lyrathorpe/nixfiles
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1cb83717757586163ca2df47a8bc037d1a05ec62
nixfiles/.gitea/workflows/ci.yaml
T
Emma Thorpe 8c3b101a14
CI / flake (pull_request) Successful in 3m24s
Details
ci: always run the workflow on PRs, guard the heavy steps 
This job is a required status check on main. The workflow was path-filtered
to **.nix/flake.lock/ci.yaml, so a PR touching none of those (e.g. a
.renovaterc.json-only change) skipped the workflow entirely, leaving the
required check pending forever and making the PR unmergeable.

Run the workflow on every PR so the check is always reported, but keep a
'detect' step that diffs the PR against its base and runs nix flake check
and the per-host evals only when a .nix file, flake.lock, or this workflow
changed. When nothing Nix-relevant changed the heavy steps skip and the job
still passes, so the required check stays green-reportable without burning a
full evaluation on unrelated changes. Checkout uses fetch-depth: 0 so the
diff has the base history.
2026-06-16 11:51:18 +01:00

103 lines
4.6 KiB
YAML
Raw Blame History

# Flake CI: full `nix flake check` (formatting + deadnix + statix + pre-commit)
# plus an explicit per-host evaluation pass for granular output.
name: CI
# Deliberately no `paths:` filter. This job is a required status check on main,
# and a path-filtered workflow is *skipped* (never runs) for PRs that touch no
# matching file -- which leaves the required check pending forever and blocks the
# merge (e.g. a .renovaterc.json-only change). So the workflow always runs and
# always reports. To avoid burning a full Nix evaluation on changes that can't
# affect it, the "detect" step below diffs the PR and the heavy steps run only
# when a .nix file, flake.lock, or this workflow changed; otherwise they skip and
# the job still passes. The required check is therefore always green-reportable.
on:
push:
branches: [main]
pull_request:
jobs:
flake:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
# Full history so the detect step can diff the PR against its base.
fetch-depth: 0
# Decide whether the Nix steps need to run. On a pull_request, diff the PR
# against its base and look for files that can affect the flake: any .nix,
# the lockfile, or this workflow. On any other event (push to main) always
# run. The job itself always succeeds, so the required status check is
# reported even when the heavy steps are skipped.
- name: Detect Nix-relevant changes
id: detect
run: |
set -euo pipefail
if [ "${{ github.event_name }}" != "pull_request" ]; then
echo "Event ${{ github.event_name }}: running full checks."
echo "run=true" >> "$GITHUB_OUTPUT"
exit 0
fi
base='${{ github.event.pull_request.base.sha }}'
head='${{ github.event.pull_request.head.sha }}'
changed=$(git diff --name-only "$base...$head")
echo "Changed files:"
echo "$changed"
if echo "$changed" | grep -Eq '(\.nix$|^flake\.lock$|^\.gitea/workflows/ci\.yaml$)'; then
echo "Nix-relevant changes found: running checks."
echo "run=true" >> "$GITHUB_OUTPUT"
else
echo "No Nix-relevant changes: skipping checks (job still passes)."
echo "run=false" >> "$GITHUB_OUTPUT"
fi
- name: Install Nix
if: steps.detect.outputs.run == 'true'
uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31
with:
extra_nix_config: |
experimental-features = nix-command flakes
accept-flake-config = true
substituters = https://cache.nixos.org https://nix-community.cachix.org
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
# Runs every flake check: treefmt formatting, deadnix, statix, and the
# pre-commit hooks (so a --no-verify commit can't ship unlinted).
- name: Flake check
if: steps.detect.outputs.run == 'true'
run: nix flake check --print-build-logs
# Evaluate (not build) each host's toplevel so eval errors fail CI cheaply.
# aarch64 / darwin hosts evaluate fine on an x86_64 runner; only building
# would need emulation, which we deliberately avoid here.
#
# Host lists are discovered from the flake (attrNames of
# nixos/darwinConfigurations) rather than hard-coded, so adding or removing
# a host needs no change to this workflow.
- name: Evaluate NixOS host configurations
if: steps.detect.outputs.run == 'true'
run: |
set -euo pipefail
hosts=$(nix eval --raw '.#nixosConfigurations' \
--apply 'cfgs: builtins.concatStringsSep "\n" (builtins.attrNames cfgs)')
for host in $hosts; do
echo "::group::eval $host"
nix eval --raw ".#nixosConfigurations.$host.config.system.build.toplevel.drvPath"
echo
echo "::endgroup::"
done
- name: Evaluate Darwin host configurations
if: steps.detect.outputs.run == 'true'
run: |
set -euo pipefail
hosts=$(nix eval --raw '.#darwinConfigurations' \
--apply 'cfgs: builtins.concatStringsSep "\n" (builtins.attrNames cfgs)')
for host in $hosts; do
echo "::group::eval $host"
nix eval --raw ".#darwinConfigurations.$host.config.system.build.toplevel.drvPath"
echo
echo "::endgroup::"
done
Reference in New Issue View Git Blame Copy Permalink