review #387999 #219
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: review | |
| run-name: "review #${{ inputs.pr }}" | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| pr: | |
| description: "Pull Request Number" | |
| required: true | |
| type: string | |
| x86_64-linux: | |
| description: "Run on x86_64-linux" | |
| required: true | |
| type: boolean | |
| default: true | |
| aarch64-linux: | |
| description: "Run on aarch64-linux" | |
| required: true | |
| type: boolean | |
| default: true | |
| x86_64-darwin: | |
| description: "Run on x86_64-darwin" | |
| required: true | |
| type: boolean | |
| default: true | |
| aarch64-darwin: | |
| description: "Run on aarch64-darwin" | |
| required: true | |
| type: boolean | |
| default: true | |
| upstream-eval-timeout: | |
| description: "How long to wait for upstream eval (in seconds)" | |
| required: true | |
| type: number | |
| default: 900 | |
| local-eval: | |
| description: "Force local eval" | |
| required: true | |
| type: boolean | |
| default: false | |
| push-to-cache: | |
| description: "Push to cache" | |
| required: true | |
| type: boolean | |
| default: true | |
| upterm: | |
| description: "Start upterm session after nixpkgs-review" | |
| required: true | |
| type: boolean | |
| default: false | |
| post-result: | |
| description: "Post Result" | |
| required: true | |
| type: boolean | |
| default: true | |
| jobs: | |
| review: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| system: | |
| - x86_64-linux | |
| - aarch64-linux | |
| - x86_64-darwin | |
| - aarch64-darwin | |
| exclude: | |
| - system: ${{ !inputs.x86_64-linux && 'x86_64-linux' || '' }} | |
| - system: ${{ !inputs.aarch64-linux && 'aarch64-linux' || '' }} | |
| - system: ${{ !inputs.x86_64-darwin && 'x86_64-darwin' || '' }} | |
| - system: ${{ !inputs.aarch64-darwin && 'aarch64-darwin' || '' }} | |
| runs-on: >- | |
| ${{ (matrix.system == 'x86_64-linux' && 'ubuntu-latest') | |
| || (matrix.system == 'aarch64-linux' && 'ubuntu-24.04-arm') | |
| || (matrix.system == 'x86_64-darwin' && 'macos-13') | |
| || (matrix.system == 'aarch64-darwin' && 'macos-latest') }} | |
| outputs: | |
| report_x86_64-linux: ${{ steps.report.outputs.report_x86_64-linux }} | |
| report_aarch64-linux: ${{ steps.report.outputs.report_aarch64-linux }} | |
| report_x86_64-darwin: ${{ steps.report.outputs.report_x86_64-darwin }} | |
| report_aarch64-darwin: ${{ steps.report.outputs.report_aarch64-darwin }} | |
| fetch_cmd_x86_64-linux: ${{ steps.report.outputs.fetch_cmd_x86_64-linux }} | |
| fetch_cmd_aarch64-linux: ${{ steps.report.outputs.fetch_cmd_aarch64-linux }} | |
| fetch_cmd_x86_64-darwin: ${{ steps.report.outputs.fetch_cmd_x86_64-darwin }} | |
| fetch_cmd_aarch64-darwin: ${{ steps.report.outputs.fetch_cmd_aarch64-darwin }} | |
| steps: | |
| - name: prepare /nix | |
| run: sudo mkdir /mnt/nix && sudo mount -m -o bind /mnt/nix /nix | |
| if: ${{ matrix.system == 'x86_64-linux' || matrix.system == 'aarch64-linux' }} | |
| - name: install nix | |
| uses: DeterminateSystems/nix-installer-action@v16 | |
| - name: install packages | |
| run: | | |
| pkgs=(coreutils nixpkgs-review) | |
| if [[ ${{ inputs.push-to-cache && vars.ATTIC_SERVER != '' && vars.ATTIC_CACHE != '' }} = true ]]; then | |
| pkgs+=(attic-client) | |
| elif [[ ${{ inputs.push-to-cache && vars.CACHIX_CACHE != '' }} = true ]]; then | |
| pkgs+=(cachix) | |
| fi | |
| args=() | |
| for pkg in ${pkgs[@]}; do args+=("github:nixos/nixpkgs/nixos-unstable#$pkg"); done | |
| nix profile install ${args[@]} | |
| - name: clone nixpkgs | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: NixOS/nixpkgs | |
| - name: wait for upstream eval | |
| if: ${{ inputs.upstream-eval-timeout > 0 && !inputs.local-eval }} | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| start=$(date +%s) | |
| timeout=${{ inputs.upstream-eval-timeout }} | |
| timeout=${timeout%.*} | |
| while [[ $(( $(date +%s) - $start )) -lt $timeout ]]; do | |
| status=$(gh pr -R nixos/nixpkgs checks ${{ inputs.pr }} --json 'state,name,workflow' -q '.[]|select(.name=="Process" and (.workflow=="Eval" or .workflow==".github/workflows/eval.yml"))|.state') | |
| if [[ -z "$status" ]]; then echo "Failed to find eval check" | |
| else echo "Eval status: ${status}"; fi | |
| if [[ "$status" = "SUCCESS" ]]; then break; fi | |
| sleep 10 | |
| done | |
| - name: run nixpkgs-review | |
| run: | | |
| nixpkgs-review -- \ | |
| pr ${{ inputs.pr }} \ | |
| --eval ${{ inputs.local-eval && 'local' || 'auto' }} \ | |
| --no-shell \ | |
| --no-headers \ | |
| --print-result \ | |
| --build-args="-L" \ | |
| || true | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| - name: push results to cache | |
| if: ${{ inputs.push-to-cache && ((vars.ATTIC_SERVER != '' && vars.ATTIC_CACHE != '') || vars.CACHIX_CACHE != '') }} | |
| run: | | |
| set -ex | |
| (realpath -qe ~/.cache/nixpkgs-review/pr-${{ inputs.pr }}/results/* || true) > paths | |
| [[ -s paths ]] || exit 0 | |
| if [[ ${{ vars.ATTIC_SERVER != '' && vars.ATTIC_CACHE != '' }} = true ]]; then | |
| attic login default "$ATTIC_SERVER" "$ATTIC_TOKEN" | |
| attic cache info "$ATTIC_CACHE" | |
| attic push --stdin "$ATTIC_CACHE" < paths | |
| info=$(curl -f -H "Authorization: Bearer ${ATTIC_TOKEN}" "${ATTIC_SERVER}_api/v1/cache-config/${ATTIC_CACHE}") | |
| substituter_endpoint=$(jq -r .substituter_endpoint <<< "$info") | |
| public_key=$(jq -r .public_key <<< "$info") | |
| is_public=$(jq -r .is_public <<< "$info") | |
| elif [[ ${{ vars.CACHIX_CACHE != '' }} = true ]]; then | |
| [[ -n "$CACHIX_SIGNING_KEY" ]] || unset CACHIX_SIGNING_KEY | |
| cachix push "$CACHIX_CACHE" < paths | |
| info=$(curl -f -H "Authorization: Bearer ${CACHIX_AUTH_TOKEN}" "https://app.cachix.org/api/v1/cache/${CACHIX_CACHE}") | |
| substituter_endpoint=$(jq -r .uri <<< "$info") | |
| public_key=$(jq -r '.publicSigningKeys[]' <<< "$info") | |
| is_public=$(jq -r .isPublic <<< "$info") | |
| fi | |
| [[ "$is_public" = true ]] || exit 0 | |
| echo "nix-store -r --add-root nixpkgs-pr-${{ inputs.pr }}-${{ matrix.system }} \\" >> fetch_cmd | |
| echo " --option binary-caches 'https://cache.nixos.org/ $substituter_endpoint' \\" >> fetch_cmd | |
| echo " --option trusted-public-keys '" >> fetch_cmd | |
| echo " cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" >> fetch_cmd | |
| echo " $public_key" >> fetch_cmd | |
| echo -n " '" >> fetch_cmd | |
| for p in $(cat paths); do | |
| echo -e " \\" >> fetch_cmd | |
| echo -n " $p" >> fetch_cmd | |
| done | |
| env: | |
| ATTIC_SERVER: ${{ vars.ATTIC_SERVER }} | |
| ATTIC_CACHE: ${{ vars.ATTIC_CACHE }} | |
| ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }} | |
| CACHIX_CACHE: ${{ vars.CACHIX_CACHE }} | |
| CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }} | |
| - name: start upterm session | |
| if: ${{ inputs.upterm }} | |
| uses: owenthereal/action-upterm@v1 | |
| with: | |
| limit-access-to-actor: true | |
| - name: generate report | |
| id: report | |
| run: | | |
| if [[ -s fetch_cmd ]]; then | |
| cat fetch_cmd | |
| echo fetch_cmd_${{ matrix.system }}=$(base64 -w0 fetch_cmd) >> "$GITHUB_OUTPUT" | |
| fi | |
| report=~/.cache/nixpkgs-review/pr-${{ inputs.pr }}/report.md | |
| cat $report | |
| echo report_${{ matrix.system }}=$(base64 -w0 $report) >> "$GITHUB_OUTPUT" | |
| report: | |
| runs-on: ubuntu-latest | |
| needs: [review] | |
| outputs: | |
| report: ${{ steps.report.outputs.report }} | |
| steps: | |
| - name: generate report | |
| id: report | |
| run: | | |
| echo -e "## \`nixpkgs-review\` result\n" >> report.md | |
| echo -e "Generated using [\`nixpkgs-review-gha\`](https://github.com/Defelo/nixpkgs-review-gha)\n" >> report.md | |
| echo -e "Command: \`nixpkgs-review pr ${{ inputs.pr }}\`\n" >> report.md | |
| echo -e "Logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\n" >> report.md | |
| mkdir .tmp | |
| cd .tmp | |
| echo ${{ needs.review.outputs.fetch_cmd_x86_64-linux }} | base64 -d > x86_64-linux | |
| echo ${{ needs.review.outputs.fetch_cmd_aarch64-linux }} | base64 -d > aarch64-linux | |
| echo ${{ needs.review.outputs.fetch_cmd_x86_64-darwin }} | base64 -d > x86_64-darwin | |
| echo ${{ needs.review.outputs.fetch_cmd_aarch64-darwin }} | base64 -d > aarch64-darwin | |
| for system in x86_64-linux aarch64-linux x86_64-darwin aarch64-darwin; do | |
| [[ -s $system ]] || continue | |
| echo -e "<li><details><summary><code>$system</code></summary>\n\n\`\`\`shell" >> ../cache.md | |
| cat $system >> ../cache.md | |
| echo -e "\n\`\`\`\n</details></li>" >> ../cache.md | |
| done | |
| cd .. | |
| if [[ -s cache.md ]]; then | |
| echo -e "<details><summary>Download packages from cache:</summary><ul>" >> report.md | |
| cat cache.md >> report.md | |
| echo -e "</ul></details>\n" >> report.md | |
| fi | |
| echo ${{ needs.review.outputs.report_x86_64-linux }} | base64 -d >> report.md | |
| echo ${{ needs.review.outputs.report_aarch64-linux }} | base64 -d >> report.md | |
| echo ${{ needs.review.outputs.report_x86_64-darwin }} | base64 -d >> report.md | |
| echo ${{ needs.review.outputs.report_aarch64-darwin }} | base64 -d >> report.md | |
| cat report.md | |
| echo report=$(base64 -w0 report.md) >> "$GITHUB_OUTPUT" | |
| post-result: | |
| runs-on: ubuntu-latest | |
| needs: [report] | |
| if: ${{ inputs.post-result }} | |
| environment: post-result | |
| steps: | |
| - name: fetch report | |
| run: echo ${{ needs.report.outputs.report }} | base64 -d > report.md | |
| - name: post comment | |
| run: | | |
| if [[ -n "$GH_TOKEN" ]]; then | |
| gh pr -R NixOS/nixpkgs comment ${{ inputs.pr }} -F report.md | |
| fi | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_TOKEN }} |