drop bors, switch to merge queue

.github/CONTRIBUTING.md

@@ -1,7 +1,3 @@
 ### Pull requests from forks
 
-As PRs from forks don't have automatic CI checks, admins can test PRs by posting a comment on the PR instead.
-
-- `bors try` - check if the PR builds.
-- `bors merge` - same as `bors try` but will also merge the PR if it builds successfully.
-- https://bors.tech/documentation/
+PRs from forks don't have automatic CI checks but they will go through CI during merge.

.github/settings.yml

@@ -34,11 +34,11 @@ repository:
 
   # Either `true` to allow squash-merging pull requests, or `false` to prevent
   # squash-merging.
-  allow_squash_merge: true
+  allow_squash_merge: false
 
   # Either `true` to allow merging pull requests with a merge commit, or `false`
   # to prevent merging pull requests with merge commits.
-  allow_merge_commit: true
+  allow_merge_commit: false
 
   # Either `true` to allow rebase-merging pull requests, or `false` to prevent
   # rebase-merging.
@@ -55,6 +55,8 @@ repository:
   # vulnerability alerts.
   enable_vulnerability_alerts: true
 
+  allow_auto_merge: true
+
 # Labels: define labels for Issues and Pull Requests
 #
 labels:
@@ -103,6 +105,20 @@ teams:
     permission: admin
 
 branches:
+  # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
+
+  # not available in the api yet
+  # `Require merge queue`: true
+  # `Merge method`: Rebase and merge
+  # `Maximum pull requests to build`: 1
+  # `Maximum pull requests to merge`: 1
+  # defaults:
+  # `Maximum pull requests to build`: 5
+  # `Minimum pull requests to merge`: 1 or 5 minutes
+  # `Maximum pull requests to merge`: 5
+  # `Only merge non-failing pull requests`: true
+  # `Consider check failed after`: 60 minutes
+
   - name: master
     # https://docs.github.com/en/rest/reference/repos#update-branch-protection
     # Branch Protection settings. Set to null to disable
@@ -127,13 +143,15 @@ branches:
         # Required. Require branches to be up to date before merging.
         strict: false
         # Required. The list of status checks to require in order to merge into this branch
-        contexts: ["bors"]
+        contexts:
+          - ci/hercules/evaluation
+          - ci/hercules/onPush/default
       # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
       enforce_admins: true
       # Disabled for bors to work
       required_linear_history: false
       # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
       restrictions:
-        apps: ["bors"]
-        users: []
+        apps: ["hercules-ci"]
+        users: ["nix-infra-bot"]
         teams: []

.github/workflows/flake-updates-nixpkgs-update.yml

@@ -13,13 +13,12 @@ jobs:
           extra_nix_config: |
             experimental-features = nix-command flakes
       - name: Update flake.lock
+        id: update
         uses: DeterminateSystems/update-flake-lock@v19
         with:
           token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
-          pr-body: |
-            Automated changes by the update-flake-lock
-            ```
-            {{ env.GIT_COMMIT_MESSAGE }}
-            ```
-            bors merge
           inputs: nixpkgs-update
+      - name: Enable Automerge
+        run: gh pr merge --rebase --auto "${{ steps.update.outputs.pull-request-number }}"
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN_FOR_UPDATES }}

.github/workflows/flake-updates.yml

@@ -1,20 +0,0 @@
-name: "Update flakes"
-on:
-  repository_dispatch:
-  workflow_dispatch:
-  schedule:
-    - cron: "51 2 * * 1,5"
-jobs:
-  createPullRequest:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - name: Install Nix
-        uses: cachix/install-nix-action@v20
-        with:
-          extra_nix_config: |
-            experimental-features = nix-command flakes
-      - name: Update flake.lock
-        uses: DeterminateSystems/update-flake-lock@v19
-        with:
-          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}

bors.toml

@@ -1,5 +0,0 @@
-cut_body_after = "" # don't include text from the PR body in the merge commit message
-status = [
-  "ci/hercules/evaluation",
-  "ci/hercules/onPush/default",
-]

effect.nix

@@ -8,7 +8,7 @@
       onPush.default.outputs.effects = withSystem "x86_64-linux" ({ hci-effects, pkgs, ... }:
         {
           terraform-deploy =
-            hci-effects.runIf (ref == "refs/heads/trying" || ref == "refs/heads/staging")
+            hci-effects.runIf (pkgs.lib.hasPrefix "refs/heads/gh-readonly-queue/master/" ref)
               (hci-effects.mkEffect {
                 name = "terraform-deploy";
                 inputs = [ (builtins.getFlake (toString ./terraform/.)).outputs.devShells.x86_64-linux.default.nativeBuildInputs ];
@@ -23,11 +23,7 @@
                   pushd terraform
                   terraform init
                   terraform validate
-                  if [[ ${ref} == "refs/heads/staging" ]]; then
-                    terraform apply -auto-approve
-                  else
-                    terraform plan
-                  fi
+                  terraform apply -auto-approve
                 '';
               });
         });

flake.nix

@@ -55,6 +55,16 @@
           };
         };
 
+        hercules-ci.flake-update = {
+          enable = true;
+          createPullRequest = true;
+          autoMergeMethod = "rebase";
+          when = {
+            hour = [ 2 ];
+            dayOfWeek = [ "Mon" "Fri" ];
+          };
+        };
+
         imports = [
           inputs.hercules-ci-effects.flakeModule
           inputs.treefmt-nix.flakeModule

roles/hercules-ci/secrets.yaml

@@ -1,6 +1,6 @@
 cluster-join-token.key: ENC[AES256_GCM,data:Ba8S5Cx3NJR/FoKkSVc5pX1bwKkYHAhTid3dlWcGRXPCmVtrMgBKLjDZ5b3AajZio+IvS7XNajsVqPUB/rsBUPL+mz/DPbnI4bibLkB0KZl5v6FnMf6RbGr7RWbEsGXWlJh77l/AmGRWJTj7Dh3LaQ53dguhNIDuXGvNhTLs690/93Xnc+x+d5tzl2hNz/A4/IQxpsRoJJKygqGndbc0bTUPo0QZMLtf8kHQtCiozfm1SeW49ITnM+4VCOJB8NkSkwUfy5Rs574fFijYSOGT8LSSH0ly2oxHEY+UaJudRhjr5uzrcZPI/WrrtkI=,iv:87JRtvlkkExu37uYRaHojsk1vjhO1ocw2L9yE+7shpI=,tag:0de71eZjy8F/w0LQzOVAyg==,type:str]
 binary-caches.json: ENC[AES256_GCM,data:pshvo/BxcIDXrWpW6jb1Hti8pqIEER+andBFpbOArKdaSb1LoVC45G+QwqLxjnDckiBeJm+refQE/x8i6QI0kYHcHEmX4iByvtcDM7RB6ZQSghTO0oqhi1blZRp+NjVdpgeti9VOkLPOYR+ruCDXeZmjt9fWnpGxC6ok5h5z5XLtq5xICy0DBl4VJXw3NwMnpIfj4vvczTP1TlUmP3GElHImRj6F59Vyw4jbTZRIqrib97x8nrO24t3P6RqooY0WHPR1sQXJebxCCO3TiJjxLHNtjLhJgez/O6Ou8CJx999wGvGmm3k8DzUDh94bnG12tal0PrPSJLdsQItpYqDPbK6f6R0wVmzcAywW22SCqk6kaCLGSDCYQRh3xGNsdmVfDQSJPjnAOJDNjJR5adoe8KPHIrc5eZiXjS9mJO7eYPX2IfkNHlM18NjT/Q716Ez9tnBatVb5+YKLlZMm+SSgWNxwZhBiQUvR3wdX3jOXIAjdfCGy4ocCffP05WC4YzjHo5E1EsOBN/cr5LfAS36XFwChHJ6iE4zjwsQe3X7jN9mlZdksBe8gEKFns2rr5IMmXG/enLdVjigRgDShNglP,iv:IOqba6lLXCEVZ+HNaH3uM4E3lbKzm8XCXlbAp6UPBIE=,tag:RX2d2UEWpZu48pW1UUaQcQ==,type:str]
-hercules-secrets: ENC[AES256_GCM,data:CG4W3mfGHS1bS3aNKRJHWWUmT9F5KB3hCYWSpPZDSElb6J+jhiIKP+d9n81yZ1T1cH4LpkULR8rsu00ZULMdRfghCF+KG3dperxYsMahhU0CjUj5mhCKb+6UpGOct87qJ3ILydFtBnVfkv4ohAjOdlidNDRnf4Yc0XKz1srBtBr0pmPf9hKMPXScs3nR4ecrkZjhC61CBCAVEuoGD+C8xklgV+v1Bg3CqjK2Rhxyhg5PfNZNtue5V7Lhq9TrY0S/9N+Hw3YxjAo4qCBQmOdLcLyN7MYwTJUmlIrPDzFAyfbXLRZZR6xX7+ArlgUbGNMlV3FjLXZ2E2+Abxp/uJ2/QF/6eKc44jp82hF7wjjc1My3Z//sT3pZZas/dVe40n715CtkzN8bdBZw/fHxc61QhDMz4wBpQ+SPZLdiHZ67COAkw/XKBdym4GEziqWEuYrx1aEgj5k4+qXOFgjqKHXeT783ZK2YDTwtJieSy/2bQCsTYg2V1GUDPEjxPqptDSDVDlTbMJ05EHELQvKpWQ8/cuQonGHdA9ENldA43rHnL98VLuS+YLToM0LN2oUGfXElISTXtt+x2bfBvOrNwC28nVQTCo1pgQMMWI3Tn1u2VDETBq3/X5hgOh+wDvikFnQEmw+DDd/b7eA3B4i0u/fS33aHprqqsjKdaYPmeFtQ4KIY8ZCaj8CcReH8Xp48E4JklVS2/BaPRnv7TlHQAhYKD+KMlRub9pzhhwNpRlkum/v+q1g0ZVr7kVB8e7Y=,iv:+dILru8YNvl51tFGoOTtYwpaTbcuiujtkX4zTAzqDlg=,tag:N6VAPhSha/6cjZW/EvYKcw==,type:str]
+hercules-secrets: ENC[AES256_GCM,data:ALuK/eGc2B3cXhAQjr5ZOcW0TaOraj+ZpwatF54XcTOgg49ezziXim0hUzgVbV96QMZVTkI/Fr8YobcL5oMvYXZijVit+OSrONbk703ygyogJslUKfHn0Wgho0XM/Jx/zvB2zEkLMr+UVc1lGRY+JsYT8Jx5bLrinGHzSWAHSquLVk+6tek9dqXZM2imiFMrzyUevUAUWywlqflEO3Fuos6TUEF5m0x9mqYD88nIqFfBewrJ9CuxMpLlVDDDdJBcqgdZ+m0ukQuwvx+bcY2jWwIZIx2rc3SitWQZfA2l37jRIZE7mCmZizu2V2o3xkH5MXvFgTLuItxwulNc9iFkragNXZ7D5iZMXpo+6JLZ9NR1TVAFXM+hvd0eqXqDVs+m7WjHWrO8B9yUNgYwVI29EImnqyjJ5ap+iOm0s2iQSE3od76U272VrViya3jTaV3es3nFWBxL8b+ofsey/RNAe2o7bCyUZzS0LlnH1GouAZnvh542hbPHu3TV8yoHobAxc83WO/pzw+qlRQH8tRi5MNZb0rpXCeLcXyVv18FS+9JGr10FEZ5x3rV/Jw5ZxcZptzBTjsy1zsa1SZz/bwds7mjt7MkpHEmsNLTE0QU52rX7kW1l1I3+ISB9kxdPEg0qA6/TmFqwa/NfaeigBw==,iv:uRMgAyeDZvtapc0hplLx+E1XA2N6+csPld0d833TTys=,tag:tdbRYkeTjURSxxDBNgjMSQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -70,8 +70,8 @@ sops:
             QTh4K0xzYVgzWVcwNzJ6bHFncHNTNHMK/iAbmGaTunJefyKK/GQYYMzd1PY+hvOt
             i2SfjO8ZPXRkQcDxRa5EqOkKzpzBijjSsGGH04MprCBI6ysaJA+lEg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-03-14T02:45:18Z"
-    mac: ENC[AES256_GCM,data:JaQ76rjVO15ksVAXtiVVpVzXFMhZwsOgX4HUOIKG2RfbxSFSWGK9wrJeSMe6y3Wm8sYHNaa17QQUoaOd6ym+QspjZocvN5XZB0xh+FruLxZ5Z6k2UPZLt0gtJcHEgvsaNEbY6rIuXs6uw6L3NdUVzles7c1GUvQJlaTkQMxxgwU=,iv:Urf97S2M27sxu3awAOa5++EV0IT27xQYLXqLCgWRRi4=,tag:GBJRRV7r7RatWBUZJTbw5Q==,type:str]
+    lastmodified: "2023-05-04T22:00:39Z"
+    mac: ENC[AES256_GCM,data:D2smiMskdRdj/b5hE2matw82z1Kf4CZGGKaptt7zd77sCuK1TQ6Te8n89LJ5SdGQpUcfZ9eaPVutMLgLr0vJufaOwHo8BVSuyN7/EC9IeeeLrJygl1wYZzbVcWm9KW2YthYTj+n2RtAvS7VtuYUdSPk7oSG7Xs6XaBp5qtoxeBs=,iv:PrbJvAFDsxeWqce5aXC97d6IKr66Ao1qLfljE/EFufg=,tag:wVeBLqclaE4IpsFMLZHOeg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3