Skip to content

Update flake

Update flake #97

# GitHub Actions workflow to automate updating the Nix flake.lock file
# Triggered manually or every 4 hours via cron schedule
# Steps:
# 1. **SSH Agent Setup**: Uses `webfactory/ssh-agent` to set up SSH access with deploy keys (ensure the deploy key is added to the repository settings)
# 2. **Checkout Repository**: Checks out the repository using `actions/checkout`
# 3. **Install Nix**: Installs Nix with `DeterminateSystems/nix-installer-action`
# 4. **Update flake.lock**: Updates the `flake.lock` file using `DeterminateSystems/update-flake-lock`, creating or updating a pull request with specified commit message, PR body, title, and labels
# 5. **Create Compare URLs**: If a pull request is created or updated, runs a script using `actions/github-script` to add a comment with compare URLs
# Notes:
# - Secrets (`secrets.GH_ACTIONS` and `secrets.TESTING`) are used for authentication
# - `nix-options` includes the GitHub token for accessing private repositories
name: Update flake
on:
workflow_dispatch:
schedule:
- cron: "0 */4 * * *" # Every 4 hours
pull_request:
types: [opened, synchronize]
# types: [ assigned, unassigned, labeled, unlabeled, opened, edited, closed, reopened, synchronize, converted_to_draft, locked, unlocked, ready_for_review, review_requested, review_request_removed, auto_merge_enabled, auto_merge_disabled ]
branches: [main, testing]
permissions:
contents: write
pull-requests: write
jobs:
lockfile:
runs-on: ubuntu-latest # The operating system to run the job on
steps:
- name: Access private repository
uses: webfactory/ssh-agent@master
with:
ssh-private-key: ${{ secrets.GH_ACTIONS }}
- name: Checkout main repository
uses: actions/checkout@main # The action to checkout the repository
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create a cache of the Nix store
uses: actions/cache@main
with:
path: /nix/store
key: ${{ runner.os }}-nix-${{ hashFiles('flake.lock') }}
restore-keys: |
${{ runner.os }}-nix-
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
- name: Check linting
id: check-formatting
run: nix run nixpkgs#nixpkgs-fmt -- --check .
continue-on-error: true
- name: Format files
if: ${{ steps.check-formatting.outcome == 'failure' }}
run: |
nix run nixpkgs#nixpkgs-fmt .
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add .
git commit -m "style: automatic formatting by nixpkgs-fmt"
- name: Set formatting message
if: ${{ steps.check-formatting.outcome == 'failure' }}
run: echo "NIXFMT_MESSAGE=Changes were automatically formatted by nixpkgs-fmt." >> $GITHUB_ENV
- name: Run NixOS tests
run: nix flake check --tests
- name: Update flake.lock
uses: DeterminateSystems/update-flake-lock@main # The action to update the flake.lock file
id: update-flake-lock
with:
commit-msg: "🧹 chore(flake.lock): update"
pr-body: |
```
{{ env.GIT_COMMIT_MESSAGE }}
```
pr-title: "🧹 chore(flake.lock): update"
pr-labels: auto-merge
nix-options: "--access-tokens github.com=${{ secrets.BOT_PAT }}"
token: ${{ secrets.GITHUB_TOKEN }} # Use GITHUB_TOKEN for PR operations
- name: Create compare URLs
uses: actions/github-script@main # The action to run a script using the GitHub API
if: steps.update-flake-lock.outputs.pull-request-operation == 'created' || steps.update-flake-lock.outputs.pull-request-operation == 'updated'
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const comment = require('.github/scripts/comment')
const compare = require('.github/scripts/compare')
const urls = await compare({ core })
if (!urls?.length) {
return
}
const header = "# Compare URLs"
const body = urls.map((url) => `- ${url}`).join("\n")
const issueNumber = parseInt(process.env.PULL_REQUEST_NUMBER, 10)
if (Number.isNaN(issueNumber)) {
return
}
await comment({ github, context, header, body, issueNumber })
- name: Auto-merge GitHub bot PRs
if: ${{ steps.update-flake-lock.outputs.pull-request-url != '' }}
run: |
if [ -n "$PR_URL" ]; then
gh pr merge --auto --merge "$PR_URL"
else
echo "PR_URL is not set!"
fi
env:
PR_URL: ${{ steps.update-flake-lock.outputs.pull-request-url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}