Run nixpkgs-review in GitHub Actions
- Build on `x86_64-linux`, `aarch64-linux`, `x86_64-darwin` and `aarch64-darwin`
- No local setup
- Automatically post results on the reviewed pull request
- Optionally start an Upterm session after nixpkgs-review has finished to allow interactive testing/debugging via SSH
- Push new packages to an Attic or Cachix cache
- After a successful review, automatically mark the PR as ready for review, approve it, or merge it (directly or via the nixpkgs-merge-bot)
- Add a "Run nixpkgs-review" shortcut to pull request pages in nixpkgs
- Fork this repository.
- In your fork, go to the Actions tab and enable GitHub Actions workflows.
- If you don't want to set up automatic self-updates, please disable the `self-update` workflow (Actions > `self-update` > `...` button (top right corner) > Disable workflow).
If you want nixpkgs-review-gha to automatically post the results on the reviewed pull requests or automatically mark them as ready for review or approve/merge them, you need to generate a personal access token:
- Go to https://github.com/settings/tokens and generate a new classic token with the `public_repo` scope.
- In your fork, go to "Settings" > "Secrets and variables" > "Actions" and add a new repository secret with the name `GH_TOKEN` and set its value to the personal access token you generated before.
If you want your fork to update itself on a regular basis, you need to generate a personal access token. Note that this token is different from the one used above!
- Go to https://github.com/settings/personal-access-tokens and generate a new fine-grained token with access to only your fork ("Repository access" > "Only select repositories") and "Read and write" permissions for both "Contents" and "Workflows".
- In your fork, go to "Settings" > "Secrets and variables" > "Actions" and add a new repository secret with the name `GH_SELF_UPDATE_TOKEN` and set its value to the personal access token you generated before.
Follow these steps if you want nixpkgs-review-gha to push new packages to an Attic cache. Replace `$CACHE` with the name of your cache (e.g. nixpkgs) and `$SERVER` with the URL of your Attic server (e.g. https://attic.example.com/):
- Generate a token with `push` and `pull` permissions: `atticadm make-token --sub nixpkgs-review-gha --validity 1y --pull $CACHE --push $CACHE`
- Create a new variable with the name `ATTIC_SERVER` and set it to the value of `$SERVER`
- Create a new variable with the name `ATTIC_CACHE` and set it to the value of `$CACHE`
- Create a new secret with the name `ATTIC_TOKEN` and set its value to the token you generated before.
Follow these steps if you want nixpkgs-review-gha to push new packages to a Cachix cache. Note: If both an Attic cache and a Cachix cache are configured, the Attic cache is preferred and the Cachix configuration is ignored.
- Go to https://app.cachix.org/ and set up your binary cache.
- Create a new variable with the name `CACHIX_CACHE` and set it to the name of your Cachix cache.
- Create a new secret with the name `CACHIX_AUTH_TOKEN` and set its value to your auth token. If you are using a self-signed cache, you also need to create a `CACHIX_SIGNING_KEY` secret and set its value to your private signing key.
If you have additional configuration you want to append to /etc/nix/nix.conf, you can create a new variable with the name EXTRA_NIX_CONFIG.
For example, if you want to configure nix to use additional substituters, set its value to the following:
```
extra-substituters = https://nix-community.cachix.org
extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
```
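A small linter for a candidate `EXTRA_NIX_CONFIG` value, added here as an example (it is not part of nixpkgs-review-gha). The function name and the constructed `RISKY` sample are assumptions; the checks rely on plain `substituters`/`trusted-public-keys` replacing Nix's defaults and on binary-cache keys being `name:base64` Ed25519 public keys of 32 bytes.

```python
import base64
import binascii
from urllib.parse import urlparse

# Plain forms replace Nix's defaults; the extra- forms append to them.
REPLACING = {"substituters", "trusted-public-keys"}

# The value shown above, plus a constructed value that should be rejected.
PAGE_EXAMPLE = (
    "extra-substituters = https://nix-community.cachix.org\n"
    "extra-trusted-public-keys = nix-community.cachix.org-1:"
    "mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\n"
)
RISKY = (  # constructed sample, not from the page
    "substituters = http://cache.example.invalid\n"
    "require-sigs = false\n"
    "extra-substituters = http://cache.example.invalid\n"
    "extra-trusted-public-keys = broken:AAAA\n"
)

def lint_extra_nix_config(text):
    """Return a list of warnings for a candidate EXTRA_NIX_CONFIG value."""
    warnings, substituters, keys = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # nix.conf comments start with '#'
        if not line:
            continue
        name, sep, value = line.partition("=")
        name, values = name.strip(), value.split()
        if not sep:
            warnings.append(f"line {lineno}: not a 'name = value' setting")
        elif name in REPLACING:
            warnings.append(f"line {lineno}: '{name}' replaces defaults; use 'extra-{name}'")
        elif name == "require-sigs" and values == ["false"]:
            warnings.append(f"line {lineno}: signature checking disabled")
        elif name == "extra-substituters":
            substituters += values
        elif name == "extra-trusted-public-keys":
            keys += values
    for url in substituters:
        if urlparse(url).scheme == "http":
            warnings.append(f"substituter {url} uses plain http")
    for key in keys:
        key_name, _, b64 = key.partition(":")
        try:
            ok = bool(key_name) and len(base64.b64decode(b64, validate=True)) == 32
        except (binascii.Error, ValueError):
            ok = False
        if not ok:
            warnings.append(f"public key '{key_name}' is not name:base64 of 32 bytes")
    if substituters and not keys:
        warnings.append("substituters added without any extra-trusted-public-keys")
    return warnings
```

Run it on the text you intend to paste into the variable; an empty list means none of these checks fired.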
Add `shortcut.js` as a user script in your browser for https://github.com/, for example using the User JavaScript and CSS Chrome extension or Violentmonkey. Don't forget to update the `repo` constant at the top of the file to point to your fork.
- Open the review workflow in the "Actions" tab
- Click on "Run workflow"
- Enter the number of the pull request in nixpkgs you would like to review and click on "Run workflow"
- Reload the page if necessary and click on the review run to see the logs