Zhong Jianxin
c318085efa
ci/check-shell: fix ci/**
path
2024-11-30 10:32:54 +08:00
Jörg Thalheim
cb016f116b
ci/check-shell: only run if shell.nix
or ./ci/**
is changed
...
saves a bit of CI time
2024-11-29 23:34:33 +01:00
Silvan Mosberger
af1aa40e73
workflows/eval.yml: Run on dev branch pushes and apply rebuild labels
2024-11-28 22:24:23 +01:00
Jörg Thalheim
eeb87082a9
add actionlint script
2024-11-22 14:16:17 +01:00
Jörg Thalheim
2adf409581
ci/check-nixf-tidy: replace sed with variable substitution
...
Update .github/workflows/check-nixf-tidy.yml
Co-authored-by: Zhong Jianxin <azuwis@users.noreply.github.com>
2024-11-22 14:16:17 +01:00
Jörg Thalheim
b998723321
ci/editorconfig-v2: useless use of cat
2024-11-22 08:33:41 +01:00
Silvan Mosberger
19db54eda1
workflows/eval: Minor fixes, ensure the correct commit is checked out
...
- `env.mergedSha` is empty, so it checked out the master version by
default
- The process step used `needs.attrs.outputs.mergedSha`, but apparently
that's empty unless `attrs` is declared as a `needs`, even though
`outputs` implicitly depends on `attrs`
2024-11-21 20:01:18 +01:00
Zhong Jianxin
f80720823b
workflows/eval: avoid potential script injection attack
...
Although matrix.system is supposed to be generated from trusted code,
we'd better follow [Github Actions good practices][1].
[1]: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
2024-11-20 20:50:24 +08:00
Silvan Mosberger
fbbe972898
Parallel GH actions workflow for Nixpkgs eval
...
Motivated by ofborg struggling [1] and its evaluations taking too long,
inspired by Jörg's initial PR [2]
and Adam's previous attempt to parallelise Nixpkgs evaluation [3],
this PR contains initial work to relief ofborg from its evaluation duty
by using GitHub Actions to evaluate Nixpkgs.
For now this doesn't take care of all of what ofborg does, such as
requesting appropriate reviewers or labeling mass rebuilds, but this can
be follow-up work.
[1]: https://discourse.nixos.org/t/infrastructure-announcement-the-future-of-ofborg-your-help-needed/56025?u=infinisil
[2]: https://github.com/NixOS/nixpkgs/pull/352808
[3]: https://github.com/NixOS/nixpkgs/pull/269403
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
Co-Authored-By: Adam Joseph <adam@westernsemico.com>
2024-11-20 10:35:56 +01:00
Tristan Ross
90fcf3aa7e
25.05 is Warbler
2024-11-14 09:10:54 -08:00
dependabot[bot]
6baeff261f
build(deps): bump actions/checkout from 4.2.1 to 4.2.2
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.2.1 to 4.2.2.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](eef61447b9...11bd71901b
)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-10-28 11:50:56 +00:00
Silvan Mosberger
5bbbc3a30b
workflows: Rename after security fixes
...
In the previous two commits, security issues with these workflows were
fixed. In order for these to not be exploitable for PRs to branches that
don't have the fixes yet (including read-only branches like
nixos-unstable), these workflows are renamed, so that the old ones can
be turned off manually via GitHub interface.
Co-Authored-By: 13x1 <tori@disroot.org>
Co-Authored-By: basti564 <e3e@disroot.org>
2024-10-26 15:30:52 +02:00
Silvan Mosberger
6b8ce4aedf
workflows: Fix security issues
...
read-all permissions gives access to e.g. security-events, which these
don't need, and can easily lead to leaks
Co-Authored-By: 13x1 <tori@disroot.org>
Co-Authored-By: basti564 <e3e@disroot.org>
2024-10-26 15:03:37 +02:00
Silvan Mosberger
59aee1ca5d
workflows/codeowners: Fix security issue
...
Co-Authored-By: 13x1 <tori@disroot.org>
Co-Authored-By: basti564 <e3e@disroot.org>
2024-10-26 15:01:12 +02:00
Cole Helbling
705fdd9ccc
ci/basic-eval: check that flake outputs are valid
2024-10-16 08:49:28 -07:00
zowoq
f30a046672
.github/workflows: remove update-terraform-providers
...
semi-broken, will try using r-ryantm bot for updates instead
2024-10-16 17:20:57 +10:00
dependabot[bot]
f3143a7eda
build(deps): bump actions/checkout from 4.2.0 to 4.2.1
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.2.0 to 4.2.1.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](d632683dd7...eef61447b9
)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-10-14 11:35:32 +00:00
Philip Taron
d6d9c6125a
Improve PR merge check for CI ( #347786 )
2024-10-12 09:11:24 -07:00
Silvan Mosberger
7f9d297838
workflows/nixpkgs-vet: Make merge check script reusable
...
This is useful for other workflows as well. Originally I thought it
couldn't be put in the repo, but it can (just needs another checkout)
2024-10-12 03:58:39 +02:00
Silvan Mosberger
f9b28d5678
workflows/codeowners: Cache codeowner validator build
...
The codeowner-validator build declared in ci/codeowners-validator was
not cached before and needed to be built for every PR, which is slow and
wasteful: https://github.com/NixOS/nixpkgs/actions/runs/11280533037/job/31373720922
2024-10-10 21:21:22 +02:00
Silvan Mosberger
b01ca00aed
CODEOWNERS: Switch to alternate mechanism
...
This effectively disables the native GitHub codeowners feature
and enables the new alternate codeowners mechanism introduced in
https://github.com/NixOS/nixpkgs/pull/336261
This means that:
- We can now declare users without write access as code owners!
- Targeting the wrong branch won't trigger mass pings anymore!
2024-10-10 01:40:05 +02:00
Silvan Mosberger
c1710f234c
workflows/codeowners: Dry mode for now
...
Apparently it started requesting reviews from code owners already
because the DRY_MODE from the global env was overridden in the local job
declaration: https://github.com/NixOS/nixpkgs/pull/347354#event-14570645380
2024-10-09 18:34:34 +02:00
Philip Taron
ecf10b087d
Alternate more flexible code owners mechanism, soon to avoid mass pings ( #336261 )
2024-10-08 13:58:11 -07:00
Silvan Mosberger
87a2986c1a
workflows/codeowners: init
2024-10-08 22:23:23 +02:00
dependabot[bot]
557d69a3d0
build(deps): bump cachix/install-nix-action from 29 to 30
...
Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action ) from 29 to 30.
- [Release notes](https://github.com/cachix/install-nix-action/releases )
- [Commits](9f70348d77...08dcb3a5e6
)
---
updated-dependencies:
- dependency-name: cachix/install-nix-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-10-07 11:17:58 +00:00
dependabot[bot]
b93144cbc0
build(deps): bump actions/checkout from 4.1.7 to 4.2.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.1.7 to 4.2.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](692973e3d9...d632683dd7
)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-09-30 12:02:46 +00:00
dependabot[bot]
7816a35ee7
build(deps): bump cachix/install-nix-action from 27 to 29
...
Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action ) from 27 to 29.
- [Release notes](https://github.com/cachix/install-nix-action/releases )
- [Commits](ba0dd844c9...9f70348d77
)
---
updated-dependencies:
- dependency-name: cachix/install-nix-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-09-30 11:58:38 +00:00
dependabot[bot]
d8f973058b
build(deps): bump peter-evans/create-pull-request from 7.0.1 to 7.0.3
...
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request ) from 7.0.1 to 7.0.3.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases )
- [Commits](8867c4aba1...6cd32fd936
)
---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-09-16 11:06:39 +00:00
dependabot[bot]
02e7ca9482
build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.1
...
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request ) from 6.1.0 to 7.0.1.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases )
- [Commits](c5a7806660...8867c4aba1
)
---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-09-09 11:37:51 +00:00
Philip Taron
cc45e69475
.github: continue finessing the text and names for nixpkgs-vet
2024-09-03 14:13:13 -07:00
Philip Taron
89cbfde96d
nixpkgs-vet: update CI, docs, and release to 0.1.4
...
Everything gets moved into the `ci/` top-level directory.
We keep behind `maintainers/scripts/check-by-name.sh` and `pkgs/test/check-by-name/pinned-version.txt` as they are going to cause CI errors and confusion until we get all the way through the various channels.
They'll be removed in about a week or so.
2024-09-03 13:53:25 -07:00
Philip Taron
b305dc2006
workflows/check-by-name: Mention who to ping for trouble ( #337120 )
2024-08-29 05:57:28 -07:00
Silvan Mosberger
32b96d3449
workflows/check-by-name: Mention who to ping for trouble
...
The check-by-name team can't be looking through all PRs to see if anybody
is struggling.
2024-08-25 01:18:11 +02:00
Silvan Mosberger
e120425bb2
workflows/check-nix-format: Mention who to ping for trouble
...
The formatting team can't be looking through all PRs to see if anybody
is struggling.
2024-08-25 01:12:25 +02:00
Silvan Mosberger
91add64d00
workflows/check-nix-format: Better nix-shell
message
...
As [suggested](https://github.com/NixOS/nixpkgs/pull/334286#issuecomment-2286131096 ) by @nh2
2024-08-19 16:26:54 +02:00
Adam Stephens
15e9fcd961
workflows/*: ensure jobs have names
2024-07-31 23:28:40 -04:00
Silvan Mosberger
74aba63e9f
Merge pull request #330454 from Aleksanaa/ci-nixf-tidy
...
workflows/check-nixf-tidy.yml: temporarily ignore sema-escaping-with
2024-07-27 20:13:43 +02:00
aleksana
7fcc319d5e
workflows/check-nixf-tidy.yml: temporarily ignore sema-escaping-with
2024-07-28 00:28:21 +08:00
Silvan Mosberger
a64e2c4de1
Merge pull request #330400 from infinisil/nix-format-check-minor-fix
...
Nix format check minor fix
2024-07-27 15:48:27 +02:00
Silvan Mosberger
c1d3cc57ef
Merge pull request #330066 from Aleksanaa/ci-nixf-tidy
...
workflows/check-nixf-tidy.yml: init
2024-07-27 15:47:30 +02:00
Silvan Mosberger
a1c36999b8
workflows/check-nix-format: Allow testing in forks
...
It seems like imposed limitation came from ofborg not running in forks,
which doesn't apply for standard GitHub actions:
88c60d97fc
2024-07-27 14:14:12 +02:00
Silvan Mosberger
44f17f8392
workflows/check-nix-format: Fix reporting of renamed files
...
When a file was renamed, it would previously report the old path as
being unformatted. This fixes it to report the new one instead.
2024-07-27 14:08:22 +02:00
aleksana
81755ffcde
workflows/check-nixf-tidy.yml: init
2024-07-27 16:45:39 +08:00
Silvan Mosberger
eac58dca33
Revert "Partially revert "build(deps): bump cachix/install-nix-action from 26 to 27""
...
This reverts commit 99069476ca
.
With the parent commit,
https://github.com/NixOS/nixpkgs-check-by-name/issues/78 is fixed, so
there's no problem related to the Nix version anymore.
2024-07-27 01:59:48 +02:00
Silvan Mosberger
1f0b359712
Enforce nixfmt on new files and changed files that were already formatted ( #326407 )
...
* workflows/check-nix-format: Enforce nixfmt on new/changed files
This makes the Nix format workflow check new/changed files instead of
just an allowlist.
This enforces that all PRs updated after this is merged are required to
have fully standard formatted Nix files!
* workflows/check-nix-format: determine changed files via base commit
The next commit will use this to have a simpler change
* workflows/check-nix-format: Only ensure for already formatted files
This prevents situations where contributors need to suddenly format a
huge file even if they only changed a small part of it (e.g.
all-packages.nix)
2024-07-23 15:03:15 -04:00
Silvan Mosberger
99069476ca
Partially revert "build(deps): bump cachix/install-nix-action from 26 to 27"
...
This partially reverts commit ab7becf047
.
The pkgs/by-name check doesn't work for newer Nix versions yet,
see https://github.com/NixOS/nixpkgs-check-by-name/issues/78
2024-07-23 17:35:28 +02:00
dependabot[bot]
ab7becf047
build(deps): bump cachix/install-nix-action from 26 to 27
...
Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action ) from 26 to 27.
- [Release notes](https://github.com/cachix/install-nix-action/releases )
- [Commits](8887e596b4...ba0dd844c9
)
---
updated-dependencies:
- dependency-name: cachix/install-nix-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-07-22 20:04:12 +00:00
Artturin
4564dfe772
Merge pull request #322157 from NixOS/dependabot/github_actions/peter-evans/create-pull-request-6.1.0
...
build(deps): bump peter-evans/create-pull-request from 6.0.4 to 6.1.0
2024-07-12 22:28:47 +03:00
Artturin
cd538b4b84
Merge pull request #316876 from NixOS/dependabot/github_actions/korthout/backport-action-3.0.2
...
build(deps): bump korthout/backport-action from 2.5.0 to 3.0.2
2024-07-12 22:11:26 +03:00
Silvan Mosberger
d2a6a829ad
Merge pull request #323216 from tweag/github-status
...
workflows/check-by-name: link to githubstatus
2024-07-05 02:13:13 +02:00