Diffstat (limited to 'pkgs/test/nixpkgs-check-by-name/scripts')
-rw-r--r--pkgs/test/nixpkgs-check-by-name/scripts/README.md19
-rwxr-xr-xpkgs/test/nixpkgs-check-by-name/scripts/fetch-pinned-tool.sh30
-rw-r--r--pkgs/test/nixpkgs-check-by-name/scripts/pinned-tool.json4
-rwxr-xr-xpkgs/test/nixpkgs-check-by-name/scripts/run-local.sh18
-rwxr-xr-xpkgs/test/nixpkgs-check-by-name/scripts/update-pinned-tool.sh19
5 files changed, 44 insertions, 46 deletions
diff --git a/pkgs/test/nixpkgs-check-by-name/scripts/README.md b/pkgs/test/nixpkgs-check-by-name/scripts/README.md
index cb520f4728d38..ccd4108ea288d 100644
--- a/pkgs/test/nixpkgs-check-by-name/scripts/README.md
+++ b/pkgs/test/nixpkgs-check-by-name/scripts/README.md
@@ -19,15 +19,20 @@ Arguments:
 ## `./update-pinned-tool.sh`
 
 Updates the pinned CI tool in [`./pinned-tool.json`](./pinned-tool.json) to the
-[latest version from the `nixos-unstable` channel](https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.tests.nixpkgs-check-by-name.x86_64-linux)
+[latest version from the `nixos-unstable` channel](https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.tests.nixpkgs-check-by-name.x86_64-linux).
 
-This script is called manually once the CI tooling needs to be updated.
+This script needs to be called manually when the CI tooling needs to be updated.
 
-## `./fetch-pinned-tool.sh OUTPUT_PATH`
+The `pinned-tool.json` file gets populated with both:
+- The `/nix/store` path for `x86_64-linux`, such that CI doesn't have to evaluate Nixpkgs and can directly fetch it from the cache instead.
+- The Nixpkgs revision, such that the `./run-local.sh` script can be used to run the checks locally on any system.
 
-Fetches the pinned tooling specified in [`./pinned-tool.json`](./pinned-tool.json).
+To ensure that the tool is always pre-built for `x86_64-linux` in the `nixos-unstable` channel,
+it's included in the `tested` jobset description in [`nixos/release-combined.nix`](../../../nixos/release-combined.nix).
 
-This script is used both by [`./run-local.sh`](#run-local-sh-base-branch-repository) and CI.
+Why not just build the tooling right from the PRs Nixpkgs version?
+- Because it allows CI to check all PRs, even if they would break the CI tooling.
+- Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
+- Because it improves security, since we don't have to build potentially untrusted code from PRs.
+  The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).
 
-Arguments:
-- `OUTPUT_PATH`: The output symlink path for the tool
diff --git a/pkgs/test/nixpkgs-check-by-name/scripts/fetch-pinned-tool.sh b/pkgs/test/nixpkgs-check-by-name/scripts/fetch-pinned-tool.sh
deleted file mode 100755
index 2e52275cab874..0000000000000
--- a/pkgs/test/nixpkgs-check-by-name/scripts/fetch-pinned-tool.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-# Try to not use nix-shell here to avoid fetching Nixpkgs,
-# especially since this is used in CI
-# The only dependency is `jq`, which in CI is implicitly available
-# And when run from ./run-local.sh is provided by that parent script
-
-set -o pipefail -o errexit -o nounset
-
-trace() { echo >&2 "$@"; }
-
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-
-pin_file=$SCRIPT_DIR/pinned-tool.json
-
-if (( $# < 1 )); then
-    trace "Usage: $0 fetch OUTPUT_PATH"
-    trace "OUTPUT_PATH: The output symlink path for the tool"
-    exit 1
-fi
-output=$1
-
-trace "Reading $pin_file.. "
-rev=$(jq -r .rev "$SCRIPT_DIR"/pinned-tool.json)
-trace -e "Git revision is \e[34m$rev\e[0m"
-path=$(jq -r .path "$SCRIPT_DIR"/pinned-tool.json)
-trace "Tooling path is $path"
-
-trace -n "Fetching the prebuilt version of nixpkgs-check-by-name.. "
-nix-store --add-root "$output" -r "$path" >/dev/null
-realpath "$output"
diff --git a/pkgs/test/nixpkgs-check-by-name/scripts/pinned-tool.json b/pkgs/test/nixpkgs-check-by-name/scripts/pinned-tool.json
index bbcbc57e86b28..c4dff2c6554a5 100644
--- a/pkgs/test/nixpkgs-check-by-name/scripts/pinned-tool.json
+++ b/pkgs/test/nixpkgs-check-by-name/scripts/pinned-tool.json
@@ -1,4 +1,4 @@
 {
-  "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d",
-  "path": "/nix/store/qlls5ca8q88qpyygg9ddi60gl1nmvpij-nixpkgs-check-by-name"
+  "rev": "842d9d80cfd4560648c785f8a4e6f3b096790e19",
+  "ci-path": "/nix/store/8habk3j25bs2a34zn5q5p17b9dl3fywg-nixpkgs-check-by-name"
 }
diff --git a/pkgs/test/nixpkgs-check-by-name/scripts/run-local.sh b/pkgs/test/nixpkgs-check-by-name/scripts/run-local.sh
index b464515b37f6e..1dd52293cc7e6 100755
--- a/pkgs/test/nixpkgs-check-by-name/scripts/run-local.sh
+++ b/pkgs/test/nixpkgs-check-by-name/scripts/run-local.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p jq
+#!nix-shell -i bash -p jq -I nixpkgs=../../../..
 
 set -o pipefail -o errexit -o nounset
 
@@ -14,6 +14,7 @@ cleanup() {
 
     [[ -e "$tmp/base" ]] && git worktree remove --force "$tmp/base"
     [[ -e "$tmp/merged" ]] && git worktree remove --force "$tmp/merged"
+    [[ -e "$tmp/tool-nixpkgs" ]] && git worktree remove --force "$tmp/tool-nixpkgs"
 
     rm -rf "$tmp"
 
@@ -62,7 +63,20 @@ trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "
 git -C "$tmp/merged" merge -q --no-edit "$baseSha"
 trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"
 
-"$tmp/merged/pkgs/test/nixpkgs-check-by-name/scripts/fetch-pinned-tool.sh" "$tmp/tool"
+trace -n "Reading pinned nixpkgs-check-by-name revision from pinned-tool.json.. "
+toolSha=$(jq -r .rev "$tmp/merged/pkgs/test/nixpkgs-check-by-name/scripts/pinned-tool.json")
+trace -e "\e[34m$toolSha\e[0m"
+
+trace -n "Creating Git worktree for the nixpkgs-check-by-name revision in $tmp/tool-nixpkgs.. "
+git worktree add -q "$tmp/tool-nixpkgs" "$toolSha"
+trace "Done"
+
+trace "Building/fetching nixpkgs-check-by-name.."
+nix-build -o "$tmp/tool" "$tmp/tool-nixpkgs" \
+    -A tests.nixpkgs-check-by-name \
+    --arg config '{}' \
+    --arg overlays '[]' \
+    -j 0
 
 trace "Running nixpkgs-check-by-name.."
 "$tmp/tool/bin/nixpkgs-check-by-name" --base "$tmp/base" "$tmp/merged"
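Review bot: `toolSha`, read at line 118 from the merged tree's pinned-tool.json, is handed straight to `git worktree add` at line 122 without validation, so a missing key (jq prints `null`) or a non-hash value such as a branch name is accepted as an arbitrary git ref, and a commit that is not present in the local clone only fails later with an opaque git error. Checking it right after line 118, `[[ "$toolSha" =~ ^[0-9a-f]{40}$ ]] || { trace "pinned-tool.json .rev is not a commit hash: $toolSha"; exit 1; }`, restricts the input to what the pin file is documented to contain, and a `git cat-file -e "$toolSha^{commit}"` check with a hint to fetch would make the missing-commit case explicit. Note also that `-j 0` at line 130 forbids local builds but not evaluation, so if the pinned revision is not already in the binary cache for the local system, nix-build fails rather than builds; the README hunk's "on any system" wording presumably relies on that cache coverage. The script continues past the end of this hunk.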
diff --git a/pkgs/test/nixpkgs-check-by-name/scripts/update-pinned-tool.sh b/pkgs/test/nixpkgs-check-by-name/scripts/update-pinned-tool.sh
index 3e44cf35b0d27..b2bc629e86604 100755
--- a/pkgs/test/nixpkgs-check-by-name/scripts/update-pinned-tool.sh
+++ b/pkgs/test/nixpkgs-check-by-name/scripts/update-pinned-tool.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p jq
+#!nix-shell -i bash -p jq -I nixpkgs=../../../..
 
 set -o pipefail -o errexit -o nounset
 
@@ -7,6 +7,9 @@ trace() { echo >&2 "$@"; }
 
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 
+# Determined by `runs-on: ubuntu-latest` in .github/workflows/check-by-name.yml
+CI_SYSTEM=x86_64-linux
+
 channel=nixos-unstable
 pin_file=$SCRIPT_DIR/pinned-tool.json
 
@@ -19,13 +22,19 @@ trace "$nixpkgs"
 rev=$(<"$nixpkgs/.git-revision")
 trace -e "Git revision of channel $channel is \e[34m$rev\e[0m"
 
-
-trace -n "Fetching the prebuilt version of nixpkgs-check-by-name.. "
-path=$(nix-build --no-out-link "$nixpkgs" -A tests.nixpkgs-check-by-name -j 0 | tee /dev/stderr)
+trace -n "Fetching the prebuilt version of nixpkgs-check-by-name for $CI_SYSTEM.. "
+# This is the architecture used by CI, we want to prefetch the exact path to avoid having to evaluate Nixpkgs
+ci_path=$(nix-build --no-out-link "$nixpkgs" \
+    -A tests.nixpkgs-check-by-name \
+    --arg config '{}' \
+    --argstr system "$CI_SYSTEM" \
+    --arg overlays '[]' \
+    -j 0 \
+    | tee /dev/stderr)
 
 trace "Updating $pin_file"
 jq -n \
     --arg rev "$rev" \
-    --arg path "$path" \
+    --arg ci-path "$ci_path" \
     '$ARGS.named' \
     > "$pin_file"
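Review bot: The pin key is renamed from `path` to `ci-path` at line 176 (and in pinned-tool.json at line 91), and the only reader of the old key visible here, fetch-pinned-tool.sh, is deleted, but the CI-side consumer of `ci-path` (presumably .github/workflows/check-by-name.yml, which the comment at line 149 references) is not part of this diff, so the rename is only safe if that workflow changes in the same commit. A jq argument named `ci-path` also cannot be referenced as `$ci-path` inside a filter; it works here only because the program is `$ARGS.named`, which deserves a comment above the jq call: `# Keys: rev (read by run-local.sh), ci-path (read by the CI workflow); only reachable via $ARGS.named`. Whether the script continues past this hunk is not visible here.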