Skip to content

Comments

workflows: Fix pkgs/by-name checks not running for non-committers#254371

Merged
infinisil merged 1 commit intomasterfrom
yu-re-ka-patch-1
Sep 11, 2023
Merged

workflows: Fix pkgs/by-name checks not running for non-committers#254371
infinisil merged 1 commit intomasterfrom
yu-re-ka-patch-1

Conversation

@yu-re-ka
Copy link
Contributor

@yu-re-ka yu-re-ka commented Sep 10, 2023
edited
Loading

Description of changes

While reviewing #254368 I noticed I had to approve the workflow.
Copied the permissions definition from another workflow.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@yu-re-ka yu-re-ka requested review from a team, Mic92 and zowoq as code owners September 10, 2023 10:23
@yu-re-ka yu-re-ka requested a review from infinisil September 10, 2023 10:23
@github-actions github-actions bot added the 6.topic: policy discussion Discuss policies to work in and around Nixpkgs label Sep 10, 2023
@zowoq
Copy link
Contributor

zowoq commented Sep 10, 2023

It's likely that it isn't related to permissions, should be using pull_request_target.

nixpkgs/.github/workflows/editorconfig.yml

Lines 5 to 7 in 78058d8

on:
# avoids approving first time contributors
pull_request_target:

Checkout would need to be updated as well.

nixpkgs/.github/workflows/editorconfig.yml

Lines 27 to 30 in 78058d8

- uses: actions/checkout@v3
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. labels Sep 10, 2023
@yu-re-ka
Copy link
Contributor Author

yu-re-ka commented Sep 10, 2023

@zowoq can you make the appropriate change?
I'm not 100% sure which parts are now needed, and I'm not an expert in GH Actions

@zowoq
Copy link
Contributor

zowoq commented Sep 11, 2023

This should be all that is needed but would still need to verify that it works, it might make other assumptions about the env it runs in that could be different for pull_request_target.

diff --git a/.github/workflows/check-by-name.yml b/.github/workflows/check-by-name.yml
index 9622634fcffd..07e881b1f05d 100644
--- a/.github/workflows/check-by-name.yml
+++ b/.github/workflows/check-by-name.yml
@@ -4,7 +4,10 @@ name: Check pkgs/by-name
 
 # The pre-built tool is fetched from a channel,
 # making it work predictable on all PRs
-on: pull_request
+
+on:
+  # avoids approving first time contributors
+  pull_request_target
 
 # The tool doesn't need any permissions, it only outputs success or not based on the checkout
 permissions: {}
@@ -16,6 +19,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
       - uses: cachix/install-nix-action@v22
       - name: Determining channel to use for dependencies
         run: |

@yu-re-ka yu-re-ka force-pushed the yu-re-ka-patch-1 branch 2 times, most recently from 927e264 to 6b8e029 Compare September 11, 2023 06:31
@infinisil
Copy link
Member

infinisil commented Sep 11, 2023

Thanks for the report/fix! I'm going to test this in a nixpkgs fork when I get the chance

@infinisil
Copy link
Member

infinisil commented Sep 11, 2023

I just tried this out and can confirm that it works. I took the liberty to push the fix to this branch directly.

@infinisil infinisil mentioned this pull request Sep 11, 2023
Merged
2 tasks
@infinisil infinisil merged commit d0a5c47 into master Sep 11, 2023
@infinisil infinisil deleted the yu-re-ka-patch-1 branch September 11, 2023 23:16
@infinisil
Copy link
Member

infinisil commented Sep 11, 2023

Merged to avoid amassing more workflows that need to be approved.

I now also went through all the ones that were waiting for approval and approved them. So this should be fully addressed now.

@infinisil infinisil added this to the RFC 140 milestone Sep 11, 2023
@infinisil infinisil mentioned this pull request Nov 15, 2024
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mic92 Mic92 Awaiting requested review from Mic92

@zowoq zowoq Awaiting requested review from zowoq

@infinisil infinisil Awaiting requested review from infinisil

Assignees

No one assigned

Labels

6.topic: policy discussion Discuss policies to work in and around Nixpkgs 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux.

Projects

None yet

Milestone

RFC 140

Development

Successfully merging this pull request may close these issues.

3 participants

@yu-re-ka @zowoq @infinisil