Update flake #97
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# GitHub Actions workflow to automate updating the Nix flake.lock file | |
# Triggered manually or every 4 hours via cron schedule | |
# Steps: | |
# 1. **SSH Agent Setup**: Uses `webfactory/ssh-agent` to set up SSH access with deploy keys (ensure the deploy key is added to the repository settings) | |
# 2. **Checkout Repository**: Checks out the repository using `actions/checkout` | |
# 3. **Install Nix**: Installs Nix with `DeterminateSystems/nix-installer-action` | |
# 4. **Update flake.lock**: Updates the `flake.lock` file using `DeterminateSystems/update-flake-lock`, creating or updating a pull request with specified commit message, PR body, title, and labels | |
# 5. **Create Compare URLs**: If a pull request is created or updated, runs a script using `actions/github-script` to add a comment with compare URLs | |
# Notes: | |
# - Secrets (`secrets.GH_ACTIONS` and `secrets.TESTING`) are used for authentication | |
# - `nix-options` includes the GitHub token for accessing private repositories | |
name: Update flake | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: "0 */4 * * *" # Every 4 hours | |
pull_request: | |
types: [opened, synchronize] | |
# types: [ assigned, unassigned, labeled, unlabeled, opened, edited, closed, reopened, synchronize, converted_to_draft, locked, unlocked, ready_for_review, review_requested, review_request_removed, auto_merge_enabled, auto_merge_disabled ] | |
branches: [main, testing] | |
permissions: | |
contents: write | |
pull-requests: write | |
jobs: | |
lockfile: | |
runs-on: ubuntu-latest # The operating system to run the job on | |
steps: | |
- name: Access private repository | |
uses: webfactory/ssh-agent@master | |
with: | |
ssh-private-key: ${{ secrets.GH_ACTIONS }} | |
- name: Checkout main repository | |
uses: actions/checkout@main # The action to checkout the repository | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Create a cache of the Nix store | |
uses: actions/cache@main | |
with: | |
path: /nix/store | |
key: ${{ runner.os }}-nix-${{ hashFiles('flake.lock') }} | |
restore-keys: | | |
${{ runner.os }}-nix- | |
- name: Install Nix | |
uses: DeterminateSystems/nix-installer-action@main | |
- name: Check linting | |
id: check-formatting | |
run: nix run nixpkgs#nixpkgs-fmt -- --check . | |
continue-on-error: true | |
- name: Format files | |
if: ${{ steps.check-formatting.outcome == 'failure' }} | |
run: | | |
nix run nixpkgs#nixpkgs-fmt . | |
git config user.name "github-actions[bot]" | |
git config user.email "github-actions[bot]@users.noreply.github.com" | |
git add . | |
git commit -m "style: automatic formatting by nixpkgs-fmt" | |
- name: Set formatting message | |
if: ${{ steps.check-formatting.outcome == 'failure' }} | |
run: echo "NIXFMT_MESSAGE=Changes were automatically formatted by nixpkgs-fmt." >> $GITHUB_ENV | |
- name: Run NixOS tests | |
run: nix flake check --tests | |
- name: Update flake.lock | |
uses: DeterminateSystems/update-flake-lock@main # The action to update the flake.lock file | |
id: update-flake-lock | |
with: | |
commit-msg: "🧹 chore(flake.lock): update" | |
pr-body: | | |
``` | |
{{ env.GIT_COMMIT_MESSAGE }} | |
``` | |
pr-title: "🧹 chore(flake.lock): update" | |
pr-labels: auto-merge | |
nix-options: "--access-tokens github.com=${{ secrets.BOT_PAT }}" | |
token: ${{ secrets.GITHUB_TOKEN }} # Use GITHUB_TOKEN for PR operations | |
- name: Create compare URLs | |
uses: actions/github-script@main # The action to run a script using the GitHub API | |
if: steps.update-flake-lock.outputs.pull-request-operation == 'created' || steps.update-flake-lock.outputs.pull-request-operation == 'updated' | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
const comment = require('.github/scripts/comment') | |
const compare = require('.github/scripts/compare') | |
const urls = await compare({ core }) | |
if (!urls?.length) { | |
return | |
} | |
const header = "# Compare URLs" | |
const body = urls.map((url) => `- ${url}`).join("\n") | |
const issueNumber = parseInt(process.env.PULL_REQUEST_NUMBER, 10) | |
if (Number.isNaN(issueNumber)) { | |
return | |
} | |
await comment({ github, context, header, body, issueNumber }) | |
- name: Auto-merge GitHub bot PRs | |
if: ${{ steps.update-flake-lock.outputs.pull-request-url != '' }} | |
run: | | |
if [ -n "$PR_URL" ]; then | |
gh pr merge --auto --merge "$PR_URL" | |
else | |
echo "PR_URL is not set!" | |
fi | |
env: | |
PR_URL: ${{ steps.update-flake-lock.outputs.pull-request-url }} | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |