From 0605d8f0bb09322ff03cb925fe9cda9f98e3abb3 Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Thu, 18 Apr 2024 01:08:36 +0200 Subject: [PATCH 1/5] Only release after a successful CI step This prevents releasing if a merge commit doesn't pass CI. This can happen as such: - Two PRs get opened, CI runs successfully against the current base branch for both - Both get merged, both of them combined would fail CI though --- .github/workflows/main.yml | 55 ++++++++++++++++++++++++++++++ .github/workflows/release.yml | 63 ----------------------------------- 2 files changed, 55 insertions(+), 63 deletions(-) delete mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 36d9200..37d7d65 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -3,6 +3,9 @@ on: pull_request: branches: - main + push: + branches: + - main jobs: build: @@ -15,6 +18,12 @@ jobs: - name: build run: nix-build -A ci + - name: release + if: ${{ github.event_name == 'push' }} + run: scripts/release.sh + env: + GH_TOKEN: ${{ github.token }} + test-update: runs-on: ubuntu-latest steps: 
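Review bot: The new `release` step publishes with `GH_TOKEN: ${{ github.token }}`, but the workflow declares no `permissions:` block, so whether that token may write `contents` depends on the repository's default token setting — and if that default is write-all, the `pull_request` runs of this same `build` job inherit write access they never need. Make the grant explicit and as narrow as the job allows, e.g. `permissions:` / `  contents: write` on the `build` job with a workflow-level `permissions: contents: read`; since the release step is gated only by `if: github.event_name == 'push'` inside the shared job, the PR runs will still carry that job-level grant, which is worth a comment if you accept it. The `jobs:`/`build:` header this step sits under starts before the hunk.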
@@ -34,3 +43,49 @@ jobs: } > $GITHUB_STEP_SUMMARY env: GH_TOKEN: ${{ github.token }} + + nixpkgs-pr: + runs-on: ubuntu-latest + if: ${{ github.event_name == 'push' }} + needs: build + steps: + - uses: actions/checkout@v4 + with: + repository: NixOS/nixpkgs + + - name: Get the Nixpkgs rev + run: echo "rev=$(git rev-parse HEAD)" >> $GITHUB_ENV + + - name: Get version before + run: echo "before=$(> $GITHUB_ENV + + - name: Update the version + # We run bash explicitly instead of using the files shebang, + # because the shebang is using nix-shell with dependencies we already have by default + run: bash pkgs/test/check-by-name/update-pinned-tool.sh + + - name: Get version after + run: echo "after=$(> $GITHUB_ENV + + - name: Create Pull Request + uses: peter-evans/create-pull-request@v6 + with: + # To trigger CI for automated PRs, we use a separate machine account + # See https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#workarounds-to-trigger-further-workflow-runs + # and https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#push-pull-request-branches-to-a-fork + token: ${{ secrets.MACHINE_USER_PAT }} + push-to-fork: infinixbot/nixpkgs + committer: infinixbot + author: infinixbot + branch: update/nixpkgs-check-by-name + commit-message: | + nixpkgs-check-by-name: ${{ env.before }} -> ${{ env.after }} + + https://github.com/NixOS/nixpkgs-check-by-name/releases/tag/${{ env.after }} + title: "nixpkgs-check-by-name: ${{ env.before }} -> ${{ env.after }}" + body: > + This is an automated PR to update the version of [nixpkgs-check-by-name](https://github.com/NixOS/nixpkgs-check-by-name), + which is used by CI to [check the `pkgs/by-name`](https://github.com/NixOS/nixpkgs/tree/${{ env.rev }}/pkgs/by-name#validation) directory. 
+ The update was performed by running [`pkgs/test/check-by-name/update-pinned-tool.sh`](https://github.com/NixOS/nixpkgs/tree/${{ env.rev }}/pkgs/test/check-by-name#update-pinned-toolsh). + + This PR updates the tool to [version ${{ env.after }}](https://github.com/NixOS/nixpkgs-check-by-name/releases/tag/${{ env.after }}). diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index 6b78354..0000000 --- a/.github/workflows/release.yml +++ /dev/null 
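Review bot: The `Create Pull Request` step hands `secrets.MACHINE_USER_PAT` — a credential that can push to `infinixbot/nixpkgs` — to the third-party action `peter-evans/create-pull-request@v6`, and `v6` is a mutable tag the upstream can point at any commit. For a step that receives a long-lived PAT, pin the action to the full commit SHA of the release you validated and keep the version as a trailing comment, `uses: peter-evans/create-pull-request@<full commit sha>  # v6`, so a moved tag cannot swap in different code; `actions/checkout@v4` is first-party and lower risk. The `before`/`after` values interpolated into the PR title and body come from commands whose text is truncated in this rendering, so I cannot confirm what they read.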
@@ -1,63 +0,0 @@ -name: CD -on: - push: - branches: - - main - -jobs: - release: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - uses: cachix/install-nix-action@v26 - - - name: release - run: scripts/release.sh - env: - GH_TOKEN: ${{ github.token }} - - nixpkgs-pr: - runs-on: ubuntu-latest - needs: release - steps: - - uses: actions/checkout@v4 - with: - repository: NixOS/nixpkgs - - - name: Get the Nixpkgs rev - run: echo "rev=$(git rev-parse HEAD)" >> $GITHUB_ENV - - - name: Get version before - run: echo "before=$(> $GITHUB_ENV - - - name: Update the version - # We run bash explicitly instead of using the files shebang, - # because the shebang is using nix-shell with dependencies we already have by default - run: bash pkgs/test/check-by-name/update-pinned-tool.sh - - - name: Get version after - run: echo "after=$(> $GITHUB_ENV - - - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 - with: - # To trigger CI for automated PRs, we use a separate machine account - # See https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#workarounds-to-trigger-further-workflow-runs - # and https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#push-pull-request-branches-to-a-fork - token: ${{ secrets.MACHINE_USER_PAT }} - push-to-fork: infinixbot/nixpkgs - committer: infinixbot - author: infinixbot - branch: update/nixpkgs-check-by-name - commit-message: | - nixpkgs-check-by-name: ${{ env.before }} -> ${{ env.after }} - - https://github.com/NixOS/nixpkgs-check-by-name/releases/tag/${{ env.after }} - title: "nixpkgs-check-by-name: ${{ env.before }} -> ${{ env.after }}" - body: > - This is an automated PR to update the version of [nixpkgs-check-by-name](https://github.com/NixOS/nixpkgs-check-by-name), - which is used by CI to [check the `pkgs/by-name`](https://github.com/NixOS/nixpkgs/tree/${{ env.rev }}/pkgs/by-name#validation) directory. 
- The update was performed by running [`pkgs/test/check-by-name/update-pinned-tool.sh`](https://github.com/NixOS/nixpkgs/tree/${{ env.rev }}/pkgs/test/check-by-name#update-pinned-toolsh). - - This PR updates the tool to [version ${{ env.after }}](https://github.com/NixOS/nixpkgs-check-by-name/releases/tag/${{ env.after }}). From c62c738819a6a9994a8f93c5621068b972e1e8b3 Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Thu, 18 Apr 2024 01:30:36 +0200 Subject: [PATCH 2/5] Ensure the release script isn't run in parallel --- .github/workflows/main.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 37d7d65..b0da4b9 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -7,6 +7,20 @@ on: branches: - main +# This makes sure to only run one instance of this workflow per individual PR and pushes. +# We need this especially for the release step, because it has side effects. +# But it's also good in general, there's no need to finish action runs for commits +# when you push another one right after. +# Assumption: We push less frequently than it takes for this workflow to finish +concurrency: + # For a push to the main branch, github.ref is refs/heads/ + # For a pull request, github.ref is refs/pull//merge + group: ${{ github.ref }} + # We don't want to cancel in progress workflows for pushes to the main branch, + # because it could be in the process of doing a release. + # Better wait until it's done + cancel-in-progress: ${{ github.event_name != 'pull' }} + jobs: build: runs-on: ubuntu-latest From 9aec1c42a200204f6e5324e1fb9efd7789df3ed1 Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Thu, 18 Apr 2024 01:31:17 +0200 Subject: [PATCH 3/5] Ensure we release the commit we expect By default the target_commitish would be the _latest_ commit on the default branch, which could change underneath us --- scripts/release.sh | 2 ++ 1 file changed, 2 insertions(+) 
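Review bot: `cancel-in-progress: ${{ github.event_name != 'pull' }}` compares against an event name that does not exist — the event is `pull_request` — so the expression is `true` for both `push` and `pull_request`, and a push to `main` will cancel an in-flight run that may be mid-release, which is exactly what the comment directly above says must not happen. Change it to `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` so only PR runs are superseded and `main` runs queue behind each other as the comment intends. The `concurrency:` block is complete within this hunk; the surrounding `on:` and `jobs:` context starts before it.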
diff --git a/scripts/release.sh b/scripts/release.sh index b512e07..47cf528 100755 --- a/scripts/release.sh +++ b/scripts/release.sh @@ -13,6 +13,7 @@ nixeval() { # The system to pre-build the release for and distribute artifacts for system=x86_64-linux root=$(git rev-parse --show-toplevel) +rev=$(git -C "$root" rev-parse HEAD) repository=${GITHUB_REPOSITORY:-NixOS/nixpkgs-check-by-name} # Get the version from the Cargo.toml file @@ -55,6 +56,7 @@ if ! release=$(gh api \ -H "X-GitHub-Api-Version: 2022-11-28" \ /repos/"$repository"/releases \ -f tag_name="$version" \ + -f target_commitish="$rev" \ -f name="Version $version" \ -f body="$body" \ -F draft=true); then From 8cb18f79ac3d862ab71f4b875862c7c262391ac6 Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Thu, 18 Apr 2024 01:33:51 +0200 Subject: [PATCH 4/5] Simplify Nixpkgs PR action steps No need to have this many steps --- .github/workflows/main.yml | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b0da4b9..707626f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
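Review bot: `rev=$(git -C "$root" rev-parse HEAD)` anchors the release to whatever the checkout's HEAD happens to be, whereas the commit whose CI just passed is the one the run was triggered for; after `actions/checkout` on a push event the two coincide, but the script already prefers the Actions-provided value two lines down with `${GITHUB_REPOSITORY:-...}`, so mirroring that as `rev=${GITHUB_SHA:-$(git -C "$root" rev-parse HEAD)}` ties the release to the triggering commit in CI while keeping HEAD for local runs. Whether these assignments are inside `nixeval()` or at script top level is not visible from the hunk.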
@@ -67,19 +67,16 @@ jobs: with: repository: NixOS/nixpkgs - - name: Get the Nixpkgs rev - run: echo "rev=$(git rev-parse HEAD)" >> $GITHUB_ENV - - - name: Get version before - run: echo "before=$(> $GITHUB_ENV + - name: Update nixpkgs-check-by-name in Nixpkgs + run: | + echo "rev=$(git rev-parse HEAD)" >> $GITHUB_ENV + echo "before=$(> $GITHUB_ENV - - name: Update the version - # We run bash explicitly instead of using the files shebang, - # because the shebang is using nix-shell with dependencies we already have by default - run: bash pkgs/test/check-by-name/update-pinned-tool.sh + # We run bash explicitly instead of using the files shebang, + # because the shebang is using nix-shell with dependencies we already have by default + bash pkgs/test/check-by-name/update-pinned-tool.sh - - name: Get version after - run: echo "after=$(> $GITHUB_ENV + echo "after=$(> $GITHUB_ENV - name: Create Pull Request uses: peter-evans/create-pull-request@v6 From 9801aa7357083d789aa01cf3ef3ce62dab09448d Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Thu, 18 Apr 2024 06:58:59 +0200 Subject: [PATCH 5/5] Create Nixpkgs PRs with a separate workflow I didn't like how it would print for all PRs unnecessarily Furthermore it's cleaner if we trigger it based on when a release is published, instead of depending the build job --- .github/workflows/main.yml | 43 --------------------------------- .github/workflows/release.yml | 45 +++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 43 deletions(-) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 707626f..d2db5ef 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
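Review bot: In the merged `run: |` block, `echo "before=$(…)" >> $GITHUB_ENV` and `echo "after=$(…)" >> $GITHUB_ENV` hide the exit status of the inner command: under the default `bash -e` step shell only `echo`'s success is checked, so if the version lookup fails (its command text is truncated in this rendering, so I cannot tell what it runs) the job continues with an empty `after` and opens a PR titled `nixpkgs-check-by-name: … -> `. Assign first so `-e` trips on the substitution, `after=$(…)` then `echo "after=$after" >> "$GITHUB_ENV"`, and treat `before` and `rev` the same way. The `nixpkgs-pr` job header and the `Create Pull Request` step's inputs lie outside this hunk.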
@@ -57,46 +57,3 @@ jobs: } > $GITHUB_STEP_SUMMARY env: GH_TOKEN: ${{ github.token }} - - nixpkgs-pr: - runs-on: ubuntu-latest - if: ${{ github.event_name == 'push' }} - needs: build - steps: - - uses: actions/checkout@v4 - with: - repository: NixOS/nixpkgs - - - name: Update nixpkgs-check-by-name in Nixpkgs - run: | - echo "rev=$(git rev-parse HEAD)" >> $GITHUB_ENV - echo "before=$(> $GITHUB_ENV - - # We run bash explicitly instead of using the files shebang, - # because the shebang is using nix-shell with dependencies we already have by default - bash pkgs/test/check-by-name/update-pinned-tool.sh - - echo "after=$(> $GITHUB_ENV - - - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 - with: - # To trigger CI for automated PRs, we use a separate machine account - # See https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#workarounds-to-trigger-further-workflow-runs - # and https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#push-pull-request-branches-to-a-fork - token: ${{ secrets.MACHINE_USER_PAT }} - push-to-fork: infinixbot/nixpkgs - committer: infinixbot - author: infinixbot - branch: update/nixpkgs-check-by-name - commit-message: | - nixpkgs-check-by-name: ${{ env.before }} -> ${{ env.after }} - - https://github.com/NixOS/nixpkgs-check-by-name/releases/tag/${{ env.after }} - title: "nixpkgs-check-by-name: ${{ env.before }} -> ${{ env.after }}" - body: > - This is an automated PR to update the version of [nixpkgs-check-by-name](https://github.com/NixOS/nixpkgs-check-by-name), - which is used by CI to [check the `pkgs/by-name`](https://github.com/NixOS/nixpkgs/tree/${{ env.rev }}/pkgs/by-name#validation) directory. - The update was performed by running [`pkgs/test/check-by-name/update-pinned-tool.sh`](https://github.com/NixOS/nixpkgs/tree/${{ env.rev }}/pkgs/test/check-by-name#update-pinned-toolsh). 
- - This PR updates the tool to [version ${{ env.after }}](https://github.com/NixOS/nixpkgs-check-by-name/releases/tag/${{ env.after }}). diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..0104a85 --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,45 @@ +on: + release: + types: [published] + +jobs: + create-pr: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + repository: NixOS/nixpkgs + + - name: Update nixpkgs-check-by-name in Nixpkgs + run: | + echo "rev=$(git rev-parse HEAD)" >> $GITHUB_ENV + echo "before=$(> $GITHUB_ENV + + # We run bash explicitly instead of using the files shebang, + # because the shebang is using nix-shell with dependencies we already have by default + bash pkgs/test/check-by-name/update-pinned-tool.sh + + echo "after=$(> $GITHUB_ENV + + - name: Create Pull Request + uses: peter-evans/create-pull-request@v6 + with: + # To trigger CI for automated PRs, we use a separate machine account + # See https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#workarounds-to-trigger-further-workflow-runs + # and https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#push-pull-request-branches-to-a-fork + token: ${{ secrets.MACHINE_USER_PAT }} + push-to-fork: infinixbot/nixpkgs + committer: infinixbot + author: infinixbot + branch: update/nixpkgs-check-by-name + commit-message: | + nixpkgs-check-by-name: ${{ env.before }} -> ${{ env.after }} + + https://github.com/NixOS/nixpkgs-check-by-name/releases/tag/${{ env.after }} + title: "nixpkgs-check-by-name: ${{ env.before }} -> ${{ env.after }}" + body: > + This is an automated PR to update the version of [nixpkgs-check-by-name](https://github.com/NixOS/nixpkgs-check-by-name), + which is used by CI to [check the `pkgs/by-name`](https://github.com/NixOS/nixpkgs/tree/${{ env.rev }}/pkgs/by-name#validation) directory. + The update was performed by running [`pkgs/test/check-by-name/update-pinned-tool.sh`](https://github.com/NixOS/nixpkgs/tree/${{ env.rev }}/pkgs/test/check-by-name#update-pinned-toolsh). + + This PR updates the tool to [version ${{ env.after }}](https://github.com/NixOS/nixpkgs-check-by-name/releases/tag/${{ env.after }}).
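Review bot: The new workflow declares no `permissions:` even though its only credential need is the separately supplied `secrets.MACHINE_USER_PAT`; no step uses the automatic `GITHUB_TOKEN`, so add `permissions: {}` at the top of the file to drop the default grant — the job runs `update-pinned-tool.sh` from an unpinned default-branch checkout of `NixOS/nixpkgs`, and with an empty grant that code finds no usable repo token. Since `release.sh` creates the release with `draft=true`, `release: types: [published]` only fires when a maintainer publishes the draft, which is presumably intended but deserves a comment above the trigger, e.g. `# Fires when the draft created by scripts/release.sh is published, not on every push`. The deleted file carried `name: CD`; without a `name:` the runs are listed under the file path, so consider restoring it.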