talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity
nixpkgs/ci/default.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

141 lines
4.7 KiB
Nix
Raw Permalink Normal View History

ci: Add default.nix with exposed pkgs Allows reusing it in more places
2024-10-01 05:59:38 +02:00
let
ci/pinned: manage nixpkgs and treefmt-nix with npins Instead of rolling our own update script which only works for a single pin, let's use npins. We can then use it for the treefmtNix pin as well, which was mostly unmaintained, so far.
2025-05-31 19:09:58 +02:00
pinned = (builtins.fromJSON (builtins.readFile ./pinned.json)).pins;
ci: Add default.nix with exposed pkgs Allows reusing it in more places
2024-10-01 05:59:38 +02:00
in
{
system ? builtins.currentSystem,
nixpkgs ? null,
workflows/eval: test all available versions With this change, we start running Eval on all available Lix and Nix versions. Because this requires a lot of resources, this complete test is only run when `ci/pinned.json` is updated. The resulting outpaths are checked for consistency with the target branch. A difference will cause the `report` job to fail, thus blocking the merge, ensuring Eval consistency for Nixpkgs across different versions. This implements a kind of "ratchet style" check: Since we originally confirmed that the versions currently in Nixpkgs at the time of this commit match Eval behavior of Nix 2.3, we can ensure consistency with Nix 2.3 down the road, even without testing for it explicitly. There had been one regression in Eval consistency for Nix between 2.18 and 2.24 - two tests in `tests.devShellTools` produce different results between Lix 2.91+ (which was forked from Nix 2.18) and Nix 2.24+. I assume it's unlikely that such a change would be "fixed" by now, thus I added an exception for these. As a bonus, we also present the total time in seconds it takes for Eval to complete for every tested version in a summary table. This allows us to easily see performance improvements for Eval due to version updates. At this stage, this time only includes the "outpaths" step of Eval, but not the generation of attrpaths beforehand.
2025-07-23 13:28:44 +02:00
nixPath ? "nixVersions.latest",
ci: Add default.nix with exposed pkgs Allows reusing it in more places
2024-10-01 05:59:38 +02:00
}:
let
nixpkgs' =
if nixpkgs == null then
fetchTarball {
ci/pinned: manage nixpkgs and treefmt-nix with npins Instead of rolling our own update script which only works for a single pin, let's use npins. We can then use it for the treefmtNix pin as well, which was mostly unmaintained, so far.
2025-05-31 19:09:58 +02:00
inherit (pinned.nixpkgs) url;
sha256 = pinned.nixpkgs.hash;
ci: Add default.nix with exposed pkgs Allows reusing it in more places
2024-10-01 05:59:38 +02:00
}
else
nixpkgs;
nix_2_3: drop This has been marked insecure a while ago, as some CVEs have not been backported. Even if *some* CVEs are fixed, we'd need **all** of them to be, to get it back into the cache. Not having it in the cache means, we can not test it in CI. This means we can't make sure to actually support this version to evaluate Nixpkgs.
2025-07-24 16:08:14 +02:00
pkgs = import nixpkgs' { inherit system; };
shell: Introduce treefmt Introduces treefmt with a simple nixfmt-rfc-style configuration to format all Nix files. This is only practically usable with the following commit that formats all files accordingly.
2025-02-12 19:58:29 +01:00
fmt =
let
treefmtNixSrc = fetchTarball {
ci/pinned: manage nixpkgs and treefmt-nix with npins Instead of rolling our own update script which only works for a single pin, let's use npins. We can then use it for the treefmtNix pin as well, which was mostly unmaintained, so far.
2025-05-31 19:09:58 +02:00
inherit (pinned.treefmt-nix) url;
sha256 = pinned.treefmt-nix.hash;
shell: Introduce treefmt Introduces treefmt with a simple nixfmt-rfc-style configuration to format all Nix files. This is only practically usable with the following commit that formats all files accordingly.
2025-02-12 19:58:29 +01:00
};
treefmtEval = (import treefmtNixSrc).evalModule pkgs {
# Important: The auto-rebase script uses `git filter-branch --tree-filter`,
# which creates trees within the Git repository under `.git-rewrite/t`,
# notably without having a `.git` themselves.
# So if this projectRootFile were the default `.git/config`,
# having the auto-rebase script use treefmt on such a tree would make it
# format all files in the _parent_ Git tree as well.
projectRootFile = ".git-blame-ignore-revs";
# Be a bit more verbose by default, so we can see progress happening
settings.verbose = 1;
# By default it's info, which is too noisy since we have many unmatched files
settings.on-unmatched = "debug";
workflows/check-format: add actionlint I added a lint-action.sh script in .github/workflows a while ago while fixing some warnings. But I haven't run it myself ever since. This needs to be part of CI to make any use of it.
2025-05-11 11:04:30 +02:00
programs.actionlint.enable = true;
workflows/keep-sorted: drop and move to treefmt Same reasoning as the commit before, but keep-sorted has even less overhead than editorconfig-checker. Benchmark has it at 1 second per run.
2025-05-09 21:54:12 +02:00
programs.keep-sorted.enable = true;
treewide: nixfmt-rfc-style -> nixfmt Except: - Instances in documentation, because people in older versions can't switch to nixfmt yet due to it having pointed to nixfmt-classic before - In code that runs based on a CI Nixpkgs version, which is also a bit older still - In update script shebangs, because many of them don't pin Nixpkgs, and run with whatever is in NIX_PATH (and it's not easy to fix this, see https://github.com/NixOS/nixpkgs/issues/425551)
2025-07-14 16:24:06 +02:00
# This uses nixfmt underneath,
shell: Introduce treefmt Introduces treefmt with a simple nixfmt-rfc-style configuration to format all Nix files. This is only practically usable with the following commit that formats all files accordingly.
2025-02-12 19:58:29 +01:00
# the default formatter for Nix code.
# See https://github.com/NixOS/nixfmt
programs.nixfmt.enable = true;
workflows/editorconfig: drop and move to treefmt We already have treefmt running for nixfmt, so it's easy to just add another formatter to it. This gives a much better UX, because all formatting errors are reported through the same channel. It also saves us one CI job, which takes most of the time to just set up the machine, clone the repo and download Nix - while doing a minimum of actual work. Total execution time for treefmt is ~10% slower: - 38s only nixfmt - 43s nixfmt + editorconfig-checker
2025-05-09 20:56:58 +02:00
ci/treefmt: add yamlfmt Most workflow files are already well formatted, but to make it easier to keep it that way, we can add yamlfmt. I personally have a preference for non-indented arrays for YAML, but wanted to avoid bigger diffs here - the status-quo clearly are indented arrays. Some changes are made manually to the get-merge-commit action and the issue templates. Those would otherwise make yamlfmt misbehave on those.
2025-06-11 16:36:07 +02:00
programs.yamlfmt = {
enable = true;
settings.formatter = {
retain_line_breaks = true;
};
};
settings.formatter.yamlfmt.excludes = [
# Breaks helm templating
"nixos/tests/k3s/k3s-test-chart/templates/*"
# Aligns comments with whitespace
"pkgs/development/haskell-modules/configuration-hackage2nix/main.yaml"
# TODO: Fix formatting for auto-generated file
"pkgs/development/haskell-modules/configuration-hackage2nix/transitive-broken.yaml"
];
workflows/editorconfig: drop and move to treefmt We already have treefmt running for nixfmt, so it's easy to just add another formatter to it. This gives a much better UX, because all formatting errors are reported through the same channel. It also saves us one CI job, which takes most of the time to just set up the machine, clone the repo and download Nix - while doing a minimum of actual work. Total execution time for treefmt is ~10% slower: - 38s only nixfmt - 43s nixfmt + editorconfig-checker
2025-05-09 20:56:58 +02:00
settings.formatter.editorconfig-checker = {
command = "${pkgs.lib.getExe pkgs.editorconfig-checker}";
options = [ "-disable-indent-size" ];
includes = [ "*" ];
priority = 1;
};
ci/treefmt: add markdown-code-runner This was run as a test in `doc/tests/check-nix-code-blocks.nix` before, but its DX can be improved: By including it in `treefmt` we get better error reporting and auto-fixing, as well as running it on *all* markdown files (including READMEs etc.) for free.
2025-07-22 16:12:42 +02:00
# TODO: Upstream this into treefmt-nix eventually:
# https://github.com/numtide/treefmt-nix/issues/387
settings.formatter.markdown-code-runner = {
command = pkgs.lib.getExe pkgs.markdown-code-runner;
options =
let
config = pkgs.writers.writeTOML "markdown-code-runner-config" {
presets.nixfmt = {
language = "nix";
command = [ (pkgs.lib.getExe pkgs.nixfmt) ];
};
};
in
[ "--config=${config}" ];
includes = [ "*.md" ];
};
shell: Introduce treefmt Introduces treefmt with a simple nixfmt-rfc-style configuration to format all Nix files. This is only practically usable with the following commit that formats all files accordingly.
2025-02-12 19:58:29 +01:00
};
workflows/check-nix-format: Enforce formatting on all files Changes the Nix format checking workflow to now strictly enforce formatting of all Nix files using the treefmt setup introduced in the pre-previous commit. This is in [accordance with the approved RFC 166](https://github.com/NixOS/rfcs/blob/master/rfcs/0166-nix-formatting.md#reformat-nixpkgs). Note that the "skip treewide" thing is no longer necessary, already before, because there's nothing that would fail for treewide changes. Previously the problem was that the GitHub API would be bombarded.
2025-02-12 20:01:58 +01:00
fs = pkgs.lib.fileset;
nixFilesSrc = fs.toSource {
root = ../.;
workflows/check-format: run on all files This was run on .nix files only, but we recently added keep-sorted, editorconfig-checker and actionlint to treefmt, so CI needs to check all files instead.
2025-05-13 08:24:25 +02:00
fileset = fs.difference ../. (fs.maybeMissing ../.git);
workflows/check-nix-format: Enforce formatting on all files Changes the Nix format checking workflow to now strictly enforce formatting of all Nix files using the treefmt setup introduced in the pre-previous commit. This is in [accordance with the approved RFC 166](https://github.com/NixOS/rfcs/blob/master/rfcs/0166-nix-formatting.md#reformat-nixpkgs). Note that the "skip treewide" thing is no longer necessary, already before, because there's nothing that would fail for treewide changes. Previously the problem was that the GitHub API would be bombarded.
2025-02-12 20:01:58 +01:00
};
shell: Introduce treefmt Introduces treefmt with a simple nixfmt-rfc-style configuration to format all Nix files. This is only practically usable with the following commit that formats all files accordingly.
2025-02-12 19:58:29 +01:00
in
{
shell = treefmtEval.config.build.devShell;
flake.nix: Set formatter This enables `nix fmt`, though it won't be practically usable without also reformatting all files, which is done in a following commit.
2025-02-12 20:00:04 +01:00
pkg = treefmtEval.config.build.wrapper;
workflows/check-nix-format: Enforce formatting on all files Changes the Nix format checking workflow to now strictly enforce formatting of all Nix files using the treefmt setup introduced in the pre-previous commit. This is in [accordance with the approved RFC 166](https://github.com/NixOS/rfcs/blob/master/rfcs/0166-nix-formatting.md#reformat-nixpkgs). Note that the "skip treewide" thing is no longer necessary, already before, because there's nothing that would fail for treewide changes. Previously the problem was that the GitHub API would be bombarded.
2025-02-12 20:01:58 +01:00
check = treefmtEval.config.build.check nixFilesSrc;
shell: Introduce treefmt Introduces treefmt with a simple nixfmt-rfc-style configuration to format all Nix files. This is only practically usable with the following commit that formats all files accordingly.
2025-02-12 19:58:29 +01:00
};
ci: Add default.nix with exposed pkgs Allows reusing it in more places
2024-10-01 05:59:38 +02:00
in
workflows/build: build nixpkgs tarball This adds a build job for the tarball, which might help uncover eval issues on attributes not normally touched by Eval, aka those added in `pkgs/top-level/packages-config.nix`.
2025-07-22 14:12:49 +02:00
rec {
shell: Introduce treefmt Introduces treefmt with a simple nixfmt-rfc-style configuration to format all Nix files. This is only practically usable with the following commit that formats all files accordingly.
2025-02-12 19:58:29 +01:00
inherit pkgs fmt;
ci: Add review request scripts Also post a comment in case base branch is wrong This guides newcomers in how to smoothly handle the potentially scary situation of having thousands of commits listed in a PR. While CI shows the same, people might not even look at CI if the PR looks botched.
2024-10-04 01:49:44 +02:00
requestReviews = pkgs.callPackage ./request-reviews { };
ci: Add codeowners validator
2024-10-04 01:50:36 +02:00
codeownersValidator = pkgs.callPackage ./codeowners-validator { };
ci/eval: accept `nix` directly Previously we were taking nixVersions and this made external use from the Lix repo's CI annoying. We should probably also test other nix versions than stable (i.e. also latest and Lix), but this involves writing GitHub Actions about it and maybe not running it on every single PR. Future work.
2025-06-10 11:46:19 -07:00
# FIXME(lf-): it might be useful to test other Nix implementations
# (nixVersions.stable and Lix) here somehow at some point to ensure we don't
# have eval divergence.
eval = pkgs.callPackage ./eval {
workflows/eval: test all available versions With this change, we start running Eval on all available Lix and Nix versions. Because this requires a lot of resources, this complete test is only run when `ci/pinned.json` is updated. The resulting outpaths are checked for consistency with the target branch. A difference will cause the `report` job to fail, thus blocking the merge, ensuring Eval consistency for Nixpkgs across different versions. This implements a kind of "ratchet style" check: Since we originally confirmed that the versions currently in Nixpkgs at the time of this commit match Eval behavior of Nix 2.3, we can ensure consistency with Nix 2.3 down the road, even without testing for it explicitly. There had been one regression in Eval consistency for Nix between 2.18 and 2.24 - two tests in `tests.devShellTools` produce different results between Lix 2.91+ (which was forked from Nix 2.18) and Nix 2.24+. I assume it's unlikely that such a change would be "fixed" by now, thus I added an exception for these. As a bonus, we also present the total time in seconds it takes for Eval to complete for every tested version in a summary table. This allows us to easily see performance improvements for Eval due to version updates. At this stage, this time only includes the "outpaths" step of Eval, but not the generation of attrpaths beforehand.
2025-07-23 13:28:44 +02:00
nix = pkgs.lib.getAttrFromPath (pkgs.lib.splitString "." nixPath) pkgs;
ci/eval: accept `nix` directly Previously we were taking nixVersions and this made external use from the Lix repo's CI annoying. We should probably also test other nix versions than stable (i.e. also latest and Lix), but this involves writing GitHub Actions about it and maybe not running it on every single PR. Future work.
2025-06-10 11:46:19 -07:00
};
ci/lib-tests: init This allows running the lib-tests locally in exactly the same way that they are run in CI: nix-build ci -A lib-tests
2025-05-05 19:26:47 +02:00
# CI jobs
lib-tests = import ../lib/tests/release.nix { inherit pkgs; };
ci/manual-nixos: init The NixOS manual can now be built locally the same way as in CI with: nix-build ci -A manual-nixos
2025-05-05 21:28:41 +02:00
manual-nixos = (import ../nixos/release.nix { }).manual.${system} or null;
workflows: checkout pinned nixpkgs explicitly This is slightly faster than downloading and extracting a tarball and additionally allows a sparse checkout. No need to download docs or nixos for our purpose. The data is quite noisy, but suggests improvements from anywhere between 5-15 seconds for each job using the pinned nixpkgs.
2025-08-10 14:44:39 +02:00
manual-nixpkgs = (import ../doc { inherit pkgs; });
manual-nixpkgs-tests = (import ../doc { inherit pkgs; }).tests;
workflows/nixpkgs-vet: use nixpkgs-vet from pinned nixpkgs We have added nixpkgs-vet as a regular package to nixpkgs a while ago, so we can now use it from pinned nixpkgs. This avoids pulling a platform-specific binary version from upstream. This change also allows to run the tool easily locally, the same way as other tools: nix-build ci -A nixpkgs-vet This will do a full check of the repo with the exception of nixpkgs-vet's "ratchet" checks: Those depend on having two branches to compare, but the default is to only look at the head branch. Those ratchet checks will still be run in CI, though.
2025-05-24 15:01:44 +02:00
nixpkgs-vet = pkgs.callPackage ./nixpkgs-vet.nix { };
ci/parse: init The nix-parse workflow can now be run locally the same way as in CI. To do this, the CI's workflow was slightly adjusted. Instead of testing only the changed files, we're now testing all files in the repository. This is possible in two ways: 1. By calling nix-instantiate once with all files as arguments. This will be rather fast, but only the first error is shown before it errors out. 2. By calling nix-instantiate once for each file. This will be much slower, but has the advantage that we see all errors at once. To avoid running the long variant every time, we first do a quick check with the fast version. If that fails, we run the slower one to report the errors. This gives us the best of both.
2025-05-10 21:55:05 +02:00
parse = pkgs.lib.recurseIntoAttrs {
latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };
ci/parse: test for nix 2.3 and lix This adds the minimum nix version and the latest lix version to the matrix of parse checks. Especially the minimum nix version is relevant, because parsing routinely breaks because of introduction of newer syntax. Adding lix just completes the picture.
2025-05-10 21:56:40 +02:00
lix = pkgs.callPackage ./parse.nix { nix = pkgs.lix; };
nixVersions.minimum: drop The concept of this alias becomes questionable once we move past 2.18, where Lix was forked. We should probably move to a feature-detection based approach for lib/minver.nix eventually, too.
2025-07-24 19:08:08 +02:00
nix_2_24 = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.nix_2_24; };
ci/parse: init The nix-parse workflow can now be run locally the same way as in CI. To do this, the CI's workflow was slightly adjusted. Instead of testing only the changed files, we're now testing all files in the repository. This is possible in two ways: 1. By calling nix-instantiate once with all files as arguments. This will be rather fast, but only the first error is shown before it errors out. 2. By calling nix-instantiate once for each file. This will be much slower, but has the advantage that we see all errors at once. To avoid running the long variant every time, we first do a quick check with the fast version. If that fails, we run the slower one to report the errors. This gives us the best of both.
2025-05-10 21:55:05 +02:00
};
ci/shell: init The dev shell can now be built locally the same way as in CI with: nix-build ci -A shell
2025-05-06 21:39:59 +02:00
shell = import ../shell.nix { inherit nixpkgs system; };
workflows/build: build nixpkgs tarball This adds a build job for the tarball, which might help uncover eval issues on attributes not normally touched by Eval, aka those added in `pkgs/top-level/packages-config.nix`.
2025-07-22 14:12:49 +02:00
tarball = import ../pkgs/top-level/make-tarball.nix {
# Mirrored from top-level release.nix:
nixpkgs = {
outPath = pkgs.lib.cleanSource ../.;
revCount = 1234;
shortRev = "abcdef";
revision = "0000000000000000000000000000000000000000";
};
officialRelease = false;
inherit pkgs lib-tests;
ci/tarball: build with Nix 2.30 We had to avoid 2.28 / 2.29 due to performance regressions, but this should work well again with Nix 2.30.
2025-08-05 11:16:37 +02:00
nix = pkgs.nixVersions.latest;
workflows/build: build nixpkgs tarball This adds a build job for the tarball, which might help uncover eval issues on attributes not normally touched by Eval, aka those added in `pkgs/top-level/packages-config.nix`.
2025-07-22 14:12:49 +02:00
};
ci: Add default.nix with exposed pkgs Allows reusing it in more places
2024-10-01 05:59:38 +02:00
}
Reference in New Issue Copy Permalink