diff --git a/ci/README.md b/ci/README.md index 7fcda96e3480..67f55d15e548 100644 --- a/ci/README.md +++ b/ci/README.md @@ -20,23 +20,3 @@ Arguments: - `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05 - `REPOSITORY`: The repository from which to fetch the base branch. Defaults to . - -## `ci/nixpkgs-vet` - -This directory contains scripts and files used and related to [`nixpkgs-vet`](https://github.com/NixOS/nixpkgs-vet/), which the CI uses to implement `pkgs/by-name` checks, along with many other Nixpkgs architecture rules. -See also the [CI GitHub Action](../.github/workflows/nixpkgs-vet.yml). - -## `ci/nixpkgs-vet/update-pinned-tool.sh` - -Updates the pinned [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) in [`ci/nixpkgs-vet/pinned-version.txt`](./nixpkgs-vet/pinned-version.txt) to the latest [release](https://github.com/NixOS/nixpkgs-vet/releases). - -Each release contains a pre-built `x86_64-linux` version of the tool which is used by CI. - -This script currently needs to be called manually when the CI tooling needs to be updated. - -Why not just build the tooling right from the PRs Nixpkgs version? - -- Because it allows CI to check all PRs, even if they would break the CI tooling. -- Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds. -- Because it improves security, since we don't have to build potentially untrusted code from PRs. - The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval). diff --git a/ci/nixpkgs-vet.sh b/ci/nixpkgs-vet.sh index b62e04fe0177..8ad2a35adfa0 100755 --- a/ci/nixpkgs-vet.sh +++ b/ci/nixpkgs-vet.sh 
@@ -61,9 +61,6 @@ trace "Done" trace -n "Merging base branch into the HEAD commit in $tmp/merged.. " git -C "$tmp/merged" merge -q --no-edit "$baseSha" trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m" -trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. " -toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt") -trace -e "\e[34m$toolVersion\e[0m" trace "Running nixpkgs-vet.." nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged" diff --git a/ci/nixpkgs-vet/pinned-version.txt b/ci/nixpkgs-vet/pinned-version.txt deleted file mode 100644 index 845639eef26c..000000000000 --- a/ci/nixpkgs-vet/pinned-version.txt +++ /dev/null @@ -1 +0,0 @@ -0.1.4 diff --git a/ci/nixpkgs-vet/update-pinned-tool.sh b/ci/nixpkgs-vet/update-pinned-tool.sh deleted file mode 100755 index 78a9ae2411b8..000000000000 --- a/ci/nixpkgs-vet/update-pinned-tool.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env nix-shell -#!nix-shell -i bash -p jq curl - -set -o pipefail -o errexit -o nounset - -trace() { echo >&2 "$@"; } - -SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) - -repository=NixOS/nixpkgs-vet -pin_file=$SCRIPT_DIR/pinned-version.txt - -trace -n "Fetching latest release of $repository.. " -latestRelease=$(curl -sSfL \ - -H "Accept: application/vnd.github+json" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - https://api.github.com/repos/"$repository"/releases/latest) -latestVersion=$(jq .tag_name -r <<< "$latestRelease") -trace "$latestVersion" - -trace "Updating $pin_file" -echo "$latestVersion" > "$pin_file"
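Review bot: With the pinned-version read gone, nothing on the new side of this hunk records where the `nixpkgs-vet` binary now comes from, while the README hunk in the same commit drops the paragraph explaining why the tool was pinned (CI must not build code taken from the PR under test). The remaining `nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged"` evaluates the `ci/` expression relative to the working directory, not the tree in `$tmp/merged`, so that property presumably still holds, but it is no longer stated anywhere. A one-line comment above the `nix-build` call would keep the intent visible, e.g. `# nixpkgs-vet is built from this checkout's ci/ expression, never from the PR tree in $tmp/merged`. The rest of the script, including how `$tmp/base` and `$tmp/merged` are populated, lies outside the hunk.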