movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-09 19:13:26 +03:00
Code Issues Projects Releases Packages Wiki Activity

ci: update pinned nixpkgs & treefmt-nix and manage via npins (#412758)

Browse source
This commit is contained in:
Philip Taron 2025-06-02 08:54:36 -07:00 committed by GitHub
commit 200cca18f1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 46 additions and 75 deletions
Download patch file Download diff file Expand all files Collapse all files

24
ci/README.md
View file

@ -7,9 +7,9 @@ This is in contrast with [`maintainers/scripts`](../maintainers/scripts) which i
CI may need certain packages from Nixpkgs. CI may need certain packages from Nixpkgs.
In order to ensure that the needed packages are generally available without building, In order to ensure that the needed packages are generally available without building,
[`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra. [`pinned.json`](./pinned.json) contains a pinned Nixpkgs version tested by Hydra.
Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it. Run [`update-pinned.sh`](./update-pinned.sh) to update it.
## `ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]` ## `ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]`
@ -20,23 +20,3 @@ Arguments:
- `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05 - `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05
- `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>. - `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>.
## `ci/nixpkgs-vet`
This directory contains scripts and files used and related to [`nixpkgs-vet`](https://github.com/NixOS/nixpkgs-vet/), which the CI uses to implement `pkgs/by-name` checks, along with many other Nixpkgs architecture rules.
See also the [CI GitHub Action](../.github/workflows/nixpkgs-vet.yml).
## `ci/nixpkgs-vet/update-pinned-tool.sh`
Updates the pinned [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) in [`ci/nixpkgs-vet/pinned-version.txt`](./nixpkgs-vet/pinned-version.txt) to the latest [release](https://github.com/NixOS/nixpkgs-vet/releases).
Each release contains a pre-built `x86_64-linux` version of the tool which is used by CI.
This script currently needs to be called manually when the CI tooling needs to be updated.
Why not just build the tooling right from the PRs Nixpkgs version?
- Because it allows CI to check all PRs, even if they would break the CI tooling.
- Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
- Because it improves security, since we don't have to build potentially untrusted code from PRs.
The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).

11
ci/default.nix
View file

@ -1,5 +1,5 @@
let let
pinnedNixpkgs = builtins.fromJSON (builtins.readFile ./pinned-nixpkgs.json); pinned = (builtins.fromJSON (builtins.readFile ./pinned.json)).pins;
in in
{ {
system ? builtins.currentSystem, system ? builtins.currentSystem,
@ -10,8 +10,8 @@ let
nixpkgs' = nixpkgs' =
if nixpkgs == null then if nixpkgs == null then
fetchTarball { fetchTarball {
url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz"; inherit (pinned.nixpkgs) url;
sha256 = pinnedNixpkgs.sha256; sha256 = pinned.nixpkgs.hash;
} }
else else
nixpkgs; nixpkgs;
@ -25,9 +25,8 @@ let
fmt = fmt =
let let
treefmtNixSrc = fetchTarball { treefmtNixSrc = fetchTarball {
# Master at 2025-02-12 inherit (pinned.treefmt-nix) url;
url = "https://github.com/numtide/treefmt-nix/archive/4f09b473c936d41582dd744e19f34ec27592c5fd.tar.gz"; sha256 = pinned.treefmt-nix.hash;
sha256 = "051vh6raskrxw5k6jncm8zbk9fhbzgm1gxpq9gm5xw1b6wgbgcna";
}; };
treefmtEval = (import treefmtNixSrc).evalModule pkgs { treefmtEval = (import treefmtNixSrc).evalModule pkgs {
# Important: The auto-rebase script uses `git filter-branch --tree-filter`, # Important: The auto-rebase script uses `git filter-branch --tree-filter`,

3
ci/nixpkgs-vet.sh
View file

@ -61,9 +61,6 @@ trace "Done"
trace -n "Merging base branch into the HEAD commit in $tmp/merged.. " trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "
git -C "$tmp/merged" merge -q --no-edit "$baseSha" git -C "$tmp/merged" merge -q --no-edit "$baseSha"
trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m" trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"
trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
trace -e "\e[34m$toolVersion\e[0m"
trace "Running nixpkgs-vet.." trace "Running nixpkgs-vet.."
nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged" nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged"

1
ci/nixpkgs-vet/pinned-version.txt
View file

@ -1 +0,0 @@
0.1.4

22
ci/nixpkgs-vet/update-pinned-tool.sh
View file

@ -1,22 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p jq curl
set -o pipefail -o errexit -o nounset
trace() { echo >&2 "$@"; }
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
repository=NixOS/nixpkgs-vet
pin_file=$SCRIPT_DIR/pinned-version.txt
trace -n "Fetching latest release of $repository.. "
latestRelease=$(curl -sSfL \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/"$repository"/releases/latest)
latestVersion=$(jq .tag_name -r <<< "$latestRelease")
trace "$latestVersion"
trace "Updating $pin_file"
echo "$latestVersion" > "$pin_file"

4
ci/pinned-nixpkgs.json
View file

@ -1,4 +0,0 @@
{
"rev": "3d1f29646e4b57ed468d60f9d286cde23a8d1707",
"sha256": "1wzvc9h9a6l9wyhzh892xb5x88kxmbzxb1k8s7fizyyw2q4nqw07"
}

31
ci/pinned.json Normal file
View file

@ -0,0 +1,31 @@
{
"pins": {
"nixpkgs": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "NixOS",
"repo": "nixpkgs"
},
"branch": "nixpkgs-unstable",
"submodules": false,
"revision": "8ca7ec685bbee55d6dcb326abe23945c0806c39e",
"url": "https://github.com/NixOS/nixpkgs/archive/8ca7ec685bbee55d6dcb326abe23945c0806c39e.tar.gz",
"hash": "1hkxm871m66mjsc4acdki32qqnpgk3n6vi3zrzns2bwlwp6ivcjx"
},
"treefmt-nix": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "numtide",
"repo": "treefmt-nix"
},
"branch": "main",
"submodules": false,
"revision": "1f3f7b784643d488ba4bf315638b2b0a4c5fb007",
"url": "https://github.com/numtide/treefmt-nix/archive/1f3f7b784643d488ba4bf315638b2b0a4c5fb007.tar.gz",
"hash": "13qisjalw9qvd6lkd9g8225r46j5wdjrp3zw6jrs81q2vxwdz37m"
}
},
"version": 5
}

17
ci/update-pinned-nixpkgs.sh
View file

@ -1,17 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p jq
set -euo pipefail
# https://stackoverflow.com/a/246128
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
repo=https://github.com/nixos/nixpkgs
branch=nixpkgs-unstable
file=$SCRIPT_DIR/pinned-nixpkgs.json
defaultRev=$(git ls-remote "$repo" refs/heads/"$branch" | cut -f1)
rev=${1:-$defaultRev}
sha256=$(nix-prefetch-url --unpack "$repo/archive/$rev.tar.gz" --name source)
jq -n --arg rev "$rev" --arg sha256 "$sha256" '$ARGS.named' | tee /dev/stderr > $file

8
ci/update-pinned.sh Executable file
View file

@ -0,0 +1,8 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p npins
set -euo pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
npins --lock-file pinned.json update