkgs=(coreutils nixpkgs-review jq gnused) | |
| if [[ ${{ inputs.push-to-cache && vars.ATTIC_SERVER != '' && vars.ATTIC_CACHE != '' }} = true ]]; then | |
| pkgs+=(attic-client) | |
| elif [[ ${{ inputs.push-to-cache && vars.CACHIX_CACHE != '' }} = true ]]; then | |
| pkgs+=(cachix) | |
| fi | |
| nix profile install -f packages.nix ${pkgs[@]} | |
| - name: clone nixpkgs | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: NixOS/nixpkgs | |
| path: nixpkgs | |
| persist-credentials: false | |
| - name: run nixpkgs-review ${{ inputs.extra-args }} | |
| run: | | |
| nixpkgs-review -- \ | |
| pr ${PR_NUMBER} \ | |
| --no-shell \ | |
| --no-headers \ | |
| --print-result \ | |
| --build-args="-L" \ | |
| --pr-json="$PR_JSON" \ | |
| $EXTRA_ARGS \ | |
| || true | |
| working-directory: nixpkgs | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| EXTRA_ARGS: ${{ inputs.extra-args }} | |
| PR_JSON: ${{ needs.prepare.outputs.pr }} | |
| - name: push results to cache | |
| if: ${{ inputs.push-to-cache && ((vars.ATTIC_SERVER != '' && vars.ATTIC_CACHE != '') || vars.CACHIX_CACHE != '') }} | |
| run: | | |
| set -ex | |
| (realpath -qe ~/.cache/nixpkgs-review/pr-${PR_NUMBER}/results/* || true) > paths | |
| [[ -s paths ]] || exit 0 | |
| if [[ ${{ vars.ATTIC_SERVER != '' && vars.ATTIC_CACHE != '' }} = true ]]; then | |
| attic login default "$ATTIC_SERVER" "$ATTIC_TOKEN" | |
| if ! attic cache info "$ATTIC_CACHE"; then | |
| echo "::error:: attic returned an error" | |
| exit 0 | |
| fi | |
| attic push --stdin "$ATTIC_CACHE" < paths | |
| info=$(curl -f -H "Authorization: Bearer ${ATTIC_TOKEN}" "${ATTIC_SERVER}_api/v1/cache-config/${ATTIC_CACHE}") | |
| substituter_endpoint=$(jq -r .substituter_endpoint <<< "$info") | |
| public_key=$(jq -r .public_key <<< "$info") | |
| is_public=$(jq -r .is_public <<< "$info") | |
| elif [[ ${{ vars.CACHIX_CACHE != '' }} = true ]]; then | |
| [[ -n "$CACHIX_SIGNING_KEY" ]] || unset CACHIX_SIGNING_KEY | |
| cachix push "$CACHIX_CACHE" < paths | |
| info=$(curl -f -H "Authorization: Bearer ${CACHIX_AUTH_TOKEN}" "https://app.cachix.org/api/v1/cache/${CACHIX_CACHE}") | |
| substituter_endpoint=$(jq -r .uri <<< "$info") | |
| public_key=$(jq -r '.publicSigningKeys[]' <<< "$info") | |
| is_public=$(jq -r .isPublic <<< "$info") | |
| fi | |
| [[ "$is_public" = true ]] || exit 0 | |
| echo "nix-store -r --add-root nixpkgs-pr-${PR_NUMBER}-${{ matrix.system }} \\" >> fetch_cmd | |
| echo " --option binary-caches 'https://cache.nixos.org/ $substituter_endpoint' \\" >> fetch_cmd | |
| echo " --option trusted-public-keys '" >> fetch_cmd | |
| echo " cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" >> fetch_cmd | |
| echo " $public_key" >> fetch_cmd | |
| echo -n " '" >> fetch_cmd | |
| for p in $(cat paths); do | |
| echo -e " \\" >> fetch_cmd | |
| echo -n " $p" >> fetch_cmd | |
| done | |
| env: | |
| ATTIC_SERVER: ${{ vars.ATTIC_SERVER }} | |
| ATTIC_CACHE: ${{ vars.ATTIC_CACHE }} | |
| ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }} | |
| CACHIX_CACHE: ${{ vars.CACHIX_CACHE }} | |
| CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }} | |
| - name: start upterm session | |
| if: ${{ inputs.upterm }} | |
| uses: owenthereal/action-upterm@v1 | |
| with: | |
| limit-access-to-actor: true | |
| - name: generate report | |
| id: report | |
| run: | | |
| if [[ -s fetch_cmd ]]; then | |
| cat fetch_cmd | |
| echo fetch_cmd_${{ matrix.system }}=$(base64 -w0 fetch_cmd) >> "$GITHUB_OUTPUT" | |
| fi | |
| dir=~/.cache/nixpkgs-review/pr-${PR_NUMBER} | |
| if [[ "$OS" != "Linux" ]]; then | |
| sandbox=$(nix config show sandbox) | |
| sed -i '/^###/s/$/ (sandbox = '"$sandbox"')/' "$dir/report.md" | |
| fi | |
| if ! [[ -s "$dir/report.md" ]]; then | |
| echo -e "\n---" >> "$dir/report.md" | |
| echo "### \`${{ matrix.system }}\`" >> "$dir/report.md" | |
| echo ":white_check_mark: *No rebuilds*" >> "$dir/report.md" | |
| fi | |
| cat $dir/report.md | |
| report=$(jq -c '.+{$md}' $dir/report.json --rawfile md $dir/report.md | base64 -w0) | |
| echo report_${{ matrix.system }}=$report >> "$GITHUB_OUTPUT" | |
| env: | |
| OS: ${{ runner.os }} | |
| report: | |
| runs-on: ubuntu-latest | |
| needs: [prepare, review] | |
| outputs: | |
| report: ${{ steps.report.outputs.report }} | |
| success: ${{ steps.report.outputs.success }} | |
| steps: | |
| - name: generate report | |
| id: report | |
| run: | | |
| echo -e "## \`nixpkgs-review\` result\n" >> report.md | |
| echo -e "Generated using [\`nixpkgs-review-gha\`](https://github.com/Defelo/nixpkgs-review-gha)\n" >> report.md | |
| echo -e "Command: \`nixpkgs-review pr ${PR_NUMBER}${EXTRA_ARGS:+ $EXTRA_ARGS}\`" >> report.md | |
| echo -e "Commit: [\`$HEAD\`](https://github.com/NixOS/nixpkgs/commit/$HEAD) ([subsequent changes](https://github.com/NixOS/nixpkgs/compare/$HEAD..pull/$PR_NUMBER/head))" >> report.md | |
| echo -e "Merge: [\`$MERGE\`](https://github.com/NixOS/nixpkgs/commit/$MERGE)\n" >> report.md | |
| echo -e "Logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\n" >> report.md | |
| mkdir .tmp | |
| cd .tmp | |
| echo ${FETCH_CMD_X86_64_LINUX} | base64 -d > x86_64-linux | |
| echo ${FETCH_CMD_AARCH64_LINUX} | base64 -d > aarch64-linux | |
| echo ${FETCH_CMD_X86_64_DARWIN} | base64 -d > x86_64-darwin | |
| echo ${FETCH_CMD_AARCH64_DARWIN} | base64 -d > aarch64-darwin | |
| for system in x86_64-linux aarch64-linux x86_64-darwin aarch64-darwin; do | |
| [[ -s $system ]] || continue | |
| echo -e "<li><details><summary><code>$system</code></summary>\n\n\`\`\`shell" >> ../cache.md | |
| cat $system >> ../cache.md | |
| echo -e "\n\`\`\`\n</details></li>" >> ../cache.md | |
| done | |
| cd .. | |
| if [[ -s cache.md ]]; then | |
| echo -e "<details><summary>Download packages from cache:</summary><ul>" >> report.md | |
| cat cache.md >> report.md | |
| echo -e "</ul></details>\n" >> report.md | |
| fi | |
| mkdir reports | |
| echo ${REPORT_X86_64_LINUX} | base64 -d > reports/x86_64-linux.json | |
| echo ${REPORT_AARCH64_LINUX} | base64 -d > reports/aarch64-linux.json | |
| echo ${REPORT_X86_64_DARWIN} | base64 -d > reports/x86_64-darwin.json | |
| echo ${REPORT_AARCH64_DARWIN} | base64 -d > reports/aarch64-darwin.json | |
| for system in x86_64-linux aarch64-linux x86_64-darwin aarch64-darwin; do | |
| if [[ -s reports/$system.json ]]; then | |
| jq -r '.md' reports/$system.json >> report.md | |
| fi | |
| done | |
| cat report.md | |
| echo report=$(base64 -w0 report.md) >> "$GITHUB_OUTPUT" | |
| echo success=$(jq -s 'all(.[].result[]; .failed==[])' reports/*.json) >> "$GITHUB_OUTPUT" | |
| sed '1s|$| for [#'"$PR_NUMBER"'](https://github.com/NixOS/nixpkgs/pull/'"$PR_NUMBER"')|' report.md >> $GITHUB_STEP_SUMMARY | |
| env: | |
| HEAD: ${{ needs.prepare.outputs.head }} | |
| MERGE: ${{ needs.prepare.outputs.merge }} | |
| EXTRA_ARGS: ${{ inputs.extra-args }} | |
| FETCH_CMD_X86_64_LINUX: ${{ needs.review.outputs.fetch_cmd_x86_64-linux }} | |
| FETCH_CMD_AARCH64_LINUX: ${{ needs.review.outputs.fetch_cmd_aarch64-linux }} | |
| FETCH_CMD_X86_64_DARWIN: ${{ needs.review.outputs.fetch_cmd_x86_64-darwin }} | |
| FETCH_CMD_AARCH64_DARWIN: ${{ needs.review.outputs.fetch_cmd_aarch64-darwin }} | |
| REPORT_X86_64_LINUX: ${{ needs.review.outputs.report_x86_64-linux }} | |
| REPORT_AARCH64_LINUX: ${{ needs.review.outputs.report_aarch64-linux }} | |
| REPORT_X86_64_DARWIN: ${{ needs.review.outputs.report_x86_64-darwin }} | |
| REPORT_AARCH64_DARWIN: ${{ needs.review.outputs.report_aarch64-darwin }} | |
| post-result: | |
| runs-on: ubuntu-latest | |
| needs: [report] | |
| if: ${{ inputs.post-result || inputs.approve-on-success }} | |
| steps: | |
| - name: fetch report | |
| run: echo ${REPORT} | base64 -d > report.md | |
| env: | |
| REPORT: ${{ needs.report.outputs.report }} | |
| - name: post comment | |
| if: ${{ inputs.post-result }} | |
| run: | | |
| if [[ -n "$GH_TOKEN" ]]; then | |
| gh pr -R NixOS/nixpkgs comment ${PR_NUMBER} -F report.md | |
| fi | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
| - name: approve pull request | |
| if: ${{ inputs.approve-on-success && needs.report.outputs.success == 'true' }} | |
| run: | | |
| if [[ -n "$GH_TOKEN" ]]; then | |
| gh pr -R NixOS/nixpkgs review ${PR_NUMBER} --approve -b "Approved automatically following the successful run of \`nixpkgs-review\`." || true | |
| fi | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_TOKEN }} |