From 7e4a4cfd11f8cea50e131e64730eac784786f855 Mon Sep 17 00:00:00 2001
From: Seth Flynn
Date: Sun, 21 Sep 2025 16:22:38 -0400
Subject: [PATCH 1/4] ci(nix): flakehub -> magic-nix-cache & gha cache
This will help us avoid `pull_request_target`, etc.
Signed-off-by: Seth Flynn
---
.github/workflows/nix.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index ca3803139..09bc6ca6e 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -91,9 +91,6 @@ jobs:
runs-on: ${{ matrix.os }}
- permissions:
- id-token: write
-
steps:
- name: Get merge commit
if: ${{ github.event_name == 'pull_request_target' }}
@@ -116,8 +113,11 @@ jobs:
# For PRs
- name: Setup Nix Magic Cache
- if: ${{ env.USE_DETERMINATE == 'true' }}
- uses: DeterminateSystems/flakehub-cache-action@v2
+ if: ${{ github.event_name == 'pull_request_target' }}
+ uses: DeterminateSystems/magic-nix-cache-action@v13
+ with:
+ diagnostic-endpoint: ""
+ use-flakehub: false
# For in-tree builds
- name: Setup Cachix
From 90855a7cc029ed9e9bd3601f9c465e1319c50c01 Mon Sep 17 00:00:00 2001
From: Seth Flynn
Date: Sun, 21 Sep 2025 16:25:09 -0400
Subject: [PATCH 2/4] ci(nix): pull_request_target -> pull_request
Signed-off-by: Seth Flynn
---
.github/workflows/nix.yml | 15 ++-------------
1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 09bc6ca6e..4349da448 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -33,7 +33,7 @@ on:
# Workflows
- ".github/workflows/nix.yml"
- pull_request_target:
+ pull_request:
paths:
# File types
- "**.cpp"
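Review bot: The new `Setup Nix Magic Cache` step still runs under `pull_request_target` in this patch (the trigger is only switched later in the series), and a GitHub Actions cache written by a `pull_request_target` run is scoped to the base branch rather than to the PR, so until the trigger flips a malicious PR can seed cache entries that trusted runs on that branch may later restore; this step should land together with, or after, the trigger change. The action itself is pinned to a mutable tag, so a moved tag or a compromised publisher changes what runs here without any diff in this file; pin it to the full commit SHA and keep the version as a comment, `uses: DeterminateSystems/magic-nix-cache-action@<full-sha> # v13`. Setting `use-flakehub: false` and an empty `diagnostic-endpoint` does keep the step off third-party endpoints, which is the right default for a job that builds untrusted PR code.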
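Review bot: Switching the trigger to `pull_request` is the right fix, but it changes what the rest of the job may assume: for PRs from forks every `secrets.*` value except a read-only `GITHUB_TOKEN` is empty, so any later step that still authenticates (the `Setup Cachix` step that appears as context in the previous patch, or anything else that pushes to a cache) needs an explicit guard such as `if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}` or it will fail or run without credentials on fork PRs. Those steps are outside this hunk, so this is a check to make rather than a defect in the visible lines. It is also worth confirming that no other workflow or action in the repository still depends on the `pull_request_target` event context for this job.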
@@ -92,19 +92,8 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- - name: Get merge commit
- if: ${{ github.event_name == 'pull_request_target' }}
- id: merge-commit
- uses: PrismLauncher/PrismLauncher/.github/actions/get-merge-commit@develop
- with:
- pull-request-id: ${{ github.event.number }}
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- name: Checkout repository
uses: actions/checkout@v5
- with:
- ref: ${{ steps.merge-commit.outputs.merge-commit-sha || github.sha }}
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@v19
@@ -113,7 +102,7 @@ jobs:
# For PRs
- name: Setup Nix Magic Cache
- if: ${{ github.event_name == 'pull_request_target' }}
+ if: ${{ github.event_name == 'pull_request' }}
uses: DeterminateSystems/magic-nix-cache-action@v13
with:
diagnostic-endpoint: ""
From 87174a0d5a2de92f8df5b34c12c9a5a3d2c9a0e9 Mon Sep 17 00:00:00 2001
From: Seth Flynn
Date: Sun, 21 Sep 2025 16:27:42 -0400
Subject: [PATCH 3/4] ci(get-merge-commit): drop
No longer used after `pull_request_target` was NUKED
Signed-off-by: Seth Flynn
---
.github/actions/get-merge-commit/action.yml | 103 --------------------
1 file changed, 103 deletions(-)
delete mode 100644 .github/actions/get-merge-commit/action.yml
diff --git a/.github/actions/get-merge-commit/action.yml b/.github/actions/get-merge-commit/action.yml
deleted file mode 100644
index 534d138e1..000000000
--- a/.github/actions/get-merge-commit/action.yml
+++ /dev/null
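Review bot: The `Checkout repository` step now runs with no `with:` block at all, which leaves `actions/checkout` at its default `persist-credentials: true`, so the job's `GITHUB_TOKEN` is written into `.git/config` where anything executed during the Nix evaluation and build of the pull request's code can read it; since this job now builds untrusted PR heads, add `with:` and `persist-credentials: false` to that step. Under `pull_request` the token is read-only for fork PRs, but for same-repository branch PRs it carries whatever the workflow-level `permissions:` block grants, which is not visible in this hunk, so the exposure depends on that block. Dropping the merge-commit lookup is otherwise fine: for a `pull_request` event the default checkout ref is normally already the PR's merge commit, which is what the removed `ref:` expression was computing. `actions/checkout@v5` is pinned by tag rather than SHA; pinning to a full commit SHA would make the job's supply chain auditable. The build job continues past the end of this hunk.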
@@ -1,103 +0,0 @@ -# This file incorporates work covered by the following copyright and -# permission notice -# -# Copyright (c) 2003-2025 Eelco Dolstra and the Nixpkgs/NixOS contributors -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and associated documentation files (the -# "Software"), to deal in the Software without restriction, including -# without limitation the rights to use, copy, modify, merge, publish, -# distribute, sublicense, and/or sell copies of the Software, and to -# permit persons to whom the Software is furnished to do so, subject to -# the following conditions: -# -# The above copyright notice and this permission notice shall be -# included in all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- -name: Get merge commit -description: Get a merge commit of a given pull request - -inputs: - repository: - description: Repository containing the pull request - required: false - pull-request-id: - description: ID of a pull request - required: true - -outputs: - merge-commit-sha: - description: Git SHA of a merge commit - value: ${{ steps.query.outputs.merge-commit-sha }} - -runs: - using: composite - - steps: - - name: Wait for GitHub to report merge commit - id: query - shell: bash - env: - GITHUB_REPO: ${{ inputs.repository || github.repository }} - PR_ID: ${{ inputs.pull-request-id }} - # https://github.com/NixOS/nixpkgs/blob/8f77f3600f1ee775b85dc2c72fd842768e486ec9/ci/get-merge-commit.sh - run: | - set -euo pipefail - - log() { - echo "$@" >&2 - } - - # Retry the API query this many times - retryCount=5 - # Start with 5 seconds, but double every retry - retryInterval=5 - - while true; do - log "Checking whether the pull request can be merged" - prInfo=$(gh api \ - -H "Accept: application/vnd.github+json" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - "/repos/$GITHUB_REPO/pulls/$PR_ID") - - # Non-open PRs won't have their mergeability computed no matter what - state=$(jq -r .state <<<"$prInfo") - if [[ "$state" != open ]]; then - log "PR is not open anymore" - exit 1 - fi - - mergeable=$(jq -r .mergeable <<<"$prInfo") - if [[ "$mergeable" == "null" ]]; then - if ((retryCount == 0)); then - log "Not retrying anymore. 
It's likely that GitHub is having internal issues: check https://www.githubstatus.com/" - exit 3 - else - ((retryCount -= 1)) || true - - # null indicates that GitHub is still computing whether it's mergeable - # Wait a couple seconds before trying again - log "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)" - sleep "$retryInterval" - - ((retryInterval *= 2)) || true - fi - else - break - fi - done - - if [[ "$mergeable" == "true" ]]; then - echo "merge-commit-sha=$(jq -r .merge_commit_sha <<<"$prInfo")" >> "$GITHUB_OUTPUT" - else - echo "# 🚨 The PR has a merge conflict!" >> "$GITHUB_STEP_SUMMARY" - exit 2 - fi From 7ba91ca488e9dc451e935ddf963c3d6ee3c18753 Mon Sep 17 00:00:00 2001 From: Seth Flynn Date: Sun, 21 Sep 2025 16:25:55 -0400 Subject: [PATCH 4/4] ci(nix): always use upstream nix This ensures evaluation is consistent between out-of-tree and in-tree runs It also probably won't be possible to install upstream Nix with the Determinate installer action soon so..... Signed-off-by: Seth Flynn --- .github/workflows/nix.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml index 4349da448..3a1800ff9 100644 --- a/.github/workflows/nix.yml +++ b/.github/workflows/nix.yml @@ -67,7 +67,6 @@ permissions: env: DEBUG: ${{ github.ref_type != 'tag' }} - USE_DETERMINATE: ${{ github.event_name == 'pull_request' }} jobs: build: @@ -96,9 +95,7 @@ jobs: uses: actions/checkout@v5 - name: Install Nix - uses: DeterminateSystems/nix-installer-action@v19 - with: - determinate: ${{ env.USE_DETERMINATE }} + uses: cachix/install-nix-action@v31 # For PRs - name: Setup Nix Magic Cache
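Review bot: `cachix/install-nix-action@v31` on the new side is pinned to a mutable tag, and it installs the tool every later step runs with, so a moved or hijacked tag silently changes the toolchain for every PR build; pin it to the full commit SHA and keep the version as a comment, `uses: cachix/install-nix-action@<full-sha> # v31`. Removing the `determinate:` input together with the `USE_DETERMINATE` env (dropped in the earlier hunk of this patch) leaves no visible reader of that variable, but the `Setup Cachix` and later steps are outside view and should be checked for the same name. The commit message gives the rationale for using upstream Nix everywhere; a one-line comment above the step would preserve it in the file, e.g. `# Upstream Nix for both PR and in-tree builds so evaluation is identical`. This hunk ends at the `Setup Nix Magic Cache` step header, whose body lies beyond the end of the hunk.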