nixpkgs/.github/workflows/merge-group.yml
Aliaksandr 124d676b88 ci/eval: name the base branch in the performance comparison summary
The performance comparison summary previously stated it compared against
"its pull request base branch (e.g., 'master')" regardless of the actual
base branch.

Plumb the base branch classification computed in prepare.js through the
eval workflow to the `compare` derivation so the summary names the real
base branch (e.g. "staging-25.11"). The local `eval.full` helper defaults
to "master", matching its touched-files convention.

Assisted-by: claude-code with claude-opus-4-8[1m]-high
(cherry picked from commit a100d091a0)
2026-06-17 11:26:41 +00:00

146 lines
5.2 KiB
YAML

name: Merge Group
on:
merge_group:
workflow_call:
inputs:
artifact-prefix:
required: true
type: string
mergedSha:
required: true
type: string
targetSha:
required: true
type: string
permissions: {}
jobs:
prepare:
runs-on: ubuntu-slim
outputs:
baseBranch: ${{ steps.prepare.outputs.base }}
mergedSha: ${{ steps.prepare.outputs.mergedSha }}
targetSha: ${{ steps.prepare.outputs.targetSha }}
systems: ${{ steps.prepare.outputs.systems }}
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
sparse-checkout: |
ci/github-script/supportedSystems.js
- id: prepare
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
MERGED_SHA: ${{ inputs.mergedSha }}
TARGET_SHA: ${{ inputs.targetSha }}
with:
script: |
const { classify } = require('./ci/supportedBranches.js')
const supportedSystems = require('./ci/github-script/supportedSystems.js')
const baseBranch = (
context.payload.merge_group?.base_ref ??
context.payload.pull_request.base.ref
).replace(/^refs\/heads\//, '')
const baseClassification = classify(baseBranch)
core.setOutput('base', baseClassification)
core.info('base classification:', baseClassification)
const mergedSha = context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA
core.setOutput('mergedSha', mergedSha)
core.info(`mergedSha: ${mergedSha}`)
const targetSha = context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA
core.setOutput('targetSha', targetSha)
core.info(`targetSha: ${targetSha}`)
const systems = await supportedSystems({ github, context, targetSha })
core.setOutput('systems', systems)
check:
name: Check
needs: [prepare]
uses: ./.github/workflows/check.yml
permissions:
pull-requests: write # cherry-picks: unused in merge queue but required for check workflow
secrets:
CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with:
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
lint:
name: Lint
needs: [prepare]
uses: ./.github/workflows/lint.yml
secrets:
CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with:
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
eval:
name: Eval
needs: [prepare]
uses: ./.github/workflows/eval.yml
# The eval workflow requests these permissions so we must explicitly allow them,
# even though they are unused when working with the merge queue.
permissions:
pull-requests: write # compare: unused in merge queue but required by eval workflow
statuses: write # compare: unused in merge queue but required by eval workflow
secrets:
CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with:
artifact-prefix: ${{ inputs.artifact-prefix }}
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
baseBranch: ${{ needs.prepare.outputs.baseBranch }}
systems: ${{ needs.prepare.outputs.systems }}
build:
name: Build
needs: [prepare]
uses: ./.github/workflows/build.yml
secrets:
CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with:
artifact-prefix: ${{ inputs.artifact-prefix }}
baseBranch: ${{ needs.prepare.outputs.baseBranch }}
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
# This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
# It "needs" all the jobs that should block the Merge Queue.
unlock:
if: github.event_name != 'pull_request' && always()
# Modify this list to add or remove jobs from required status checks.
needs:
- check
- lint
- eval
- build
runs-on: ubuntu-slim
permissions:
statuses: write # creating 'no PR failures' commit status
steps:
- uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
RESULTS: ${{ toJSON(needs.*.result) }}
with:
script: |
const { serverUrl, repo, runId, payload } = context
const target_url =
`${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}`
await github.rest.repos.createCommitStatus({
...repo,
sha: payload.merge_group.head_sha,
// WARNING:
// Do NOT change the name of this, otherwise the rule will not catch it anymore.
// This would prevent all PRs from merging.
context: 'no PR failures',
state: JSON.parse(process.env.RESULTS).every(result => result == 'success') ? 'success' : 'error',
target_url,
})