diff --git a/.gitea/workflows/nix-update.yml b/.gitea/workflows/nix-update.yml
index ffb7b94..30e8cb4 100644
--- a/.gitea/workflows/nix-update.yml
+++ b/.gitea/workflows/nix-update.yml
@@ -16,42 +16,39 @@ env: GIT_COMMITTER_NAME: "nix-update bot" GIT_COMMITTER_EMAIL: "bot@m3ta.dev" GIT_TERMINAL_PROMPT: "0" - GIT_ASKPASS: "/bin/echo" jobs: nix-update: runs-on: nixos steps: + - name: Configure Authentication (.netrc) + run: | + # Configure .netrc for seamless authentication + # This bypasses git credential helpers and works reliably in CI environments + cat < $HOME/.netrc + machine code.m3ta.dev + login m3tam3re + password ${{ secrets.NIX_UPDATE_TOKEN }} + NETRC + chmod 600 $HOME/.netrc + - name: Checkout repository run: | - # Clean up any previous runs if [ -d "/tmp/nixpkgs" ]; then rm -rf /tmp/nixpkgs fi - # 1. Configure Credentials Globally using a Credential Helper Script - # This is the most robust way to handle auth without leaking tokens in `ps` output - # and ensuring it works for all git commands (clone, push, submodules) - - # Create a dummy askpass script that returns the password (token) - echo 'echo "${{ secrets.NIX_UPDATE_TOKEN }}"' > /tmp/git-askpass-helper.sh - chmod +x /tmp/git-askpass-helper.sh - export GIT_ASKPASS="/tmp/git-askpass-helper.sh" - - # Clone using the username 'm3tam3re' explicitly. - # Gitea PATs usually require the username to match the token owner for write operations. + # Clone using the HTTPS URL (auth handled by .netrc) git clone --no-single-branch \ - "https://m3tam3re@code.m3ta.dev/m3tam3re/nixpkgs.git" \ + "https://code.m3ta.dev/m3tam3re/nixpkgs.git" \ /tmp/nixpkgs cd /tmp/nixpkgs - # Configure local git user git config user.name "${{ env.GIT_AUTHOR_NAME }}" git config user.email "${{ env.GIT_AUTHOR_EMAIL }}" git config init.defaultBranch master - # Verify checkout git status git log --oneline -5 
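Review bot: In the new "Configure Authentication (.netrc)" step the token is written to `$HOME/.netrc` before `chmod 600` runs, so the file briefly exists with whatever the runner's default umask grants; restrict it first, e.g. `umask 077` as the step's first line or `install -m 600 /dev/null "$HOME/.netrc"` before the `cat`. As rendered here the write reads `cat < $HOME/.netrc` followed by a bare `NETRC` terminator line, which looks like a heredoc (`cat <<NETRC > "$HOME/.netrc"`) whose `<<NETRC >` was lost in rendering; if the committed file really reads this way the step would fail and the `password …` line would be executed as a command rather than written, so this is worth confirming against the source. Quoting the path as `"$HOME/.netrc"` in both the redirect and the `chmod` would also match the quoting style used elsewhere in the file. The `steps:` list continues past the end of this hunk.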
@@ -66,7 +63,6 @@ jobs: exit 1 fi - # Check if flake.nix exists if [ -f "flake.nix" ]; then echo "has_flake=true" >> $GITHUB_OUTPUT else 
@@ -171,10 +167,8 @@ jobs: BRANCH="${{ steps.update.outputs.branch_name }}" PACKAGES="${{ steps.update.outputs.updated_packages }}" - # Re-export the helper for this step just in case - export GIT_ASKPASS="/tmp/git-askpass-helper.sh" - echo "Pushing branch ${BRANCH}..." + # Authentication is handled by .netrc git push origin "${BRANCH}" echo "Creating pull request..." 
@@ -184,7 +178,6 @@ jobs: exit 1 fi - # Reset tea login tea login delete m3ta >/dev/null 2>&1 || true tea login add --name m3ta --url https://code.m3ta.dev --token "${{ secrets.NIX_UPDATE_TOKEN }}" 
@@ -197,9 +190,9 @@ jobs: --body "$(printf "Automated package updates using nix-update.\n\nUpdated packages:\n%s\n\nCommits:\n%s" "$PACKAGES" "$COMMITS")" \ --assignees m3tam3re \ --labels automated-update || echo "PR creation failed" - + # Cleanup - rm -f /tmp/git-askpass-helper.sh + rm -f $HOME/.netrc - name: Summary if: always()
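Review bot: The new `rm -f $HOME/.netrc` at the end of the push/PR step (hunk at -197) only runs when every command before it succeeds; the `exit 1` paths earlier in that step (visible in the hunk at -184) and a failing `git push` (hunk at -171), if the step's shell runs with errexit as CI runners commonly default to, skip it and leave the plaintext token on the `runs-on: nixos` runner for whatever runs there next. Move the cleanup into its own step guarded with `if: always()`, the same guard the `Summary` step already uses, and quote the path: `- name: Remove credentials`, `if: always()`, `run: rm -f "$HOME/.netrc"`. The push/PR step starts and ends outside these hunks, so other early-exit paths may exist that are not shown.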