feat: automatically merge on successful review

This commit is contained in:
Defelo 2025-07-22 21:46:30 +02:00
commit b04abd83bf
No known key found for this signature in database
GPG key ID: 2A05272471204DD3
3 changed files with 52 additions and 14 deletions

View file

@ -62,11 +62,15 @@ on:
required: true
type: boolean
default: true
approve-on-success:
description: "Approve PR on review success"
on-success:
description: "What to do on review success"
required: true
type: boolean
default: false
type: choice
default: nothing
options:
- nothing
- approve
- merge
jobs:
prepare:
@ -75,6 +79,7 @@ jobs:
pr: ${{ steps.pr.outputs.pr }}
head: ${{ steps.pr.outputs.head }}
merge: ${{ steps.pr.outputs.merge }}
author_id: ${{ steps.pr.outputs.author_id }}
steps:
- name: get pr
@ -94,6 +99,7 @@ jobs:
echo "pr=$pr" >> "$GITHUB_OUTPUT"
echo "head=$(jq -r '.head.sha' <<< "$pr")" >> "$GITHUB_OUTPUT"
echo "merge=$(jq -r '.merge_commit_sha' <<< "$pr")" >> "$GITHUB_OUTPUT"
echo "author_id=$(jq -r '.user.id' <<< "$pr")" >> "$GITHUB_OUTPUT"
env:
GH_TOKEN: ${{ github.token }}
@ -190,7 +196,7 @@ jobs:
if [[ ${{ vars.ATTIC_SERVER != '' && vars.ATTIC_CACHE != '' }} = true ]]; then
attic login default "$ATTIC_SERVER" "$ATTIC_TOKEN"
if ! attic cache info "$ATTIC_CACHE"; then
echo "::error:: attic returned an error"
echo "::error::attic returned an error"
exit 0
fi
attic push --stdin "$ATTIC_CACHE" < paths
@ -323,8 +329,8 @@ jobs:
post-result:
runs-on: ubuntu-latest
needs: [report]
if: ${{ inputs.post-result || inputs.approve-on-success }}
needs: [prepare, report]
if: ${{ inputs.post-result || inputs.on-success != 'nothing' }}
steps:
- name: fetch report
@ -342,10 +348,42 @@ jobs:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
- name: approve pull request
if: ${{ inputs.approve-on-success && needs.report.outputs.success == 'true' }}
if: ${{ needs.report.outputs.success == 'true' && (inputs.on-success == 'approve' || inputs.on-success == 'merge') }}
run: |
if [[ -n "$GH_TOKEN" ]]; then
gh pr -R NixOS/nixpkgs review ${PR_NUMBER} --approve -b "Approved automatically following the successful run of \`nixpkgs-review\`." || true
if [[ -z "$GH_TOKEN" ]]; then
echo "::error::Cannot approve the PR because no GH_TOKEN has been configured."
exit 1
fi
user_id="$(gh api /user --jq .id)"
if [[ "$user_id" != "$PR_AUTHOR_ID" ]]; then
gh pr -R NixOS/nixpkgs review ${PR_NUMBER} --approve -b "Approved automatically following the successful run of \`nixpkgs-review\`."
elif [[ "${{ inputs.on-success }}" = "approve" ]]; then
echo "::error::You cannot approve your own pull request."
exit 1
fi
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
PR_AUTHOR_ID: ${{ needs.prepare.outputs.author_id }}
- name: merge pull request
if: ${{ needs.report.outputs.success == 'true' && inputs.on-success == 'merge' }}
run: |
if [[ -z "$GH_TOKEN" ]]; then
echo "::error::Cannot merge the PR because no GH_TOKEN has been configured."
exit 1
fi
is_committer="$(gh api /repos/NixOS/nixpkgs --jq .permissions.push)"
if [[ "$is_committer" = true ]]; then
gh pr -R NixOS/nixpkgs merge ${PR_NUMBER} --merge --match-head-commit "$HEAD"
else
current_head="$(gh api "/repos/NixOS/nixpkgs/pulls/$PR_NUMBER" --jq .head.sha)"
if [[ "$current_head" != "$HEAD" ]]; then
echo "::error::Refusing to merge because the head branch was modified (expected $HEAD, got $current_head instead)"
exit 1
fi
gh pr -R NixOS/nixpkgs comment ${PR_NUMBER} -b "@NixOS/nixpkgs-merge-bot merge"
fi
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
HEAD: ${{ needs.prepare.outputs.head }}

View file

@ -8,7 +8,7 @@ Run [nixpkgs-review](https://github.com/Mic92/nixpkgs-review) in GitHub Actions
- Automatically post results on the reviewed pull request
- Optionally start an [Upterm](https://upterm.dev/) session after nixpkgs-review has finished to allow interactive testing/debugging via SSH
- Push new packages to an [Attic](https://github.com/zhaofengli/attic) or [Cachix](https://www.cachix.org/) cache
- Automatically approve pull requests on review success
- After a successful review, automatically approve the PR or merge it (directly or via the [nixpkgs-merge-bot](https://github.com/NixOS/nixpkgs-merge-bot))
- Add a "Run nixpkgs-review" shortcut to pull request pages in nixpkgs
## Setup
@ -16,8 +16,8 @@ Run [nixpkgs-review](https://github.com/Mic92/nixpkgs-review) in GitHub Actions
2. In your fork, go to the [Actions](../../actions) tab and enable GitHub Actions workflows.
3. If you don't want to set up [automatic self-updates](#automatic-self-updates-optional), please disable the `self-update` workflow ([Actions / `self-update`](../../actions/workflows/self-update.yml) > `...` button (top right corner) > `Disable workflow`).
### Post Results / Auto Approve (optional)
If you want nixpkgs-review-gha to automatically post the results on the reviewed pull requests or automatically approve them, you need to generate a [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens):
### Post Results / Auto Approve/Merge (optional)
If you want nixpkgs-review-gha to automatically post the results on the reviewed pull requests or automatically approve/merge them, you need to generate a [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens):
1. Go to <https://github.com/settings/tokens> and generate a new **classic** token with the `public_repo` scope.
2. In your fork, go to "Settings" > "Secrets and variables" > "Actions" and [add a new repository secret](../../settings/secrets/actions/new) with the name `GH_TOKEN` and set its value to the personal access token you generated before.

View file

@ -19,7 +19,7 @@ const reviewDefaults = ({ title, commits, labels, author, authoredByMe, hasLinux
// "push-to-cache": true,
// "upterm": false,
// "post-result": true,
// "approve-on-success": false,
// "on-success": "nothing",
};
};