Add refStatuses CEL variable
#151
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
As far as stable versions of Nix Flake Checker are concerned, a Nixpkgs
branch is considered supported if it meets the following criteria:
1. The branch is connected to a channel.
2. The branch’s status is not "unmaintained".
3. The branch’s status is not "beta".
Before this change, here’s how Nix Flake Checker would enforce those
criteria:
1. An API request was made to get a list of channels. Refs were only
considered if they were on that list [1].
2. Refs would only get added to allowed-refs.json if their current field
was set to "1" [1]. (The current field gets set to "0" for
unmaintained channels and "1" for all other channels [2].)
3. The Nix Flake Checker project was careful about when it released
updates that contained changes to allowed-refs.json. Specifically,
updates to allowed-refs.json would stay in the main branch and
not be released while Nixpkgs channels were in beta.
This change replaces allowed-refs.json with ref-statuses.json.
allowed-refs.json contained a list of supported Nixpkgs branches.
ref-statuses.json contains a list of Nixpkgs branches along with their
current status ("rolling", "beta", "stable", "deprecated" or
"unmaintained").
Here’s how Nix Flake Checker now enforces those same criteria:
1. Unchanged.
2. All channel branches get added to ref-statuses.json regardless of
whether or not they’re supported. Nix Flake Checker checks if a
branch’s status is "unmaintained" at runtime.
3. Nix Flake Checker checks if a branch’s status is "beta" at runtime.
The main motivation behind this change is to make it easier to create a
future commit. That future commit will allow users to access a branch’s
status via a CEL variable. As an added bonus, this change also makes it
so that the Nix Flake Checker project doesn’t have to be careful about
releasing updates while there’s Nixpkgs branches that are in beta.
[1]: src/allowed_refs.rs
[2]: <https://github.com/NixOS/infra/blob/ae9b362fe0d92cff76c0b5404d0bcec59dd322cb/build/pluto/prometheus/exporters/channel-exporter.py#L78>
By default, Nix Flake Checker will reject Nixpkgs branches that have their status set to "beta" or "unmaintained". All other statuses are allowed. That policy works well most of the time, but there are some situations where that policy is undesirable. Here are some examples: 1. A user might want Nix Flake Checker to give them an error if they’re using a deprecated Nixpkgs branch. This way, Nix Flake Checker will remind the user to update before a branch becomes unmaintained. (This is what I want to do, personally). 2. A user might want to upgrade to a Nixpkgs branch while that branch is in beta. This way, the user can report issues with a particular NixOS, and (hopefully) get those issues fixed before that NixOS release is declared stable. (This is what @dpc wants to do [1][2]). 3. An organisation might want to forbid the use of rolling branches. This way, the organisation only has to deal with breaking changes once every six months. Before this change, here’s what you would need to do in order to make Nix Flake Checker enforce those three policies: 1. flake-checker --condition "supportedRefs.contains(gitRef) && !(gitRef.contains('24.05'))" 2. flake-checker --condition "supportedRefs.contains(gitRef) || gitRef.contains('24.11')" 3. flake-checker --condition "supportedRefs.contains(gitRef) && !(gitRef.contains('unstable'))" Number 1 and 2 are especially problematic because they must manually be updated whenever new channels are created or an existing channel’s status changes. This change adds a new CEL variable named refStatuses. refStatuses makes it easier to override Nix Flake Checker’s default policy for allowed branches. Here’s how you would implement those three policies using the new refStatuses variable. 1. flake-checker --condition "supportedRefs.contains(gitRef) && refStatuses[gitRef] != 'deprecated'" 2. flake-checker --condition "supportedRefs.contains(gitRef) || refStatuses[gitRef] == 'beta'" 3. flake-checker --condition "supportedRefs.contains(gitRef) && refStatuses[gitRef] != 'rolling'" [1]: DeterminateSystems/flake-checker-action#47 [2]: DeterminateSystems#149
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request allows you to filter Nixpkgs branches by status. For example, you could run the following command if you wanted Nix Flake Checker to give you an error if detects a deprecated branch:
flake-checker --condition "supportedRefs.contains(gitRef) && refStatuses[gitRef] != 'deprecated'"See the commit messages for details.