mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-06-09 19:13:26 +03:00
ci: update pinned nixpkgs & treefmt-nix and manage via npins (#412758)
This commit is contained in:
Philip Taron
GitHub
commit
200cca18f1
9 changed files with 46 additions and 75 deletions
24
ci/README.md
24
ci/README.md
|
|
@ -7,9 +7,9 @@ This is in contrast with [`maintainers/scripts`](../maintainers/scripts) which i
|
|||
|
||||
CI may need certain packages from Nixpkgs.
|
||||
In order to ensure that the needed packages are generally available without building,
|
||||
[`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra.
|
||||
[`pinned.json`](./pinned.json) contains a pinned Nixpkgs version tested by Hydra.
|
||||
|
||||
Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it.
|
||||
Run [`update-pinned.sh`](./update-pinned.sh) to update it.
|
||||
|
||||
## `ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]`
|
||||
|
||||
|
|
@ -20,23 +20,3 @@ Arguments:
|
|||
|
||||
- `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05
|
||||
- `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>.
|
||||
|
||||
## `ci/nixpkgs-vet`
|
||||
|
||||
This directory contains scripts and files used and related to [`nixpkgs-vet`](https://github.com/NixOS/nixpkgs-vet/), which the CI uses to implement `pkgs/by-name` checks, along with many other Nixpkgs architecture rules.
|
||||
See also the [CI GitHub Action](../.github/workflows/nixpkgs-vet.yml).
|
||||
|
||||
## `ci/nixpkgs-vet/update-pinned-tool.sh`
|
||||
|
||||
Updates the pinned [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) in [`ci/nixpkgs-vet/pinned-version.txt`](./nixpkgs-vet/pinned-version.txt) to the latest [release](https://github.com/NixOS/nixpkgs-vet/releases).
|
||||
|
||||
Each release contains a pre-built `x86_64-linux` version of the tool which is used by CI.
|
||||
|
||||
This script currently needs to be called manually when the CI tooling needs to be updated.
|
||||
|
||||
Why not just build the tooling right from the PRs Nixpkgs version?
|
||||
|
||||
- Because it allows CI to check all PRs, even if they would break the CI tooling.
|
||||
- Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
|
||||
- Because it improves security, since we don't have to build potentially untrusted code from PRs.
|
||||
The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
let
|
||||
pinnedNixpkgs = builtins.fromJSON (builtins.readFile ./pinned-nixpkgs.json);
|
||||
pinned = (builtins.fromJSON (builtins.readFile ./pinned.json)).pins;
|
||||
in
|
||||
{
|
||||
system ? builtins.currentSystem,
|
||||
|
|
@ -10,8 +10,8 @@ let
|
|||
nixpkgs' =
|
||||
if nixpkgs == null then
|
||||
fetchTarball {
|
||||
url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz";
|
||||
sha256 = pinnedNixpkgs.sha256;
|
||||
inherit (pinned.nixpkgs) url;
|
||||
sha256 = pinned.nixpkgs.hash;
|
||||
}
|
||||
else
|
||||
nixpkgs;
|
||||
|
|
@ -25,9 +25,8 @@ let
|
|||
fmt =
|
||||
let
|
||||
treefmtNixSrc = fetchTarball {
|
||||
# Master at 2025-02-12
|
||||
url = "https://github.com/numtide/treefmt-nix/archive/4f09b473c936d41582dd744e19f34ec27592c5fd.tar.gz";
|
||||
sha256 = "051vh6raskrxw5k6jncm8zbk9fhbzgm1gxpq9gm5xw1b6wgbgcna";
|
||||
inherit (pinned.treefmt-nix) url;
|
||||
sha256 = pinned.treefmt-nix.hash;
|
||||
};
|
||||
treefmtEval = (import treefmtNixSrc).evalModule pkgs {
|
||||
# Important: The auto-rebase script uses `git filter-branch --tree-filter`,
|
||||
|
|
|
|||
|
|
@ -61,9 +61,6 @@ trace "Done"
|
|||
trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "
|
||||
git -C "$tmp/merged" merge -q --no-edit "$baseSha"
|
||||
trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"
|
||||
trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
|
||||
toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
|
||||
trace -e "\e[34m$toolVersion\e[0m"
|
||||
|
||||
trace "Running nixpkgs-vet.."
|
||||
nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged"
|
||||
|
|
|
|||
|
|
@ -1 +0,0 @@
|
|||
0.1.4
|
||||
|
|
@ -1,22 +0,0 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p jq curl
|
||||
|
||||
set -o pipefail -o errexit -o nounset
|
||||
|
||||
trace() { echo >&2 "$@"; }
|
||||
|
||||
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
|
||||
|
||||
repository=NixOS/nixpkgs-vet
|
||||
pin_file=$SCRIPT_DIR/pinned-version.txt
|
||||
|
||||
trace -n "Fetching latest release of $repository.. "
|
||||
latestRelease=$(curl -sSfL \
|
||||
-H "Accept: application/vnd.github+json" \
|
||||
-H "X-GitHub-Api-Version: 2022-11-28" \
|
||||
https://api.github.com/repos/"$repository"/releases/latest)
|
||||
latestVersion=$(jq .tag_name -r <<< "$latestRelease")
|
||||
trace "$latestVersion"
|
||||
|
||||
trace "Updating $pin_file"
|
||||
echo "$latestVersion" > "$pin_file"
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"rev": "3d1f29646e4b57ed468d60f9d286cde23a8d1707",
|
||||
"sha256": "1wzvc9h9a6l9wyhzh892xb5x88kxmbzxb1k8s7fizyyw2q4nqw07"
|
||||
}
|
||||
31
ci/pinned.json
Normal file
31
ci/pinned.json
Normal file
|
|
@ -0,0 +1,31 @@
|
|||
{
|
||||
"pins": {
|
||||
"nixpkgs": {
|
||||
"type": "Git",
|
||||
"repository": {
|
||||
"type": "GitHub",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs"
|
||||
},
|
||||
"branch": "nixpkgs-unstable",
|
||||
"submodules": false,
|
||||
"revision": "8ca7ec685bbee55d6dcb326abe23945c0806c39e",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/8ca7ec685bbee55d6dcb326abe23945c0806c39e.tar.gz",
|
||||
"hash": "1hkxm871m66mjsc4acdki32qqnpgk3n6vi3zrzns2bwlwp6ivcjx"
|
||||
},
|
||||
"treefmt-nix": {
|
||||
"type": "Git",
|
||||
"repository": {
|
||||
"type": "GitHub",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix"
|
||||
},
|
||||
"branch": "main",
|
||||
"submodules": false,
|
||||
"revision": "1f3f7b784643d488ba4bf315638b2b0a4c5fb007",
|
||||
"url": "https://github.com/numtide/treefmt-nix/archive/1f3f7b784643d488ba4bf315638b2b0a4c5fb007.tar.gz",
|
||||
"hash": "13qisjalw9qvd6lkd9g8225r46j5wdjrp3zw6jrs81q2vxwdz37m"
|
||||
}
|
||||
},
|
||||
"version": 5
|
||||
}
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p jq
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# https://stackoverflow.com/a/246128
|
||||
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
|
||||
|
||||
repo=https://github.com/nixos/nixpkgs
|
||||
branch=nixpkgs-unstable
|
||||
file=$SCRIPT_DIR/pinned-nixpkgs.json
|
||||
|
||||
defaultRev=$(git ls-remote "$repo" refs/heads/"$branch" | cut -f1)
|
||||
rev=${1:-$defaultRev}
|
||||
sha256=$(nix-prefetch-url --unpack "$repo/archive/$rev.tar.gz" --name source)
|
||||
|
||||
jq -n --arg rev "$rev" --arg sha256 "$sha256" '$ARGS.named' | tee /dev/stderr > $file
|
||||
8
ci/update-pinned.sh
Executable file
8
ci/update-pinned.sh
Executable file
|
|
@ -0,0 +1,8 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p npins
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
cd "$(dirname "${BASH_SOURCE[0]}")"
|
||||
|
||||
npins --lock-file pinned.json update
|
||||
Loading…
Add table
Add a link
Reference in a new issue