# WARNING: # When extending this action, be aware that $GITHUB_TOKEN allows some write # access to the GitHub API. This means that it should not evaluate user input in # a way that allows code injection. name: Labels on: schedule: - cron: '07,17,27,37,47,57 * * * *' workflow_call: inputs: headBranch: required: true type: string secrets: NIXPKGS_CI_APP_PRIVATE_KEY: required: true workflow_dispatch: concurrency: # This explicitly avoids using `run_id` for the concurrency key to make sure that only # *one* scheduled run can run at a time. group: labels-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number }} # PR-triggered runs will be cancelled, but scheduled runs will be queued. cancel-in-progress: ${{ github.event_name != 'schedule' }} # This is used as fallback without app only. # This happens when testing in forks without setting up that app. permissions: issues: write pull-requests: write defaults: run: shell: bash jobs: update: runs-on: ubuntu-24.04-arm if: github.event_name != 'schedule' || github.repository_owner == 'NixOS' steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: sparse-checkout: | ci/github-script - name: Install dependencies run: npm install @actions/artifact bottleneck # Use a GitHub App, because it has much higher rate limits: 12,500 instead of 5,000 req / hour. - uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0 if: vars.NIXPKGS_CI_APP_ID id: app-token with: app-id: ${{ vars.NIXPKGS_CI_APP_ID }} private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} permission-issues: write permission-pull-requests: write - name: Log current API rate limits env: GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq - name: Labels from API data and Eval results uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: github-token: ${{ steps.app-token.outputs.token || github.token }} retries: 3 script: | require('./ci/github-script/labels.js')({ github, context, core, dry: context.eventName == 'pull_request' }) - name: Log current API rate limits env: GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 name: Labels from touched files if: | github.event_name == 'pull_request_target' && !contains(fromJSON(inputs.headBranch).type, 'development') with: repo-token: ${{ steps.app-token.outputs.token }} configuration-path: .github/labeler.yml # default sync-labels: true - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 name: Labels from touched files (no sync) if: | github.event_name == 'pull_request_target' && !contains(fromJSON(inputs.headBranch).type, 'development') with: repo-token: ${{ steps.app-token.outputs.token }} configuration-path: .github/labeler-no-sync.yml sync-labels: false - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 name: Labels from touched files (development branches) # Development branches like staging-next, haskell-updates and python-updates get special labels. # This is to avoid the mass of labels there, which is mostly useless - and really annoying for # the backport labels. if: | github.event_name == 'pull_request_target' && contains(fromJSON(inputs.headBranch).type, 'development') with: repo-token: ${{ steps.app-token.outputs.token }} configuration-path: .github/labeler-development-branches.yml sync-labels: true - name: Log current API rate limits env: GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }} run: gh api /rate_limit | jq