
Commit 45f7567

committed
tools: add workflow to review Nix changes
1 parent b2f6aa3 commit 45f7567

1 file changed

Lines changed: 129 additions & 0 deletions


Lines changed: 129 additions & 0 deletions
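--- /dev/null
+++ b/.github/workflows/review-nix-changes.yml
@@ -0,0 +1,129 @@
+name: Review Nix changes
+
+on:
+  pull_request:
+    paths:
+      - '**.nix'
+      - '.github/workflows/review-nix-changes.yml'
+    types: [opened, synchronize, reopened, ready_for_review]
+  push:
+    branches:
+      - main
+      - canary
+      - v[0-9]+.x-staging
+      - v[0-9]+.x
+    paths-ignore:
+      - '**.nix'
+      - '.github/workflows/review-nix-changes.yml'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  eval:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-24.04
+            system: x86_64-linux
+          - runner: ubuntu-24.04-arm
+            system: aarch64-linux
+          - runner: macos-15-intel
+            system: x86_64-darwin
+          - runner: macos-latest
+            system: aarch64-darwin
+    name: '${{ matrix.system }}: Evaluate shell.nix'
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          sparse-checkout: '*.nix'
+          sparse-checkout-cone-mode: false
+          depth: 2
+
+      - uses: cachix/install-nix-action@96951a368ba55167b55f1c916f7d416bac6505fe # v31.10.3
+        with:
+          extra_nix_config: sandbox = true
+
+      - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17
+        with:
+          name: nodejs
+
+      - name: Compare
+        run: |
+          nix_show_derivation () {
+            nix --extra-experimental-features nix-command derivation show $2 "$1"
+          }
+          list_nix_derivations () {
+            DRV="$(
+              nix-instantiate -I "nixpkgs=$NIXPKGS_PIN_FILE" "$BASE_DIR/shell.nix" \
+                --arg devTools "
+                  (import $BASE_DIR/tools/nix/devTools.nix {})
+                  ++ builtins.attrValues (
+                    { inherit (import <nixpkgs> {}) nixfmt-tree sccache; }
+                    // import $OPENSSL_MATRIX_FILE {}
+                  )" \
+                --arg withTemporal true \
+                --arg withQuic true
+            )"
+            nix_show_derivation "$DRV" | jq '{
+              inputs: .derivations.[].inputs.drvs | to_entries | sort_by(.key | .[32:]) | map(.key),
+              env: .derivations.[].env | (.nativeBuildInputs |= "[REDACTED]") | (.out |= "[REDACTED]")
+            }' > "${{ matrix.system }}-$1-shallow.json"
+            nix_show_derivation "$DRV" -r | jq '(
+              .derivations |= (
+                to_entries
+                | sort_by(.key | .[32:])
+                | .[].value.inputs.drvs |= (
+                  to_entries
+                  | sort_by(.key | .[32:])
+                  | from_entries)
+                | from_entries))' > "${{ matrix.system }}-$1-deep.json"
+          }
+          list_nix_derivations after
+          git reset HEAD^ --hard
+          list_nix_derivations before
+
+      - name: Upload tarball artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          path: '*.json'
+
+  compare:
+    runs-on: ubuntu-slim
+    needs: eval
+    if: ${{ github.event.pull_request }}
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          path: '*-shallow.json'
+
+      - name: Add comment
+        run: |
+          {
+            echo "This PR touches some Nix files. To help review it, here's a quick overview of the changes that were detected:"
+
+            for system in x86_64-linux aarch64-linux x86_64-darwin aarch64-darwin; do
+              echo
+              echo "<details><summary>$system</summary>"
+              echo
+              echo '```diff'
+              diff $system-* || true
+              echo '```'
+              echo
+              echo "</details>"
+            done
+
+            echo
+            echo "To dig deeper, please review manually the `-deep.json` files."
+          } | gh pr comment "$PR_URL" --edit-last --create-if-none -F-
+
+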
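Review bot: The run scripts read `$NIXPKGS_PIN_FILE`, `$BASE_DIR` and `$OPENSSL_MATRIX_FILE` in the Compare step and `$PR_URL` in the Add comment step, but the workflow declares no `env:` anywhere, so `nix-instantiate` is handed an empty pin and `/shell.nix`, and `gh pr comment` gets an empty URL and no `GH_TOKEN` to authenticate with. Declare them in an `env:` block on each step, keeping them as environment variables rather than inlining `${{ }}` into the script; for the comment step that is `GH_TOKEN: ${{ github.token }}` and `PR_URL: ${{ github.event.pull_request.html_url }}`, and the three Nix paths are repo-relative values the commit does not show. In the same Add comment script, the backticks in `echo "To dig deeper, please review manually the `-deep.json` files."` are a command substitution inside double quotes, so the shell tries to execute `-deep.json` and the file name drops out of the posted text; single-quote that line. The four matrix jobs also upload under upload-artifact's default artifact name, and download-artifact's `path` is the destination directory rather than a filter, so as far as I can tell the `diff $system-*` loop will find nothing while `|| true` hides that; give the upload `name: ${{ matrix.system }}` and download with `pattern: '*'` plus `merge-multiple: true`. Finally, the `push` trigger uses `paths-ignore` for the same two patterns the `pull_request` trigger lists under `paths`, which looks inverted — confirm the push run is meant to skip Nix changes.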
