workflows: checkout nixpkgs in get-merge-commit action

This makes checking out the nixpkgs repo even more consistent and almost forces us to use the trusted/untrusted path pattern.
2025-06-09 19:13:26 +03:00 · 2025-05-24 16:13:22 +02:00 · 2025-05-24 16:13:22 +02:00 · 0e1c284b13
commit 0e1c284b13
parent 942c377476
10 changed files with 48 additions and 74 deletions
--- a/.github/actions/get-merge-commit/action.yml
+++ b/.github/actions/get-merge-commit/action.yml
@ -1,19 +1,27 @@
 name: Get merge commit
-description: 'Checks whether the Pull Request is mergeable and returns two commit hashes: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.'
+description: 'Checks whether the Pull Request is mergeable and checks out the repo at up to two commits: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.'
 inputs:
  merged-as-untrusted:
    description: "Whether to checkout the merge commit in the ./untrusted folder."
    type: boolean
  target-as-trusted:
    description: "Whether to checkout the target commit in the ./trusted folder."
    type: boolean
 outputs:
  mergedSha:
    description: "The merge commit SHA"
-    value: ${{ steps.merged.outputs.mergedSha }}
+    value: ${{ steps.commits.outputs.mergedSha }}
  targetSha:
    description: "The target commit SHA"
-    value: ${{ steps.merged.outputs.targetSha }}
+    value: ${{ steps.commits.outputs.targetSha }}
 runs:
  using: composite
  steps:
-    - id: merged
+    - id: commits
      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
@ -63,3 +71,18 @@ runs:
            return
          }
          throw new Error("Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com.")
      # Would be great to do the checkouts in git worktrees of the existing spare checkout instead,
      # but Nix is broken with them:
      # https://github.com/NixOS/nix/issues/6073
    - if: inputs.merged-as-untrusted && steps.commits.outputs.mergedSha
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        ref: ${{ steps.commits.outputs.mergedSha }}
        path: untrusted
    - if: inputs.target-as-trusted && steps.commits.outputs.targetSha
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        ref: ${{ steps.commits.outputs.targetSha }}
        path: trusted
--- a/.github/workflows/check-format.yml
+++ b/.github/workflows/check-format.yml
@ -16,14 +16,10 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and get the test merge commit
+      - name: Check if the PR can be merged and checkout the merge commit
        uses: ./.github/actions/get-merge-commit
        id: get-merge-commit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
+          merged-as-untrusted: true
          path: untrusted
      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
--- a/.github/workflows/check-shell.yml
+++ b/.github/workflows/check-shell.yml
@ -33,14 +33,10 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and get the test merge commit
+      - name: Check if the PR can be merged and checkout the merge commit
        uses: ./.github/actions/get-merge-commit
        id: get-merge-commit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
+          merged-as-untrusted: true
          path: untrusted
      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
--- a/.github/workflows/codeowners-v2.yml
+++ b/.github/workflows/codeowners-v2.yml
@ -46,9 +46,11 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and get the test merge commit
+      - name: Check if the PR can be merged and checkout the merge and target commits
        uses: ./.github/actions/get-merge-commit
-        id: get-merge-commit
+        with:
          merged-as-untrusted: true
          target-as-trusted: true
      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
@ -58,14 +60,6 @@ jobs:
          name: nixpkgs-ci
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
      # We later build and run code from the base branch with access to secrets,
      # so it's important this is not the PRs code.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ steps.get-merge-commit.outputs.targetSha }}
          path: trusted
      - name: Build codeowners validator
        run: nix-build trusted/ci -A codeownersValidator
@ -78,11 +72,6 @@ jobs:
          permission-administration: read
          permission-members: read
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
          path: untrusted
      - name: Validate codeowners
        if: steps.app-token.outputs.token
        env:
--- a/.github/workflows/eval-aliases.yml
+++ b/.github/workflows/eval-aliases.yml
@ -16,15 +16,10 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and get the test merge commit
+      - name: Check if the PR can be merged and checkout the merge commit
        uses: ./.github/actions/get-merge-commit
        id: get-merge-commit
      - name: Check out the PR at the test merge commit
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
+          merged-as-untrusted: true
          path: untrusted
      - name: Install Nix
        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
--- a/.github/workflows/lib-tests.yml
+++ b/.github/workflows/lib-tests.yml
@ -19,14 +19,10 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and get the test merge commit
+      - name: Check if the PR can be merged and checkout the merge commit
        uses: ./.github/actions/get-merge-commit
        id: get-merge-commit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
+          merged-as-untrusted: true
          path: untrusted
      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
--- a/.github/workflows/manual-nixos-v2.yml
+++ b/.github/workflows/manual-nixos-v2.yml
@ -35,14 +35,10 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and get the test merge commit
+      - name: Check if the PR can be merged and checkout the merge commit
        uses: ./.github/actions/get-merge-commit
        id: get-merge-commit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
+          merged-as-untrusted: true
          path: untrusted
      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
--- a/.github/workflows/manual-nixpkgs-v2.yml
+++ b/.github/workflows/manual-nixpkgs-v2.yml
@ -22,14 +22,10 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and get the test merge commit
+      - name: Check if the PR can be merged and checkout the merge commit
        uses: ./.github/actions/get-merge-commit
        id: get-merge-commit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
+          merged-as-untrusted: true
          path: untrusted
      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
--- a/.github/workflows/nix-parse-v2.yml
+++ b/.github/workflows/nix-parse-v2.yml
@ -17,14 +17,10 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and get the test merge commit
+      - name: Check if the PR can be merged and checkout the merge commit
        uses: ./.github/actions/get-merge-commit
        id: get-merge-commit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
+          merged-as-untrusted: true
          path: untrusted
      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
--- a/.github/workflows/nixpkgs-vet.yml
+++ b/.github/workflows/nixpkgs-vet.yml
@ -26,20 +26,11 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and get the test merge commit
+      - name: Check if the PR can be merged and checkout merged and target commits
        uses: ./.github/actions/get-merge-commit
        id: get-merge-commit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{ steps.get-merge-commit.outputs.mergedSha }}
+          merged-as-untrusted: true
-          # Fetches the merge commit and its parents
+          target-as-trusted: true
          fetch-depth: 2
          path: untrusted
      - name: Checking out target branch
        run: |
          git -C untrusted worktree add ../trusted ${{ steps.get-merge-commit.outputs.targetSha }}
      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31