Running the nixpkgs-merge-bot in GitHub Actions instead of a separate workflow has multiple advantages: - A much better development workflow, with improved testability. - The ability to label PRs with a "merge-bot eligible" label from the same codebase. - Using more data for merge strategy decisions, for example the number of rebuilds. This commit re-implements most of the features from the current nixpkgs-merge-bot directly in the bot workflow. Instead of reacting to webhook events, this now runs on the regular 10 minute schedule. Some merges might be delayed a few minutes, but that should not be a problem in practice. To give the user early feedback, there are additional workflows running when a comment or review is posted. These react with "eyes" to make the user aware that the comment has been recognized. The only feature not taken over was the size check for files in the PR. This kind of check is not really relevant for maintainer merges only - if we want to prevent bigger files from making it into the tree, then we need a generic CI check, which is out of scope for the merge-bot. Other than that, everything should be implemented - any omissions are by accident.
# WARNING:
# When extending this action, be aware that $GITHUB_TOKEN allows some write
# access to the GitHub API. This means that it should not evaluate user input in
# a way that allows code injection.
#
# Tokens used by this workflow, in order of preference (see the `|| github.token`
# fallbacks below):
#   1. a short-lived GitHub App installation token minted in the `app-token` step,
#      scoped to the `permission-*` entries listed there;
#   2. the default `github.token`, scoped by the top-level `permissions:` block.
# User-controlled data (`inputs.headBranch`, PR bodies, comments) is only consumed
# inside `if:` expressions and by `bot.js` - never interpolated into a `run:` shell
# line.

name: Bot

on:
  # Every 10 minutes, offset by 7 minutes from the full hour.
  schedule:
    - cron: '07,17,27,37,47,57 * * * *'
  # Called from other workflows; `github.event_name` is then the caller's event
  # (the labeler steps below check for `pull_request_target`).
  workflow_call:
    inputs:
      # JSON-encoded description of the PR head branch; only its `.type` field
      # is read here, via fromJSON() in `if:` expressions.
      headBranch:
        required: true
        type: string
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY:
        required: true
  workflow_dispatch:

concurrency:
  # This explicitly avoids using `run_id` for the concurrency key to make sure that only
  # *one* scheduled run can run at a time.
  # For scheduled runs `github.event.pull_request.number` is empty, so all of them
  # share the same group.
  group: bot-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number }}
  # PR-triggered runs will be cancelled, but scheduled runs will be queued.
  cancel-in-progress: ${{ github.event_name != 'schedule' }}

# This is used as fallback without app only.
# This happens when testing in forks without setting up that app.
# Note that this fallback grants no `contents` permission: the default token can
# comment and label, but cannot push or merge - only the App token can.
# NOTE(review): the three labeler steps below use the App token without the
# `|| github.token` fallback, so they receive an empty token when the App is not
# configured - presumably intentional (labeling is skipped in forks); confirm.
permissions:
  issues: write
  pull-requests: write

defaults:
  run:
    shell: bash

jobs:
  run:
    runs-on: ubuntu-24.04-arm
    # Scheduled runs only happen in the upstream repository, so forks that
    # inherit the cron entry do not run the bot against their own PRs.
    if: github.event_name != 'schedule' || github.repository_owner == 'NixOS'
    env:
      # TODO: Remove after 2026-03-04, when Node 24 becomes the default.
      # https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
      FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
    steps:
      # Actions are pinned to full commit SHAs (the trailing comment records the
      # tag) so that a moved tag cannot change what runs here.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Do not leave the token in the checked-out .git config; every later
          # step that needs a token receives it explicitly via `env:` or `with:`.
          persist-credentials: false
          # Only the bot's script directory is needed (see `require` below).
          sparse-checkout: |
            ci/github-script

      - name: Install dependencies
        # NOTE(review): versions are unpinned here, so each run installs whatever
        # is current on the registry; pinning (or a committed lockfile) would make
        # the dependency set reproducible and auditable.
        run: npm install @actions/artifact bottleneck

      # Use a GitHub App, because it has much higher rate limits: 12,500 instead of 5,000 req / hour.
      # Skipped on `pull_request` events, so no write-capable App token is minted
      # for runs triggered by PR code, and skipped when the App is not configured
      # (forks). The minted token is limited to the three permissions listed.
      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-contents: write
          permission-issues: write
          permission-pull-requests: write

      # Rate limits are logged before and after the bot (and again after the
      # labelers) so a run's API consumption can be read off the job log.
      - name: Log current API rate limits
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
        run: gh api /rate_limit | jq

      - name: Run bot
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          # App token when minted above, otherwise the (less privileged) default token.
          github-token: ${{ steps.app-token.outputs.token || github.token }}
          # Retries of failed API requests inside github-script.
          retries: 3
          script: |
            require('./ci/github-script/bot.js')({
              github,
              context,
              core,
              // `pull_request` runs never have the App token (see `app-token`
              // above); `dry` presumably keeps bot.js from writing anything in
              // that mode - confirm against ci/github-script/bot.js.
              dry: context.eventName == 'pull_request'
            })

      - name: Log current API rate limits
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
        run: gh api /rate_limit | jq

      # `inputs.headBranch` is untrusted JSON from the caller; it is only parsed
      # by fromJSON() inside `if:` expressions here, which is safe with respect
      # to the injection warning at the top of this file.
      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        name: Labels from touched files
        if: |
          github.event_name == 'pull_request_target' &&
          !contains(fromJSON(inputs.headBranch).type, 'development')
        with:
          # App token only - no fallback to `github.token` (see note on `permissions:`).
          repo-token: ${{ steps.app-token.outputs.token }}
          configuration-path: .github/labeler.yml # default
          # Labels no longer matching any rule are removed again.
          sync-labels: true

      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        name: Labels from touched files (no sync)
        if: |
          github.event_name == 'pull_request_target' &&
          !contains(fromJSON(inputs.headBranch).type, 'development')
        with:
          repo-token: ${{ steps.app-token.outputs.token }}
          configuration-path: .github/labeler-no-sync.yml
          # Labels from this configuration are only ever added, never removed.
          sync-labels: false

      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        name: Labels from touched files (development branches)
        # Development branches like staging-next, haskell-updates and python-updates get special labels.
        # This is to avoid the mass of labels there, which is mostly useless - and really annoying for
        # the backport labels.
        if: |
          github.event_name == 'pull_request_target' &&
          contains(fromJSON(inputs.headBranch).type, 'development')
        with:
          repo-token: ${{ steps.app-token.outputs.token }}
          configuration-path: .github/labeler-development-branches.yml
          sync-labels: true

      - name: Log current API rate limits
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
        run: gh api /rate_limit | jq
|