---
name: Update Nix Packages with nix-update

# `on` is a YAML 1.1 boolean-looking key; the Actions loader handles it.
# yamllint disable-line rule:truthy
on:
  schedule:
    # Runs once a day at 02:00 (runner clock).
    - cron: "0 2 * * *"
  workflow_dispatch:
    inputs:
      # Leave empty to update every directory under pkgs/.
      package:
        description: "Specific package to update (optional)"
        required: false
        type: string
env:
  # Identity stamped on the commits that nix-update creates.
  GIT_AUTHOR_NAME: "nix-update bot"
  GIT_AUTHOR_EMAIL: "bot@m3ta.dev"
  GIT_COMMITTER_NAME: "nix-update bot"
  GIT_COMMITTER_EMAIL: "bot@m3ta.dev"
  # Centralized workspace path shared by every step.
  # NOTE(review): a fixed path under /tmp is visible to every other user and
  # job on the runner host; the first step removes and recreates it. Confirm
  # the `nixos` runner is dedicated, or move this under a per-run directory.
  REPO_DIR: "/tmp/nixpkgs"
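jobs:
  nix-update:
    # Self-hosted label. If this runner is not ephemeral, everything written to
    # ~ (git config, credential file, tea login) survives the job, which is why
    # the cleanup step below removes each of them explicitly.
    runs-on: nixos
    steps:
      - name: Setup Environment and Authenticate
        env:
          # The token is passed through the step environment instead of being
          # expanded into the script text, so it is never part of the command
          # the runner interpolates and logs.
          NIX_UPDATE_TOKEN: ${{ secrets.NIX_UPDATE_TOKEN }}
        run: |
          # 1. Clean Workspace
          if [ -d "$REPO_DIR" ]; then rm -rf "$REPO_DIR"; fi
          # 2. Configure Git Credentials
          # Using 'store' helper is robust and avoids interactive prompts.
          # Fail before writing anything if the secret is missing.
          if [ -z "${NIX_UPDATE_TOKEN:-}" ]; then
            echo "❌ NIX_UPDATE_TOKEN is not set."
            exit 1
          fi
          git config --global credential.helper store
          # umask 077 makes the file private from creation; chmod keeps the
          # original guarantee for a pre-existing file.
          (umask 077; echo "https://m3tam3re:${NIX_UPDATE_TOKEN}@code.m3ta.dev" > ~/.git-credentials)
          chmod 600 ~/.git-credentials
          # 3. Configure Git Identity
          git config --global user.name "$GIT_AUTHOR_NAME"
          git config --global user.email "$GIT_AUTHOR_EMAIL"
          git config --global init.defaultBranch master
          # 4. Verify Authentication (Fail fast)
          if command -v tea &> /dev/null; then
            echo "Verifying API access..."
            tea login delete m3ta >/dev/null 2>&1 || true
            # tea persists this login in its own config file; see cleanup step.
            if ! tea login add --name m3ta --url https://code.m3ta.dev --token "$NIX_UPDATE_TOKEN"; then
              echo "❌ Authentication failed. Check NIX_UPDATE_TOKEN."
              exit 1
            fi
            echo "✓ Authentication successful."
          fi

      - name: Checkout Repository
        run: |
          # Clone using explicit username to match the stored credentials
          git clone --no-single-branch \
            "https://m3tam3re@code.m3ta.dev/m3tam3re/nixpkgs.git" \
            "$REPO_DIR"

      - name: Check Prerequisites
        id: check
        run: |
          cd "$REPO_DIR"
          # Check for packages directory
          if [ ! -d "pkgs" ]; then
            echo "❌ Error: 'pkgs' directory not found."
            exit 1
          fi
          # Check for flake.nix
          if [ -f "flake.nix" ]; then
            echo "has_flake=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_flake=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Update Packages
        id: update
        env:
          # The workflow_dispatch input reaches the script only as an
          # environment variable, so its value cannot change the shell text.
          PACKAGE: ${{ inputs.package }}
        run: |
          # pipefail: the status of `nix-update | tee` below is nix-update's, not tee's.
          set -euo pipefail
          cd "$REPO_DIR"
          TIMESTAMP=$(date +%Y%m%d-%H%M%S)
          BRANCH_NAME="nix-update-${TIMESTAMP}"
          git checkout -b "${BRANCH_NAME}"
          UPDATED_PACKAGES=""
          # Prints "true" when HEAD no longer equals the commit given as $1.
          check_commit() {
            [ "$1" != "$(git rev-parse HEAD)" ] && echo "true" || echo "false"
          }
          # Runs nix-update for one package. Returns 0 only when a new commit
          # was created; returns 1 otherwise (up to date or failed).
          run_update() {
            local pkg=$1
            local before_hash
            before_hash=$(git rev-parse HEAD)
            echo "Checking $pkg..."
            # Run nix-update, capturing output to log but allowing failure
            if nix-update --flake --commit "$pkg" 2>&1 | tee "/tmp/update-${pkg}.log"; then
              if [ "$(check_commit "$before_hash")" = "true" ]; then
                echo "✓ Updated $pkg"
                return 0
              fi
            fi
            # Log failure reason if not just "up to date"
            if ! grep -q "already up to date\|No new version found" "/tmp/update-${pkg}.log"; then
              echo "⚠️ Update failed for $pkg"
            fi
            return 1
          }
          if [ -n "${PACKAGE:-}" ]; then
            # Single package mode. Only a plain directory name is accepted so
            # that "pkgs/$pkg", the log path and the flake attribute below
            # cannot leave their intended namespace ('.' and '..' are rejected).
            pkg="$PACKAGE"
            if ! [[ "$pkg" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
              echo "✗ Invalid package name '$pkg'"
              exit 1
            fi
            if [ -d "pkgs/$pkg" ]; then
              if run_update "$pkg"; then
                UPDATED_PACKAGES="$pkg"
              fi
            else
              echo "✗ Package 'pkgs/$pkg' not found"
            fi
          else
            # All packages mode: one directory per package under pkgs/
            PACKAGES=$(find pkgs -mindepth 1 -maxdepth 1 -type d -not -name default.nix -not -name AGENTS.md -exec basename {} \; 2>/dev/null | sort)
            if [ -z "$PACKAGES" ]; then
              echo "No packages found to update"
              echo "has_updates=false" >> "$GITHUB_OUTPUT"
              exit 0
            fi
            for pkg in $PACKAGES; do
              if run_update "$pkg"; then
                UPDATED_PACKAGES="${UPDATED_PACKAGES}, $pkg"
              fi
            done
          fi
          # Finalize: strip the leading separator and count commits on the branch
          UPDATED_PACKAGES=$(echo "$UPDATED_PACKAGES" | sed 's/^, //')
          COMMIT_COUNT=$(git rev-list --count master..HEAD)
          if [ "$COMMIT_COUNT" -gt 0 ]; then
            echo "✓ $COMMIT_COUNT updates committed."
            {
              echo "has_updates=true"
              echo "updated_packages=${UPDATED_PACKAGES}"
              echo "branch_name=${BRANCH_NAME}"
            } >> "$GITHUB_OUTPUT"
          else
            # NOTE(review): the forge flags invisible Unicode in this file; the
            # leading blank in this message may be such a character — confirm.
            echo " No updates found."
            echo "has_updates=false" >> "$GITHUB_OUTPUT"
            git checkout master
            git branch -D "${BRANCH_NAME}" 2>/dev/null || true
          fi

      - name: Verify Builds
        if: steps.update.outputs.has_updates == 'true'
        env:
          # Step outputs are passed via env rather than interpolated into the script.
          UPDATED_PACKAGES: ${{ steps.update.outputs.updated_packages }}
        run: |
          cd "$REPO_DIR"
          # The list is ", "-separated; IFS splits on either character.
          IFS=', ' read -ra PKGS <<< "$UPDATED_PACKAGES"
          for pkg in "${PKGS[@]}"; do
            echo "Building $pkg..."
            if ! nix build ".#${pkg}"; then
              echo "❌ Build failed for $pkg"
              exit 1
            fi
            echo "✓ Build successful"
          done

      - name: Push and PR
        if: steps.update.outputs.has_updates == 'true'
        env:
          BRANCH: ${{ steps.update.outputs.branch_name }}
          PACKAGES: ${{ steps.update.outputs.updated_packages }}
        run: |
          cd "$REPO_DIR"
          echo "Pushing branch $BRANCH..."
          git push origin "$BRANCH"
          echo "Creating Pull Request..."
          COMMITS=$(git log origin/master..HEAD --pretty=format:"%h %s" | sed 's/^/- /')
          # Package list and commit list are printf arguments, never part of the format string.
          tea pr create \
            --head "$BRANCH" \
            --base master \
            --title "chore: update packages with nix-update" \
            --body "$(printf "Automated package updates.\n\nUpdated packages:\n%s\n\nCommits:\n%s" "$PACKAGES" "$COMMITS")" \
            --assignees m3tam3re \
            --labels automated-update

      - name: Cleanup Credentials
        if: always() # Run even if job fails
        run: |
          # Remove every credential the setup step left on the runner: the
          # credential file, the 'store' helper setting, and tea's saved login.
          rm -f ~/.git-credentials
          git config --global --unset credential.helper || true
          if command -v tea &> /dev/null; then
            tea login delete m3ta >/dev/null 2>&1 || true
          fi
          # Optional: Clear repo to save space
          # rm -rf "$REPO_DIR"

      - name: Summary
        if: always()
        env:
          HAS_UPDATES: ${{ steps.update.outputs.has_updates }}
          UPDATED_PACKAGES: ${{ steps.update.outputs.updated_packages }}
        run: |
          if [ "$HAS_UPDATES" = "true" ]; then
            echo "✅ Successfully updated: $UPDATED_PACKAGES"
          else
            # NOTE(review): the leading blank may be an invisible Unicode character — confirm.
            echo " No updates required."
          fi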