From 438a931a5b6a3373d6c1c7e9c6160215dc724302 Mon Sep 17 00:00:00 2001
From: Alice Huston
Date: Sun, 17 Mar 2024 18:58:55 -0400
Subject: [PATCH] Feature/actions (#114)
* Add some basic actions/repo settings
Signed-off-by: ahuston-0
* Add issues/milestones to .github.yml
Signed-off-by: ahuston-0
* Finalize settings
Signed-off-by: ahuston-0
* Add checks
Signed-off-by: ahuston-0
* lock action update
Signed-off-by: ahuston-0
* checkout for lock check
Signed-off-by: ahuston-0
* make lock fail on check
Signed-off-by: ahuston-0
* fix flake update action
Signed-off-by: ahuston-0
* Update contrib
Signed-off-by: ahuston-0
* add formatting check
Signed-off-by: ahuston-0
* add nixfmt-rfc-style
Signed-off-by: ahuston-0
* update lock
Signed-off-by: ahuston-0
* initial format
Signed-off-by: ahuston-0
* minor change to trigger actions builds This should be reverted before merging the PR
Signed-off-by: ahuston-0
* fix format hook
Signed-off-by: ahuston-0
* flakes update on PR now :)
Signed-off-by: ahuston-0
* create PR for update
Signed-off-by: ahuston-0
* allow PR on actions branch
Signed-off-by: ahuston-0
* PR
Signed-off-by: ahuston-0
* restore flake update to normal
Signed-off-by: ahuston-0
* revert flake-update-service changes
Signed-off-by: ahuston-0
---------
Signed-off-by: ahuston-0
---
 .github/settings.yml | 198 ++++++++++++++++++++++
 .github/workflows/flake-health-checks.yml | 22 +++
 .github/workflows/flake-update.yml | 25 +++
 .github/workflows/lock-health-checks.yml | 19 +++
 .github/workflows/nix-fmt.yml | 19 +++
 flake.lock | 6 +-
 6 files changed, 286 insertions(+), 3 deletions(-)
 create mode 100644 .github/settings.yml
 create mode 100644 .github/workflows/flake-health-checks.yml
 create mode 100644 .github/workflows/flake-update.yml
 create mode 100644 .github/workflows/lock-health-checks.yml
 create mode 100644 .github/workflows/nix-fmt.yml
diff --git a/.github/settings.yml b/.github/settings.yml
new file mode 100644
index 0000000..ddcea3c
--- /dev/null
+++ b/.github/settings.yml 
@@ -0,0 +1,198 @@
+# Have borrowed this config from nix-community/infra
+repository:
+ # See https://developer.github.com/v3/repos/#edit for all available settings.
+
+ # The name of the repository. Changing this will rename the repository
+ name: nix-dotfiles
+
+ # A short description of the repository that will show up on GitHub
+ description: RAD-Dev Infra
+
+ # A URL with more information about the repository
+ # homepage: "https://nix-community.org"
+
+ # A comma-separated list of topics to set on the repository
+ topics: "nixos"
+
+ # Either `true` to make the repository private, or `false` to make it public.
+ private: false
+
+ # Either `true` to enable issues for this repository, `false` to disable them.
+ has_issues: true
+
+ # Either `true` to enable projects for this repository, or `false` to disable them.
+ # If projects are disabled for the organization, passing `true` will cause an API error.
+ has_projects: true
+
+ # Either `true` to enable the wiki for this repository, `false` to disable it.
+ has_wiki: false
+
+ # Either `true` to enable downloads for this repository, `false` to disable them.
+ has_downloads: false
+
+ # Updates the default branch for this repository.
+ default_branch: main
+
+ # Either `true` to allow squash-merging pull requests, or `false` to prevent
+ # squash-merging.
+ allow_squash_merge: true
+
+ # Either `true` to allow merging pull requests with a merge commit, or `false`
+ # to prevent merging pull requests with merge commits.
+ allow_merge_commit: false
+
+ # Either `true` to allow rebase-merging pull requests, or `false` to prevent
+ # rebase-merging.
+ allow_rebase_merge: true
+
+ # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
+ delete_branch_on_merge: true
+
+ # Either `true` to enable automated security fixes, or `false` to disable
+ # automated security fixes.
+ enable_automated_security_fixes: true
+
+ # Either `true` to enable vulnerability alerts, or `false` to disable
+ # vulnerability alerts.
+ enable_vulnerability_alerts: true
+
+ allow_auto_merge: true
+
+# Labels: define labels for Issues and Pull Requests
+#
+labels:
+ - name: bug
+ color: '#d73a4a'
+ description: Something isn't working
+ - name: CI/CD
+ # If including a `#`, make sure to wrap it with quotes!
+ color: '#0e8a16'
+ description: Related to GH Actions or Hydra
+ - name: documentation
+ color: '#0075ca'
+ description: Improvements or additions to documentation
+ - name: duplicate
+ color: '#cfd3d7'
+ description: This issue or pull request already exists
+ - name: enhancement
+ color: '#a2eeef'
+ description: New feature or request
+ - name: good first issue
+ color: '#7057ff'
+ description: Good for newcomers
+ - name: help wanted
+ color: '#008672'
+ description: Extra attention is needed
+ - name: high priority
+ color: '#BF480A'
+ description: A major vurnability was detected
+ - name: invalid
+ color: '#e4e669'
+ description: This doesn't seem right
+ - name: new user
+ color: '#C302A1'
+ description: A new user was added to the Flake
+ - name: question
+ color: '#d876e3'
+ description: Further information is requested
+ - name: wontfix
+ color: '#ffffff'
+ description: This will not be worked on
+
+# Milestones: define milestones for Issues and Pull Requests
+milestones:
+ - title: Go-Live
+ description: >-
+ All requirements for official go-live:
+ - Automated testing via Hydra/Actions
+ - Automated deployments via Hydra/Actions
+ - 90+% testing coverage
+ - Functional formatter with custom rules
+ - palatine-hill is fully stable, enough so that jeeves can be migrated
+ # The state of the milestone. Either `open` or `closed`
+ state: open
+ - title: Jeeves Migration
+ description: >-
+ Test common use-cases for Jeeves
+ - Quadro GPU support
+ - Multi-GPU support
+ - Plex support
+ - Docker support
+ - ZFS support
+
+
+# Collaborators: give specific users access to this repository.
+# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
+collaborators:
+ # - username: numtide-bot
+ # Note: `permission` is only valid on organization-owned repositories.
+ # The permission to grant the collaborator. Can be one of:
+ # * `pull` - can pull, but not push to or administer this repository.
+ # * `push` - can pull and push, but not administer this repository.
+ # * `admin` - can pull, push and administer this repository.
+ # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+ # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+ # permission: push
+
+# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
+teams:
+ # - name: admin
+ # The permission to grant the team. Can be one of:
+ # * `pull` - can pull, but not push to or administer this repository.
+ # * `push` - can pull and push, but not administer this repository.
+ # * `admin` - can pull, push and administer this repository.
+ # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+ # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+ # permission: admin
+
+branches:
+ # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
+
+ # not available in the api yet
+ # `Require merge queue`: true
+ # `Merge method`: Rebase and merge
+ # `Maximum pull requests to build`: 1
+ # `Maximum pull requests to merge`: 1
+ # defaults:
+ # `Maximum pull requests to build`: 5
+ # `Minimum pull requests to merge`: 1 or 5 minutes
+ # `Maximum pull requests to merge`: 5
+ # `Only merge non-failing pull requests`: true
+ # `Consider check failed after`: 60 minutes
+
+ - name: main
+ # https://docs.github.com/en/rest/reference/repos#update-branch-protection
+ # Branch Protection settings. Set to null to disable
+ protection:
+ # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
+
+ # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
+ required_pull_request_reviews:
+ # # The number of approvals required. (1-6)
+ required_approving_review_count: 1
+ # # Dismiss approved reviews automatically when a new commit is pushed.
+ dismiss_stale_reviews: true
+ # # Blocks merge until code owners have reviewed.
+ require_code_owner_reviews: false
+ # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
+ # dismissal_restrictions:
+ # users: []
+ # teams: []
+ require_last_push_approval: false
+ # Required. Require status checks to pass before merging. Set to null to disable
+ # required_status_checks:
+ # Required. Require branches to be up to date before merging.
+ # strict: false
+ # Required. The list of status checks to require in order to merge into this branch
+ # contexts:
+ # - buildbot/nix-eval
+ # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
+ enforce_admins: true
+ # Disabled for bors to work
+ required_linear_history: true
+ # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
+ restrictions:
+ apps: []
+ # TODO: make a buildbot instance
+ # users: ["nix-infra-bot"]
+ teams: []
diff --git a/.github/workflows/flake-health-checks.yml b/.github/workflows/flake-health-checks.yml
new file mode 100644
index 0000000..fd12d99
--- /dev/null
+++ b/.github/workflows/flake-health-checks.yml
@@ -0,0 +1,22 @@
+name: "Check Nix flake"
+on:
+ push:
+ branches: ["main"]
+ paths:
+ - '**.nix'
+ pull_request:
+ branches: ["main"]
+ paths:
+ - '**.nix'
+jobs:
+ health-check:
+ name: "Perform Nix flake checks"
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [ubuntu-latest, macOS-latest]
+ steps:
+ - uses: DeterminateSystems/nix-installer-action@main
+ - uses: DeterminateSystems/magic-nix-cache-action@main
+ - uses: actions/checkout@v4
+ - run: nix flake check
diff --git a/.github/workflows/flake-update.yml b/.github/workflows/flake-update.yml
new file mode 100644
index 0000000..f3b0cfa
--- /dev/null
+++ b/.github/workflows/flake-update.yml
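Review bot: `required_status_checks` is still commented out in the `main` protection block, so none of the three status-check workflows this commit adds (flake check, lock check, format check) is required before merge, and with `allow_auto_merge: true` a PR can auto-merge on a single approval with red CI. Enable it with the new jobs' `name` values as contexts, e.g. `required_status_checks:` / `strict: true` / `contexts: ["Perform Nix format checks", "Perform Nix flake checks (ubuntu-latest)"]` (matrix jobs get the `(os)` suffix; the lock-check job name is the `name:` string in lock-health-checks.yml). The comment `# Disabled for bors to work` above `required_linear_history: true` contradicts the value it annotates and should say what is actually configured, e.g. `# Enforced: merge commits are disabled (allow_merge_commit: false), so history stays linear`. The hunk's own comment notes that `restrictions:` is only valid on organization-owned repositories; if this is a personal repository the API will presumably reject the block, so set it to `null` there.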
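Review bot: Both third-party actions in this job are referenced by the mutable `@main` ref (`DeterminateSystems/nix-installer-action@main`, `DeterminateSystems/magic-nix-cache-action@main`), so whatever that branch points to at run time is what executes in the job; the same applies to `flake-checker-action@main` in lock-health-checks.yml, `update-flake-lock@main` in flake-update.yml and both installer actions in nix-fmt.yml. Pin each to a full commit SHA with the release tag in a trailing comment, e.g. `- uses: DeterminateSystems/nix-installer-action@<full-commit-sha>  # <release-tag>`, so the job is reproducible and upgrades become explicit diffs that Dependabot or Renovate can propose. `actions/checkout@v4` is at least tag-pinned, though a SHA is preferable there too. A top-level `permissions:` / `contents: read` would also cap the `GITHUB_TOKEN` these actions receive, since the job only reads the checkout.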
@@ -0,0 +1,25 @@
+name: "Update flakes"
+on:
+ repository_dispatch:
+ workflow_dispatch:
+ schedule:
+ - cron: "51 2 * * 1,4"
+jobs:
+ createPullRequest:
+ runs-on: ubuntu-latest
+ if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install Nix
+ uses: cachix/install-nix-action@v24
+ with:
+ extra_nix_config: |
+ experimental-features = nix-command flakes
+ - name: Update flake.lock
+ id: update
+ uses: DeterminateSystems/update-flake-lock@main
+ with:
+ pr-title: "Update flake.lock" # Title of PR to be created
+ pr-labels: | # Labels to be set on the PR
+ dependencies
+ automated
diff --git a/.github/workflows/lock-health-checks.yml b/.github/workflows/lock-health-checks.yml
new file mode 100644
index 0000000..655ddb3
--- /dev/null
+++ b/.github/workflows/lock-health-checks.yml
@@ -0,0 +1,19 @@
+name: "Check flake.lock"
+on:
+ push:
+ branches: ["main"]
+ paths:
+ - '**.nix'
+ pull_request:
+ branches: ["main"]
+ paths:
+ - '**.nix'
+jobs:
+ health-check:
+ name: "Check health of `flake.lock`"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: DeterminateSystems/flake-checker-action@main
+ with:
+ fail-mode: true
diff --git a/.github/workflows/nix-fmt.yml b/.github/workflows/nix-fmt.yml
new file mode 100644
index 0000000..13de60f
--- /dev/null
+++ b/.github/workflows/nix-fmt.yml
@@ -0,0 +1,19 @@
+name: "Check Nix formatting"
+on:
+ push:
+ branches: ["main"]
+ paths:
+ - '**.nix'
+ pull_request:
+ branches: ["main"]
+ paths:
+ - '**.nix'
+jobs:
+ health-check:
+ name: "Perform Nix format checks"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: DeterminateSystems/nix-installer-action@main
+ - uses: DeterminateSystems/magic-nix-cache-action@main
+ - uses: actions/checkout@v4
+ - run: nix fmt -- --check .
diff --git a/flake.lock b/flake.lock
index 5107cb9..831608d 100644
--- a/flake.lock
+++ b/flake.lock
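Review bot: The `createPullRequest` job declares no `permissions:` block, yet the `update-flake-lock` step has to push a branch and open a pull request, so it silently depends on the repository's default `GITHUB_TOKEN` scope — either broader than needed (write-all) or, if the repo default is read-only, too narrow and the step fails. Declare the minimum at job level: `permissions:` / `contents: write` / `pull-requests: write`. Pull requests opened with `GITHUB_TOKEN` do not start other workflows, so the new check workflows will likely never run on the update PR; if those checks are meant to gate it, the action would need a separately scoped token, which is worth confirming against the action's documentation before relying on the PR as a review gate. The `if: github.ref == 'refs/heads/main'` guard is fine for `schedule` and `repository_dispatch`, which always run on the default branch.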
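Review bot: The `paths:` filter on both triggers is `'**.nix'` only, so a change that touches nothing but `flake.lock` — exactly what the automated "Update flake.lock" PR from flake-update.yml produces, and what this commit's own flake.lock hunk does — never runs the `Check flake.lock` job. Add `- 'flake.lock'` under each of the two `paths:` lists so the lock file is checked when it changes. flake-health-checks.yml has the same gap, since `nix flake check` resolves inputs through the lock file; it should receive the same two added lines.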
@@ -64,11 +64,11 @@
 ]
 },
 "locked": {
- "lastModified": 1709445365,
- "narHash": "sha256-DVv6nd9FQBbMWbOmhq0KVqmlc3y3FMSYl49UXmMcO+0=",
+ "lastModified": 1709485962,
+ "narHash": "sha256-rmFB4uE10+LJbcVE4ePgiuHOBlUIjQOeZt4VQVJTU8M=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "4de84265d7ec7634a69ba75028696d74de9a44a7",
+ "rev": "d579633ff9915a8f4058d5c439281097e92380a8",
 "type": "github"
 },
 "original": {