actions/checkout: handle ci/pinned.json bump commits

Matt Sturgeon 2026-01-16 16:49:07 +00:00 committed by Dyego Aurélio
parent de3f7ce15a
commit 4787f35ede


@ -7,6 +7,8 @@ inputs:
description: "Whether and which SHA to checkout for the merge commit in the ./nixpkgs/untrusted folder."
target-as-trusted-at:
description: "Whether and which SHA to checkout for the target commit in the ./nixpkgs/trusted folder."
untrusted-pin-bump:
description: "Commit that bumps ci/pinned.json; when set, ./nixpkgs/untrusted and ./nixpkgs/untrusted-pinned are derived from this commit."
runs:
using: composite
@ -15,6 +17,7 @@ runs:
env:
MERGED_SHA: ${{ inputs.merged-as-untrusted-at }}
TARGET_SHA: ${{ inputs.target-as-trusted-at }}
PIN_BUMP_SHA: ${{ inputs.untrusted-pin-bump }}
with:
script: |
const { spawn } = require('node:child_process')
@ -52,13 +55,18 @@ runs:
return pinned.pins.nixpkgs.revision
}
const pin_bump_sha = process.env.PIN_BUMP_SHA
// When dealing with a pin bump commit, we need `--depth=2` to view & apply its diff
const depth = pin_bump_sha ? 2 : 1
const commits = [
{
sha: process.env.MERGED_SHA,
path: 'untrusted',
},
{
sha: await getPinnedSha(process.env.MERGED_SHA),
sha: await getPinnedSha(pin_bump_sha || process.env.MERGED_SHA),
path: 'untrusted-pinned'
},
{
@ -68,14 +76,17 @@ runs:
{
sha: await getPinnedSha(process.env.TARGET_SHA),
path: 'trusted-pinned'
},
{
sha: pin_bump_sha
}
].filter(({ sha }) => Boolean(sha))
console.log('Checking out the following commits:', commits)
console.log('Fetching the following commits:', commits)
// Fetching all commits at once is much faster than doing multiple checkouts.
// This would fail without --refetch, because the we had a partial clone before, but changed it above.
await run('git', 'fetch', '--depth=1', '--refetch', 'origin', ...(commits.map(({ sha }) => sha)))
await run('git', 'fetch', `--depth=${depth}`, '--refetch', 'origin', ...(commits.map(({ sha }) => sha)))
// Checking out onto tmpfs takes 1s and is faster by at least factor 10x.
await run('mkdir', 'nixpkgs')
@ -89,8 +100,27 @@ runs:
}
// Create all worktrees in parallel.
await Promise.all(commits.map(async ({ sha, path }) => {
await run('git', 'worktree', 'add', join('nixpkgs', path), sha, '--no-checkout')
await run('git', '-C', join('nixpkgs', path), 'sparse-checkout', 'disable')
await run('git', '-C', join('nixpkgs', path), 'checkout', '--progress')
}))
await Promise.all(
commits
.filter(({ path }) => Boolean(path))
.map(async ({ sha, path }) => {
await run('git', 'worktree', 'add', join('nixpkgs', path), sha, '--no-checkout')
await run('git', '-C', join('nixpkgs', path), 'sparse-checkout', 'disable')
await run('git', '-C', join('nixpkgs', path), 'checkout', '--progress')
})
)
// Apply pin bump to untrusted worktree
if (pin_bump_sha) {
console.log('Applying untrusted ci/pinned.json bump:', pin_bump_sha)
try {
await run('git', '-C', join('nixpkgs', 'untrusted'), 'cherry-pick', '--no-commit', pin_bump_sha)
} catch {
core.setFailed([
`Failed to apply ci/pinned.json bump commit ${pin_bump_sha}.`,
`This commit does not apply cleanly onto the untrusted base ${process.env.MERGED_SHA}.`,
`Please rebase the PR or ensure the pin bump is standalone.`
].join(' '))
return
}
}
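Review bot: The bare `catch {` around the cherry-pick in the last hunk discards the underlying git error, and the `core.setFailed` text then reports every failure as a commit that does not apply cleanly. A missing object, or a merge commit passed as `untrusted-pin-bump` (which `git cherry-pick` rejects without `-m`), would be reported the same way. Binding the error and logging it, `} catch (err) {` followed by `core.error(err)`, keeps the real cause in the job log. Separately, nothing in the visible hunks checks that the commit changes only `ci/pinned.json` before its whole diff is staged into `nixpkgs/untrusted` with `--no-commit`; if the caller does not already enforce that, a changed-paths check before the cherry-pick would hold the step to what the input description promises. The script body starts and ends outside these hunks, so `run` and any later use of the worktrees are not visible here.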