diff --git a/.forgejo/actions/update-flake-lock/action.yml b/.forgejo/actions/update-flake-lock/action.yml new file mode 100644 index 0000000..5df9ea5 --- /dev/null +++ b/.forgejo/actions/update-flake-lock/action.yml @@ -0,0 +1,222 @@ +name: "Update Nix Flake Lock" +description: "Update your Nix flake.lock and send a PR" +inputs: + inputs: + description: "A space-separated list of inputs to update. Leave empty to update all inputs." + required: false + default: "" + token: + description: "GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)" + required: false + default: ${{ github.token }} + commit-msg: + description: "The message provided with the commit" + required: false + default: "flake.lock: Update" + base: + description: "Sets the pull request base branch. Defaults to the branch checked out in the workflow." + required: false + branch: + description: "The branch of the PR to be created" + required: false + default: "update_flake_lock_action" + path-to-flake-dir: + description: "The path of the directory containing `flake.nix` file within your repository. Useful when `flake.nix` cannot reside at the root of your repository." + required: false + pr-title: + description: "The title of the PR to be created" + required: false + default: "flake.lock: Update" + pr-body: + description: "The body of the PR to be created" + required: false + default: | + Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action. + + ``` + {{ env.GIT_COMMIT_MESSAGE }} + ``` + + ### Running GitHub Actions on this PR + + GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action. + + To run GitHub Actions workflows on this PR, run: + + ```sh + git branch -D update_flake_lock_action + git fetch origin + git checkout update_flake_lock_action + git commit --amend --no-edit + git push origin update_flake_lock_action --force + ``` + + pr-labels: + description: "A comma or newline separated list of labels to set on the Pull Request to be created" + required: false + default: "" + pr-assignees: + description: "A comma or newline separated list of assignees (GitHub usernames)." + required: false + default: "" + pr-reviewers: + description: "A comma or newline separated list of reviewers (GitHub usernames) to request a review from." + required: false + default: "" + git-author-name: + description: "Author name used for commit. Only used if sign-commits is false." + required: false + default: "github-actions[bot]" + git-author-email: + description: "Author email used for commit. Only used if sign-commits is false." + required: false + default: "github-actions[bot]@users.noreply.github.com" + git-committer-name: + description: "Committer name used for commit. Only used if sign-commits is false." + required: false + default: "github-actions[bot]" + git-committer-email: + description: "Committer email used for commit. Only used if sign-commits is false." + required: false + default: "github-actions[bot]@users.noreply.github.com" + sign-commits: + description: "Set to true if the action should sign the commit with GPG" + required: false + default: "false" + gpg-private-key: + description: "GPG Private Key with which to sign the commits in the PR to be created" + required: false + default: "" + gpg-fingerprint: + description: "Fingerprint of specific GPG subkey to use" + required: false + gpg-passphrase: + description: "GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created" + required: false + default: "" + nix-options: + description: "A space-separated list of options to pass to the nix command" + required: false + default: "" + # _internal-strict-mode: + # description: Whether to fail when any errors are thrown. Used only to test the Action; do not set this in your own workflows. + # required: false + # default: false +outputs: + pull-request-number: + description: "The number of the opened pull request" + value: ${{ steps.create-pr.outputs.pull-request-number }} + pull-request-operation: + description: "The pull request operation performed by the action, `created`, `updated` or `closed`." + value: ${{ steps.create-pr.outputs.pull-request-operation }} +runs: + using: "composite" + steps: + - name: Import bot's GPG key for signing commits + if: ${{ inputs.sign-commits == 'true' }} + id: import-gpg + uses: https://github.com/crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0 + with: + gpg_private_key: ${{ inputs.gpg-private-key }} + fingerprint: ${{ inputs.gpg-fingerprint }} + passphrase: ${{ inputs.gpg-passphrase }} + git_config_global: true + git_user_signingkey: true + git_commit_gpgsign: true + - name: Set environment variables (signed commits) + if: ${{ inputs.sign-commits == 'true' }} + shell: bash + env: + GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }} + GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }} + GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }} + GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }} + TARGETS: ${{ inputs.inputs }} + run: | + echo "GIT_AUTHOR_NAME=$GIT_AUTHOR_NAME" >> $GITHUB_ENV + echo "GIT_AUTHOR_EMAIL=<$GIT_AUTHOR_EMAIL>" >> $GITHUB_ENV + echo "GIT_COMMITTER_NAME=$GIT_COMMITTER_NAME" >> $GITHUB_ENV + echo "GIT_COMMITTER_EMAIL=<$GIT_COMMITTER_EMAIL>" >> $GITHUB_ENV + - name: Set environment variables (unsigned commits) + if: ${{ inputs.sign-commits != 'true' }} + shell: bash + run: | + echo "GIT_AUTHOR_NAME=${{ inputs.git-author-name }}" >> $GITHUB_ENV + echo "GIT_AUTHOR_EMAIL=<${{ inputs.git-author-email }}>" >> $GITHUB_ENV + echo "GIT_COMMITTER_NAME=${{ inputs.git-committer-name }}" >> $GITHUB_ENV + echo "GIT_COMMITTER_EMAIL=<${{ inputs.git-committer-email }}>" >> $GITHUB_ENV + - name: Run update-flake-lock + shell: bash + run: node "$GITHUB_ACTION_PATH/dist/index.js" + env: + # The following manually exposes all of the action inputs into INPUT_ environment variables so actionsCore.getInput works: + # https://github.com/actions/toolkit/blob/ae38557bb0dba824cdda26ce787bd6b66cf07a83/packages/core/src/core.ts#L126 + INPUT_BASE: ${{ inputs.base }} + INPUT_BRANCH: ${{ inputs.branch }} + INPUT_COMMIT-MSG: ${{ inputs.commit-msg }} + INPUT_GIT-AUTHOR-EMAIL: ${{ inputs.git-author-email }} + INPUT_GIT-AUTHOR-NAME: ${{ inputs.git-author-name }} + INPUT_GIT-COMMITTER-EMAIL: ${{ inputs.git-committer-email }} + INPUT_GIT-COMMITTER-NAME: ${{ inputs.git-committer-name }} + INPUT_GPG-FINGERPRINT: ${{ inputs.gpg-fingerprint }} + INPUT_GPG-PASSPHRASE: ${{ inputs.gpg-passphrase }} + INPUT_GPG-PRIVATE-KEY: ${{ inputs.gpg-private-key }} + INPUT_INPUTS: ${{ inputs.inputs }} + INPUT_NIX-OPTIONS: ${{ inputs.nix-options }} + INPUT_PATH-TO-FLAKE-DIR: ${{ inputs.path-to-flake-dir }} + INPUT_PR-ASSIGNEES: ${{ inputs.pr-assignees }} + INPUT_PR-BODY: ${{ inputs.pr-body }} + INPUT_PR-LABELS: ${{ inputs.pr-labels }} + INPUT_PR-REVIEWERS: ${{ inputs.pr-reviewers }} + INPUT_PR-TITLE: ${{ inputs.pr-title }} + INPUT_PULL-REQUEST-NUMBER: ${{ inputs.pull-request-number }} + INPUT_PULL-REQUEST-OPERATION: ${{ inputs.pull-request-operation }} + INPUT_SIGN-COMMITS: ${{ inputs.sign-commits }} + INPUT_TOKEN: ${{ inputs.token }} + INPUT__INTERNAL-STRICT-MODE: ${{ inputs._internal-strict-mode }} + - name: Save PR Body as file + uses: https://github.com/DamianReeves/write-file-action@v1.3 + with: + path: pr_body.template + contents: ${{ inputs.pr-body }} + env: {} + - name: Set additional env variables (GIT_COMMIT_MESSAGE) + shell: bash + run: | + DELIMITER=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) + COMMIT_MESSAGE="$(git log --format=%b -n 1)" + echo "GIT_COMMIT_MESSAGE<<$DELIMITER" >> $GITHUB_ENV + echo "$COMMIT_MESSAGE" >> $GITHUB_ENV + echo "$DELIMITER" >> $GITHUB_ENV + echo "GIT_COMMIT_MESSAGE is: ${COMMIT_MESSAGE}" + - name: Interpolate PR Body + uses: pedrolamas/handlebars-action@2995d7eadacbc8f2f6ab8431a01d84a5fa3b8bb4 # v2.4.0 + with: + files: "pr_body.template" + output-filename: "pr_body.txt" + - name: Read pr_body.txt + id: pr_body + uses: juliangruber/read-file-action@v1 + with: + path: "pr_body.txt" + # We need to remove the pr_body files so that the + # peter-evans/create-pull-request action does not commit it (the + # action commits all new and modified files). + - name: Remove PR body template files + shell: bash + run: rm -f pr_body.txt pr_body.template + - name: Create PR + id: create-pr + uses: https://github.com/peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5 + with: + base: ${{ inputs.base }} + branch: ${{ inputs.branch }} + delete-branch: true + committer: ${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }} + author: ${{ env.GIT_AUTHOR_NAME }} ${{ env.GIT_AUTHOR_EMAIL }} + title: ${{ inputs.pr-title }} + token: ${{ inputs.token }} + assignees: ${{ inputs.pr-assignees }} + labels: ${{ inputs.pr-labels }} + reviewers: ${{ inputs.pr-reviewers }} + body: ${{ steps.pr_body.outputs.content }} diff --git a/.forgejo/workflows/update_lock.yaml b/.forgejo/workflows/update_lock.yaml index 2e5dc87..d362035 100644 --- a/.forgejo/workflows/update_lock.yaml +++ b/.forgejo/workflows/update_lock.yaml @@ -18,7 +18,7 @@ jobs: - name: Install Nix uses: https://github.com/DeterminateSystems/nix-installer-action@main - name: Update flake.lock - uses: https://github.com/DeterminateSystems/update-flake-lock@main + uses: ./.forgejo/actions/update-flake-lock with: pr-title: "Update flake.lock" # Title of PR to be created pr-labels: | # Labels to be set on the PR