Skip to content

Nixpkgs diff for forks #98

Nixpkgs diff for forks

Nixpkgs diff for forks #98

Workflow file for this run

name: CI
on:
# We use pull_request_target such that Nixpkgs diff processing also works,
# because we need repository secrets for that, which pull_request doesn't allow from forks.
# However, it's very important that we don't run code from forks without sandboxing it,
# because that way anybody could potentially extract repository secrets!
pull_request_target:
# pull_request_target makes it very annoying to test updates to the workflow,
# because all such runs use the workflow file from the base branch, not the PR.
# This can be fixed by _also_ running it on `pull_request` events,
# but to not have duplicate runs for every PR, we only do that when any workflows are updated.
pull_request:
paths:
- '.github/workflows/**'
push:
branches:
- master
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
if: github.event_name == 'push'
- uses: actions/checkout@v4
if: github.event_name != 'push'
with:
# To prevent running untrusted code from forks,
# pull_request_target will cause the base branch to be checked out, not the PR branch.
# In our case we check out the PR branch regardless,
# because we're sandboxing all untrusted code with a `nix-build`.
# (and the sandbox is enabled by default at least on Linux)
ref: refs/pull/${{ github.event.pull_request.number }}/merge
- uses: cachix/install-nix-action@v26
- name: checks
run: nix-build -A ci
nixpkgs-diff:
runs-on: ubuntu-latest
if: github.event_name != 'push'
# Ensures that we don't run two comment-posting workflows at the same time
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
cancel-in-progress: true
steps:
- name: Find Comment
uses: peter-evans/find-comment@v3
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: Nixpkgs diff
- name: Create or update comment
uses: peter-evans/create-or-update-comment@v4
id: couc
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
edit-mode: replace
body: |
Nixpkgs diff [processing](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})..
Will be available [here](https://github.com/${{ vars.MACHINE_USER }}/nixpkgs/commits/nixfmt-${{ github.event.pull_request.number }})
# To prevent running untrusted code from forks,
# pull_request_target will cause the base branch to be checked out, not the PR branch.
# This is exactly what we want in this case,
# because the sync-pr.sh script cannot be run sandboxed since it needs to have side effects.
# Instead, the script itself fetches the PR, but then runs its code within sandboxed derivations.
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v26
- run: |
./scripts/sync-pr.sh \
https://github.com/${{ github.repository }} \
${{ github.event.pull_request.number }} \
https://${{ secrets.MACHINE_USER_PAT }}@github.com/${{ vars.MACHINE_USER }}/nixpkgs
- name: Create or update comment
uses: peter-evans/create-or-update-comment@v4
with:
comment-id: ${{ steps.couc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
edit-mode: replace
body: |
[Nixpkgs diff](https://github.com/${{ vars.MACHINE_USER }}/nixpkgs/commits/nixfmt-${{ github.event.pull_request.number }})