Merge pull request #402 #571
name: CI
on:
  # We use pull_request_target such that Nixpkgs diff processing also works,
  # because we need repository secrets for that, which pull_request doesn't allow from forks.
  # However, it's very important that we don't run code from forks without sandboxing it,
  # because that way anybody could potentially extract repository secrets!
  # We must ensure that no secrets are in any environment variables when running untrusted code,
  # and that no secrets are persisted to disk and accessible to `readFile`
  # when evaluating Nix code
  pull_request_target: # zizmor: ignore[dangerous-triggers]
  push:
    branches:
      - master
# Workflow-wide default: the GITHUB_TOKEN is read-only unless a job widens it.
permissions:
  contents: read
jobs:
  # Builds the CI attribute. On pull_request_target this runs code from the PR's
  # merge ref (checked out below), so the only secret-bearing input in this job
  # is the cachix authToken, which evaluates to '' unless the event is a push.
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        if: github.event_name != 'pull_request_target'
        with:
          # Do not leave the GITHUB_TOKEN behind in .git/config.
          persist-credentials: false
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        if: github.event_name == 'pull_request_target'
        with:
          # To prevent running untrusted code from forks,
          # pull_request_target will cause the base branch to be checked out, not the PR branch.
          # In our case we check out the PR branch regardless,
          # as we do not expose secrets when calling untrusted code
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
          persist-credentials: false
      # NOTE(review): confirm this action is not configured to write github.token into
      # nix.conf (e.g. as an access-tokens entry) — anything written to disk here is
      # reachable from the untrusted evaluation below via `readFile`.
      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
        with:
          name: nixos-nixfmt
          # The real token is only handed out on trusted pushes to master; on
          # pull_request_target the expression yields the empty string.
          authToken: ${{ github.event_name == 'push' && secrets.CACHIX_AUTH_TOKEN || '' }}
          # Never push from a PR build: there is no token, and the build ran untrusted code.
          skipPush: ${{ github.event_name != 'push' }}
      - name: checks
        run: nix-build -A ci
  # Syncs the PR's formatting result into a machine user's nixpkgs fork and keeps a
  # single status comment on the PR pointing at it. Runs only for PRs and only
  # executes code from the base branch (see the checkout note below).
  nixpkgs-diff:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request_target'
    # Ensures that we don't run two comment-posting workflows at the same time
    concurrency:
      group: ${{ github.workflow_ref }}-${{ github.event.pull_request.number }}
      cancel-in-progress: true
    # pull-requests: write is required by the two comment steps; contents stays read-only.
    permissions:
      contents: read
      pull-requests: write
    steps:
      # Reuse the existing bot comment, if any, so each PR carries one status comment.
      - name: Find Comment
        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
        id: fc
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: Nixpkgs diff
      # Post (or replace) a "processing" placeholder before the sync starts; its
      # comment-id is reused by the final step below.
      - name: Create or update comment
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
        id: couc
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          edit-mode: replace
          body: |
            Nixpkgs diff [processing](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})..
            Will be available [here](https://github.com/${{ vars.MACHINE_USER }}/nixpkgs/commits/nixfmt-${{ github.event.pull_request.number }})
      # To prevent running untrusted code from forks,
      # pull_request_target will cause the base branch to be checked out, not the PR branch.
      # This is exactly what we want in this case,
      # because the sync-pr.sh script cannot be run sandboxed since it needs to have side effects.
      # Make sure you do not expose secrets in the environment or persist them to disk
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
        with:
          name: nixos-nixfmt
          # This job only runs on pull_request_target (job-level `if` above), so
          # authToken is always '' and skipPush always true here; presumably the
          # action is kept so the cache is configured as a substituter — confirm.
          authToken: ${{ github.event_name == 'push' && secrets.CACHIX_AUTH_TOKEN || '' }}
          skipPush: ${{ github.event_name != 'push' }}
      # Only the repository name and the numeric PR number are interpolated into the
      # command line; no PR-controlled free text (title, branch name) enters the shell.
      # The PAT is interpolated into the script text rather than exported via `env`,
      # in line with the note above about keeping secrets out of the environment.
      # NOTE(review): the runner still materialises the rendered script in its temp
      # directory for the duration of the step, and the PAT is visible in sync-pr.sh's
      # argument list — sync-pr.sh must not run PR-controlled code while that holds.
      - run: |
          ./scripts/sync-pr.sh \
            https://github.com/${{ github.repository }} \
            ${{ github.event.pull_request.number }} \
            "https://${{ secrets.MACHINE_USER_PAT }}@github.com/${MACHINE_USER}/nixpkgs"
        env:
          # Repository variable (not a secret): the account owning the target nixpkgs fork.
          MACHINE_USER: ${{ vars.MACHINE_USER }}
      # Replace the placeholder with the final link once the sync has finished.
      - name: Create or update comment
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
        with:
          comment-id: ${{ steps.couc.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          edit-mode: replace
          body: |
            [Nixpkgs diff](https://github.com/${{ vars.MACHINE_USER }}/nixpkgs/commits/nixfmt-${{ github.event.pull_request.number }})