# `nixpkgs-vet` is a tool to vet Nixpkgs: its architecture, package structure, and more. # Among other checks, it makes sure that `pkgs/by-name` (see `../../pkgs/by-name/README.md`) follows the validity rules outlined in [RFC 140](https://github.com/NixOS/rfcs/pull/140). # When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI. # See https://github.com/NixOS/nixpkgs-vet for details on the tool and its checks. name: Vet nixpkgs on: # Using pull_request_target instead of pull_request avoids having to approve first time contributors. pull_request_target: # This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`. # Instead it causes an `edited` event, so we need to add it explicitly here. # While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem. # There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058 types: [opened, synchronize, reopened, edited] permissions: {} # We don't use a concurrency group here, because the action is triggered quite often (due to the PR edit trigger), and contributors would get notified on any canceled run. # There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015 jobs: check: name: nixpkgs-vet # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases. runs-on: ubuntu-latest # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long. timeout-minutes: 10 steps: # This checks out the base branch because of pull_request_target - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: path: base sparse-checkout: ci - name: Resolving the merge commit env: GH_TOKEN: ${{ github.token }} run: | if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then echo "Checking the merge commit $mergedSha" echo "mergedSha=$mergedSha" >> "$GITHUB_ENV" else echo "Skipping the rest..." fi rm -rf base - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 if: env.mergedSha with: # pull_request_target checks out the base branch by default ref: ${{ env.mergedSha }} # Fetches the merge commit and its parents fetch-depth: 2 - name: Checking out base branch if: env.mergedSha run: | base=$(mktemp -d) git worktree add "$base" "$(git rev-parse HEAD^1)" echo "base=$base" >> "$GITHUB_ENV" - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 if: env.mergedSha - name: Fetching the pinned tool if: env.mergedSha # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh run: | # The pinned version of the tooling to use. toolVersion=$(