From 5301ce6d1c28f473f920f51c8c5102092096bd8e Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Tue, 29 Aug 2023 01:34:02 +0200 Subject: [PATCH] Pin channel --- .github/CODEOWNERS | 2 + .github/workflows/channel-pin.yml | 118 ++++++++++++++++++++++++++++++ lib/channel/default.nix | 9 +++ lib/channel/pin.json | 4 + lib/default.nix | 2 + 5 files changed, 135 insertions(+) create mode 100644 .github/workflows/channel-pin.yml create mode 100644 lib/channel/default.nix create mode 100644 lib/channel/pin.json diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index ba5bf4eef25d1..999c31e2f68ca 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -17,6 +17,7 @@ # GitHub actions /.github/workflows @NixOS/Security @Mic92 @zowoq /.github/workflows/merge-staging @FRidh +/.github/workflows/channel-pin.yml @infinisil # EditorConfig /.editorconfig @Mic92 @zowoq @@ -29,6 +30,7 @@ /lib/debug.nix @edolstra @Profpatsch /lib/asserts.nix @edolstra @Profpatsch /lib/path.* @infinisil @fricklerhandwerk +/lib/channel.* @infinisil # Nixpkgs Internals /default.nix @Ericson2314 diff --git a/.github/workflows/channel-pin.yml b/.github/workflows/channel-pin.yml new file mode 100644 index 0000000000000..bd610d25ab8d8 --- /dev/null +++ b/.github/workflows/channel-pin.yml 
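Review bot: Adding `/.github/workflows/channel-pin.yml @infinisil` as a separate pattern below the general `/.github/workflows @NixOS/Security @Mic92 @zowoq` rule removes the security team from automatic review requests for this file, because GitHub resolves CODEOWNERS by the last matching pattern. For a workflow that runs with `contents: write` and `pull-requests: write` (see the channel-pin.yml hunk) that is a larger review-gating change than the one-line diff suggests. The existing `/.github/workflows/merge-staging @FRidh` line follows the same convention, so this may be deliberate, but I would keep the security owners on the file explicitly: `/.github/workflows/channel-pin.yml @NixOS/Security @Mic92 @zowoq @infinisil`.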
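Review bot: `/lib/channel.* @infinisil` most likely does not match the files this patch adds, which live in the directory `lib/channel/` (`default.nix`, `pin.json`): with gitignore-style globbing `*` does not cross `/`, so `channel.*` only matches paths such as `lib/channel.nix`. If the intent is ownership of the new directory, the pattern should be `/lib/channel/ @infinisil` (or `/lib/channel/** @infinisil`). The existing `/lib/path.*` line has the same shape, but that is outside this change.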
@@ -0,0 +1,118 @@ +name: Update channel pins + +on: + push: + branches: + - nixos-unstable + # Any release branches like nixos-23.05 + - 'nixos-[0-9][0-9].[0-9][0-9]' + +# cancel any other workflows in progress +concurrency: + group: ${{ github.ref }} + cancel-in-progress: true + +# Needed to create PRs +permissions: + contents: write + pull-requests: write + +jobs: + update_pin: + name: Update channel pin + runs-on: ubuntu-latest + steps: + - uses: cachix/install-nix-action@v22 + - name: Compute development branch + id: dev-branch + run: | + if [[ "$GITHUB_REF_NAME" == nixos-unstable ]]; then + branch=master + else + # Removes the "nixos" prefix and replaces it with "release" + branch=release${GITHUB_REF_NAME#nixos} + fi + echo "branch=$branch" >> "$GITHUB_OUTPUT" + - name: Check out development branch + uses: actions/checkout@v3 + with: + ref: ${{ steps.dev-branch.outputs.branch }} + - name: Update pin + id: update + run: | + newRev=$GITHUB_SHA + pinFile=lib/channel/pin.json + + echo "Fetching new revision $newRev" + stdout=$(nix-prefetch-url \ + "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/tarball/$newRev" \ + --type sha256 --unpack --print-path --name nixpkgs) + mapfile -t newInfo <<<"$stdout" + newHash=${newInfo[0]} + newPath=${newInfo[1]} + newPinFileContents=$(jq -n \ + --arg rev "$newRev" \ + --arg sha256 "$newHash" \ + '$ARGS.named') + + echo -e "File $pinFile would be updated to:\n$newPinFileContents" + + echo "Comparing this with the revision of the existing file" + if ! 
oldRev=$(jq -r '.rev' "$pinFile"); then + echo "There is no existing file, make sure to initialize it properly, possibly using the above value" + exit 1 + else + echo "The existing file has revision $oldRev, now fetching that too" + stdout=$(nix-prefetch-url \ + "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/tarball/$oldRev" \ + --type sha256 --unpack --print-path --name nixpkgs) + mapfile -t newInfo <<<"$stdout" + oldHash=${oldInfo[0]} + oldPath=${oldInfo[1]} + + change_url="$GITHUB_SERVER_URL"/"$GITHUB_REPOSITORY"/compare/"$oldRev".."$newRev" + + echo "Checking if anything other than $pinFile changed between $oldRev and $newRev" + # Only don't make a PR if only the pin file changed, not if it was added/removed + if [[ -f "$oldPath"/"$pinFile" ]] \ + && [[ -f "$newPath"/"$pinFile" ]] \ + && diff --recursive --exclude "$pinFile" "$oldPath" "$newPath"; then + echo "Nothing changed, no PR to update the pin necessary" + create_pr= + else + echo "The channel changed, PR to update the pin is necessary" + create_pr=1 + fi + fi + echo "create_pr=$create_pr" >> "$GITHUB_OUTPUT" + + if [[ -n "$create_pr" ]]; then + echo "Updating $pinFile" + printf "%s\n" "$newPinFileContents" > "$pinFile" + + echo "Assembling PR title and body" + if [[ "$GITHUB_REF_NAME" != nixos-unstable ]]; then + pr_title="[${GITHUB_REF_NAME#nixos-}] " + fi + pr_title="${pr_title}Update pinned channel commit" + + pr_body_path=$(mktemp) + { + echo "Automated PR to update the pin of the $GITHUB_REF_NAME channel in the ${{ steps.dev_branch.outputs.branch }} branch to the latest commit $GITHUB_SHA." 
+ echo "" + echo "[Channel changes]($change_url)" + } > "$pr_body_path" + + echo "pr_title=$pr_title" >> "$GITHUB_OUTPUT" + echo "pr_body_path=$pr_body_path" >> "$GITHUB_OUTPUT" + fi + - name: Create Pull Request + uses: peter-evans/create-pull-request@v5 + if: ${{ steps.update.outputs.create_pr != '' }} + with: + branch: "update-channel-pin/${{ steps.dev-branch.outputs.branch }}" + commit-message: "Update pinned channel commit" + title: "${{ steps.update.outputs.pr_title }}" + author: "GitHub " + body-path: "${{ steps.update.outputs.pr_body_path }}" + diff --git a/lib/channel/default.nix b/lib/channel/default.nix new file mode 100644 index 0000000000000..8c2a7294499db --- /dev/null +++ b/lib/channel/default.nix @@ -0,0 +1,9 @@ +{ lib }: +{ + latestKnownNixOSChannelInfo = lib.importJSON ./pin.json; + + latestKnownNixOSChannel = fetchTarball { + url = "https://github.com/NixOS/nixpkgs/tarball/${lib.channel.latestKnownNixOSChannelInfo.rev}"; + sha256 = lib.channel.latestKnownNixOSChannelInfo.sha256; + }; +} diff --git a/lib/channel/pin.json b/lib/channel/pin.json new file mode 100644 index 0000000000000..54d82182f72bb --- /dev/null +++ b/lib/channel/pin.json @@ -0,0 +1,4 @@ +{ + "rev": "fbd622ff29c52a591f9f7c110f2694b18c5590b3", + "sha256": "1f3f0y0lvndmxqna0dbvdfdwy4czfc7bw0s0sfwcq9w9m2bc0jc2" +} diff --git a/lib/default.nix b/lib/default.nix index 509636452b2b5..70a38a1322cc4 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -63,6 +63,8 @@ let # linux kernel configuration kernel = callLibs ./kernel.nix; + channel = callLibs ./channel; + inherit (builtins) add addErrorContext attrNames concatLists deepSeq elem elemAt filter genericClosure genList getAttr hasAttr head isAttrs isBool isInt isList isPath isString length
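Review bot: The "nothing changed, no PR necessary" branch can never be taken: after prefetching the old revision the script runs `mapfile -t newInfo <<<"$stdout"` but then reads `oldHash=${oldInfo[0]}` and `oldPath=${oldInfo[1]}`, so `oldInfo` is unset, `oldPath` is empty, `[[ -f "$oldPath"/"$pinFile" ]]` is false and `create_pr=1` on every push; the line should be `mapfile -t oldInfo <<<"$stdout"`. The PR body also interpolates `${{ steps.dev_branch.outputs.branch }}` while the step is declared `id: dev-branch`, so that expression evaluates to an empty string; it should be `${{ steps.dev-branch.outputs.branch }}` (the shell `$branch` from the earlier step is not in scope here). Separately, the job holds `contents: write` and `pull-requests: write` while `cachix/install-nix-action@v22`, `actions/checkout@v3` and `peter-evans/create-pull-request@v5` are pinned to mutable tags; a moved or compromised tag would run with push rights on the repository, so pin each action to a full commit SHA with the tag as a trailing comment.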
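Review bot: `latestKnownNixOSChannel` fetches from a hard-coded `https://github.com/NixOS/nixpkgs/tarball/...` URL, whereas the workflow that writes `pin.json` prefetches from `${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}`; in a fork the revision the workflow pinned may not exist at the hard-coded URL, so either derive both from the same place or document that the pin is only meaningful for the upstream repository. The `sha256` does make the fetch fixed-output, so a substituted or wrong tarball fails evaluation rather than being used silently, which is worth stating since neither attribute currently carries any comment. I would add above the first attribute `# rev/sha256 of the channel commit most recently pinned by .github/workflows/channel-pin.yml; sha256 is the unpacked NAR hash from nix-prefetch-url --unpack and pins the fetch below.` and above the second `# Evaluating this attribute performs a network fetch of that revision; fixed-output, so the contents are verified against sha256.`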