From 13f5aa304ef68e02a35d0a26812217bb32d73be2 Mon Sep 17 00:00:00 2001
From: Wolfgang Walther
Date: Sun, 25 May 2025 17:34:38 +0200
Subject: [PATCH] workflows/eval: run trusted code in process step

We don't really need to run the combine and comparison steps from the untrusted merge commit. By switching to the trusted target commit, we can avoid adding another worktree - and lay the foundation to later do those steps in the tag job, which has access to secrets.
---
 .github/workflows/eval.yml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml
index 1432aec3b0d1..0f5a3e90eea9 100644
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@@ -98,11 +98,11 @@ jobs:
 path: merged
 merge-multiple: true
- - name: Check out the PR at the test merge commit
+ - name: Check out the PR at the target commit
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
- ref: ${{ needs.prepare.outputs.mergedSha }}
- path: untrusted
+ ref: ${{ needs.prepare.outputs.targetSha }}
+ path: trusted
 - name: Install Nix
 uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
@@ -111,7 +111,7 @@ jobs:
 - name: Combine all output paths and eval stats
 run: |
- nix-build untrusted/ci -A eval.combine \
+ nix-build trusted/ci -A eval.combine \
 --arg evalDir ./merged \
 --out-link combined
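Review bot: The checkout into `trusted` sets only `ref` and `path` under `with:`, so actions/checkout keeps its default `persist-credentials: true` and leaves the job token in `trusted/.git/config` for every later step, including the `nix-build` runs that process the downloaded artifacts. If the later `git -C trusted fetch` does not need the token (for example on a public repository), adding `persist-credentials: false` to this `with:` block removes that exposure. This matters more if these steps later move to the tag job with access to secrets, as the commit message plans.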
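Review bot: In the "Combine all output paths and eval stats" step, `eval.combine` now comes from the trusted checkout, but its `evalDir` input `./merged` is still the downloaded artifact directory, presumably produced by evaluating the PR's merge commit, so the trust boundary has moved from the code to the data. A comment above the `nix-build` line would keep that visible, e.g. `# ./merged is output of the untrusted evaluation: read it as data only, never import or execute it`. The origin of those artifacts is not visible in this hunk and should be confirmed against the jobs that upload them. The `run:` block may continue past the end of the hunk.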
@@ -168,9 +168,8 @@ jobs:
 env:
 AUTHOR_ID: ${{ github.event.pull_request.user.id }}
 run: |
- git -C untrusted fetch --depth 1 origin ${{ needs.prepare.outputs.targetSha }}
- git -C untrusted worktree add ../trusted ${{ needs.prepare.outputs.targetSha }}
- git -C untrusted diff --name-only ${{ needs.prepare.outputs.targetSha }} \
+ git -C trusted fetch --depth 1 origin ${{ needs.prepare.outputs.mergedSha }}
+ git -C trusted diff --name-only ${{ needs.prepare.outputs.mergedSha }} \
 | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json
 # Use the target branch to get accurate maintainer info
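Review bot: The two added `git -C trusted` lines still splice `${{ needs.prepare.outputs.mergedSha }}` into the script text before the shell runs, so the step's safety rests on the prepare job only ever emitting a bare SHA. The step already has an `env:` block for `AUTHOR_ID`; adding `MERGED_SHA: ${{ needs.prepare.outputs.mergedSha }}` there and using `"$MERGED_SHA"` in both commands keeps the value as data. Separately, the diff now runs from the merge commit to the target worktree rather than the other way round, so with git's default rename detection a renamed file would presumably be listed under its target-branch path instead of its new one; it is worth confirming that consumers of `touched-files.json` expect that. The step continues past the end of the hunk.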