106 lines
3.6 KiB
YAML
106 lines
3.6 KiB
YAML
name: Lint
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
mergedSha:
|
|
required: true
|
|
type: string
|
|
targetSha:
|
|
required: true
|
|
type: string
|
|
|
|
permissions: {}
|
|
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
|
|
jobs:
|
|
treefmt:
|
|
runs-on: ubuntu-24.04-arm
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
sparse-checkout: .github/actions
|
|
- name: Check if the PR can be merged and checkout the merge commit
|
|
uses: ./.github/actions/get-merge-commit
|
|
with:
|
|
mergedSha: ${{ inputs.mergedSha }}
|
|
merged-as-untrusted: true
|
|
|
|
- uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
|
|
with:
|
|
extra_nix_config: sandbox = true
|
|
|
|
- name: Check that files are formatted
|
|
run: |
|
|
# Note that it's fine to run this on untrusted code because:
|
|
# - There's no secrets accessible here
|
|
# - The build is sandboxed
|
|
if ! nix-build untrusted/ci -A fmt.check; then
|
|
echo "Some files are not properly formatted"
|
|
echo "Please format them by going to the Nixpkgs root directory and running one of:"
|
|
echo " nix-shell --run treefmt"
|
|
echo " nix develop --command treefmt"
|
|
echo " nix fmt"
|
|
echo "Make sure your branch is up to date with master; rebase if not."
|
|
echo "If you're having trouble, please ping @NixOS/nix-formatting"
|
|
exit 1
|
|
fi
|
|
|
|
parse:
|
|
runs-on: ubuntu-24.04-arm
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
sparse-checkout: .github/actions
|
|
- name: Check if the PR can be merged and checkout the merge commit
|
|
uses: ./.github/actions/get-merge-commit
|
|
with:
|
|
mergedSha: ${{ inputs.mergedSha }}
|
|
merged-as-untrusted: true
|
|
|
|
- uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
|
|
with:
|
|
extra_nix_config: sandbox = true
|
|
|
|
- name: Parse all nix files
|
|
run: |
|
|
# Tests multiple versions at once, let's make sure all of them run, so keep-going.
|
|
nix-build untrusted/ci -A parse --keep-going
|
|
|
|
nixpkgs-vet:
|
|
runs-on: ubuntu-24.04-arm
|
|
# This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
|
|
timeout-minutes: 10
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
sparse-checkout: .github/actions
|
|
- name: Check if the PR can be merged and checkout merged and target commits
|
|
uses: ./.github/actions/get-merge-commit
|
|
with:
|
|
mergedSha: ${{ inputs.mergedSha }}
|
|
merged-as-untrusted: true
|
|
targetSha: ${{ inputs.targetSha }}
|
|
target-as-trusted: true
|
|
|
|
- uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
|
|
with:
|
|
extra_nix_config: sandbox = true
|
|
|
|
- name: Running nixpkgs-vet
|
|
env:
|
|
# Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
|
|
CLICOLOR_FORCE: 1
|
|
run: |
|
|
if nix-build untrusted/ci -A nixpkgs-vet --arg base "./trusted" --arg head "./untrusted"; then
|
|
exit 0
|
|
else
|
|
exitCode=$?
|
|
echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
|
|
echo "If you're having trouble, ping @NixOS/nixpkgs-vet"
|
|
exit "$exitCode"
|
|
fi
|