Diffstat (limited to 'pkgs/test')
-rw-r--r-- | pkgs/test/nixpkgs-check-by-name/README.md | 21 | ||||
-rw-r--r-- | pkgs/test/nixpkgs-check-by-name/default.nix | 17 | ||||
-rw-r--r-- | pkgs/test/nixpkgs-check-by-name/scripts/README.md | 19 | ||||
-rwxr-xr-x | pkgs/test/nixpkgs-check-by-name/scripts/fetch-pinned-tool.sh | 30 | ||||
-rw-r--r-- | pkgs/test/nixpkgs-check-by-name/scripts/pinned-tool.json | 2 | ||||
-rwxr-xr-x | pkgs/test/nixpkgs-check-by-name/scripts/run-local.sh | 16 | ||||
-rwxr-xr-x | pkgs/test/nixpkgs-check-by-name/scripts/update-pinned-tool.sh | 17 | ||||
-rw-r--r-- | pkgs/test/nixpkgs-check-by-name/src/eval.rs | 19 | ||||
-rw-r--r-- | pkgs/test/nixpkgs-check-by-name/src/main.rs | 42 |
9 files changed, 76 insertions, 107 deletions
diff --git a/pkgs/test/nixpkgs-check-by-name/README.md b/pkgs/test/nixpkgs-check-by-name/README.md index 0ed898f14565..1aa256978416 100644 --- a/pkgs/test/nixpkgs-check-by-name/README.md +++ b/pkgs/test/nixpkgs-check-by-name/README.md @@ -1,9 +1,13 @@ # Nixpkgs pkgs/by-name checker This directory implements a program to check the [validity](#validity-checks) of the `pkgs/by-name` Nixpkgs directory. -It is being used by [this GitHub Actions workflow](../../../.github/workflows/check-by-name.yml). This is part of the implementation of [RFC 140](https://github.com/NixOS/rfcs/pull/140). +A [pinned version](./scripts/pinned-tool.json) of this tool is used by [this GitHub Actions workflow](../../../.github/workflows/check-by-name.yml). +See [./scripts](./scripts/README.md#update-pinned-toolsh) for how to update the pinned version. + +The source of the tool being right inside Nixpkgs allows any Nixpkgs committer to make updates to it. + ## Interface The interface of the tool is shown with `--help`: 
@@ -96,18 +100,3 @@ Tests are declared in [`./tests`](./tests) as subdirectories imitating Nixpkgs w - `expected` (optional): A file containing the expected standard output. The default is expecting an empty standard output. - -## Hydra builds - -This program will always be available pre-built for `x86_64-linux` on the `nixos-unstable` channel and `nixos-XX.YY` channels. -This is ensured by including it in the `tested` jobset description in [`nixos/release-combined.nix`](../../../nixos/release-combined.nix). - -This allows CI for PRs to development branches `master` and `release-XX.YY` to fetch the pre-built program from the corresponding channel and use that to check the PR. This has the following benefits: -- It allows CI to check all PRs, even if they would break the CI tooling. -- It makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds. -- It improves security, since we don't have to build potentially untrusted code from PRs. - The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval). -- It allows anybody to make updates to the tooling and for those updates to be automatically used by CI without needing a separate release mechanism. - -The tradeoff is that there's a delay between updates to the tool and those updates being used by CI. -This needs to be considered when updating the [API](#api). diff --git a/pkgs/test/nixpkgs-check-by-name/default.nix b/pkgs/test/nixpkgs-check-by-name/default.nix index f2a6473ad202..8836da1f403f 100644 --- a/pkgs/test/nixpkgs-check-by-name/default.nix +++ b/pkgs/test/nixpkgs-check-by-name/default.nix 
@@ -11,6 +11,7 @@ let runtimeExprPath = ./src/eval.nix; nixpkgsLibPath = ../../../lib; + testNixpkgsPath = ./tests/mock-nixpkgs.nix; # Needed to make Nix evaluation work inside nix builds initNix = '' @@ -26,10 +27,20 @@ let nix-store --init ''; + fs = lib.fileset; + package = rustPlatform.buildRustPackage { name = "nixpkgs-check-by-name"; - src = lib.cleanSource ./.; + src = fs.toSource { + root = ./.; + fileset = fs.unions [ + ./Cargo.lock + ./Cargo.toml + ./src + ./tests + ]; + }; cargoLock.lockFile = ./Cargo.lock; nativeBuildInputs = [ nix @@ -38,7 +49,7 @@ let makeWrapper ]; env.NIX_CHECK_BY_NAME_EXPR_PATH = "${runtimeExprPath}"; - env.NIXPKGS_LIB_PATH = "${nixpkgsLibPath}"; + env.NIX_PATH = "test-nixpkgs=${testNixpkgsPath}:test-nixpkgs/lib=${nixpkgsLibPath}"; preCheck = initNix; postCheck = '' cargo fmt --check @@ -50,7 +61,7 @@ let ''; passthru.shell = mkShell { env.NIX_CHECK_BY_NAME_EXPR_PATH = toString runtimeExprPath; - env.NIXPKGS_LIB_PATH = toString nixpkgsLibPath; + env.NIX_PATH = "test-nixpkgs=${toString testNixpkgsPath}:test-nixpkgs/lib=${toString nixpkgsLibPath}"; inputsFrom = [ package ]; }; diff --git a/pkgs/test/nixpkgs-check-by-name/scripts/README.md b/pkgs/test/nixpkgs-check-by-name/scripts/README.md index cb520f4728d3..ccd4108ea288 100644 --- a/pkgs/test/nixpkgs-check-by-name/scripts/README.md +++ b/pkgs/test/nixpkgs-check-by-name/scripts/README.md 
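Review bot: The new `env.NIX_PATH = "test-nixpkgs=…:test-nixpkgs/lib=…"` binding in the `buildRustPackage` call (and its twin under `passthru.shell`) carries a contract that nothing in this file states: the Rust test suite depends on `NIX_PATH` surviving into the evaluation child process, whereas the packaged CLI is meant to clear it, and the two `test-nixpkgs` / `test-nixpkgs/lib` prefixes are presumably what the test fixtures resolve. A maintainer editing one of these assignments has no hint that the other, and the tests, must move with it. Suggest the same comment above both: `# Consumed only by the test suite (which keeps NIX_PATH for evaluation); the CLI itself clears NIX_PATH, so these prefixes are never visible to real runs`. The enclosing `let` block begins before this hunk.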
@@ -19,15 +19,20 @@ Arguments: ## `./update-pinned-tool.sh` Updates the pinned CI tool in [`./pinned-tool.json`](./pinned-tool.json) to the -[latest version from the `nixos-unstable` channel](https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.tests.nixpkgs-check-by-name.x86_64-linux) +[latest version from the `nixos-unstable` channel](https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.tests.nixpkgs-check-by-name.x86_64-linux). -This script is called manually once the CI tooling needs to be updated. +This script needs to be called manually when the CI tooling needs to be updated. -## `./fetch-pinned-tool.sh OUTPUT_PATH` +The `pinned-tool.json` file gets populated with both: +- The `/nix/store` path for `x86_64-linux`, such that CI doesn't have to evaluate Nixpkgs and can directly fetch it from the cache instead. +- The Nixpkgs revision, such that the `./run-local.sh` script can be used to run the checks locally on any system. -Fetches the pinned tooling specified in [`./pinned-tool.json`](./pinned-tool.json). +To ensure that the tool is always pre-built for `x86_64-linux` in the `nixos-unstable` channel, +it's included in the `tested` jobset description in [`nixos/release-combined.nix`](../../../nixos/release-combined.nix). -This script is used both by [`./run-local.sh`](#run-local-sh-base-branch-repository) and CI. +Why not just build the tooling right from the PRs Nixpkgs version? +- Because it allows CI to check all PRs, even if they would break the CI tooling. +- Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds. +- Because it improves security, since we don't have to build potentially untrusted code from PRs. + The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval). 
-Arguments: -- `OUTPUT_PATH`: The output symlink path for the tool diff --git a/pkgs/test/nixpkgs-check-by-name/scripts/fetch-pinned-tool.sh b/pkgs/test/nixpkgs-check-by-name/scripts/fetch-pinned-tool.sh deleted file mode 100755 index 2e52275cab87..000000000000 --- a/pkgs/test/nixpkgs-check-by-name/scripts/fetch-pinned-tool.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/usr/bin/env bash -# Try to not use nix-shell here to avoid fetching Nixpkgs, -# especially since this is used in CI -# The only dependency is `jq`, which in CI is implicitly available -# And when run from ./run-local.sh is provided by that parent script - -set -o pipefail -o errexit -o nounset - -trace() { echo >&2 "$@"; } - -SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) - -pin_file=$SCRIPT_DIR/pinned-tool.json - -if (( $# < 1 )); then - trace "Usage: $0 fetch OUTPUT_PATH" - trace "OUTPUT_PATH: The output symlink path for the tool" - exit 1 -fi -output=$1 - -trace "Reading $pin_file.. " -rev=$(jq -r .rev "$SCRIPT_DIR"/pinned-tool.json) -trace -e "Git revision is \e[34m$rev\e[0m" -path=$(jq -r .path "$SCRIPT_DIR"/pinned-tool.json) -trace "Tooling path is $path" - -trace -n "Fetching the prebuilt version of nixpkgs-check-by-name.. " -nix-store --add-root "$output" -r "$path" >/dev/null -realpath "$output" diff --git a/pkgs/test/nixpkgs-check-by-name/scripts/pinned-tool.json b/pkgs/test/nixpkgs-check-by-name/scripts/pinned-tool.json index bbcbc57e86b2..b703ce74771e 100644 --- a/pkgs/test/nixpkgs-check-by-name/scripts/pinned-tool.json +++ b/pkgs/test/nixpkgs-check-by-name/scripts/pinned-tool.json @@ -1,4 +1,4 @@ { "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d", - "path": "/nix/store/qlls5ca8q88qpyygg9ddi60gl1nmvpij-nixpkgs-check-by-name" + "ci-path": "/nix/store/qlls5ca8q88qpyygg9ddi60gl1nmvpij-nixpkgs-check-by-name" } 
diff --git a/pkgs/test/nixpkgs-check-by-name/scripts/run-local.sh b/pkgs/test/nixpkgs-check-by-name/scripts/run-local.sh index b464515b37f6..46cbd5e858e2 100755 --- a/pkgs/test/nixpkgs-check-by-name/scripts/run-local.sh +++ b/pkgs/test/nixpkgs-check-by-name/scripts/run-local.sh @@ -14,6 +14,7 @@ cleanup() { [[ -e "$tmp/base" ]] && git worktree remove --force "$tmp/base" [[ -e "$tmp/merged" ]] && git worktree remove --force "$tmp/merged" + [[ -e "$tmp/tool-nixpkgs" ]] && git worktree remove --force "$tmp/tool-nixpkgs" rm -rf "$tmp" @@ -62,7 +63,20 @@ trace -n "Merging base branch into the HEAD commit in $tmp/merged.. " git -C "$tmp/merged" merge -q --no-edit "$baseSha" trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m" -"$tmp/merged/pkgs/test/nixpkgs-check-by-name/scripts/fetch-pinned-tool.sh" "$tmp/tool" +trace -n "Reading pinned nixpkgs-check-by-name revision from pinned-tool.json.. " +toolSha=$(jq -r .rev "$tmp/merged/pkgs/test/nixpkgs-check-by-name/scripts/pinned-tool.json") +trace -e "\e[34m$toolSha\e[0m" + +trace -n "Creating Git worktree for the nixpkgs-check-by-name revision in $tmp/tool-nixpkgs.. " +git worktree add -q "$tmp/tool-nixpkgs" "$toolSha" +trace "Done" + +trace "Building/fetching nixpkgs-check-by-name.." +nix-build -o "$tmp/tool" "$tmp/tool-nixpkgs" \ + -A tests.nixpkgs-check-by-name \ + --arg config '{}' \ + --arg overlays '[]' \ + -j 0 trace "Running nixpkgs-check-by-name.." "$tmp/tool/bin/nixpkgs-check-by-name" --base "$tmp/base" "$tmp/merged" diff --git a/pkgs/test/nixpkgs-check-by-name/scripts/update-pinned-tool.sh b/pkgs/test/nixpkgs-check-by-name/scripts/update-pinned-tool.sh index 3e44cf35b0d2..dbc6e91df08a 100755 --- a/pkgs/test/nixpkgs-check-by-name/scripts/update-pinned-tool.sh +++ b/pkgs/test/nixpkgs-check-by-name/scripts/update-pinned-tool.sh 
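Review bot: `toolSha`, read with `jq -r .rev` from the merged tree's `pinned-tool.json`, is passed straight to `git worktree add -q "$tmp/tool-nixpkgs" "$toolSha"` without any validation; if the key is absent jq prints the literal `null`, and any other non-hash value coming from the PR branch (a ref name, a string beginning with `-`) reaches git as-is and fails in a confusing way. Since the file is documented to hold a full commit hash, reject everything else before using it: `[[ "$toolSha" =~ ^[0-9a-f]{40}$ ]] || { trace "pinned-tool.json: rev is not a 40-hex commit hash: $toolSha"; exit 1; }`. Worth a comment on the `nix-build … -j 0` line as well: `-j 0` only forbids local builds, it does not stop Nix from evaluating whatever expression lives at that revision, so the pin still selects code the PR branch can name. The script's option handling and the cleanup trap are outside this hunk.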
@@ -7,6 +7,9 @@ trace() { echo >&2 "$@"; } SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +# Determined by `runs-on: ubuntu-latest` in .github/workflows/check-by-name.yml +CI_SYSTEM=x86_64-linux + channel=nixos-unstable pin_file=$SCRIPT_DIR/pinned-tool.json @@ -19,13 +22,19 @@ trace "$nixpkgs" rev=$(<"$nixpkgs/.git-revision") trace -e "Git revision of channel $channel is \e[34m$rev\e[0m" - -trace -n "Fetching the prebuilt version of nixpkgs-check-by-name.. " -path=$(nix-build --no-out-link "$nixpkgs" -A tests.nixpkgs-check-by-name -j 0 | tee /dev/stderr) +trace -n "Fetching the prebuilt version of nixpkgs-check-by-name for $CI_SYSTEM.. " +# This is the architecture used by CI, we want to prefetch the exact path to avoid having to evaluate Nixpkgs +ci_path=$(nix-build --no-out-link "$nixpkgs" \ + -A tests.nixpkgs-check-by-name \ + --arg config '{}' \ + --argstr system "$CI_SYSTEM" \ + --arg overlays '[]' \ + -j 0 \ + | tee /dev/stderr) trace "Updating $pin_file" jq -n \ --arg rev "$rev" \ - --arg path "$path" \ + --arg ci-path "$ci_path" \ '$ARGS.named' \ > "$pin_file" diff --git a/pkgs/test/nixpkgs-check-by-name/src/eval.rs b/pkgs/test/nixpkgs-check-by-name/src/eval.rs index c4dad8257cf9..e4584f09d8cd 100644 --- a/pkgs/test/nixpkgs-check-by-name/src/eval.rs +++ b/pkgs/test/nixpkgs-check-by-name/src/eval.rs @@ -2,8 +2,6 @@ use crate::nixpkgs_problem::NixpkgsProblem; use crate::ratchet; use crate::structure; use crate::validation::{self, Validation::Success}; -use std::collections::HashMap; -use std::ffi::OsString; use std::path::Path; use anyhow::Context; @@ -73,7 +71,7 @@ enum CallPackageVariant { pub fn check_values( nixpkgs_path: &Path, package_names: Vec<String>, - eval_nix_path: &HashMap<String, PathBuf>, + keep_nix_path: bool, ) -> validation::Result<ratchet::Nixpkgs> { // Write the list of packages we need to check into a temporary JSON file. // This can then get read by the Nix evaluation. 
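Review bot: The `--arg config '{}'` and `--arg overlays '[]'` flags added to the `nix-build` call are load-bearing but uncommented: without them the user's `~/.config/nixpkgs` config and overlays can alter the evaluated derivation, so the recorded `ci_path` would differ from what the channel built and would not be substitutable by CI. The existing comment only explains the `--argstr system` part; suggest widening it to `# Pin system, config and overlays so the evaluated store path is exactly the one the channel built for CI, independent of this machine's Nixpkgs user config`. A second short comment on `-j 0` would also help, since its role here is to make the script fail rather than build locally when the path is not yet in the cache — i.e. it is the guard against pinning an unbuilt path. The script's `set -o` options and the `nixpkgs` channel lookup are outside the hunk.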
@@ -99,8 +97,6 @@ pub fn check_values( command // Inherit stderr so that error messages always get shown .stderr(process::Stdio::inherit()) - // Clear NIX_PATH to be sure it doesn't influence the result - .env_remove("NIX_PATH") .args([ "--eval", "--json", @@ -121,15 +117,12 @@ pub fn check_values( .arg("-I") .arg(nixpkgs_path); - // Also add extra paths that need to be accessible - for (name, path) in eval_nix_path { - command.arg("-I"); - let mut name_value = OsString::new(); - name_value.push(name); - name_value.push("="); - name_value.push(path); - command.arg(name_value); + // Clear NIX_PATH to be sure it doesn't influence the result + // But not when requested to keep it, used so that the tests can pass extra Nix files + if !keep_nix_path { + command.env_remove("NIX_PATH"); } + command.args(["-I", &expr_path]); command.arg(expr_path); diff --git a/pkgs/test/nixpkgs-check-by-name/src/main.rs b/pkgs/test/nixpkgs-check-by-name/src/main.rs index 273ebca1643e..8179ec8ded74 100644 --- a/pkgs/test/nixpkgs-check-by-name/src/main.rs +++ b/pkgs/test/nixpkgs-check-by-name/src/main.rs @@ -12,7 +12,6 @@ use crate::validation::Validation::Success; use anyhow::Context; use clap::Parser; use colored::Colorize; -use std::collections::HashMap; use std::io; use std::path::{Path, PathBuf}; use std::process::ExitCode; @@ -45,12 +44,7 @@ pub struct Args { fn main() -> ExitCode { let args = Args::parse(); - match process( - &args.base, - &args.nixpkgs, - &HashMap::new(), - &mut io::stderr(), - ) { + match process(&args.base, &args.nixpkgs, false, &mut io::stderr()) { Ok(true) => { eprintln!("{}", "Validated successfully".green()); ExitCode::SUCCESS 
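Review bot: The `if !keep_nix_path { command.env_remove("NIX_PATH"); }` block makes the NIX_PATH isolation conditional, but the argument for why that is safe — that only the test harness ever passes `true` — is stated nowhere near this code, so a future caller inside `eval.rs` could flip it without seeing the consequence. The comment on the block should name the hazard: `// Test-only escape hatch: with NIX_PATH kept, every entry in the caller's` / `// environment becomes resolvable by the evaluation. Real runs must pass false.` If the doc comment on `check_values` (above this hunk) does not yet describe `keep_nix_path`, the same two sentences belong there. `check_values` starts before this hunk and its body continues past it.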
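Review bot: The call `process(&args.base, &args.nixpkgs, false, &mut io::stderr())` in `main` passes a bare positional `false` whose meaning (never keep NIX_PATH for CLI runs) is only discoverable by reading `process`'s signature. A named local makes the intent and the invariant visible at the call site: `// The CLI must always isolate the evaluation from the caller's NIX_PATH.` / `let keep_nix_path = false;` then `process(&args.base, &args.nixpkgs, keep_nix_path, &mut io::stderr())`. `main`'s body continues past the end of the hunk.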
@@ -71,9 +65,9 @@ fn main() -> ExitCode { /// # Arguments /// - `base_nixpkgs`: Path to the base Nixpkgs to run ratchet checks against. /// - `main_nixpkgs`: Path to the main Nixpkgs to check. -/// - `eval_accessible_paths`: -/// Extra paths that need to be accessible to evaluate Nixpkgs using `restrict-eval`. -/// This is used to allow the tests to access the mock-nixpkgs.nix file +/// - `keep_nix_path`: Whether the value of the NIX_PATH environment variable should be kept for +/// the evaluation stage, allowing its contents to be accessed. +/// This is used to allow the tests to access e.g. the mock-nixpkgs.nix file /// - `error_writer`: An `io::Write` value to write validation errors to, if any. /// /// # Return value @@ -83,15 +77,15 @@ fn main() -> ExitCode { pub fn process<W: io::Write>( base_nixpkgs: &Path, main_nixpkgs: &Path, - eval_nix_path: &HashMap<String, PathBuf>, + keep_nix_path: bool, error_writer: &mut W, ) -> anyhow::Result<bool> { // Check the main Nixpkgs first - let main_result = check_nixpkgs(main_nixpkgs, eval_nix_path, error_writer)?; + let main_result = check_nixpkgs(main_nixpkgs, keep_nix_path, error_writer)?; let check_result = main_result.result_map(|nixpkgs_version| { // If the main Nixpkgs doesn't have any problems, run the ratchet checks against the base // Nixpkgs - check_nixpkgs(base_nixpkgs, eval_nix_path, error_writer)?.result_map( + check_nixpkgs(base_nixpkgs, keep_nix_path, error_writer)?.result_map( |base_nixpkgs_version| { Ok(ratchet::Nixpkgs::compare( base_nixpkgs_version, @@ -119,7 +113,7 @@ pub fn process<W: io::Write>( /// ratchet check against another result. pub fn check_nixpkgs<W: io::Write>( nixpkgs_path: &Path, - eval_nix_path: &HashMap<String, PathBuf>, + keep_nix_path: bool, error_writer: &mut W, ) -> validation::Result<ratchet::Nixpkgs> { Ok({ 
@@ -140,7 +134,7 @@ pub fn check_nixpkgs<W: io::Write>( } else { check_structure(&nixpkgs_path)?.result_map(|package_names| // Only if we could successfully parse the structure, we do the evaluation checks - eval::check_values(&nixpkgs_path, package_names, eval_nix_path))? + eval::check_values(&nixpkgs_path, package_names, keep_nix_path))? } }) } @@ -150,10 +144,8 @@ mod tests { use crate::process; use crate::utils; use anyhow::Context; - use std::collections::HashMap; use std::fs; use std::path::Path; - use std::path::PathBuf; use tempfile::{tempdir_in, TempDir}; #[test] @@ -234,20 +226,6 @@ mod tests { } fn test_nixpkgs(name: &str, path: &Path, expected_errors: &str) -> anyhow::Result<()> { - let eval_nix_path = HashMap::from([ - ( - "test-nixpkgs".to_string(), - PathBuf::from("tests/mock-nixpkgs.nix"), - ), - ( - "test-nixpkgs/lib".to_string(), - PathBuf::from( - std::env::var("NIXPKGS_LIB_PATH") - .with_context(|| "Could not get environment variable NIXPKGS_LIB_PATH")?, - ), - ), - ]); - let base_path = path.join("base"); let base_nixpkgs = if base_path.exists() { base_path.as_path() @@ -258,7 +236,7 @@ mod tests { // We don't want coloring to mess up the tests let writer = temp_env::with_var("NO_COLOR", Some("1"), || -> anyhow::Result<_> { let mut writer = vec![]; - process(base_nixpkgs, &path, &eval_nix_path, &mut writer) + process(base_nixpkgs, &path, true, &mut writer) .with_context(|| format!("Failed test case {name}"))?; Ok(writer) })?; |
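Review bot: With `process(base_nixpkgs, &path, true, &mut writer)` the test fixtures now come entirely from whatever `NIX_PATH` the test process inherits, yet nothing in `test_nixpkgs` checks that the variable is set; the preceding hunk removed the only explicit diagnostic (the `Could not get environment variable NIXPKGS_LIB_PATH` context), so running `cargo test` outside `nix-build` or the `passthru.shell` now fails with a Nix path-lookup error buried in evaluation output instead of a clear message. A one-line guard near the top of the function restores that, and `anyhow::Context` is already imported in the tests module: `std::env::var("NIX_PATH").with_context(|| "NIX_PATH must provide test-nixpkgs and test-nixpkgs/lib; run the tests via nix-build or the dev shell from default.nix")?;`. `test_nixpkgs` begins in an earlier hunk and its body continues past the end of this one.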