review #429353 #12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: review | |
| run-name: "review #${{ inputs.pr }}${{ inputs.extra-args && format(' ({0})', inputs.extra-args) || '' }}" | |
| permissions: {} | |
| env: | |
| PR_NUMBER: ${{ inputs.pr }} | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| pr: | |
| description: "Pull Request Number" | |
| required: true | |
| type: string | |
| x86_64-linux: | |
| description: "Run on x86_64-linux" | |
| required: true | |
| type: boolean | |
| default: true | |
| aarch64-linux: | |
| description: "Run on aarch64-linux" | |
| required: true | |
| type: boolean | |
| default: true | |
| x86_64-darwin: | |
| description: "Run on x86_64-darwin" | |
| required: true | |
| type: choice | |
| default: yes_sandbox_true | |
| options: | |
| - 'no' | |
| - yes_sandbox_false | |
| - yes_sandbox_relaxed | |
| - yes_sandbox_true | |
| aarch64-darwin: | |
| description: "Run on aarch64-darwin" | |
| required: true | |
| type: choice | |
| default: yes_sandbox_true | |
| options: | |
| - 'no' | |
| - yes_sandbox_false | |
| - yes_sandbox_relaxed | |
| - yes_sandbox_true | |
| extra-args: | |
| description: "nixpkgs-review extra args" | |
| required: false | |
| type: string | |
| push-to-cache: | |
| description: "Push to cache" | |
| required: true | |
| type: boolean | |
| default: true | |
| upterm: | |
| description: "Start upterm session after nixpkgs-review" | |
| required: true | |
| type: boolean | |
| default: false | |
| post-result: | |
| description: "Post Result" | |
| required: true | |
| type: boolean | |
| default: true | |
| approve-on-success: | |
| description: "Approve PR on review success" | |
| required: true | |
| type: boolean | |
| default: false | |
| jobs: | |
| review: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| system: | |
| - x86_64-linux | |
| - aarch64-linux | |
| - x86_64-darwin | |
| - aarch64-darwin | |
| exclude: | |
| - system: ${{ !inputs.x86_64-linux && 'x86_64-linux' || '' }} | |
| - system: ${{ !inputs.aarch64-linux && 'aarch64-linux' || '' }} | |
| - system: ${{ inputs.x86_64-darwin == 'no' && 'x86_64-darwin' || '' }} | |
| - system: ${{ inputs.aarch64-darwin == 'no' && 'aarch64-darwin' || '' }} | |
| runs-on: >- | |
| ${{ (matrix.system == 'x86_64-linux' && 'ubuntu-latest') | |
| || (matrix.system == 'aarch64-linux' && 'ubuntu-24.04-arm') | |
| || (matrix.system == 'x86_64-darwin' && 'macos-latest') | |
| || (matrix.system == 'aarch64-darwin' && 'macos-latest') }} | |
| outputs: | |
| report_x86_64-linux: ${{ steps.report.outputs.report_x86_64-linux }} | |
| report_aarch64-linux: ${{ steps.report.outputs.report_aarch64-linux }} | |
| report_x86_64-darwin: ${{ steps.report.outputs.report_x86_64-darwin }} | |
| report_aarch64-darwin: ${{ steps.report.outputs.report_aarch64-darwin }} | |
| fetch_cmd_x86_64-linux: ${{ steps.report.outputs.fetch_cmd_x86_64-linux }} | |
| fetch_cmd_aarch64-linux: ${{ steps.report.outputs.fetch_cmd_aarch64-linux }} | |
| fetch_cmd_x86_64-darwin: ${{ steps.report.outputs.fetch_cmd_x86_64-darwin }} | |
| fetch_cmd_aarch64-darwin: ${{ steps.report.outputs.fetch_cmd_aarch64-darwin }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| sparse-checkout: .github/actions | |
| - name: setup nix | |
| uses: ./.github/actions/setup-nix | |
| with: | |
| system: ${{ matrix.system }} | |
| sandbox: ${{ | |
| (matrix.system == 'x86_64-darwin' && inputs.x86_64-darwin == 'yes_sandbox_false' | |
| || matrix.system == 'aarch64-darwin' && inputs.aarch64-darwin == 'yes_sandbox_false') && 'false' | |
| || (matrix.system == 'x86_64-darwin' && inputs.x86_64-darwin == 'yes_sandbox_relaxed' | |
| || matrix.system == 'aarch64-darwin' && inputs.aarch64-darwin == 'yes_sandbox_relaxed') && 'relaxed' | |
| || 'true' }} | |
| - name: install packages | |
| run: | | |
| pkgs=(coreutils nixpkgs-review jq gnused) | |
| if [[ ${{ inputs.push-to-cache && vars.ATTIC_SERVER != '' && vars.ATTIC_CACHE != '' }} = true ]]; then | |
| pkgs+=(attic-client) | |
| elif [[ ${{ inputs.push-to-cache && vars.CACHIX_CACHE != '' }} = true ]]; then | |
| pkgs+=(cachix) | |
| fi | |
| args=() | |
| for pkg in ${pkgs[@]}; do args+=("github:nixos/nixpkgs/nixpkgs-unstable#$pkg"); done | |
| nix profile install ${args[@]} | |
| - name: clone nixpkgs | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: NixOS/nixpkgs | |
| path: nixpkgs | |
| persist-credentials: false | |
| - name: run nixpkgs-review ${{ inputs.extra-args }} | |
| run: | | |
| nixpkgs-review -- \ | |
| pr ${PR_NUMBER} \ | |
| --no-shell \ | |
| --no-headers \ | |
| --print-result \ | |
| --build-args="-L" \ | |
| $EXTRA_ARGS \ | |
| || true | |
| working-directory: nixpkgs | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| EXTRA_ARGS: ${{ inputs.extra-args }} | |
| - name: push results to cache | |
| if: ${{ inputs.push-to-cache && ((vars.ATTIC_SERVER != '' && vars.ATTIC_CACHE != '') || vars.CACHIX_CACHE != '') }} | |
| run: | | |
| set -ex | |
| (realpath -qe ~/.cache/nixpkgs-review/pr-${PR_NUMBER}/results/* || true) > paths | |
| [[ -s paths ]] || exit 0 | |
| if [[ ${{ vars.ATTIC_SERVER != '' && vars.ATTIC_CACHE != '' }} = true ]]; then | |
| attic login default "$ATTIC_SERVER" "$ATTIC_TOKEN" | |
| if ! attic cache info "$ATTIC_CACHE"; then | |
| echo "::error:: attic returned an error" | |
| exit 0 | |
| fi | |
| attic push --stdin "$ATTIC_CACHE" < paths | |
| info=$(curl -f -H "Authorization: Bearer ${ATTIC_TOKEN}" "${ATTIC_SERVER}_api/v1/cache-config/${ATTIC_CACHE}") | |
| substituter_endpoint=$(jq -r .substituter_endpoint <<< "$info") | |
| public_key=$(jq -r .public_key <<< "$info") | |
| is_public=$(jq -r .is_public <<< "$info") | |
| elif [[ ${{ vars.CACHIX_CACHE != '' }} = true ]]; then | |
| [[ -n "$CACHIX_SIGNING_KEY" ]] || unset CACHIX_SIGNING_KEY | |
| cachix push "$CACHIX_CACHE" < paths | |
| info=$(curl -f -H "Authorization: Bearer ${CACHIX_AUTH_TOKEN}" "https://app.cachix.org/api/v1/cache/${CACHIX_CACHE}") | |
| substituter_endpoint=$(jq -r .uri <<< "$info") | |
| public_key=$(jq -r '.publicSigningKeys[]' <<< "$info") | |
| is_public=$(jq -r .isPublic <<< "$info") | |
| fi | |
| [[ "$is_public" = true ]] || exit 0 | |
| echo "nix-store -r --add-root nixpkgs-pr-${PR_NUMBER}-${{ matrix.system }} \\" >> fetch_cmd | |
| echo " --option binary-caches 'https://cache.nixos.org/ $substituter_endpoint' \\" >> fetch_cmd | |
| echo " --option trusted-public-keys '" >> fetch_cmd | |
| echo " cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" >> fetch_cmd | |
| echo " $public_key" >> fetch_cmd | |
| echo -n " '" >> fetch_cmd | |
| for p in $(cat paths); do | |
| echo -e " \\" >> fetch_cmd | |
| echo -n " $p" >> fetch_cmd | |
| done | |
| env: | |
| ATTIC_SERVER: ${{ vars.ATTIC_SERVER }} | |
| ATTIC_CACHE: ${{ vars.ATTIC_CACHE }} | |
| ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }} | |
| CACHIX_CACHE: ${{ vars.CACHIX_CACHE }} | |
| CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }} | |
| - name: start upterm session | |
| if: ${{ inputs.upterm }} | |
| uses: owenthereal/action-upterm@v1 | |
| with: | |
| limit-access-to-actor: true | |
| - name: generate report | |
| id: report | |
| run: | | |
| if [[ -s fetch_cmd ]]; then | |
| cat fetch_cmd | |
| echo fetch_cmd_${{ matrix.system }}=$(base64 -w0 fetch_cmd) >> "$GITHUB_OUTPUT" | |
| fi | |
| dir=~/.cache/nixpkgs-review/pr-${PR_NUMBER} | |
| if [[ "$OS" != "Linux" ]]; then | |
| sandbox=$(nix config show sandbox) | |
| sed -i '/^###/s/$/ (sandbox = '"$sandbox"')/' "$dir/report.md" | |
| fi | |
| if ! [[ -s "$dir/report.md" ]]; then | |
| echo -e "\n---" >> "$dir/report.md" | |
| echo "### \`${{ matrix.system }}\`" >> "$dir/report.md" | |
| echo ":white_check_mark: *No rebuilds*" >> "$dir/report.md" | |
| fi | |
| cat $dir/report.md | |
| report=$(jq -c '.+{$md}' $dir/report.json --rawfile md $dir/report.md | base64 -w0) | |
| echo report_${{ matrix.system }}=$report >> "$GITHUB_OUTPUT" | |
| env: | |
| OS: ${{ runner.os }} | |
| report: | |
| runs-on: ubuntu-latest | |
| needs: [review] | |
| outputs: | |
| report: ${{ steps.report.outputs.report }} | |
| success: ${{ steps.report.outputs.success }} | |
| steps: | |
| - name: generate report | |
| id: report | |
| run: | | |
| echo -e "## \`nixpkgs-review\` result\n" >> report.md | |
| echo -e "Generated using [\`nixpkgs-review-gha\`](https://github.com/Defelo/nixpkgs-review-gha)\n" >> report.md | |
| echo -e "Command: \`nixpkgs-review pr ${PR_NUMBER}${EXTRA_ARGS:+ $EXTRA_ARGS}\`\n" >> report.md | |
| echo -e "Logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\n" >> report.md | |
| mkdir .tmp | |
| cd .tmp | |
| echo ${FETCH_CMD_X86_64_LINUX} | base64 -d > x86_64-linux | |
| echo ${FETCH_CMD_AARCH64_LINUX} | base64 -d > aarch64-linux | |
| echo ${FETCH_CMD_X86_64_DARWIN} | base64 -d > x86_64-darwin | |
| echo ${FETCH_CMD_AARCH64_DARWIN} | base64 -d > aarch64-darwin | |
| for system in x86_64-linux aarch64-linux x86_64-darwin aarch64-darwin; do | |
| [[ -s $system ]] || continue | |
| echo -e "<li><details><summary><code>$system</code></summary>\n\n\`\`\`shell" >> ../cache.md | |
| cat $system >> ../cache.md | |
| echo -e "\n\`\`\`\n</details></li>" >> ../cache.md | |
| done | |
| cd .. | |
| if [[ -s cache.md ]]; then | |
| echo -e "<details><summary>Download packages from cache:</summary><ul>" >> report.md | |
| cat cache.md >> report.md | |
| echo -e "</ul></details>\n" >> report.md | |
| fi | |
| mkdir reports | |
| echo ${REPORT_X86_64_LINUX} | base64 -d > reports/x86_64-linux.json | |
| echo ${REPORT_AARCH64_LINUX} | base64 -d > reports/aarch64-linux.json | |
| echo ${REPORT_X86_64_DARWIN} | base64 -d > reports/x86_64-darwin.json | |
| echo ${REPORT_AARCH64_DARWIN} | base64 -d > reports/aarch64-darwin.json | |
| for system in x86_64-linux aarch64-linux x86_64-darwin aarch64-darwin; do | |
| if [[ -s reports/$system.json ]]; then | |
| jq -r '.md' reports/$system.json >> report.md | |
| fi | |
| done | |
| cat report.md | |
| echo report=$(base64 -w0 report.md) >> "$GITHUB_OUTPUT" | |
| echo success=$(jq -s 'all(.[].result[]; .failed==[])' reports/*.json) >> "$GITHUB_OUTPUT" | |
| sed '1s|$| for [#'"$PR_NUMBER"'](https://github.com/NixOS/nixpkgs/pull/'"$PR_NUMBER"')|' report.md >> $GITHUB_STEP_SUMMARY | |
| env: | |
| EXTRA_ARGS: ${{ inputs.extra-args }} | |
| FETCH_CMD_X86_64_LINUX: ${{ needs.review.outputs.fetch_cmd_x86_64-linux }} | |
| FETCH_CMD_AARCH64_LINUX: ${{ needs.review.outputs.fetch_cmd_aarch64-linux }} | |
| FETCH_CMD_X86_64_DARWIN: ${{ needs.review.outputs.fetch_cmd_x86_64-darwin }} | |
| FETCH_CMD_AARCH64_DARWIN: ${{ needs.review.outputs.fetch_cmd_aarch64-darwin }} | |
| REPORT_X86_64_LINUX: ${{ needs.review.outputs.report_x86_64-linux }} | |
| REPORT_AARCH64_LINUX: ${{ needs.review.outputs.report_aarch64-linux }} | |
| REPORT_X86_64_DARWIN: ${{ needs.review.outputs.report_x86_64-darwin }} | |
| REPORT_AARCH64_DARWIN: ${{ needs.review.outputs.report_aarch64-darwin }} | |
| post-result: | |
| runs-on: ubuntu-latest | |
| needs: [report] | |
| if: ${{ inputs.post-result || inputs.approve-on-success }} | |
| steps: | |
| - name: fetch report | |
| run: echo ${REPORT} | base64 -d > report.md | |
| env: | |
| REPORT: ${{ needs.report.outputs.report }} | |
| - name: post comment | |
| if: ${{ inputs.post-result }} | |
| run: | | |
| if [[ -n "$GH_TOKEN" ]]; then | |
| gh pr -R NixOS/nixpkgs comment ${PR_NUMBER} -F report.md | |
| fi | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
| - name: approve pull request | |
| if: ${{ inputs.approve-on-success && needs.report.outputs.success == 'true' }} | |
| run: | | |
| if [[ -n "$GH_TOKEN" ]]; then | |
| gh pr -R NixOS/nixpkgs review ${PR_NUMBER} --approve -b "Approved automatically following the successful run of \`nixpkgs-review\`." || true | |
| fi | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_TOKEN }} |