tools: add workflow to review Nix changes #12
| name: Review Nix changes | |
| on: | |
| pull_request: | |
| paths: | |
| - '**.nix' | |
| - '.github/workflows/review-nix-changes.yml' | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| push: | |
| branches: | |
| - main | |
| - canary | |
| - v[0-9]+.x-staging | |
| - v[0-9]+.x | |
| paths: | |
| - '**.nix' | |
| - '.github/workflows/review-nix-changes.yml' | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| eval: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - runner: ubuntu-24.04 | |
| system: x86_64-linux | |
| - runner: ubuntu-24.04-arm | |
| system: aarch64-linux | |
| - runner: macos-15-intel | |
| system: x86_64-darwin | |
| - runner: macos-latest | |
| system: aarch64-darwin | |
| name: '${{ matrix.system }}: Evaluate shell.nix' | |
| runs-on: ${{ matrix.runner }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: '*.nix' | |
| sparse-checkout-cone-mode: false | |
| fetch-depth: 2 | |
| - uses: cachix/install-nix-action@96951a368ba55167b55f1c916f7d416bac6505fe # v31.10.3 | |
| with: | |
| extra_nix_config: sandbox = true | |
| - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17 | |
| with: | |
| name: nodejs | |
| - name: Compare | |
| run: | | |
| NIX_DIR=./tools/nix | |
| nix_show_derivation () { | |
| nix --extra-experimental-features nix-command derivation show $2 "$1" | |
| } | |
| list_nix_derivations () { | |
| DRV="$( | |
| nix-instantiate -I "nixpkgs=$NIX_DIR/pkgs.nix" "./shell.nix" \ | |
| --arg devTools " | |
| (import $NIX_DIR/devTools.nix {}) | |
| ++ builtins.attrValues ( | |
| { inherit (import <nixpkgs> {}) nixfmt-tree sccache; } | |
| // import $NIX_DIR/openssl-matrix.nix {} | |
| )" \ | |
| --arg withTemporal true \ | |
| --arg withQuic true | |
| )" | |
| nix-store -qR --include-outputs "$DRV" | grep -v '.drv$' | sort -k1.45 > "out/${{ matrix.system }}-$1-paths.txt" | |
| nix_show_derivation "$DRV" -r | jq '( | |
| .derivations |= ( | |
| to_entries | |
| | sort_by(.key | .[32:]) | |
| | .[].value.inputs.drvs |= ( | |
| to_entries | |
| | sort_by(.key | .[32:]) | |
| | from_entries) | |
| | from_entries))' > "out/${{ matrix.system }}-$1-drv.json" | |
| } | |
| mkdir out | |
| list_nix_derivations after | |
| git reset HEAD^ --hard | |
| list_nix_derivations before | |
| - name: Upload tarball artifact | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| path: out/ | |
| name: diff-${{ matrix.system }} | |
| compare: | |
| runs-on: ubuntu-slim | |
| needs: eval | |
| permissions: | |
| pull-requests: write | |
| steps: | |
| - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| - name: Generate aggregated summary | |
| run: | | |
| set -ex | |
| { | |
| echo "This PR touches some Nix files. To help review it, here's a quick overview of the changes that were detected:" | |
| for system in x86_64-linux aarch64-linux x86_64-darwin aarch64-darwin; do | |
| echo | |
| echo "<details><summary>$system</summary>" | |
| echo | |
| { | |
| diff "diff-$system/$system-before-paths.txt" "diff-$system/$system-after-paths.txt" && EXIT_CODE="$?" || EXIT_CODE="$?" | |
| } > computed_diff | |
| if [ "$EXIT_CODE" = "0" ]; then | |
| echo "No changes detected." | |
| else | |
| echo '```diff' | |
| grep '^[<>]' computed_diff | |
| echo '```' | |
| fi | |
| echo | |
| echo "</details>" | |
| done | |
| echo | |
| echo "There might be more changes that are not shown here" | |
| } >> "$GITHUB_STEP_SUMMARY" | |
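Review bot: The `Compare` step's script (lines with `nix-store -qR ... | grep -v '.drv$' | sort -k1.45 > ...` and `nix_show_derivation ... | jq ...`) runs without `pipefail`, so a failing `nix-store` or `nix derivation show` is masked by the trailing `sort`/`jq` and the job succeeds with an empty paths or drv file, which the `compare` job then reports as every store path being added or removed rather than as an evaluation failure; a step that has no `shell:` key gets `bash -e` but not `-o pipefail`. Starting the script with `set -euo pipefail` (or declaring `shell: bash`, which adds `pipefail`) makes the eval job fail loudly instead. The `compare` job also asks for `pull-requests: write` while the only visible step writes to `$GITHUB_STEP_SUMMARY`; if no later step posts a PR comment, that permission should be dropped to keep the job at `contents: read`. The `compare` job may continue past the end of this section, so the second point is conditional on what follows.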