nixpkgs/ci
emilylange 674835a9d9
chromium: remove ofborg maintainer ping workaround, use CODEOWNERS
The workaround to have ofborg ping chromium and ungoogled-chromium
maintainers when a change was only made to the upstream-info relied on
string context.

That string context was provided by the upstream-info being a nix file,
not a json file, and then holding on to that string context using
awkward attribute merges.

It was intended as a quick fix until the handling of this would improve
in ofborg itself and worked great.

That was until very recently when we switched from the chromium release
tarball to git source fetching in 8dd2f1add9.

Part of that change included going back from upstream-info.nix to
upstream-info.json and with that losing the string context and the base
on which this workaround used to work.

But this is fine. A lot has happened in the meantime.

CODEOWNERS was reimplemented and no longer requires every user listed in
it to have write permissions to the repository (commit bit).

Meaning we can accept that ofborg pings no longer work and instead rely
on CODEOWNERS exclusively.

It should, however, be noted that CODEOWNERS provides less granularity
than ofborg, meaning we can no longer differentiate between
ungoogled-chromium and chromium or even chromedriver.

Previously, implementing the workaround that is now essentially
reverted: 68c59791fb
2024-12-06 20:30:39 +01:00
Directory listing (entry, last commit subject, commit date):

  • codeowners-validator: "ci: Add codeowners validator" (2024-10-08 22:14:59 +02:00)
  • eval: "ci/eval: Also count added packages as rebuilds" (2024-12-02 21:28:47 +01:00)
  • nixpkgs-vet
  • request-reviews: "Use GHA eval to assign rebuild labels (#359704)" (2024-11-29 23:21:39 +01:00)
  • default.nix: "Parallel GH actions workflow for Nixpkgs eval" (2024-11-20 10:35:56 +01:00)
  • get-merge-commit.sh: "ci/get-merge-commit.sh: Add documentation" (2024-10-12 03:59:02 +02:00)
  • nixpkgs-vet.sh
  • OWNERS: "chromium: remove ofborg maintainer ping workaround, use CODEOWNERS" (2024-12-06 20:30:39 +01:00)
  • pinned-nixpkgs.json: "ci: Update pinned Nixpkgs" (2024-12-02 18:48:53 +01:00)
  • README.md: "ci: init get-merge-commit workflow" (2024-12-05 01:05:00 +05:30)
  • supportedSystems.nix: "Parallel GH actions workflow for Nixpkgs eval" (2024-11-20 10:35:56 +01:00)
  • update-pinned-nixpkgs.sh

CI support files

This directory contains files to support CI, such as GitHub Actions and Ofborg. This is in contrast with maintainers/scripts, which is for human use.

Pinned Nixpkgs

CI may need certain packages from Nixpkgs. In order to ensure that the needed packages are generally available without building, pinned-nixpkgs.json contains a pinned Nixpkgs version tested by Hydra.

Run update-pinned-nixpkgs.sh to update it.

ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]

Runs the nixpkgs-vet tool on the HEAD commit, closely matching what CI does. This can't do exactly the same as CI, because CI relies on GitHub's server-side Git history to compute the mergeability of PRs before the check can be started. Conversely, when contributors run this tool locally, we don't want them to have to push commits just to test them, and we can rely on the local Git history for the mergeability check.

Arguments:

  • BASE_BRANCH: The base branch to use, e.g. master or release-24.05
  • REPOSITORY: The repository from which to fetch the base branch. Defaults to https://github.com/NixOS/nixpkgs.git.

ci/nixpkgs-vet

This directory contains scripts and files used by and related to nixpkgs-vet, which the CI uses to implement pkgs/by-name checks, along with many other Nixpkgs architecture rules. See also the CI GitHub Action.

ci/nixpkgs-vet/update-pinned-tool.sh

Updates the pinned nixpkgs-vet tool in ci/nixpkgs-vet/pinned-version.txt to the latest release.

Each release contains a pre-built x86_64-linux version of the tool which is used by CI.

This script currently needs to be called manually when the CI tooling needs to be updated.

Why not just build the tooling right from the PR's Nixpkgs version?

  • Because it allows CI to check all PRs, even if they would break the CI tooling.
  • Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
  • Because it improves security, since we don't have to build potentially untrusted code from PRs. The tool only needs a very minimal Nix evaluation at runtime, which can run with readonly-mode and restrict-eval enabled.

get-merge-commit.sh GITHUB_REPO PR_NUMBER

Check whether a PR is mergeable and return the test merge commit as computed by GitHub.

Arguments:

  • GITHUB_REPO: The repository of the PR, e.g. NixOS/nixpkgs
  • PR_NUMBER: The PR number, e.g. 1234

Exit codes:

  • 0: The PR can be merged; the test merge commit hash is printed on stdout
  • 1: The PR cannot be merged because it's not open anymore
  • 2: The PR cannot be merged because it has a merge conflict
  • 3: The merge commit isn't being computed; GitHub is likely having internal issues, so it is unknown whether the PR is mergeable
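The following Python model of the check above is an added illustration, not the ci/get-merge-commit.sh script itself. It assumes the script reads the pull-request object from the GitHub REST API and decides on the fields `state`, `mergeable` and `merge_commit_sha` (these fields exist in the real API; that the nixpkgs script uses exactly them, and that it polls while GitHub is still computing, is an assumption here). The sample responses and commit hashes are constructed placeholders.

```python
import json
from typing import Callable, List, Optional, Tuple

# Exit codes as documented for ci/get-merge-commit.sh
MERGEABLE = 0       # open and clean: the test merge commit sha is available
NOT_OPEN = 1        # the PR is closed or already merged
MERGE_CONFLICT = 2  # GitHub reports the PR cannot be merged
NOT_COMPUTED = 3    # GitHub has not finished computing mergeability


def classify_pr(pr: dict) -> Tuple[int, Optional[str]]:
    """Map one pull-request API object to (exit code, merge commit sha or None).

    The GitHub API leaves `mergeable` as null while the test merge is still
    being computed, so null means "ask again", not "conflict". (Assumed
    mapping, modelled on the documented exit codes.)
    """
    if pr.get("state") != "open":
        return NOT_OPEN, None
    mergeable = pr.get("mergeable")
    if mergeable is None:
        return NOT_COMPUTED, None
    if mergeable is False:
        return MERGE_CONFLICT, None
    sha = pr.get("merge_commit_sha")
    if not sha:
        # mergeable=true without a sha is inconsistent; never guess a commit
        return NOT_COMPUTED, None
    return MERGEABLE, sha


def resolve_merge_commit(fetch: Callable[[], dict], attempts: int = 5) -> Tuple[int, Optional[str]]:
    """Poll fetch() until GitHub reports a final answer or attempts run out.

    Only NOT_COMPUTED is retried; every other code is final on first sight.
    """
    result: Tuple[int, Optional[str]] = (NOT_COMPUTED, None)
    for _ in range(attempts):
        result = classify_pr(fetch())
        if result[0] != NOT_COMPUTED:
            break
    return result


def make_fetcher(responses: List[dict]) -> Callable[[], dict]:
    """Replay constructed API responses in order, repeating the last one."""
    queue = list(responses)

    def fetch() -> dict:
        if len(queue) > 1:
            return queue.pop(0)
        return queue[0]

    return fetch


# Constructed sample responses, trimmed to the fields used above.
# The shas are made-up placeholders, not real nixpkgs commits.
CLEAN_SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_COMPUTING = json.loads('{"number": 1234, "state": "open", "mergeable": null, "merge_commit_sha": null}')
SAMPLE_CLEAN = json.loads('{"number": 1234, "state": "open", "mergeable": true, "merge_commit_sha": "%s"}' % CLEAN_SHA)
SAMPLE_CONFLICT = json.loads('{"number": 1235, "state": "open", "mergeable": false, "merge_commit_sha": null}')
SAMPLE_CLOSED = json.loads('{"number": 1236, "state": "closed", "mergeable": true, "merge_commit_sha": "placeholder"}')


if __name__ == "__main__":
    # GitHub answers "still computing" twice, then delivers the test merge commit.
    code, sha = resolve_merge_commit(make_fetcher([SAMPLE_COMPUTING, SAMPLE_COMPUTING, SAMPLE_CLEAN]))
    print(code, sha)  # 0 0123456789abcdef0123456789abcdef01234567
```

The distinction between exit code 2 and exit code 3 is the part worth getting right: a null `mergeable` is a transient state, and treating it as a conflict would wrongly skip CI for a PR that is actually clean, while treating it as clean would leave the workflow without a commit to check out.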

Usage

This script is implemented as a reusable GitHub Actions workflow, and can be used as follows:

on: pull_request_target

# We need a token to query the API, but it doesn't need any special permissions
permissions: {}

jobs:
  get-merge-commit:
    # use the relative path of the get-merge-commit workflow yaml here
    uses: ./.github/workflows/get-merge-commit.yml

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: get-merge-commit
    steps:
      - uses: actions/checkout@<VERSION>
        # Add this to _all_ subsequent steps to skip them
        if: needs.get-merge-commit.outputs.mergedSha
        with:
          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
      - ...