Commit graph

32 commits

Author SHA1 Message Date
Wolfgang Walther
f87dac4be3
workflows/{check-shell,lib-tests}: use nixpkgs CI cachix cache
Any change to shell.nix or ci/ currently needs to rebuild treefmt on 4
systems from scratch. We can avoid that by using the existing cachix
cache.

Adding the cache to lib-tests won't do much on its own, yet, but it
will with the next commit.
2025-06-02 09:12:16 +02:00
Wolfgang Walther
6d4b1f8e30
workflows: cancel running jobs on pull request updates
We can avoid running old jobs to completion, when pushing changes to a
pull request. This is done via concurrency groups. We set them on the
workflow level, with the following keys in the group name:
- `github.workflow` to only cancel / block the same workflow.
- `github.event_name` to avoid blocking between pull_request and
pull_request_target.
- `github.head_ref` which is unique for a PR, but the same when changing
it. This will cause PRs to cancel in-progress jobs. Unset on pushes to
master & co.
- `github.run_id` as fallback for push events. In this case, the run_id
is unique for every push, thus *no* cancelling happens on the dev
branches.
2025-06-01 12:44:44 +02:00
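As an illustration of the concurrency-group scheme described in the commit message above (this is an added example, not the commit's own diff or the nixpkgs workflow file), a workflow-level `concurrency` block that combines the four keys listed there. The `||` fallback is what makes `github.run_id` take over when `github.head_ref` is unset on push events, so pushes to master never cancel each other while new pushes to a PR cancel that PR's running jobs:

```yaml
# Added example: workflow-level concurrency group built from the keys named
# in the commit message. Not taken from the nixpkgs repository.
name: example-workflow

on:
  push:
    branches: [master]
  pull_request:
  pull_request_target:

concurrency:
  # github.workflow    -> only cancel/block runs of this same workflow
  # github.event_name  -> pull_request and pull_request_target never block each other
  # github.head_ref    -> set (and stable) for a PR, so a new push cancels the old run
  # github.run_id      -> fallback on push events, unique per push, so nothing is cancelled
  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  example:
    name: Example job
    runs-on: ubuntu-24.04
    steps:
      - run: echo "group keys decide whether this run may be cancelled"
```

Because the group name on a push to master contains the unique `run_id`, `cancel-in-progress: true` has no effect there; it only bites when two runs share a group, which happens exactly for successive pushes to the same PR head ref.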
Wolfgang Walther
0e1c284b13
workflows: checkout nixpkgs in get-merge-commit action
This makes checking out the nixpkgs repo even more consistent and almost
forces us to use the trusted/untrusted path pattern.
2025-05-25 15:14:23 +02:00
Wolfgang Walther
6720d25429
workflows: checkout nixpkgs into trusted/untrusted directories
By consistently checking out nixpkgs into the same location in every
workflow, it's easier to reason about the different workflows at once.
We also use crystal-clear names to make clear which checkouts are
considered trusted, because they only contain target-branch-code and
which checkouts are untrusted, because they contain code from the head
branch. By naming the checkout directories trusted/untrusted, it's
obvious at the call-site.

One example of where we likely did the wrong thing is the nixpkgs-vet
workflow: Fetching the toolVersion from the untrusted checkout opens the
door for an injection into the download URL, thus code could be
downloaded from anywhere. This is not a problem, because this workflow
does not run with elevated privileges, but it's a scary oversight
nonetheless.
2025-05-25 14:33:06 +02:00
Wolfgang Walther
039a954892
workflows/{check-shell,manual-nixos,manual-nixpkgs}: use get-merge-commit action
This makes a difference for the case of a merge conflict: In that case,
the magic `.../merge` branch actually points to the *last test merge
commit* that was successful, which might not contain the latest head
commit in any way. Running the tests on that commit is heavily
misleading. By using the get-merge-commit action, we run on the PR's
head commit in this case, which is much better.
2025-05-23 23:43:42 +02:00
Wolfgang Walther
65315e5400
workflows: self-test on change
All workflows where it's remotely useful now trigger on a pull_request
event when the workflow file itself is changed. This gives us basic
sanity testing of changes to the workflow files themselves and reduces the need
for manual tests in forks.
2025-05-14 08:18:38 +02:00
Jörg Thalheim
5a1b4e070b
workflows: Use ARM runners (#405943)
2025-05-11 12:34:21 +02:00
Wolfgang Walther
a56fa7a4a2
workflows/check-shell: test aarch64-linux and x86_64-darwin as well
GitHub has all the different runners, so we can just as well check that
shell.nix works.
2025-05-11 12:11:14 +02:00
Wolfgang Walther
7c16d15d7f
ci/shell: init
The dev shell can now be built locally the same way as in CI with:

  nix-build ci -A shell
2025-05-10 22:14:16 +02:00
dependabot[bot]
f068c68b2e
build(deps): bump cachix/install-nix-action from 31.2.0 to 31.3.0
Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action) from 31.2.0 to 31.3.0.
- [Release notes](https://github.com/cachix/install-nix-action/releases)
- [Changelog](https://github.com/cachix/install-nix-action/blob/master/RELEASE.md)
- [Commits](754537aaed...5261181216)

---
updated-dependencies:
- dependency-name: cachix/install-nix-action
  dependency-version: 31.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-05 11:37:17 +00:00
dependabot[bot]
1de4a06154
build(deps): bump cachix/install-nix-action from 31.1.0 to 31.2.0
Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action) from 31.1.0 to 31.2.0.
- [Release notes](https://github.com/cachix/install-nix-action/releases)
- [Changelog](https://github.com/cachix/install-nix-action/blob/master/RELEASE.md)
- [Commits](d1ca217b38...754537aaed)

---
updated-dependencies:
- dependency-name: cachix/install-nix-action
  dependency-version: 31.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-21 12:30:12 +00:00
dependabot[bot]
0e553a831e
build(deps): bump cachix/install-nix-action from {30,31} to 31.1.0 (#394893)
2025-04-01 19:43:48 +00:00
Wolfgang Walther
3fa48f3377
Reapply "build(deps): bump cachix/install-nix-action from 30 to 31"
This reverts commit 281875261d.
2025-03-19 20:38:45 +01:00
Philip Taron
281875261d
Revert "build(deps): bump cachix/install-nix-action from 30 to 31"
2025-03-17 08:05:43 -07:00
dependabot[bot]
8cad67f2a3
build(deps): bump cachix/install-nix-action from 30 to 31
Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action) from 30 to 31.
- [Release notes](https://github.com/cachix/install-nix-action/releases)
- [Commits](08dcb3a5e6...02a151ada4)

---
updated-dependencies:
- dependency-name: cachix/install-nix-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-17 11:39:46 +00:00
Wolfgang Walther
9ea74225cc
workflows: add README
This introduces some basic concepts used in these workflows and a common
terminology.

At the same time we remove some of the comments from various workflow
files, because they are assumed to be "general knowledge" through the
README.
2025-01-10 18:36:22 +01:00
Wolfgang Walther
88afad8833
workflows: basic consistency in formatting workflows
Same top-level ordering of keys / empty lines and same indentation for
yaml lists. One blank line between each step.

Makes it easier to read and compare the workflows.
2025-01-09 21:29:41 +01:00
Wolfgang Walther
4d00c68aa4
workflows/check-shell: use job matrix
2025-01-09 21:29:41 +01:00
NAHO
dbd20ce0eb
workflows: lock macOS runner to macos-14
2025-01-05 00:18:58 +01:00
NAHO
fcfbe6fff4
workflows: update Ubuntu runner to ubuntu-24.04
Link: https://github.com/actions/runner-images/issues/10636
2025-01-05 00:18:58 +01:00
NAHO
2660dd1e71
workflows: lock Ubuntu runner to ubuntu-22.04
Lock the Ubuntu runner to ubuntu-22.04 to avoid accidental updates [1]
and increase reproducibility.

[1]: https://github.com/actions/runner-images/issues/10636
2025-01-05 00:18:57 +01:00
Zhong Jianxin
c318085efa
ci/check-shell: fix ci/** path
2024-11-30 10:32:54 +08:00
Jörg Thalheim
cb016f116b
ci/check-shell: only run if shell.nix or ./ci/** is changed
saves a bit of CI time
2024-11-29 23:34:33 +01:00
dependabot[bot]
6baeff261f
build(deps): bump actions/checkout from 4.2.1 to 4.2.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.1 to 4.2.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](eef61447b9...11bd71901b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-28 11:50:56 +00:00
dependabot[bot]
f3143a7eda
build(deps): bump actions/checkout from 4.2.0 to 4.2.1
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.0 to 4.2.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](d632683dd7...eef61447b9)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-14 11:35:32 +00:00
dependabot[bot]
557d69a3d0
build(deps): bump cachix/install-nix-action from 29 to 30
Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action) from 29 to 30.
- [Release notes](https://github.com/cachix/install-nix-action/releases)
- [Commits](9f70348d77...08dcb3a5e6)

---
updated-dependencies:
- dependency-name: cachix/install-nix-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-07 11:17:58 +00:00
dependabot[bot]
b93144cbc0
build(deps): bump actions/checkout from 4.1.7 to 4.2.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](692973e3d9...d632683dd7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-09-30 12:02:46 +00:00
dependabot[bot]
7816a35ee7
build(deps): bump cachix/install-nix-action from 27 to 29
Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action) from 27 to 29.
- [Release notes](https://github.com/cachix/install-nix-action/releases)
- [Commits](ba0dd844c9...9f70348d77)

---
updated-dependencies:
- dependency-name: cachix/install-nix-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-09-30 11:58:38 +00:00
Adam Stephens
15e9fcd961
workflows/*: ensure jobs have names
2024-07-31 23:28:40 -04:00
dependabot[bot]
ab7becf047
build(deps): bump cachix/install-nix-action from 26 to 27
Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action) from 26 to 27.
- [Release notes](https://github.com/cachix/install-nix-action/releases)
- [Commits](8887e596b4...ba0dd844c9)

---
updated-dependencies:
- dependency-name: cachix/install-nix-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-07-22 20:04:12 +00:00
dependabot[bot]
d14441cfe1
build(deps): bump actions/checkout from 4.1.5 to 4.1.7
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.5 to 4.1.7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](44c2b7a8a4...692973e3d9)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-06-29 22:01:52 +00:00
Silvan Mosberger
a70ab58960
root: shell.nix for nixfmt
This uses the reusable pinned Nixpkgs from the parent commit to create a
shell.nix file for an environment with a pinned nixfmt version.
2024-06-26 16:16:44 +02:00