nixos/hydroxide: init module #49612
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR | |
| on: | |
| pull_request_target: | |
| workflow_call: | |
| secrets: | |
| CACHIX_AUTH_TOKEN: | |
| required: true | |
| NIXPKGS_CI_APP_PRIVATE_KEY: | |
| required: true | |
| OWNER_APP_PRIVATE_KEY: | |
| # The Test workflow should not actually request reviews from owners. | |
| required: false | |
| OWNER_RO_APP_PRIVATE_KEY: | |
| required: true | |
| concurrency: | |
| group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }} | |
| cancel-in-progress: true | |
| permissions: {} | |
| jobs: | |
| prepare: | |
| runs-on: ubuntu-24.04-arm | |
| permissions: | |
| # wrong branch review comment | |
| pull-requests: write | |
| outputs: | |
| baseBranch: ${{ steps.prepare.outputs.base }} | |
| headBranch: ${{ steps.prepare.outputs.head }} | |
| mergedSha: ${{ steps.prepare.outputs.mergedSha }} | |
| targetSha: ${{ steps.prepare.outputs.targetSha }} | |
| systems: ${{ steps.prepare.outputs.systems }} | |
| touched: ${{ steps.prepare.outputs.touched }} | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| sparse-checkout-cone-mode: true # default, for clarity | |
| sparse-checkout: | | |
| ci/github-script | |
| - id: prepare | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| script: | | |
| require('./ci/github-script/prepare.js')({ | |
| github, | |
| context, | |
| core, | |
| dry: context.eventName == 'pull_request', | |
| }) | |
| check: | |
| name: Check | |
| needs: [prepare] | |
| uses: ./.github/workflows/check.yml | |
| permissions: | |
| # cherry-picks | |
| pull-requests: write | |
| secrets: | |
| CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} | |
| with: | |
| baseBranch: ${{ needs.prepare.outputs.baseBranch }} | |
| headBranch: ${{ needs.prepare.outputs.headBranch }} | |
| mergedSha: ${{ needs.prepare.outputs.mergedSha }} | |
| targetSha: ${{ needs.prepare.outputs.targetSha }} | |
| ownersCanFail: ${{ !contains(fromJSON(needs.prepare.outputs.touched), 'owners') }} | |
| lint: | |
| name: Lint | |
| needs: [prepare] | |
| uses: ./.github/workflows/lint.yml | |
| secrets: | |
| CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| with: | |
| mergedSha: ${{ needs.prepare.outputs.mergedSha }} | |
| targetSha: ${{ needs.prepare.outputs.targetSha }} | |
| eval: | |
| name: Eval | |
| needs: [prepare] | |
| uses: ./.github/workflows/eval.yml | |
| permissions: | |
| # compare | |
| statuses: write | |
| secrets: | |
| CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| with: | |
| mergedSha: ${{ needs.prepare.outputs.mergedSha }} | |
| targetSha: ${{ needs.prepare.outputs.targetSha }} | |
| systems: ${{ needs.prepare.outputs.systems }} | |
| testVersions: ${{ contains(fromJSON(needs.prepare.outputs.touched), 'pinned') && !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development') }} | |
| labels: | |
| name: Labels | |
| needs: [prepare, eval] | |
| uses: ./.github/workflows/labels.yml | |
| permissions: | |
| issues: write | |
| pull-requests: write | |
| secrets: | |
| NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} | |
| with: | |
| headBranch: ${{ needs.prepare.outputs.headBranch }} | |
| reviewers: | |
| name: Reviewers | |
| needs: [prepare, eval] | |
| if: | | |
| needs.prepare.outputs.targetSha && | |
| !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development') | |
| uses: ./.github/workflows/reviewers.yml | |
| secrets: | |
| OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }} | |
| build: | |
| name: Build | |
| needs: [prepare] | |
| uses: ./.github/workflows/build.yml | |
| secrets: | |
| CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| with: | |
| baseBranch: ${{ needs.prepare.outputs.baseBranch }} | |
| mergedSha: ${{ needs.prepare.outputs.mergedSha }} | |
| # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. | |
| # It "needs" all the jobs that should block merging a PR. | |
| unlock: | |
| if: github.event_name != 'pull_request' && always() | |
| # Modify this list to add or remove jobs from required status checks. | |
| needs: | |
| - check | |
| - lint | |
| - eval | |
| - build | |
| runs-on: ubuntu-24.04-arm | |
| permissions: | |
| statuses: write | |
| steps: | |
| - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| RESULTS: ${{ toJSON(needs.*.result) }} | |
| with: | |
| script: | | |
| const { serverUrl, repo, runId, payload } = context | |
| const target_url = | |
| `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}` | |
| await github.rest.repos.createCommitStatus({ | |
| ...repo, | |
| sha: payload.pull_request.head.sha, | |
| // WARNING: | |
| // Do NOT change the name of this, otherwise the rule will not catch it anymore. | |
| // This would prevent all PRs from merging. | |
| context: 'no PR failures', | |
| state: JSON.parse(process.env.RESULTS).every(status => status == 'success') ? 'success' : 'error', | |
| target_url, | |
| }) |