wf test

2026-01-18 07:17:32 +01:00
parent cc9e70d6d6
commit 109cfbd515
1 changed files with 16 additions and 23 deletions
--- a/.gitea/workflows/nix-update.yml
+++ b/.gitea/workflows/nix-update.yml
@@ -16,42 +16,39 @@ env:
  GIT_COMMITTER_NAME: "nix-update bot"
  GIT_COMMITTER_EMAIL: "bot@m3ta.dev"
  GIT_TERMINAL_PROMPT: "0"
-  GIT_ASKPASS: "/bin/echo"

 jobs:
  nix-update:
    runs-on: nixos
    steps:
+      - name: Configure Authentication (.netrc)
+        run: |
+          # Configure .netrc for seamless authentication
+          # This bypasses git credential helpers and works reliably in CI environments
+          cat <<NETRC > $HOME/.netrc
+          machine code.m3ta.dev
+          login m3tam3re
+          password ${{ secrets.NIX_UPDATE_TOKEN }}
+          NETRC
+          chmod 600 $HOME/.netrc
+
      - name: Checkout repository
        run: |
-          # Clean up any previous runs
          if [ -d "/tmp/nixpkgs" ]; then
            rm -rf /tmp/nixpkgs
          fi

-          # 1. Configure Credentials Globally using a Credential Helper Script
-          # This is the most robust way to handle auth without leaking tokens in `ps` output
-          # and ensuring it works for all git commands (clone, push, submodules)
-          
-          # Create a dummy askpass script that returns the password (token)
-          echo 'echo "${{ secrets.NIX_UPDATE_TOKEN }}"' > /tmp/git-askpass-helper.sh
-          chmod +x /tmp/git-askpass-helper.sh
-          export GIT_ASKPASS="/tmp/git-askpass-helper.sh"
-
-          # Clone using the username 'm3tam3re' explicitly.
-          # Gitea PATs usually require the username to match the token owner for write operations.
+          # Clone using the HTTPS URL (auth handled by .netrc)
          git clone --no-single-branch \
-            "https://m3tam3re@code.m3ta.dev/m3tam3re/nixpkgs.git" \
+            "https://code.m3ta.dev/m3tam3re/nixpkgs.git" \
            /tmp/nixpkgs

          cd /tmp/nixpkgs
          
-          # Configure local git user
          git config user.name "${{ env.GIT_AUTHOR_NAME }}"
          git config user.email "${{ env.GIT_AUTHOR_EMAIL }}"
          git config init.defaultBranch master

-          # Verify checkout
          git status
          git log --oneline -5

@@ -66,7 +63,6 @@ jobs:
             exit 1
          fi

-          # Check if flake.nix exists
          if [ -f "flake.nix" ]; then
            echo "has_flake=true" >> $GITHUB_OUTPUT
          else
@@ -171,10 +167,8 @@ jobs:
          BRANCH="${{ steps.update.outputs.branch_name }}"
          PACKAGES="${{ steps.update.outputs.updated_packages }}"

-          # Re-export the helper for this step just in case
-          export GIT_ASKPASS="/tmp/git-askpass-helper.sh"
-
          echo "Pushing branch ${BRANCH}..."
+          # Authentication is handled by .netrc
          git push origin "${BRANCH}"

          echo "Creating pull request..."
@@ -184,7 +178,6 @@ jobs:
             exit 1
          fi

-          # Reset tea login
          tea login delete m3ta >/dev/null 2>&1 || true
          tea login add --name m3ta --url https://code.m3ta.dev --token "${{ secrets.NIX_UPDATE_TOKEN }}"

@@ -199,7 +192,7 @@ jobs:
            --labels automated-update || echo "PR creation failed"
            
          # Cleanup
-          rm -f /tmp/git-askpass-helper.sh
+          rm -f $HOME/.netrc

      - name: Summary
        if: always()