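# GitHub Actions workflow that keeps the Nix `flake.lock` up to date.
#
# Triggers:
#   - `workflow_dispatch` (manual) and a cron schedule (every 4 hours): run the
#     checks, then let `DeterminateSystems/update-flake-lock` open or update a
#     PR with the refreshed lock file, post compare URLs on it and enable
#     auto-merge.
#   - `pull_request` (opened/synchronize against `main` or `testing`): run only
#     the lint / statix / `nix flake check` steps. The lock-file update, the
#     comment and the auto-merge steps are gated with
#     `if: github.event_name != 'pull_request'` so PR events cannot spawn
#     further update PRs.
#
# Secrets used:
#   - `GH_ACTIONS`: SSH private key (deploy key) loaded into ssh-agent so flake
#     inputs fetched over SSH can be resolved.
#   - `BOT_PAT`: GitHub token handed to nix via `--access-tokens` for private
#     GitHub inputs.
#   - `GITHUB_TOKEN`: the per-run token, used for checkout, PR creation, the
#     compare-URL comment and `gh pr merge`.
#
# Review notes:
#   - Every `uses:` below is pinned to a version tag instead of a moving
#     `main`/`master` branch; for supply-chain hardening pin each one to a
#     full-length commit SHA and let Dependabot/Renovate bump it.
#   - On `pull_request` runs the checked-out PR code is executed (linter, statix,
#     `nix flake check`) with `contents: write` and, for same-repo PRs, with the
#     secrets above available on the runner. If anyone other than the owner can
#     open PRs, move the check steps to a separate job with
#     `permissions: contents: read`.
#   - A PR opened with `GITHUB_TOKEN` does not trigger other workflow runs, so
#     this file's own `pull_request` checks will not run on the bot's PR;
#     `gh pr merge --auto` then merges as soon as branch protection (if any)
#     allows and requires auto-merge to be enabled in the repository settings.
#     Use a GitHub App / bot token for `token:` if the PR must be gated by
#     checks.
name: Update flake

on:
  workflow_dispatch:
  schedule:
    - cron: "0 */4 * * *" # every 4 hours
  pull_request:
    types: [opened, synchronize]
    branches: [main, testing]

# Least privilege for what the steps below do: push the lock-file branch and
# create/comment/merge the PR. All other scopes stay at their default (none).
permissions:
  contents: write
  pull-requests: write

jobs:
  lockfile:
    runs-on: ubuntu-latest
    steps:
      # Deploy key for flake inputs fetched over SSH. Loaded before checkout so
      # it is also available to any SSH-based submodule checkout.
      - name: Set up SSH agent
        uses: webfactory/ssh-agent@v0.9.0 # TODO(review): pin to a commit SHA
        with:
          ssh-private-key: ${{ secrets.GH_ACTIONS }}

      - name: Checkout repository
        uses: actions/checkout@v4 # TODO(review): pin to a commit SHA
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      # NOTE(review): restoring `/nix/store` with actions/cache bypasses the Nix
      # store database and ownership model, so restored paths are generally not
      # usable by nix. Confirm this cache produces usable hits before relying on
      # it; DeterminateSystems' magic-nix-cache-action is the supported
      # alternative.
      - name: Cache Nix store
        uses: actions/cache@v4 # TODO(review): pin to a commit SHA
        with:
          path: /nix/store
          key: ${{ runner.os }}-nix-${{ hashFiles('flake.lock') }}
          restore-keys: |
            ${{ runner.os }}-nix-

      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v16 # TODO(review): pin to a commit SHA

      # The three checks below run on every trigger, including pull requests.
      # `nixpkgs#...` resolves through the flake registry, not this flake's
      # pinned `nixpkgs` input, so tool versions may drift between runs.
      - name: Run linter
        run: nix run nixpkgs#nixpkgs-fmt -- --check .

      - name: Run statix
        run: nix run nixpkgs#statix -- .

      # NOTE(review): confirm `--tests` is an accepted flag of `nix flake check`
      # on the installed Nix version; left unchanged here.
      - name: Run NixOS tests
        run: nix flake check --tests

      # Lock-file update only on manual / scheduled runs; on `pull_request` the
      # job acts purely as a check and must not open new PRs.
      - name: Update flake.lock
        id: update-flake-lock
        if: github.event_name != 'pull_request'
        uses: DeterminateSystems/update-flake-lock@v24 # TODO(review): pin to a commit SHA
        with:
          commit-msg: "🧹 chore(flake.lock): update"
          # `{{ env.GIT_COMMIT_MESSAGE }}` is substituted by the action itself,
          # not by a GitHub `${{ }}` expression.
          pr-body: |
            ```
            {{ env.GIT_COMMIT_MESSAGE }}
            ```
          pr-title: "🧹 chore(flake.lock): update"
          pr-labels: auto-merge
          # Token for private GitHub inputs; passed as an action input so it is
          # masked in the run log.
          nix-options: "--access-tokens github.com=${{ secrets.BOT_PAT }}"
          token: ${{ secrets.GITHUB_TOKEN }}

      # Comment on the bot PR with compare URLs for the bumped inputs. The
      # script reads `PULL_REQUEST_NUMBER` from the environment; it is wired to
      # the update step's `pull-request-number` output here (previously it was
      # never set, so `parseInt` yielded NaN and the step always returned early).
      - name: Create compare URLs
        if: github.event_name != 'pull_request' && (steps.update-flake-lock.outputs.pull-request-operation == 'created' || steps.update-flake-lock.outputs.pull-request-operation == 'updated')
        uses: actions/github-script@v7 # TODO(review): pin to a commit SHA
        env:
          PULL_REQUEST_NUMBER: ${{ steps.update-flake-lock.outputs.pull-request-number }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // github-script resolves relative requires against the workspace
            // only when they start with "./"; without it the path is looked up
            // as a package name.
            const comment = require('./.github/scripts/comment')
            const compare = require('./.github/scripts/compare')
            const urls = await compare({ core })
            if (!urls?.length) {
              return
            }
            const header = "# Compare URLs"
            const body = urls.map((url) => `- ${url}`).join("\n")
            const issueNumber = parseInt(process.env.PULL_REQUEST_NUMBER, 10)
            if (Number.isNaN(issueNumber)) {
              core.warning(`PULL_REQUEST_NUMBER is not a number: ${process.env.PULL_REQUEST_NUMBER}`)
              return
            }
            await comment({ github, context, header, body, issueNumber })

      # Enable auto-merge on the bot PR. The URL is passed through `env`, never
      # interpolated into the shell line, so it cannot inject into the command.
      - name: Auto-merge GitHub bot PRs
        if: github.event_name != 'pull_request' && steps.update-flake-lock.outputs.pull-request-url != ''
        env:
          PR_URL: ${{ steps.update-flake-lock.outputs.pull-request-url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          # Unreachable given the `if:` above; fail loudly rather than silently
          # skipping the merge if that invariant ever breaks.
          if [ -z "${PR_URL:-}" ]; then
            echo "PR_URL is not set!" >&2
            exit 1
          fi
          gh pr merge --auto --merge "$PR_URL"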