chore: ci-update

.gitea/workflows/nix-update.yml

@@ -179,94 +179,79 @@ jobs:
            is_custom_update_script() {
               local pkg=$1
               local result
-              # nix-update-script returns a list like [ "/nix/store/...-nix-update/bin/nix-update" ]
+              # Custom scripts (./update.sh) become store paths ending in .sh
-              # Custom scripts return a path like "/nix/store/.../update.sh"
+              # nix-update-script produces a list with nix-update binary path
               result=$(nix eval --impure --raw --expr "
-                let 
+                let
                   flake = builtins.getFlake (toString ./.);
                   pkg = flake.packages.\${builtins.currentSystem}.${pkg};
-                  script = pkg.passthru.updateScript or [];
+                  script = pkg.passthru.updateScript or null;
-                in 
+                in
-                  if builtins.isPath script then
+                  if script == null then \"none\"
-                    \"custom\"
+                  else if builtins.isPath script then \"custom\"
-                  else if builtins.isList script && builtins.length script > 0 then
+                  else if builtins.isString script then
+                    (if builtins.match \".*\\.sh$\" script != null then \"custom\" else \"other\")
+                  else if builtins.isList script then
                     let first = builtins.head script;
-                    in if builtins.isString first && builtins.match \".*/nix-update$\" first != null then
+                    in if builtins.isString first && builtins.match \".*/nix-update$\" first != null
-                      \"nix-update-script\"
+                       then \"nix-update-script\"
-                    else if builtins.isPath first then
+                       else \"custom\"
-                      \"custom\"
+                  else if builtins.isAttrs script && script ? command then \"custom\"
-                    else
+                  else \"other\"
-                      \"other\"
-                  else if builtins.isAttrs script && script ? command then
-                    if builtins.isPath script.command then \"custom\"
-                    else if builtins.isList script.command && builtins.isPath (builtins.head script.command) then \"custom\"
-                    else \"other\"
-                  else
-                    \"other\"
               " 2>/dev/null || echo "other")
               [[ "$result" == "custom" ]]
            }
 
-           # Run a custom update script directly (for packages like n8n)
+           # Run a custom update script directly
+           # Scripts must use nix-shell shebang for their own dependencies
            run_custom_update_script() {
               local pkg=$1
               local before_hash=$(git rev-parse HEAD)
-              
+
               echo "  🔧 Detected custom update script for $pkg"
-              
+
-              # Get package metadata for environment variables
+              # Resolve the store path of the update script
-              local name pname version
+              local script_path
-              name=$(nix eval --raw .#${pkg}.name 2>/dev/null || echo "$pkg")
+              script_path=$(nix eval --impure --raw --expr "
-              pname=$(nix eval --raw .#${pkg}.pname 2>/dev/null || echo "$pkg")
+                let
-              version=$(nix eval --raw .#${pkg}.version 2>/dev/null || echo "unknown")
+                  flake = builtins.getFlake (toString ./.);
-              
+                  pkg = flake.packages.\${builtins.currentSystem}.${pkg};
-              # Run the custom script using nix develop
+                  script = pkg.passthru.updateScript;
-              if nix develop --impure --expr "
+                  cmd = if builtins.isAttrs script then script.command
-                with builtins;
+                        else if builtins.isList script then builtins.head script
-                let 
+                        else script;
-                  flake = getFlake (toString ./.);
+                in toString cmd
-                  pkgs = flake.inputs.nixpkgs.legacyPackages.\${currentSystem};
+              " 2>/dev/null)
-                  pkg' = flake.packages.\${currentSystem}.${pkg};
+
-                  script = pkg'.passthru.updateScript;
+              if [ -z "$script_path" ]; then
-                  cmd = if isAttrs script then script.command else script;
+                echo "❌ Could not resolve update script path for $pkg"
-                  scriptPath = if isList cmd then head cmd else cmd;
+                return 1
-                in pkgs.mkShell {
+              fi
-                  inputsFrom = [pkg'];
+
-                  packages = with pkgs; [ curl jq git ];
+              # Set environment variables that nix-update would normally provide
-                }
+              export UPDATE_NIX_NAME=$(nix eval --raw .#${pkg}.name 2>/dev/null || echo "$pkg")
-              " --command bash -c "
+              export UPDATE_NIX_PNAME=$(nix eval --raw .#${pkg}.pname 2>/dev/null || echo "$pkg")
-                export UPDATE_NIX_NAME='${name}'
+              export UPDATE_NIX_OLD_VERSION=$(nix eval --raw .#${pkg}.version 2>/dev/null || echo "unknown")
-                export UPDATE_NIX_PNAME='${pname}'
+              export UPDATE_NIX_ATTR_PATH="$pkg"
-                export UPDATE_NIX_OLD_VERSION='${version}'
+
-                export UPDATE_NIX_ATTR_PATH='${pkg}'
+              echo "  Running: $script_path"
-                
+              if bash "$script_path" 2>&1 | tee /tmp/update-${pkg}.log; then
-                # Get the script path and execute it
-                script_path=\$(nix eval --impure --raw --expr '
-                  let 
-                    flake = builtins.getFlake (toString ./.);
-                    pkg = flake.packages.\${builtins.currentSystem}.${pkg};
-                    script = pkg.passthru.updateScript;
-                    cmd = if builtins.isAttrs script then script.command else script;
-                  in if builtins.isList cmd then toString (builtins.head cmd)
-                     else toString cmd
-                ' 2>/dev/null)
-                
-                if [ -n \"\$script_path\" ]; then
-                  echo \"Running: \$script_path\"
-                  bash \"\$script_path\"
-                fi
-              " 2>&1 | tee /tmp/update-${pkg}.log; then
                 if [ "$(check_commit "$before_hash")" = "true" ]; then
                    echo "✅ Updated $pkg (via custom script)"
                    return 0
                 fi
+                # Script succeeded but no commit — may already be up to date
+                if grep -q "already at latest\|nothing to do" /tmp/update-${pkg}.log; then
+                  echo "✓ $pkg already up to date"
+                  return 1
+                fi
               fi
-              
+
               # Clean up on failure
               git checkout -- . 2>/dev/null || true
               git clean -fd 2>/dev/null || true
-              
+
-              if ! grep -q "already up to date\|No new version found" /tmp/update-${pkg}.log; then
+              if ! grep -q "already at latest\|nothing to do\|No new version found" /tmp/update-${pkg}.log; then
                  echo "⚠️ Custom update script failed for $pkg"
               fi
               return 1

flake.lock

@@ -18,11 +18,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1774359777,
+        "lastModified": 1774459280,
-        "narHash": "sha256-O1rLshVxPjevFoLsmxH9MFfuKOs0o5R6RKgDQdEPhc4=",
+        "narHash": "sha256-pSoDFN/r8sgnGcTWRwahIUaGBaAEFcG80D3OKJugZRc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4dadc5203f16ccff702e755fb59175a972604ac5",
+        "rev": "6e80a55cd41cd97903fdbd080154450651b694f3",
         "type": "github"
       },
       "original": {
@@ -39,16 +39,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1774222321,
+        "lastModified": 1774392635,
-        "narHash": "sha256-JQsccVflS/GAjzguvZTLn7UH7tsou8yCSlaA48DVY10=",
+        "narHash": "sha256-04eOIBHX9e8Brwn+uL/7q8szvRUilr4G0B8eB76dhKU=",
         "owner": "anomalyco",
         "repo": "opencode",
-        "rev": "eb3bfffad453f1c8c3f0f92bba0d8e34c83fa244",
+        "rev": "0dcdf5f529dced23d8452c9aa5f166abb24d8f7c",
         "type": "github"
       },
       "original": {
         "owner": "anomalyco",
-        "ref": "v1.3.0",
+        "ref": "v1.3.2",
         "repo": "opencode",
         "type": "github"
       }

flake.nix

@@ -7,7 +7,7 @@
 
     # opencode needs newer bun from master
     opencode = {
-      url = "github:anomalyco/opencode/v1.3.0";
+      url = "github:anomalyco/opencode/v1.3.2";
       inputs.nixpkgs.follows = "nixpkgs-master";
     };
 

pkgs/kestractl/update.sh

@@ -1,9 +1,9 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell --pure -i bash -p bash curl jq nix cacert git
 set -euo pipefail
 
 # Update kestractl sources.json with the latest release from GitHub.
-# Usage: ./update.sh
+# Usage: ./update.sh (or via nix-update --update-script)
-# Called automatically by: nix-update --update-script kestractl
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 SOURCES_FILE="$SCRIPT_DIR/sources.json"
@@ -49,3 +49,13 @@ jq -n \
   > "$SOURCES_FILE"
 
 echo "Updated $SOURCES_FILE to $VERSION"
+
+# Commit when running in CI or via nix-update
+if [[ -d "$SCRIPT_DIR/../../.git" ]] || git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+  NIXPKGS_ROOT=$(git -C "$SCRIPT_DIR" rev-parse --show-toplevel 2>/dev/null || true)
+  if [[ -n "$NIXPKGS_ROOT" && -n "$(git -C "$NIXPKGS_ROOT" status --porcelain "$SOURCES_FILE")" ]]; then
+    git -C "$NIXPKGS_ROOT" add "$SOURCES_FILE"
+    git -C "$NIXPKGS_ROOT" commit -m "kestractl: ${CURRENT_VERSION} -> ${VERSION}"
+    echo "Committed update to git"
+  fi
+fi

pkgs/n8n/default.nix

@@ -25,20 +25,20 @@
 in
   stdenv.mkDerivation (finalAttrs: {
     pname = "n8n";
-    version = "2.11.4";
+    version = "2.13.3";
 
     src = fetchFromGitHub {
       owner = "n8n-io";
       repo = "n8n";
       tag = "n8n@${finalAttrs.version}";
-      hash = "sha256-mhfVipTAoHCY1BPSV5Ge1iQpa/LaUCw2aiI3KFkW0CI=";
+      hash = "sha256-ErChLX9bzOABz1hM4YuB2horhTWR4tskItx5rE0zR8g=";
     };
 
     pnpmDeps = fetchPnpmDeps {
       inherit (finalAttrs) pname version src;
       pnpm = pnpm_10;
       fetcherVersion = 3;
-      hash = "sha256-fWE/uJTs7lawbVu7iDSrpufqFaOkzFc5jjTD8u3Drok=";
+      hash = "sha256-SyGVhJ1kKH209TQken89RnBpZ7K3agHPN0jSmoFtX6c=";
     };
 
     nativeBuildInputs =

pkgs/openshell/update.sh

@@ -1,9 +1,9 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell --pure -i bash -p bash curl jq nix cacert git
 set -euo pipefail
 
 # Update openshell sources.json with the latest release from GitHub.
-# Usage: ./update.sh
+# Usage: ./update.sh (or via nix-update --update-script)
-# Called automatically by: nix-update --update-script openshell
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 SOURCES_FILE="$SCRIPT_DIR/sources.json"
@@ -50,3 +50,14 @@ jq -n \
   > "$SOURCES_FILE"
 
 echo "Updated $SOURCES_FILE to $VERSION"
+
+# Commit when running in CI or via nix-update
+if [[ -d "$SCRIPT_DIR/../../.git" ]] || git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+  NIXPKGS_ROOT=$(git -C "$SCRIPT_DIR" rev-parse --show-toplevel 2>/dev/null || true)
+  if [[ -n "$NIXPKGS_ROOT" && -n "$(git -C "$NIXPKGS_ROOT" status --porcelain "$SOURCES_FILE")" ]]; then
+    CLEAN_VERSION="${VERSION#v}"
+    git -C "$NIXPKGS_ROOT" add "$SOURCES_FILE"
+    git -C "$NIXPKGS_ROOT" commit -m "openshell: ${CURRENT_VERSION#v} -> ${CLEAN_VERSION}"
+    echo "Committed update to git"
+  fi
+fi