From b942fb47dc604f25e4bb710a1072f30e675c973a Mon Sep 17 00:00:00 2001
From: Wolfgang Walther
Date: Mon, 19 May 2025 20:14:13 +0200
Subject: [PATCH] workflows/eval: drop process job

Since process doesn't need to run on push events anymore, we can just as well remove it entirely. The little bit of combine and comparison can be done in the tag job, even with elevated privileges. That's because those parts can be done entirely from the target commit, which is trusted. This saves startup, installing nix, downloading tools and artifacts for one job. It saves about 1 minute per run, start to finish.
---
 .github/workflows/eval.yml | 59 +++++++++++--------------------------
 1 file changed, 17 insertions(+), 42 deletions(-)

diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml
index 2d22270c4874..b9a9c7e9dcbe 100644
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@@ -153,11 +153,14 @@ jobs:
           name: diff-${{ matrix.system }}
           path: diff/*
 
-  process:
-    name: Process
+  tag:
+    name: Tag
     runs-on: ubuntu-24.04-arm
     needs: [ prepare, outpaths ]
     if: needs.prepare.outputs.targetSha
+    permissions:
+      pull-requests: write
+      statuses: write
     steps:
       - name: Download output paths and eval stats for all systems
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
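Review bot: The `permissions:` block added under `tag:` makes this the job that both downloads the per-system artifacts from `outpaths` and holds `pull-requests: write` / `statuses: write`, while the comment that justified the old split (`# Separate job to have a very tightly scoped PR write token`) is deleted rather than rewritten, so the trust boundary is no longer stated where it now matters. Whether those artifacts are produced from the PR head is not visible in this diff, but if they are, every step that consumes them runs alongside a write-capable GITHUB_TOKEN, and the commit message's argument ("done entirely from the target commit") only holds as long as artifact contents are treated as data and never executed or evaluated. I'd put a comment directly above `tag:`: `# Elevated permissions: only run code checked out from the trusted target commit here; downloaded artifacts are untrusted data and must never be executed or evaluated`. The job's remaining steps run past the end of this hunk.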
@@ -206,46 +209,6 @@ jobs:
           name: comparison
           path: comparison/*
 
-  # Separate job to have a very tightly scoped PR write token
-  tag:
-    name: Tag
-    runs-on: ubuntu-24.04-arm
-    needs: [ prepare, process ]
-    if: needs.prepare.outputs.targetSha
-    permissions:
-      pull-requests: write
-      statuses: write
-    steps:
-      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
-      # Can't use the token received from permissions above, because it can't get enough permissions
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.OWNER_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.OWNER_APP_ID }}
-          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
-          permission-administration: read
-          permission-members: read
-          permission-pull-requests: write
-
-      - name: Download comparison result
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          name: comparison
-          path: comparison
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-
-      # Important: This workflow job runs with extra permissions,
-      # so we need to make sure to not run untrusted code from PRs
-      - name: Check out Nixpkgs at the target commit
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ needs.prepare.outputs.targetSha }}
-          path: trusted
-          sparse-checkout: ci
-
       - name: Build the requestReviews derivation
         run: nix-build trusted/ci -A requestReviews
 
@@ -303,6 +266,18 @@ jobs:
             "/repos/$GITHUB_REPOSITORY/statuses/$PR_HEAD_SHA" \
             -f "context=Eval / Summary" -f "state=success" -f "description=$description" -f "target_url=$target_url"
 
+      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
+      # Can't use the token received from permissions above, because it can't get enough permissions
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        if: vars.OWNER_APP_ID
+        id: app-token
+        with:
+          app-id: ${{ vars.OWNER_APP_ID }}
+          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+          permission-administration: read
+          permission-members: read
+          permission-pull-requests: write
+
       - name: Requesting maintainer reviews
         if: ${{ steps.app-token.outputs.token && github.repository_owner == 'NixOS' }}
         env:
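Review bot: The App token step is now minted inside the same job that handles the downloaded artifacts, and the only thing keeping that token away from the earlier steps is its position after the status-posting `gh api` call; nothing in the YAML says this ordering is deliberate. A later reorder, or a step appended after it that reads artifact data, would silently widen what the `permission-administration: read` / `permission-members: read` / `permission-pull-requests: write` token is exposed to, and the carried-over comment `# Can't use the token received from permissions above` now points at a `permissions:` block many steps away. I'd add above the `- uses: actions/create-github-app-token` line: `# Minted as late as possible on purpose: keep this after every step that reads downloaded artifacts, so the App token is never present while untrusted data is processed`. If the action's default post-step revocation is being relied on to bound the token's lifetime, that is worth stating in the same comment rather than leaving it implicit.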