Add support for CEL conditions

Luc Perkins 2024-06-17 15:59:33 -07:00
parent a548f47873
commit 829568a669
No known key found for this signature in database
GPG key ID: 16DB1108FB591835
5 changed files with 19 additions and 2 deletions


@ -35,6 +35,7 @@ The Nix Flake Checker Action has a number of configuration parameters that you c
| Parameter | Description | Default |
| :-------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :----------- |
| `condition` | An optional Common Expression Language (CEL) condition expressing your flake policy. Supersedes all `check-*` parameters. | |
| `flake-lock-path` | The path to the `flake.lock` file you want to check. | `flake.lock` |
| `check-outdated` | Whether to check that the root Nixpkgs input is less than 30 days old. | `true` |
| `check-owner` | Whether to check that the root Nixpkgs input has the `NixOS` GitHub org as its owner. | `true` |


@ -9,6 +9,11 @@ inputs:
description: |
The path to the `flake.lock` file you want to check.
default: flake.lock
condition:
description: |
A Common Expression Language (CEL) condition expressing your flake policy.
Supersedes all `check-*` parameters.
required: false
check-outdated:
description: |
Whether to check that the root Nixpkgs input is less than 30 days old.

6
dist/index.js generated vendored

@ -93735,7 +93735,7 @@ const external_node_path_namespaceObject = __WEBPACK_EXTERNAL_createRequire(impo
const external_node_stream_promises_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:stream/promises");
;// CONCATENATED MODULE: external "node:zlib"
const external_node_zlib_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:zlib");
;// CONCATENATED MODULE: ./node_modules/.pnpm/github.com+DeterminateSystems+detsys-ts@856a75af22949b76e23f6e54a1b4d27d8816cea4_pejzgrm5rdrx2cw4uhq4rkbcmm/node_modules/detsys-ts/dist/index.js
;// CONCATENATED MODULE: ./node_modules/.pnpm/github.com+DeterminateSystems+detsys-ts@dd1509475ee7fee37677b858b67aa96ef37a7531_5xj7muga2pf2jza4obzcpzufey/node_modules/detsys-ts/dist/index.js
var __defProp = Object.defineProperty;
var __export = (target, all) => {
for (var name in all)
@ -95094,6 +95094,7 @@ var FlakeCheckerAction = class extends DetSysAction {
// We don't need Nix in this Action because we fetch a static binary using curl and run it
requireNix: "ignore"
});
this.condition = inputs_exports.getStringOrNull("condition");
this.flakeLockPath = inputs_exports.getString("flake-lock-path");
this.nixpkgsKeys = inputs_exports.getString("nixpkgs-keys");
this.checkOutdated = inputs_exports.getBool("check-outdated");
@ -95135,6 +95136,9 @@ var FlakeCheckerAction = class extends DetSysAction {
const executionEnv = {};
executionEnv.NIX_FLAKE_CHECKER_FLAKE_LOCK_PATH = this.flakeLockPath;
executionEnv.NIX_FLAKE_CHECKER_NIXPKGS_KEYS = this.nixpkgsKeys;
if (this.condition) {
executionEnv.NIX_FLAKE_CHECKER_CONDITION = this.condition;
}
if (!this.sendStatistics) {
executionEnv.NIX_FLAKE_CHECKER_NO_TELEMETRY = "false";
}

2
dist/index.js.map generated vendored

File diff suppressed because one or more lines are too long


@ -5,6 +5,7 @@ import { DetSysAction, inputs } from "detsys-ts";
const EVENT_EXECUTION_FAILURE = "execution_failure";
class FlakeCheckerAction extends DetSysAction {
condition: string | null;
flakeLockPath: string;
nixpkgsKeys: string;
checkOutdated: boolean;
@ -23,6 +24,7 @@ class FlakeCheckerAction extends DetSysAction {
requireNix: "ignore",
});
this.condition = inputs.getStringOrNull("condition");
this.flakeLockPath = inputs.getString("flake-lock-path");
this.nixpkgsKeys = inputs.getString("nixpkgs-keys");
this.checkOutdated = inputs.getBool("check-outdated");
@ -72,6 +74,10 @@ class FlakeCheckerAction extends DetSysAction {
executionEnv.NIX_FLAKE_CHECKER_FLAKE_LOCK_PATH = this.flakeLockPath;
executionEnv.NIX_FLAKE_CHECKER_NIXPKGS_KEYS = this.nixpkgsKeys;
if (this.condition) {
executionEnv.NIX_FLAKE_CHECKER_CONDITION = this.condition;
}
if (!this.sendStatistics) {
executionEnv.NIX_FLAKE_CHECKER_NO_TELEMETRY = "false";
}
@ -103,6 +109,7 @@ class FlakeCheckerAction extends DetSysAction {
type ExecutionEnvironment = {
// All env vars are strings, no fanciness here.
RUST_BACKTRACE?: string;
NIX_FLAKE_CHECKER_CONDITION?: string;
NIX_FLAKE_CHECKER_FLAKE_LOCK_PATH?: string;
NIX_FLAKE_CHECKER_NIXPKGS_KEYS?: string;
NIX_FLAKE_CHECKER_NO_TELEMETRY?: string;
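Review bot: Nothing in the block around `executionEnv.NIX_FLAKE_CHECKER_CONDITION = this.condition;` records which policy is in effect, and that matters because the condition supersedes every `check-*` input. Because the guard is a truthiness test, a `condition` that expands to an empty string (for example from an unset workflow variable) is handled like an absent one, so the run falls back to the `check-*` defaults without saying so. I would log one line stating whether the CEL condition or the `check-*` inputs are being enforced, and add a comment above the guard: `// A CEL condition supersedes all check-* inputs; empty or unset falls back to them`. The method that builds `executionEnv` begins and ends outside this hunk.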