-
-
Notifications
You must be signed in to change notification settings - Fork 43
94 lines (81 loc) · 3.65 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
name: CI
on:
# We use pull_request_target such that Nixpkgs diff processing also works,
# because we need repository secrets for that, which pull_request doesn't allow from forks.
# However, it's very important that we don't run code from forks without sandboxing it,
# because that way anybody could potentially extract repository secrets!
pull_request_target:
push:
branches:
- master
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
if: github.event_name != 'pull_request_target'
- uses: actions/checkout@v4
if: github.event_name == 'pull_request_target'
with:
# To prevent running untrusted code from forks,
# pull_request_target will cause the base branch to be checked out, not the PR branch.
# In our case we check out the PR branch regardless,
# because we're sandboxing all untrusted code with a `nix-build`.
# (and the sandbox is enabled by default at least on Linux)
ref: refs/pull/${{ github.event.pull_request.number }}/merge
- uses: cachix/install-nix-action@v26
- uses: cachix/cachix-action@v14
with:
name: nixos-nixfmt
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: checks
run: nix-build -A ci
nixpkgs-diff:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request_target'
# Ensures that we don't run two comment-posting workflows at the same time
concurrency:
group: ${{ github.workflow_ref }}-${{ github.event.pull_request.number }}
cancel-in-progress: true
steps:
- name: Find Comment
uses: peter-evans/find-comment@v3
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: Nixpkgs diff
- name: Create or update comment
uses: peter-evans/create-or-update-comment@v4
id: couc
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
edit-mode: replace
body: |
Nixpkgs diff [processing](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})..
Will be available [here](https://github.com/${{ vars.MACHINE_USER }}/nixpkgs/commits/nixfmt-${{ github.event.pull_request.number }})
# To prevent running untrusted code from forks,
# pull_request_target will cause the base branch to be checked out, not the PR branch.
# This is exactly what we want in this case,
# because the sync-pr.sh script cannot be run sandboxed since it needs to have side effects.
# Instead, the script itself fetches the PR, but then runs its code within sandboxed derivations.
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v26
- uses: cachix/cachix-action@v14
with:
name: nixos-nixfmt
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- run: |
./scripts/sync-pr.sh \
https://github.com/${{ github.repository }} \
${{ github.event.pull_request.number }} \
https://${{ secrets.MACHINE_USER_PAT }}@github.com/${{ vars.MACHINE_USER }}/nixpkgs
- name: Create or update comment
uses: peter-evans/create-or-update-comment@v4
with:
comment-id: ${{ steps.couc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
edit-mode: replace
body: |
[Nixpkgs diff](https://github.com/${{ vars.MACHINE_USER }}/nixpkgs/commits/nixfmt-${{ github.event.pull_request.number }})