Merge pull request #63 from tweag/channel-pin.yml

Test channel pinning

.github/CODEOWNERS

@@ -17,6 +17,7 @@
 # GitHub actions
 /.github/workflows @NixOS/Security @Mic92 @zowoq
 /.github/workflows/merge-staging @FRidh
+/.github/workflows/channel-pin.yml @infinisil
 
 # EditorConfig
 /.editorconfig @Mic92 @zowoq
@@ -29,6 +30,7 @@
 /lib/debug.nix              @edolstra @Profpatsch
 /lib/asserts.nix            @edolstra @Profpatsch
 /lib/path.*                 @infinisil @fricklerhandwerk
+/lib/channel.*              @infinisil
 
 # Nixpkgs Internals
 /default.nix                                     @Ericson2314

.github/workflows/channel-pin.yml

@@ -0,0 +1,118 @@
+name: Update channel pins
+
+on:
+  push:
+    branches:
+      - nixos-unstable
+      # Any release branches like nixos-23.05
+      - 'nixos-[0-9][0-9].[0-9][0-9]'
+
+# cancel any other workflows in progress
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+# Needed to create PRs
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update_pin:
+    name: Update channel pin
+    runs-on: ubuntu-latest
+    steps:
+      - uses: cachix/install-nix-action@v22
+      - name: Compute development branch
+        id: dev-branch
+        run: |
+          if [[ "$GITHUB_REF_NAME" == nixos-unstable ]]; then
+            branch=master
+          else
+            # Removes the "nixos" prefix and replaces it with "release"
+            branch=release${GITHUB_REF_NAME#nixos}
+          fi
+          echo "branch=$branch" >> "$GITHUB_OUTPUT"
+      - name: Check out development branch
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ steps.dev-branch.outputs.branch }}
+      - name: Update pin
+        id: update
+        run: |
+          newRev=$GITHUB_SHA
+          pinFile=lib/channel/pin.json
+
+          echo "Fetching new revision $newRev"
+          stdout=$(nix-prefetch-url \
+              "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/tarball/$newRev" \
+              --type sha256 --unpack --print-path --name nixpkgs)
+          mapfile -t newInfo <<<"$stdout"
+          newHash=${newInfo[0]}
+          newPath=${newInfo[1]}
+          newPinFileContents=$(jq -n \
+              --arg rev "$newRev" \
+              --arg sha256 "$newHash" \
+              '$ARGS.named')
+
+          echo -e "File $pinFile would be updated to:\n$newPinFileContents"
+
+          echo "Comparing this with the revision of the existing file"
+          if ! oldRev=$(jq -r '.rev' "$pinFile"); then
+            echo "There is no existing file, make sure to initialize it properly, possibly using the above value"
+            exit 1
+          else
+            echo "The existing file has revision $oldRev, now fetching that too"
+            stdout=$(nix-prefetch-url \
+                "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/tarball/$oldRev" \
+                --type sha256 --unpack --print-path --name nixpkgs)
+            mapfile -t newInfo <<<"$stdout"
+            oldHash=${oldInfo[0]}
+            oldPath=${oldInfo[1]}
+
+            change_url="$GITHUB_SERVER_URL"/"$GITHUB_REPOSITORY"/compare/"$oldRev".."$newRev"
+
+            echo "Checking if anything other than $pinFile changed between $oldRev and $newRev"
+            # Only don't make a PR if only the pin file changed, not if it was added/removed
+            if [[ -f "$oldPath"/"$pinFile" ]] \
+              && [[ -f "$newPath"/"$pinFile" ]] \
+              && diff --recursive --exclude "$pinFile" "$oldPath" "$newPath"; then
+              echo "Nothing changed, no PR to update the pin necessary"
+              create_pr=
+            else
+              echo "The channel changed, PR to update the pin is necessary"
+              create_pr=1
+            fi
+          fi
+          echo "create_pr=$create_pr" >> "$GITHUB_OUTPUT"
+
+          if [[ -n "$create_pr" ]]; then
+            echo "Updating $pinFile"
+            printf "%s\n" "$newPinFileContents" > "$pinFile"
+
+            echo "Assembling PR title and body"
+            if [[ "$GITHUB_REF_NAME" != nixos-unstable ]]; then
+              pr_title="[${GITHUB_REF_NAME#nixos-}] "
+            fi
+            pr_title="${pr_title}Update pinned channel commit"
+
+            pr_body_path=$(mktemp)
+            {
+              echo "Automated PR to update the pin of the $GITHUB_REF_NAME channel in the ${{ steps.dev_branch.outputs.branch }} branch to the latest commit $GITHUB_SHA."
+              echo ""
+              echo "[Channel changes]($change_url)"
+            } > "$pr_body_path"
+
+            echo "pr_title=$pr_title" >> "$GITHUB_OUTPUT"
+            echo "pr_body_path=$pr_body_path" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v5
+        if: ${{ steps.update.outputs.create_pr != '' }}
+        with:
+          branch: "update-channel-pin/${{ steps.dev-branch.outputs.branch }}"
+          commit-message: "Update pinned channel commit"
+          title: "${{ steps.update.outputs.pr_title }}"
+          author: "GitHub <[email protected]>"
+          body-path: "${{ steps.update.outputs.pr_body_path }}"
+

lib/channel/default.nix

@@ -0,0 +1,9 @@
+{ lib }:
+{
+  latestKnownNixOSChannelInfo = lib.importJSON ./pin.json;
+
+  latestKnownNixOSChannel = fetchTarball {
+    url = "https://github.com/NixOS/nixpkgs/tarball/${lib.channel.latestKnownNixOSChannelInfo.rev}";
+    sha256 = lib.channel.latestKnownNixOSChannelInfo.sha256;
+  };
+}

lib/channel/pin.json

@@ -0,0 +1,4 @@
+{
+  "rev": "fbd622ff29c52a591f9f7c110f2694b18c5590b3",
+  "sha256": "1f3f0y0lvndmxqna0dbvdfdwy4czfc7bw0s0sfwcq9w9m2bc0jc2"
+}

lib/default.nix

@@ -63,6 +63,8 @@ let
     # linux kernel configuration
     kernel = callLibs ./kernel.nix;
 
+    channel = callLibs ./channel;
+
     inherit (builtins) add addErrorContext attrNames concatLists
       deepSeq elem elemAt filter genericClosure genList getAttr
       hasAttr head isAttrs isBool isInt isList isPath isString length