workflows: move eval from push to queue

Running eval in the merge queue prevents eval failures after merging multiple PRs with semantic merge conflicts. It's also the base for allowing more sophisticated checks about rebuild counts in the merge queue later. When branches are directly pushed to, such as for periodic merges, this will not run Eval immediately. However, the next PR will run it as part of its Eval step and will cache the results. Any further PR will then benefit from the same caching again. This also avoids running Eval twice when pushing to staging-next or haskell-updates, where a PR is open at the same time. Here, the PR's Eval still runs on the push, of course.
2025-11-09 16:18:34 +01:00 · 2025-10-14 12:15:05 +02:00 · 2025-10-14 12:15:05 +02:00 · 17eb6dcb27
parent 1506cdec76
commit 17eb6dcb27
4 changed files with 33 additions and 70 deletions
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@ -139,7 +139,7 @@ jobs:
        if: inputs.targetSha
        env:
          MATRIX_SYSTEM: ${{ matrix.system }}
-        # This should be very quick, because it pulls the eval results from Cachix.
+        # This is very quick, because it pulls the eval results from Cachix.
        run: |
          nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A eval.singleSystem \
            --argstr evalSystem "$MATRIX_SYSTEM" \
--- a/.github/workflows/merge-group.yml
+++ b/.github/workflows/merge-group.yml
@ -17,6 +17,21 @@ on:
 permissions: {}

 jobs:
+  prepare:
+    runs-on: ubuntu-24.04-arm
+    outputs:
+      systems: ${{ steps.systems.outputs.systems }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          sparse-checkout: |
+            ci/supportedSystems.json
+
+      - name: Load supported systems
+        id: systems
+        run: |
+          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
+
  lint:
    name: Lint
    uses: ./.github/workflows/lint.yml
@ -26,6 +41,21 @@ jobs:
      mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}
      targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }}

+  eval:
+    name: Eval
+    needs: [prepare]
+    uses: ./.github/workflows/eval.yml
+    # The eval workflow requests these permissions so we must explicitly allow them,
+    # even though they are unused when working with the merge queue.
+    permissions:
+      # compare
+      statuses: write
+    secrets:
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+    with:
+      mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}
+      systems: ${{ needs.prepare.outputs.systems }}
+
  # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block the Merge Queue.
  unlock:
@ -33,6 +63,7 @@ jobs:
    # Modify this list to add or remove jobs from required status checks.
    needs:
      - lint
+      - eval
    runs-on: ubuntu-24.04-arm
    permissions:
      statuses: write
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@ -1,50 +0,0 @@
-name: Push
-
-on:
-  push:
-    branches:
-      - master
-      - staging
-      - release-*
-      - staging-*
-      - haskell-updates
-  workflow_call:
-    inputs:
-      mergedSha:
-        required: true
-        type: string
-    secrets:
-      CACHIX_AUTH_TOKEN:
-        required: true
-
-permissions: {}
-
-jobs:
-  prepare:
-    runs-on: ubuntu-24.04-arm
-    outputs:
-      systems: ${{ steps.systems.outputs.systems }}
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          sparse-checkout: |
-            ci/supportedSystems.json
-
-      - name: Load supported systems
-        id: systems
-        run: |
-          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
-
-  eval:
-    name: Eval
-    needs: [prepare]
-    uses: ./.github/workflows/eval.yml
-    # Those are not actually used on push, but will throw an error if not set.
-    permissions:
-      # compare
-      statuses: write
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-    with:
-      mergedSha: ${{ inputs.mergedSha || github.sha }}
-      systems: ${{ needs.prepare.outputs.systems }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -48,6 +48,7 @@ jobs:
            })).map(file => file.filename)

            if (files.some(file => [
+              '.github/workflows/eval.yml',
              '.github/workflows/lint.yml',
              '.github/workflows/merge-group.yml',
              '.github/workflows/test.yml',
@ -65,12 +66,6 @@ jobs:
              '.github/workflows/test.yml',
            ].includes(file))) core.setOutput('pr', true)

-            if (files.some(file => [
-              '.github/workflows/eval.yml',
-              '.github/workflows/push.yml',
-              '.github/workflows/test.yml',
-            ].includes(file))) core.setOutput('push', true)
-
  merge-group:
    if: needs.prepare.outputs.merge-group
    name: Merge Group
@ -98,16 +93,3 @@ jobs:
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-
-  push:
-    if: needs.prepare.outputs.push
-    name: Push
-    needs: [prepare]
-    uses: ./.github/workflows/push.yml
-    # Those are not actually used on the push or pull_request events, but will throw an error if not set.
-    permissions:
-      statuses: write
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-    with:
-      mergedSha: ${{ needs.prepare.outputs.mergedSha }}