ci: reusable Nix format Nixpkgs pin
This is needed such that in the next commit, we can re-use the same version from a shell.nix, allowing people to have a guaranteed matching nixfmt version.
parent
13599930cb
commit
b33ac05d04
11
.github/workflows/check-nix-format.yml
vendored
@ -19,13 +19,18 @@ jobs:
|
||||
with:
|
||||
# pull_request_target checks out the base branch by default
|
||||
ref: refs/pull/${{ github.event.pull_request.number }}/merge
|
||||
- name: Get Nixpkgs revision for nixfmt
|
||||
run: |
|
||||
# pin to a commit from nixpkgs-unstable to avoid e.g. building nixfmt
|
||||
# from staging
|
||||
# This should not be a URL, because it would allow PRs to run arbitrary code in CI!
|
||||
rev=$(jq -r .rev ci/pinned-nixpkgs.json)
|
||||
echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
|
||||
- uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
|
||||
with:
|
||||
# explicitly enable sandbox
|
||||
extra_nix_config: sandbox = true
|
||||
# fix a commit from nixpkgs-unstable to avoid e.g. building nixfmt
|
||||
# from staging
|
||||
nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/4b455dc2048f73a79eb3713f342369ff58f93e0b.tar.gz
|
||||
nix_path: nixpkgs=${{ env.url }}
|
||||
- name: Install nixfmt
|
||||
run: "nix-env -f '<nixpkgs>' -iAP nixfmt-rfc-style"
|
||||
- name: Check that Nix files are formatted according to the RFC style
|
||||
|
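Review bot: The new "Get Nixpkgs revision for nixfmt" step writes `rev` from `ci/pinned-nixpkgs.json` into `$GITHUB_ENV` without checking its shape, and under `pull_request_target` with `ref: refs/pull/…/merge` that file is the pull request's version rather than the base branch's. `jq -r` prints the raw string, so anything other than a commit hash (a multi-line value included) would land in the environment file and in `nix_path`. Before the `echo`, reject unexpected values, e.g. `[[ $rev =~ ^[0-9a-f]{40}$ ]] || { echo "unexpected rev in ci/pinned-nixpkgs.json" >&2; exit 1; }`, or read the pin from the base branch instead of the merge checkout. As far as this hunk shows, the `sha256` stored next to `rev` is not used by the workflow, so the tarball fetched through `nix_path` is not checked against it here.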
@ -2,3 +2,11 @@
|
||||
|
||||
This directory contains files to support CI, such as [GitHub Actions](https://github.com/NixOS/nixpkgs/tree/master/.github/workflows) and [Ofborg](https://github.com/nixos/ofborg).
|
||||
This is in contrast with [`maintainers/scripts`](`../maintainers/scripts`) which is for human use instead.
|
||||
|
||||
## Pinned Nixpkgs
|
||||
|
||||
CI may need certain packages from Nixpkgs.
|
||||
In order to ensure that the needed packages are generally available without building,
|
||||
[`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra.
|
||||
|
||||
Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it.
|
||||
|
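--- /dev/null
+++ b/ci/pinned-nixpkgs.json
@@ -0,0 +1,4 @@
+{
+"rev": "cfb89a95f19bea461fc37228dc4d07b22fe617c2",
+"sha256": "1yhsacvry6j8r02lk70p9dphjpi8lpzgq2qay8hiy4nqlys0mrch"
+}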
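--- /dev/null
+++ b/ci/update-pinned-nixpkgs.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p jq
+
+set -euo pipefail
+
+# https://stackoverflow.com/a/246128
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+repo=https://github.com/nixos/nixpkgs
+branch=nixpkgs-unstable
+file=$SCRIPT_DIR/pinned-nixpkgs.json
+
+rev=$(git ls-remote "$repo" refs/heads/"$branch" | cut -f1)
+sha256=$(nix-prefetch-url --unpack "$repo/archive/$rev.tar.gz" --name source)
+
+jq -n --arg rev "$rev" --arg sha256 "$sha256" '$ARGS.named' | tee /dev/stderr > $file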
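Review bot: The last line redirects to an unquoted `$file`, so the script breaks when the checkout path contains spaces or glob characters; write `> "$file"` instead. The shebang provides only `jq` (`-p jq`) while the script also calls `git`, which then has to come from the caller's environment; `-p jq git` would make that dependency explicit. If `git ls-remote` matches no ref, `rev` is empty and the failure presumably surfaces only inside `nix-prefetch-url`; a guard such as `[[ -n $rev ]] || { echo "no such branch: $branch" >&2; exit 1; }` gives a clearer error.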