Merge pull request #270 from piegamesde/let-in-comments #298
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
# We use pull_request_target such that Nixpkgs diff processing also works, | |
# because we need repository secrets for that, which pull_request doesn't allow from forks. | |
# However, it's very important that we don't run code from forks without sandboxing it, | |
# because that way anybody could potentially extract repository secrets! | |
pull_request_target: | |
push: | |
branches: | |
- master | |
jobs: | |
check: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
if: github.event_name != 'pull_request_target' | |
- uses: actions/checkout@v4 | |
if: github.event_name == 'pull_request_target' | |
with: | |
# To prevent running untrusted code from forks, | |
# pull_request_target will cause the base branch to be checked out, not the PR branch. | |
# In our case we check out the PR branch regardless, | |
# because we're sandboxing all untrusted code with a `nix-build`. | |
# (and the sandbox is enabled by default at least on Linux) | |
ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
- uses: cachix/install-nix-action@v26 | |
- uses: cachix/cachix-action@v14 | |
with: | |
name: nixos-nixfmt | |
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
- name: checks | |
run: nix-build -A ci | |
nixpkgs-diff: | |
runs-on: ubuntu-latest | |
if: github.event_name == 'pull_request_target' | |
# Ensures that we don't run two comment-posting workflows at the same time | |
concurrency: | |
group: ${{ github.workflow_ref }}-${{ github.event.pull_request.number }} | |
cancel-in-progress: true | |
steps: | |
- name: Find Comment | |
uses: peter-evans/find-comment@v3 | |
id: fc | |
with: | |
issue-number: ${{ github.event.pull_request.number }} | |
comment-author: 'github-actions[bot]' | |
body-includes: Nixpkgs diff | |
- name: Create or update comment | |
uses: peter-evans/create-or-update-comment@v4 | |
id: couc | |
with: | |
comment-id: ${{ steps.fc.outputs.comment-id }} | |
issue-number: ${{ github.event.pull_request.number }} | |
edit-mode: replace | |
body: | | |
Nixpkgs diff [processing](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}).. | |
Will be available [here](https://github.com/${{ vars.MACHINE_USER }}/nixpkgs/commits/nixfmt-${{ github.event.pull_request.number }}) | |
# To prevent running untrusted code from forks, | |
# pull_request_target will cause the base branch to be checked out, not the PR branch. | |
# This is exactly what we want in this case, | |
# because the sync-pr.sh script cannot be run sandboxed since it needs to have side effects. | |
# Instead, the script itself fetches the PR, but then runs its code within sandboxed derivations. | |
- uses: actions/checkout@v4 | |
- uses: cachix/install-nix-action@v26 | |
- uses: cachix/cachix-action@v14 | |
with: | |
name: nixos-nixfmt | |
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
- run: | | |
./scripts/sync-pr.sh \ | |
https://github.com/${{ github.repository }} \ | |
${{ github.event.pull_request.number }} \ | |
https://${{ secrets.MACHINE_USER_PAT }}@github.com/${{ vars.MACHINE_USER }}/nixpkgs | |
- name: Create or update comment | |
uses: peter-evans/create-or-update-comment@v4 | |
with: | |
comment-id: ${{ steps.couc.outputs.comment-id }} | |
issue-number: ${{ github.event.pull_request.number }} | |
edit-mode: replace | |
body: | | |
[Nixpkgs diff](https://github.com/${{ vars.MACHINE_USER }}/nixpkgs/commits/nixfmt-${{ github.event.pull_request.number }}) |