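---
# Nightly (and on-demand) version bump workflow for the pkgs/ tree.
#
# Flow: clone with a token -> list pkgs/* -> run `nix-update --flake --commit`
# per package on a timestamped branch -> `nix build` every updated package ->
# push the branch and open a PR with the `tea` CLI.
#
# Variable values (the `package` input, step outputs) reach the shell through
# `env:` and are expanded as "$VAR" instead of being interpolated with `${{ }}`
# into the script text, so their content cannot change the script itself.
#
# NOTE(review): the forge flags invisible Unicode characters in this file; the
# `echo` strings that start with a bare space are the likely spot — replace
# them with a visible marker or strip them.
name: Update Nix Packages with nix-update

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: "0 2 * * *"
  workflow_dispatch:  # Allow manual triggering
    inputs:
      package:
        description: "Specific package to update (optional)"
        required: false
        type: string

# Exported into every step. git reads these directly for authorship, so they
# also cover the commits created by `nix-update --commit`.
env:
  GIT_AUTHOR_NAME: "nix-update bot"
  GIT_AUTHOR_EMAIL: "bot@m3ta.dev"
  GIT_COMMITTER_NAME: "nix-update bot"
  GIT_COMMITTER_EMAIL: "bot@m3ta.dev"

jobs:
  nix-update:
    runs-on: nixos
    steps:
      - name: Checkout repository
        run: |
          set -euo pipefail
          # Disable terminal prompts for all git operations so a missing or
          # expired token fails fast instead of hanging the job.
          export GIT_TERMINAL_PROMPT=0
          export GIT_ASKPASS="/bin/echo"
          # Clone with token authentication. The token becomes part of the
          # `origin` URL in .git/config on the runner (the push step later
          # relies on that); secret masking is what keeps it out of the logs,
          # so never print the remote URL.
          git clone --no-single-branch \
            "https://${{ secrets.NIX_UPDATE_TOKEN }}@code.m3ta.dev/m3tam3re/nixpkgs.git" \
            /workspace/m3tam3re/nixpkgs
          cd /workspace/m3tam3re/nixpkgs
          # NOTE(review): every later step runs git/nix without a `cd`, so this
          # path must be the runner's default working directory — confirm for
          # the `nixos` runner.
          # Author/committer for this clone only (not --global), to avoid
          # leaving state behind on a persistent self-hosted runner.
          git config user.name "$GIT_AUTHOR_NAME"
          git config user.email "$GIT_AUTHOR_EMAIL"
          git config --global init.defaultBranch master
          # Verify checkout
          git status
          git log --oneline -5

      - name: Check for available packages to update
        id: check-packages
        run: |
          set -euo pipefail
          echo "Found packages in pkgs/ directory:"
          ls -1 pkgs/ | grep -v default.nix | grep -v AGENTS.md || echo "No package directories found"
          # Record whether flake.nix exists. No later step reads `has_flake`
          # yet; it is kept as a diagnostic output.
          if [ -f "flake.nix" ]; then
            echo "✓ Found flake.nix"
            echo "has_flake=true" >> "$GITHUB_OUTPUT"
          else
            echo "✗ No flake.nix found"
            echo "has_flake=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Update packages
        id: update
        env:
          # Passed through the environment, not interpolated into the script,
          # so a crafted input cannot inject shell commands.
          PACKAGE: "${{ inputs.package }}"
        run: |
          set -euo pipefail
          # Base commit, used to tell "nix-update committed something" from
          # "nothing changed". `--commit` leaves the working tree clean, so a
          # plain `git diff-index HEAD` alone would miss real updates.
          BASE_HEAD=$(git rev-parse HEAD)
          # Create timestamp for branch naming
          TIMESTAMP=$(date +%Y%m%d-%H%M%S)
          BRANCH_NAME="nix-update-${TIMESTAMP}"
          # Create and checkout new branch
          git checkout -b "${BRANCH_NAME}"

          # update_one PKG: run nix-update for PKG, logging to
          # /tmp/update-PKG.log. Returns 0 = updated (HEAD moved or tree
          # dirty), 2 = already up to date, 1 = nix-update failed otherwise.
          # With `pipefail` the `if` reflects nix-update's status, not tee's.
          update_one() {
            local pkg="$1" log="/tmp/update-$1.log" before
            before=$(git rev-parse HEAD)
            if nix-update --flake --commit "$pkg" 2>&1 | tee "$log"; then
              if [ "$(git rev-parse HEAD)" != "$before" ] || ! git diff-index --quiet HEAD --; then
                return 0
              fi
              return 2
            fi
            # Non-zero exit: distinguish "nothing to do" from a real failure
            if grep -q "already up to date\|No new version found" "$log"; then
              return 2
            fi
            return 1
          }

          UPDATES_FOUND=false
          UPDATED_PACKAGES=""
          PACKAGES=""
          if [ -n "$PACKAGE" ]; then
            echo "Updating specific package: $PACKAGE"
            # Accept plain directory names only: no leading '-' (would be read
            # as an option), no '/', '.' or '..' (would escape pkgs/).
            if ! [[ "$PACKAGE" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
              echo "✗ Invalid package name: $PACKAGE"
              exit 1
            fi
            if [ -d "pkgs/$PACKAGE" ]; then
              PACKAGES="$PACKAGE"
            else
              echo "✗ Package directory pkgs/$PACKAGE not found"
            fi
          else
            echo "Checking all packages for updates..."
            # List package directories (exclude default.nix and AGENTS.md);
            # a missing pkgs/ yields an empty list rather than aborting.
            PACKAGES=$(find pkgs -mindepth 1 -maxdepth 1 -type d -not -name default.nix -not -name AGENTS.md -exec basename {} \; 2>/dev/null | sort) || true
            if [ -z "$PACKAGES" ]; then
              echo "No packages found to update"
            fi
          fi

          # Update each package (an empty list falls through to the summary)
          for pkg in $PACKAGES; do
            echo ""
            echo "━━━ Checking $pkg ━━━"
            update_one "$pkg" && rc=0 || rc=$?
            case "$rc" in
              0)
                UPDATES_FOUND=true
                # ", "-separated; the build step splits on exactly that
                UPDATED_PACKAGES="${UPDATED_PACKAGES:+${UPDATED_PACKAGES}, }${pkg}"
                echo "✓ Updated $pkg"
                ;;
              2)
                echo " $pkg already up to date"
                ;;
              *)
                echo "⚠️ Update check for $pkg failed:"
                cat "/tmp/update-${pkg}.log"
                ;;
            esac
          done

          echo ""
          echo "━━━ Summary ━━━"
          if [ "$UPDATES_FOUND" = "true" ]; then
            echo "✓ Package updates found: $UPDATED_PACKAGES"
            echo "has_updates=true" >> "$GITHUB_OUTPUT"
            echo "updated_packages=${UPDATED_PACKAGES}" >> "$GITHUB_OUTPUT"
            echo "branch_name=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
            git status
            git log --oneline "${BASE_HEAD}..HEAD"
          else
            echo " No package updates found"
            echo "has_updates=false" >> "$GITHUB_OUTPUT"
            # Switch back to master and drop the unused branch
            git checkout master
            git branch -D "${BRANCH_NAME}" 2>/dev/null || true
          fi

      - name: Verify packages build
        if: steps.update.outputs.has_updates == 'true'
        env:
          PACKAGES: "${{ steps.update.outputs.updated_packages }}"
        run: |
          set -euo pipefail
          echo "Verifying builds for: $PACKAGES"
          # Parse the ", "-separated list written by the update step
          IFS=', ' read -ra PKG_ARRAY <<< "$PACKAGES"
          for pkg in "${PKG_ARRAY[@]}"; do
            echo "━━━ Building $pkg ━━━"
            # --no-link: do not leave a `result` symlink in the checkout
            if nix build --no-link ".#${pkg}"; then
              echo "✓ $pkg built successfully"
            else
              echo "❌ Build failed for $pkg"
              exit 1
            fi
          done

      - name: Push branch and create pull request
        if: steps.update.outputs.has_updates == 'true'
        env:
          BRANCH: "${{ steps.update.outputs.branch_name }}"
          PACKAGES: "${{ steps.update.outputs.updated_packages }}"
        run: |
          set -euo pipefail
          echo "Pushing branch ${BRANCH}..."
          # Push the branch; the timestamped name makes a collision unlikely,
          # the fallback force-pushes over a stale branch of the same name.
          git push origin "${BRANCH}" || (git fetch origin "${BRANCH}" 2>/dev/null && git push origin "${BRANCH}" --force)
          echo "Creating pull request..."
          # NOTE(review): this fetches an unpinned "latest" binary over the
          # network and runs it with access to the repository. Pin a release
          # and verify it against the published checksum, e.g.
          # `echo "<EXPECTED_SHA256>  /tmp/tea" | sha256sum -c`, or install
          # tea from the nixos runner's package set instead.
          wget -q https://dl.gitea.com/tea/latest/tea-linux-amd64 -O /tmp/tea
          chmod +x /tmp/tea
          # Commit list for the PR description, one "- <sha> <subject>" per line
          COMMITS=$(git log origin/master..origin/"${BRANCH}" --pretty=format:"%h %s" | sed 's/^/- /')
          # printf so the body gets real newlines: inside bash double quotes
          # "\n" is a literal backslash-n.
          BODY=$(printf 'Automated package updates using nix-update.\n\nUpdated packages:\n%s\n\nCommits:\n%s\n' "$PACKAGES" "$COMMITS")
          # NOTE(review): `tea pr create` presumably needs a login configured
          # for code.m3ta.dev (`tea login add`); none is set up in this job, so
          # confirm the runner has one or the fallback below always fires.
          /tmp/tea pr create \
            --head "${BRANCH}" \
            --base master \
            --title "chore: update packages with nix-update" \
            --body "${BODY}" \
            --assignees m3tam3re \
            --labels automated-update || echo "Failed to create PR. Please create manually."
          echo "✓ Pull request created or branch pushed: ${BRANCH}"

      - name: Summary
        if: always()
        env:
          HAS_UPDATES: "${{ steps.update.outputs.has_updates }}"
          BRANCH: "${{ steps.update.outputs.branch_name }}"
          PACKAGES: "${{ steps.update.outputs.updated_packages }}"
        run: |
          echo "━━━ Workflow Summary ━━━"
          if [ "$HAS_UPDATES" = "true" ]; then
            echo "✅ Successfully updated packages"
            echo "Branch: $BRANCH"
            echo "Packages: $PACKAGES"
          else
            echo " No package updates needed or found"
          fi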