workflows/eval: evaluate ci/pinned.json changes at their commit#480395
Conversation
406bf44 to
6fb2107
Compare
MattSturgeon
left a comment
There was a problem hiding this comment.
SGTM overall. Minor thoughts:
6fb2107 to
5ad5407
Compare
5ad5407 to
0f119a9
Compare
|
Can you give us a sense of the performance differential, @dyegoaurelio and @MattSturgeon? |
|
edit: I didn't realize how slow @philiptaron I don't expect much performance changes. The goal of this PR is to simplify ci/pinned.json bumps, such as #480141 |
The I'm not sure what metrics you're interested in. You can see it running "for real" in #480436 The checkout will be slower as it fetches history (I assume there's no way to fetch only history since the base commit?). IIUC, the actual eval report should have the same perf cost as before; it does one eval per system per nix version, in addition to the usual "compare" eval done on all PRs. |
|
OK, my "run" of the GHA in my head thought it changed every one. Thanks for the clarification. |
24c7917 to
3686fd6
Compare
This comment was marked as resolved.
This comment was marked as resolved.
Looking at https://github.com/NixOS/nixpkgs/actions/runs/21041282212/job/60503570981?pr=480436#step:3:416 (which timed out while fetching all of Nixpkgs)1, this may be worth doing. Footnotes
|
3686fd6 to
2cf3078
Compare
2cf3078 to
eb2db1e
Compare
66b34ba to
2ff0858
Compare
MattSturgeon
left a comment
There was a problem hiding this comment.
Diff LGTM overall. A couple questions and minor nits, but I think we've got this to a good functional state over the last few iterations!
Testing in https://github.com/NixOS/nixpkgs/actions/runs/21102528097?pr=480436#summary-60689633319 seems to show everything working correctly.
@philiptaron it'd be great to have your thoughts on the diff too, especially as I'm a co-author and don't want to sign this off entirely on my own.
| console.log('Applying untrusted ci/pinned.json bump:', pin_bump_sha) | ||
| try { | ||
| await run('git', '-C', join('nixpkgs', 'untrusted'), 'cherry-pick', '--no-commit', pin_bump_sha) | ||
| } catch { |
There was a problem hiding this comment.
Note: For simplicity I chose to catch any error. If we know the exit code for "cannot apply" we could check it if preferred.
| // Compare the two commits to get the list of commits in between | ||
| const comparison = await github.rest.repos.compareCommitsWithBasehead({ | ||
| ...context.repo, | ||
| basehead: `${targetSha}...${headSha}`, |
There was a problem hiding this comment.
I'm a little rusty on my .. vs ... and also unsure whether this API supports ^ syntax (or if that even works for the 2nd parent of mergedSha)
I'm wondering if we can avoid needing to know headSha by using something like target..merged or target...merged^?
There was a problem hiding this comment.
Security review complete. This PR properly isolates ci/pinned.json bump commits for versioned evaluations through cherry-picking onto the target branch.
Security aspects reviewed:
- Trust boundary maintained: cherry-pick only modifies
nixpkgs/untrusted, preserving the trusted/untrusted separation - Commit isolation prevents unrelated PR changes from affecting version matrix evaluation
- Multi-commit detection fails fast if >1 commit touches
ci/pinned.json - Cherry-pick failure handling calls
core.setFailed()with clear error messaging - No command injection, path traversal, or secret exposure risks
- Proper
permissions: {}restrictions maintained
Minor notes:
- Typo on line 85 of
action.yml: "Fetching out" → "Fetching" - Rate limit logging before/after the commit API calls wasn't implemented per the review discussion, but the 50-commit cap provides reasonable protection
LGTM from a security perspective.
ed5713a to
db63d2f
Compare
db63d2f to
7533fff
Compare
7533fff to
31ae7e6
Compare
31ae7e6 to
2a754fe
Compare
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/formatting-team-meeting-2026-01-20/74520/1 |
When testVersions is enabled, the version matrix check now identifies the specific commit that modified ci/pinned.json, rather than evaluating the full PR. This allows formatting changes and other modifications to coexist in the same PR without affecting the hash consistency check. The workflow now: - Adds headSha input to compare PR commits against target - Finds the single commit that touched ci/pinned.json - Errors if multiple commits modify it (to ensure clear attribution) - Passes the bump commit to the checkout action for isolated evaluation - Reports which commit was evaluated in the summary The actual cherry-pick and pinned checkout handling is delegated to the checkout action via the new `untrusted-pin-bump` input. Co-Authored-By: Matt Sturgeon <matt@sturgeon.me.uk>
2a754fe to
8c4f3d3
Compare
|
Successfully created backport PR for |
When testVersions is enabled, the version matrix check now evaluates the specific commit that modified ci/pinned.json, rather than the PR head. This allows formatting changes and other modifications to be in the same PR without affecting the hash consistency ratchet check.
The workflow now:
Things done
passthru.tests.nixpkgs-reviewon this PR. See nixpkgs-review usage../result/bin/.Add a 👍 reaction to pull requests you find important.