author: Silvan Mosberger <contact@infinisil.com> 2024-01-17 21:28:57 +0100
committer: GitHub <noreply@github.com> 2024-01-17 21:28:57 +0100
commit: 1cb065db34b2a1cfed444fe7fa038326d02385e7
tree: 4f7c4433ac44cf14d327f052289f63f4a317ebbd /pkgs
parent: 0f6090448ac739cfa7ad70ca1e4c300e9a4e9e24
parent: 1516b35afa9dca43d40a605292098bd24543009a
Merge pull request #281412 from tweag/by-name-update-contrib-docs
check-by-name: Fix CI, update contributor docs, remove legacy script
Diffstat (limited to 'pkgs')
-rw-r--r-- pkgs/test/nixpkgs-check-by-name/README.md | 21
-rw-r--r-- pkgs/test/nixpkgs-check-by-name/scripts/README.md | 18
-rwxr-xr-x pkgs/test/nixpkgs-check-by-name/scripts/fetch-pinned-tool.sh | 34
3 files changed, 21 insertions, 52 deletions
diff --git a/pkgs/test/nixpkgs-check-by-name/README.md b/pkgs/test/nixpkgs-check-by-name/README.md
index d779529c7baf..7dcd807b2710 100644
--- a/pkgs/test/nixpkgs-check-by-name/README.md
+++ b/pkgs/test/nixpkgs-check-by-name/README.md
@@ -1,9 +1,13 @@
 # Nixpkgs pkgs/by-name checker
 
 This directory implements a program to check the [validity](#validity-checks) of the `pkgs/by-name` Nixpkgs directory.
-It is being used by [this GitHub Actions workflow](../../../.github/workflows/check-by-name.yml).
 This is part of the implementation of [RFC 140](https://github.com/NixOS/rfcs/pull/140).
 
+A [pinned version](./scripts/pinned-tool.json) of this tool is used by [this GitHub Actions workflow](../../../.github/workflows/check-by-name.yml).
+See [./scripts](./scripts/README.md#update-pinned-toolsh) for how to update the pinned version.
+
+The source of the tool being right inside Nixpkgs allows any Nixpkgs committer to make updates to it.
+
 ## Interface
 
 The interface of the tool is shown with `--help`:
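Review bot: The last added line, "The source of the tool being right inside Nixpkgs allows any Nixpkgs committer to make updates to it.", is awkwardly phrased for a README intro. Consider "Because the tool's source lives inside Nixpkgs, any Nixpkgs committer can update it.", which also reads better directly after the two sentences about the pinned version.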
@@ -96,18 +100,3 @@ Tests are declared in [`./tests`](./tests) as subdirectories imitating Nixpkgs w
 - `expected` (optional):
   A file containing the expected standard output.
   The default is expecting an empty standard output.
-
-## Hydra builds
-
-This program will always be available pre-built for `x86_64-linux` on the `nixos-unstable` channel and `nixos-XX.YY` channels.
-This is ensured by including it in the `tested` jobset description in [`nixos/release-combined.nix`](../../../nixos/release-combined.nix).
-
-This allows CI for PRs to development branches `master` and `release-XX.YY` to fetch the pre-built program from the corresponding channel and use that to check the PR. This has the following benefits:
-- It allows CI to check all PRs, even if they would break the CI tooling.
-- It makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
-- It improves security, since we don't have to build potentially untrusted code from PRs.
-  The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).
-- It allows anybody to make updates to the tooling and for those updates to be automatically used by CI without needing a separate release mechanism.
-
-The tradeoff is that there's a delay between updates to the tool and those updates being used by CI.
-This needs to be considered when updating the [API](#api).
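Review bot: The removed "Hydra builds" section ends with a caveat that has no counterpart in the text this patch adds to scripts/README.md: tool updates reach CI with a delay, and this "needs to be considered when updating the [API](#api)". The three benefit bullets and the `release-combined.nix` note are carried over, but with a manually updated pin the tool source and the version CI runs can still differ, so consider keeping one sentence on that in this README or in scripts/README.md.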
diff --git a/pkgs/test/nixpkgs-check-by-name/scripts/README.md b/pkgs/test/nixpkgs-check-by-name/scripts/README.md
index cfef2115d4c7..ccd4108ea288 100644
--- a/pkgs/test/nixpkgs-check-by-name/scripts/README.md
+++ b/pkgs/test/nixpkgs-check-by-name/scripts/README.md
@@ -19,6 +19,20 @@ Arguments:
 ## `./update-pinned-tool.sh`
 
 Updates the pinned CI tool in [`./pinned-tool.json`](./pinned-tool.json) to the
-[latest version from the `nixos-unstable` channel](https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.tests.nixpkgs-check-by-name.x86_64-linux)
+[latest version from the `nixos-unstable` channel](https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.tests.nixpkgs-check-by-name.x86_64-linux).
+
+This script needs to be called manually when the CI tooling needs to be updated.
+
+The `pinned-tool.json` file gets populated with both:
+- The `/nix/store` path for `x86_64-linux`, such that CI doesn't have to evaluate Nixpkgs and can directly fetch it from the cache instead.
+- The Nixpkgs revision, such that the `./run-local.sh` script can be used to run the checks locally on any system.
+
+To ensure that the tool is always pre-built for `x86_64-linux` in the `nixos-unstable` channel,
+it's included in the `tested` jobset description in [`nixos/release-combined.nix`](../../../nixos/release-combined.nix).
+
+Why not just build the tooling right from the PRs Nixpkgs version?
+- Because it allows CI to check all PRs, even if they would break the CI tooling.
+- Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
+- Because it improves security, since we don't have to build potentially untrusted code from PRs.
+  The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).
 
-This script is called manually once the CI tooling needs to be updated.
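Review bot: The added description of `pinned-tool.json` lists the `/nix/store` path (used by CI) and the Nixpkgs revision (used by `./run-local.sh`) but does not say that both must describe the same build. Since CI fetches the store path directly from the cache, a hand edit to only one field would leave CI and local runs checking with different tools; consider stating that the file is only to be changed through `./update-pinned-tool.sh`. Minor: "the PRs Nixpkgs version" is missing an apostrophe ("the PR's"), and the hunk leaves a blank line at the end of the file where the old closing sentence was removed.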
diff --git a/pkgs/test/nixpkgs-check-by-name/scripts/fetch-pinned-tool.sh b/pkgs/test/nixpkgs-check-by-name/scripts/fetch-pinned-tool.sh
deleted file mode 100755
index a69df2d08da2..000000000000
--- a/pkgs/test/nixpkgs-check-by-name/scripts/fetch-pinned-tool.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-# Legacy script, can be removed once the PR removing its use is merged.
-# It's not used anymore because CI and local runs both use pinned-tool.json as their source of truth now,
-# though in different ways since local runs need to support arbitrary platforms
-
-# Try to not use nix-shell here to avoid fetching Nixpkgs,
-# especially since this is used in CI
-# The only dependency is `jq`, which in CI is implicitly available
-# And when run from ./run-local.sh is provided by that parent script
-
-set -o pipefail -o errexit -o nounset
-
-trace() { echo >&2 "$@"; }
-
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-
-pin_file=$SCRIPT_DIR/pinned-tool.json
-
-if (( $# < 1 )); then
-    trace "Usage: $0 fetch OUTPUT_PATH"
-    trace "OUTPUT_PATH: The output symlink path for the tool"
-    exit 1
-fi
-output=$1
-
-trace "Reading $pin_file.. "
-rev=$(jq -r .rev "$SCRIPT_DIR"/pinned-tool.json)
-trace -e "Git revision is \e[34m$rev\e[0m"
-path=$(jq -r '."ci-path"' "$SCRIPT_DIR"/pinned-tool.json)
-trace "Tooling path is $path"
-
-trace -n "Fetching the prebuilt version of nixpkgs-check-by-name.. "
-nix-store --add-root "$output" -r "$path" >/dev/null
-realpath "$output"
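Review bot: The deleted script's header says it "can be removed once the PR removing its use is merged", and its comments name both CI and `./run-local.sh` as callers, but this diff is limited to `pkgs` and shows no change to `./run-local.sh` or to the workflow. Please confirm that neither still references `fetch-pinned-tool.sh` before this lands, since a leftover call would fail only when the check runs.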