workflows/eval: avoid potential script injection attack

[azuwis]

Although matrix.system is supposed to be generated from trusted code, we'd better follow Github Actions good practices.

CC: @infinisil

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[JohnRTitor]

Could you make the changes for #355847 (comment), in a seperate commit?

[infinisil]

Oh yeah nice catch. This workflow doesn't (currently) deal with secrets, so nothing bad could've happened, but still

[JohnRTitor]

@infinisil I am seeing another CI fail (likely also related to high per chunk memory)?

https://github.com/NixOS/nixpkgs/actions/runs/11940805989/job/33284337358

Would reducing chunk size to 750 be sufficient?

[infinisil]

I'm thinking 9000, we can easily lower it further if needed

[JohnRTitor]

oh I missed an extra 0. 🤦

[Mic92]

Can we first just merge the first commit: #357800

[Mic92]

I'm thinking 9000, we can easily lower it further if needed

There seems to be plenty of memory available. Infinite recursion errors are related to stack memory limits. Should we not rather increase the stack size?

[JohnRTitor]

Sorry shouldn't have mixed these two

[Mic92]

Here is my proposal to better understand where the infinite recursion errors come from: #357805

[JohnRTitor]

Oof, merged this one, and #357805 seemed to merge automatically as well

(Github has a nice way of detecting this)

[Mic92]

@JohnRTitor that's normal and not problematic. It's not #357805 that was merged but #357800

[JohnRTitor]

By the way, any idea why backport PRs are not automatically evaluated? #357821

[infinisil]

@JohnRTitor It's because the backport was created by the default GitHub Actions account, which GitHub prevents from triggering other actions to prevent too easy infinite CI recursions. If we use a GitHub App instead tp create the PR that would be fixed

[JohnRTitor]

Could we create a listener to automatically start the eval action, like @ofborg eval?

[azuwis]

By the way, any idea why backport PRs are not automatically evaluated? #357821

Github Actions limitation.

Some documentations and workarounds https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs