.github/workflows/pr.yml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

name: PR

on:
  pull_request:
    paths:
      - .github/actions/get-merge-commit/action.yml
      - .github/workflows/build.yml
      - .github/workflows/check.yml
      - .github/workflows/eval.yml
      - .github/workflows/lint.yml
      - .github/workflows/pr.yml
      - .github/workflows/labels.yml
      - .github/workflows/reviewers.yml # needs eval results from the same event type
  pull_request_target:

concurrency:
  group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

permissions: {}

jobs:
  prepare:
    runs-on: ubuntu-24.04-arm
    outputs:
      baseBranch: ${{ steps.branches.outputs.base }}
      headBranch: ${{ steps.branches.outputs.head }}
      mergedSha: ${{ steps.get-merge-commit.outputs.mergedSha }}
      targetSha: ${{ steps.get-merge-commit.outputs.targetSha }}
      systems: ${{ steps.systems.outputs.systems }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: |
            .github/actions
            ci/supportedBranches.js
            ci/supportedSystems.json
      - name: Check if the PR can be merged and get the test merge commit
        uses: ./.github/actions/get-merge-commit
        id: get-merge-commit

      - name: Load supported systems
        id: systems
        run: |
          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"

      - name: Determine branch type
        id: branches
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            const { classify } = require('./ci/supportedBranches.js')
            const { base, head } = context.payload.pull_request

            const baseClassification = classify(base.ref)
            core.setOutput('base', baseClassification)
            core.info('base classification:', baseClassification)

            const headClassification =
              (base.repo.full_name == head.repo.full_name) ?
              classify(head.ref) :
              // PRs from forks are always considered WIP.
              { type: ['wip'] }
            core.setOutput('head', headClassification)
            core.info('head classification:', headClassification)

  check:
    name: Check
    needs: [prepare]
    uses: ./.github/workflows/check.yml
    permissions:
      # cherry-picks
      pull-requests: write
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      headBranch: ${{ needs.prepare.outputs.headBranch }}

  lint:
    name: Lint
    needs: [prepare]
    uses: ./.github/workflows/lint.yml
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  eval:
    name: Eval
    needs: [prepare]
    uses: ./.github/workflows/eval.yml
    permissions:
      # compare
      statuses: write
    secrets:
      OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}
      systems: ${{ needs.prepare.outputs.systems }}

  labels:
    name: Labels
    needs: [prepare, eval]
    uses: ./.github/workflows/labels.yml
    permissions:
      issues: write
      pull-requests: write
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
    with:
      headBranch: ${{ needs.prepare.outputs.headBranch }}

  reviewers:
    name: Reviewers
    needs: [prepare, eval]
    if: |
      needs.prepare.outputs.targetSha &&
      !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development')
    uses: ./.github/workflows/reviewers.yml
    secrets:
      OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}

  build:
    name: Build
    needs: [prepare]
    uses: ./.github/workflows/build.yml
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}

  # This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block merging a PR.
  # If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset.
  # However, if any of them fail, this job will also fail — thus blocking the branch ruleset.
  no-pr-failures:
    # Modify this list to add or remove jobs from required status checks.
    needs:
      - check
      - lint
      - eval
      - build
    # WARNING:
    # Do NOT change the name of this job, otherwise the rule will not catch it anymore.
    # This would prevent all PRs from merging.
    name: no PR failures
    if: ${{ failure() }}
    runs-on: ubuntu-24.04-arm
    steps:
      - run: exit 1