From fe5f02c2c274e8f48a1072807fc9bb3f892584a4 Mon Sep 17 00:00:00 2001 From: NAHO <90870942+trueNAHO@users.noreply.github.com> Date: Fri, 27 Dec 2024 01:56:12 +0100 Subject: [PATCH] ci: lock Ubuntu runner to ubuntu-22.04 Lock the Ubuntu runner to ubuntu-22.04 to avoid accidental updates [1] and increase reproducibility. [1]: https://github.com/actions/runner-images/issues/10636 --- .github/workflows/ci.yml | 14 +++++++------- .github/workflows/labels.yml | 2 +- .mergify.yml | 4 ++-- doc/manual/source/development/testing.md | 2 +- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index addafb9f82d..2426ab16649 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,7 +8,7 @@ permissions: read-all jobs: eval: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 with: @@ -20,7 +20,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ubuntu-latest, macos-latest] + os: [ubuntu-22.04, macos-latest] runs-on: ${{ matrix.os }} timeout-minutes: 60 steps: @@ -37,7 +37,7 @@ jobs: # Since ubuntu 22.30, unprivileged usernamespaces are no longer allowed to map to the root user: # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 - if: matrix.os == 'ubuntu-latest' + if: matrix.os == 'ubuntu-22.04' - run: scripts/build-checks - run: scripts/prepare-installer-for-github-actions - name: Upload installer tarball @@ -51,7 +51,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ubuntu-latest, macos-latest] + os: [ubuntu-22.04, macos-latest] runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 @@ -68,7 +68,7 @@ jobs: install_url: 'http://localhost:8126/install' install_options: "--tarball-url-prefix http://localhost:8126/" - run: sudo apt install fish zsh - if: matrix.os == 'ubuntu-latest' + if: matrix.os == 'ubuntu-22.04' - run: brew install fish if: matrix.os == 'macos-latest' - run: exec bash -c "nix-instantiate -E 'builtins.currentTime' --eval" @@ -86,7 +86,7 @@ jobs: permissions: contents: none name: Check Docker secrets present for installer tests - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 outputs: docker: ${{ steps.secret.outputs.docker }} steps: @@ -106,7 +106,7 @@ jobs: needs.check_secrets.outputs.docker == 'true' && github.event_name == 'push' && github.ref_name == 'master' - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - name: Check for secrets id: secret diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml index 34aa4e6bdf0..9d2ac80a3f3 100644 --- a/.github/workflows/labels.yml +++ b/.github/workflows/labels.yml @@ -15,7 +15,7 @@ permissions: jobs: labels: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 if: github.repository_owner == 'NixOS' steps: - uses: actions/labeler@v5 diff --git a/.mergify.yml b/.mergify.yml index 70fccae4911..c2e1154879e 100644 --- a/.mergify.yml +++ b/.mergify.yml @@ -3,9 +3,9 @@ queue_rules: # all required tests need to go here merge_conditions: - check-success=tests (macos-latest) - - check-success=tests (ubuntu-latest) + - check-success=tests (ubuntu-22.04) - check-success=installer_test (macos-latest) - - check-success=installer_test (ubuntu-latest) + - check-success=installer_test (ubuntu-22.04) - check-success=vm_tests batch_size: 5 diff --git a/doc/manual/source/development/testing.md b/doc/manual/source/development/testing.md index 30aa7d0d51b..7e8762fe0e0 100644 --- a/doc/manual/source/development/testing.md +++ b/doc/manual/source/development/testing.md @@ -297,7 +297,7 @@ Creating a Cachix cache for your installer tests and adding its authorisation to - `armv7l-linux` - `x86_64-darwin` -- The `installer_test` job (which runs on `ubuntu-latest` and `macos-latest`) will try to install Nix with the cached installer and run a trivial Nix command. +- The `installer_test` job (which runs on `ubuntu-22.04` and `macos-latest`) will try to install Nix with the cached installer and run a trivial Nix command. ### One-time setup