Merge branch 'main' into renovate/pre-commit-pre-commit-hooks-4.x

This commit is contained in:
Truxnell 2024-03-26 22:54:51 +11:00 committed by GitHub
commit aabc2821f8
3 changed files with 156 additions and 2 deletions

24
.github/renovate.json vendored Normal file
View file

@ -0,0 +1,24 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"github>truxnell/renovate-config",
"github>truxnell/renovate-config:automerge-github-actions",
"github>aquaproj/aqua-renovate-config#2.2.0",
"github>aquaproj/aqua-renovate-config:installer-script#2.2.0(install-aqua\\.sh)",
"github>aquaproj/aqua-renovate-config:file#2.2.0(^aqua/.*\\.ya?ml$)"
],
"platform": "github",
"username": "trux-bot[bot]",
"gitAuthor": "Trux-Bot <19149206+trux-bot[bot]@users.noreply.github.com>",
"repositories": ["truxnell/nix-config"],
"ignoreTests": false,
// TODO remove once out of beta?
// https://docs.renovatebot.com/modules/manager/nix/
"nix": {
"enabled": true
},
"lockFileMaintenance": {
"enabled": true
},
}

129
.github/workflows/diff-pr.yaml vendored Normal file
View file

@ -0,0 +1,129 @@
name: Pull Request
permissions:
pull-requests: write
on:
pull_request:
paths:
- .github/workflows/**
- "**.nix"
- "flake.lock"
jobs:
build:
if: github.event.pull_request.draft == false
name: "Build ${{ matrix.target }}"
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
target: pride
- os: ubuntu-latest
target: sloth
- os: ubuntu-latest
target: eden
- os: ubuntu-latest
target: wrath
steps:
- name: Create nix mount point
if: contains(matrix.os, 'ubuntu')
run: sudo mkdir /nix
- name: Maximize build space
uses: easimon/maximize-build-space@v10
if: contains(matrix.os, 'ubuntu')
with:
root-reserve-mb: 512
swap-size-mb: 1024
build-mount-path: "/nix"
remove-dotnet: true
remove-android: true
remove-haskell: true
remove-docker-images: true
remove-codeql: true
overprovision-lvm: true
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install nix
uses: cachix/install-nix-action@v25
with:
extra_nix_config: |
experimental-features = nix-command flakes
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
- uses: cachix/cachix-action@v14
with:
name: edeneast
skipPush: true
extraPullNames: nix-community
- name: Garbage collect build dependencies
run: nix-collect-garbage
- name: Fetch old system profile
run: nix build github:EdenEast/nyx#top.${{ matrix.target }} -v --log-format raw --profile ./profile
- name: Add new system to profile
run: |
set -o pipefail
nix build .#top.${{ matrix.target }} --profile ./profile --show-trace --fallback -v --log-format raw > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
- name: Output build failure
if: failure()
run: |
drv=$(grep "For full logs, run" /tmp/nix-build-err.log | grep -oE "/nix/store/.*.drv")
if [ -n $drv ]; then
nix log $drv
echo $drv
fi
exit 1
- name: Diff profile
id: diff
run: |
nix profile diff-closures --profile ./profile
delimiter="$(openssl rand -hex 16)"
echo "diff<<${delimiter}" >> "${GITHUB_OUTPUT}"
nix profile diff-closures --profile ./profile | perl -pe 's/\e\[[0-9;]*m(?:\e\[K)?//g' >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
- name: Scan for security issues
id: security
run: |
nix run nixpkgs/nixos-unstable#vulnix -- -w https://raw.githubusercontent.com/ckauhaus/nixos-vulnerability-roundup/master/whitelists/nixos-unstable.toml ./profile | tee /tmp/security.txt
OUTPUT_SECURITY="$(cat /tmp/security.txt)"
OUTPUT_SECURITY="${OUTPUT_SECURITY//'%'/'%25'}"
OUTPUT_SECURITY="${OUTPUT_SECURITY//$'\n'/'%0A'}"
OUTPUT_SECURITY="${OUTPUT_SECURITY//$'\r'/'%0D'}"
echo "$OUTPUT_SECURITY"
delimiter="$(openssl rand -hex 16)"
echo "security<<${delimiter}" >> "${GITHUB_OUTPUT}"
echo "$OUTPUT_SECURITY" >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
- name: Comment report in pr
uses: marocchino/sticky-pull-request-comment@v2
if: ${{ !startswith(github.ref, 'dependabot') }}
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
header: ".#top.${{ matrix.target }}"
message: |
### Report for `${{ matrix.target }}`
<details>
<summary> Version changes </summary> <br>
<pre> ${{ steps.diff.outputs.diff }} </pre>
</details>
<details>
<summary> Security vulnerability report </summary> <br>
<pre> ${{ steps.security.outputs.security }} </pre>
</details>
# Liberated from edeneast's github

View file

@ -1,9 +1,10 @@
# Truxnell's homelab # Truxnell's homelab
[![NixOS](https://img.shields.io/badge/NIXOS-5277C3.svg?style=for-the-badge&logo=NixOS&logoColor=white)](https://nixos.org) [![NixOS](https://img.shields.io/badge/NIXOS-5277C3.svg?style=for-the-badge&logo=NixOS&logoColor=white)](https://nixos.org)
[![NixOS](https://img.shields.io/badge/NixOS-23.11-blue?style=flat&logo=nixos&logoColor=white)](https://nixos.org) [![NixOS](https://img.shields.io/badge/NixOS-23.11-blue?style=for-the-badge&logo=nixos&logoColor=white)](https://nixos.org)
[![MIT License](https://img.shields.io/github/license/truxnell/nix-config?style=for-the-badge)](https://github.com/truxnell/nix-config/blob/ci/LICENSE)
[![built with garnix](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Fgarnix.io%2Fapi%2Fbadges%2Ftruxnell%2Fnix-config%3Fbranch%3Dmain)](https://garnix.io) [![built with garnix](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Fgarnix.io%2Fapi%2Fbadges%2Ftruxnell%2Fnix-config%3Fbranch%3Dmain)](https://garnix.io)
[![MIT License](https://img.shields.io/github/license/truxnell/nix-config)][mit]
Leveraging nix, nix-os to apply machine and home configurations Leveraging nix, nix-os to apply machine and home configurations