nixos/security/ca: enable support for compatibility bundles #62210
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Checks pkgs/by-name (see pkgs/by-name/README.md) | |
# using the nixpkgs-check-by-name tool (see pkgs/test/nixpkgs-check-by-name) | |
# | |
# When you make changes to this workflow, also update pkgs/test/nixpkgs-check-by-name/scripts/run-local.sh adequately | |
name: Check pkgs/by-name | |
# The tool is pinned to a pre-built version on Hydra, | |
# see pkgs/test/nixpkgs-check-by-name/scripts/README.md | |
on: | |
# Using pull_request_target instead of pull_request avoids having to approve first time contributors | |
pull_request_target: | |
# This workflow depends on the base branch of the PR, | |
# but changing the base branch is not included in the default trigger events, | |
# which would be `opened`, `synchronize` or `reopened`. | |
# Instead it causes an `edited` event, so we need to add it explicitly here | |
# While `edited` is also triggered when the PR title/body is changed, | |
# this PR action is fairly quick, and PR's don't get edited that often, | |
# so it shouldn't be a problem | |
types: [opened, synchronize, reopened, edited] | |
permissions: | |
# We need this permission to cancel the workflow run if there's a merge conflict | |
actions: write | |
jobs: | |
check: | |
# This is x86_64-linux, for which the tool is always prebuilt on the nixos-* channels, | |
# as specified in nixos/release-combined.nix | |
runs-on: ubuntu-latest | |
# This should take 1 minute at most, but let's be generous. | |
# The default of 6 hours is definitely too long | |
timeout-minutes: 10 | |
steps: | |
# This step has to be in this file, | |
# because it's needed to determine which revision of the repository to fetch, | |
# and we can only use other files from the repository once it's fetched. | |
- name: Resolving the merge commit | |
env: | |
GH_TOKEN: ${{ github.token }} | |
run: | | |
# This checks for mergeability of a pull request as recommended in | |
# https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests | |
# Retry the API query this many times | |
retryCount=3 | |
# Start with 5 seconds, but double every retry | |
retryInterval=5 | |
while true; do | |
echo "Checking whether the pull request can be merged" | |
prInfo=$(gh api \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
/repos/"$GITHUB_REPOSITORY"/pulls/${{ github.event.pull_request.number }}) | |
mergeable=$(jq -r .mergeable <<< "$prInfo") | |
mergedSha=$(jq -r .merge_commit_sha <<< "$prInfo") | |
if [[ "$mergeable" == "null" ]]; then | |
if (( retryCount == 0 )); then | |
echo "Not retrying anymore, probably GitHub is having internal issues" | |
exit 1 | |
else | |
(( retryCount -= 1 )) || true | |
# null indicates that GitHub is still computing whether it's mergeable | |
# Wait a couple seconds before trying again | |
echo "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)" | |
sleep "$retryInterval" | |
(( retryInterval *= 2 )) || true | |
fi | |
else | |
break | |
fi | |
done | |
if [[ "$mergeable" == "true" ]]; then | |
echo "The PR can be merged, checking the merge commit $mergedSha" | |
else | |
echo "The PR cannot be merged, it has a merge conflict, cancelling the workflow.." | |
gh api \ | |
--method POST \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
/repos/"$GITHUB_REPOSITORY"/actions/runs/"$GITHUB_RUN_ID"/cancel | |
sleep 60 | |
# If it's still not canceled after a minute, something probably went wrong, just exit | |
exit 1 | |
fi | |
echo "mergedSha=$mergedSha" >> "$GITHUB_ENV" | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
# pull_request_target checks out the base branch by default | |
ref: ${{ env.mergedSha }} | |
# Fetches the merge commit and its parents | |
fetch-depth: 2 | |
- name: Checking out base branch | |
run: | | |
base=$(mktemp -d) | |
git worktree add "$base" "$(git rev-parse HEAD^1)" | |
echo "base=$base" >> "$GITHUB_ENV" | |
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25 | |
- name: Fetching the pinned tool | |
# Update the pinned version using pkgs/test/nixpkgs-check-by-name/scripts/update-pinned-tool.sh | |
run: | | |
# Get the direct /nix/store path from the pin to avoid having to evaluate Nixpkgs | |
toolPath=$(jq -r '."ci-path"' pkgs/test/nixpkgs-check-by-name/scripts/pinned-tool.json) | |
# This asks the substituter for the path, which should be there because Hydra will have pre-built and pushed it | |
nix-store --realise "$toolPath" --add-root result | |
- name: Running nixpkgs-check-by-name | |
run: | | |
if result/bin/nixpkgs-check-by-name --base "$base" .; then | |
exit 0 | |
else | |
exitCode=$? | |
echo "To run locally: ./maintainers/scripts/check-by-name.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git" | |
exit "$exitCode" | |
fi |