tools: add workflow to review Nix changes #3
| name: Review Nix changes | |
| on: | |
| pull_request: | |
| paths: | |
| - '**.nix' | |
| - '.github/workflows/review-nix-changes.yml' | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| push: | |
| branches: | |
| - main | |
| - canary | |
| - v[0-9]+.x-staging | |
| - v[0-9]+.x | |
| paths: | |
| - '**.nix' | |
| - '.github/workflows/review-nix-changes.yml' | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| eval: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - runner: ubuntu-24.04 | |
| system: x86_64-linux | |
| - runner: ubuntu-24.04-arm | |
| system: aarch64-linux | |
| - runner: macos-15-intel | |
| system: x86_64-darwin | |
| - runner: macos-latest | |
| system: aarch64-darwin | |
| name: '${{ matrix.system }}: Evaluate shell.nix' | |
| runs-on: ${{ matrix.runner }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: '*.nix' | |
| sparse-checkout-cone-mode: false | |
| fetch-depth: 2 | |
| - uses: cachix/install-nix-action@96951a368ba55167b55f1c916f7d416bac6505fe # v31.10.3 | |
| with: | |
| extra_nix_config: sandbox = true | |
| - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17 | |
| with: | |
| name: nodejs | |
| - name: Compare | |
| run: | | |
| NIX_DIR=./tools/nix | |
| nix_show_derivation () { | |
| nix --extra-experimental-features nix-command derivation show $2 "$1" | |
| } | |
| list_nix_derivations () { | |
| DRV="$( | |
| nix-instantiate -I "nixpkgs=$NIX_DIR/pkgs.nix" "./shell.nix" \ | |
| --arg devTools " | |
| (import $NIX_DIR/devTools.nix {}) | |
| ++ builtins.attrValues ( | |
| { inherit (import <nixpkgs> {}) nixfmt-tree sccache; } | |
| // import $NIX_DIR/openssl-matrix.nix {} | |
| )" \ | |
| --arg withTemporal true \ | |
| --arg withQuic true | |
| )" | |
| nix-store -qR --include-outputs "$DRV" | sort -k1.45 > "${{ matrix.system }}-$1-shallow.json" | |
| nix_show_derivation "$DRV" -r | jq '( | |
| .derivations |= ( | |
| to_entries | |
| | sort_by(.key | .[32:]) | |
| | .[].value.inputs.drvs |= ( | |
| to_entries | |
| | sort_by(.key | .[32:]) | |
| | from_entries) | |
| | from_entries))' > "${{ matrix.system }}-$1-deep.json" | |
| } | |
| list_nix_derivations after | |
| git reset HEAD^ --hard | |
| list_nix_derivations before | |
| - name: Upload tarball artifact | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| path: '*.json' | |
| compare: | |
| runs-on: ubuntu-slim | |
| needs: eval | |
| if: ${{ github.event.pull_request }} | |
| permissions: | |
| pull-requests: write | |
| steps: | |
| - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| path: '*-shallow.json' | |
| - name: Add comment | |
| run: | | |
| { | |
| echo "This PR touches some Nix files. To help review it, here's a quick overview of the changes that were detected:" | |
| for system in x86_64-linux aarch64-linux x86_64-darwin aarch64-darwin; do | |
| echo | |
| echo "<details><summary>$system</summary>" | |
| echo | |
| echo '```diff' | |
| diff "$system-before-shallow.json" "$system-after-shallow.json" || true | |
| echo '```' | |
| echo | |
| echo "</details>" | |
| done | |
| echo | |
| echo "To dig deeper, please review manually the `-deep.json` files." | |
| } | gh pr comment "$PR_URL" --edit-last --create-if-none -F- | |
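Review bot: The `Add comment` step closing the `compare` job runs `gh pr comment "$PR_URL"` without defining `PR_URL` or `GH_TOKEN` in the step's `env`, so `gh` has neither a target PR nor a credential; add `GH_TOKEN: ${{ github.token }}` and `PR_URL: ${{ github.event.pull_request.html_url }}` to that step. The artifact hand-off between the jobs is also mismatched: all four matrix jobs upload under upload-artifact's default artifact name, which current versions treat as a naming conflict, and `path: '*-shallow.json'` on download-artifact is a destination directory rather than a file filter, so the `diff` calls never find `$system-before-shallow.json` and `|| true` silently hides that. On `pull_request` runs from forks the `GITHUB_TOKEN` is presumably read-only regardless of the job-level `pull-requests: write`, so the comment step would likely fail there as well (please confirm). The diff output pasted into the ```diff fence is text derived from PR-controlled Nix files, so a derivation name containing a backtick fence could break the comment's markdown; a small escaping pass on the diff output would keep the bot comment well-formed.
```yaml
      - name: Upload tarball artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: ${{ matrix.system }}
          path: '*.json'
  # … unchanged: compare job header, needs/if/permissions …
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          merge-multiple: true
      - name: Add comment
        env:
          GH_TOKEN: ${{ github.token }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
  # … unchanged: comment body …
```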