From 7639adc36fb76cffb7800ef0efb4a271eda1d504 Mon Sep 17 00:00:00 2001
From: m3tm3re
Date: Sun, 18 Jan 2026 07:28:51 +0100
Subject: [PATCH] wf test
---
 .gitea/workflows/nix-update.yml | 196 ++++++++++++++++----------------
 1 file changed, 101 insertions(+), 95 deletions(-)
diff --git a/.gitea/workflows/nix-update.yml b/.gitea/workflows/nix-update.yml
index 30e8cb4..5b059f6 100644
--- a/.gitea/workflows/nix-update.yml
+++ b/.gitea/workflows/nix-update.yml
@@ -3,7 +3,7 @@ name: Update Nix Packages with nix-update
 on:
   schedule:
     - cron: "0 2 * * *"
-  workflow_dispatch: # Allow manual triggering
+  workflow_dispatch:
     inputs:
       package:
         description: "Specific package to update (optional)"
@@ -15,64 +15,68 @@ env:
   GIT_AUTHOR_EMAIL: "bot@m3ta.dev"
   GIT_COMMITTER_NAME: "nix-update bot"
   GIT_COMMITTER_EMAIL: "bot@m3ta.dev"
-  GIT_TERMINAL_PROMPT: "0"
+  REPO_DIR: "/tmp/nixpkgs" # Centralized workspace path
 jobs:
   nix-update:
     runs-on: nixos
     steps:
-      - name: Configure Authentication (.netrc)
+      - name: Setup Environment and Authenticate
         run: |
-          # Configure .netrc for seamless authentication
-          # This bypasses git credential helpers and works reliably in CI environments
-          cat < $HOME/.netrc
-          machine code.m3ta.dev
-          login m3tam3re
-          password ${{ secrets.NIX_UPDATE_TOKEN }}
-          NETRC
-          chmod 600 $HOME/.netrc
+          # 1. Clean Workspace
+          if [ -d "$REPO_DIR" ]; then rm -rf "$REPO_DIR"; fi
-      - name: Checkout repository
-        run: |
-          if [ -d "/tmp/nixpkgs" ]; then
-            rm -rf /tmp/nixpkgs
+          # 2. Configure Git Credentials
+          # Using 'store' helper is robust and avoids interactive prompts
+          git config --global credential.helper store
+          echo "https://m3tam3re:${{ secrets.NIX_UPDATE_TOKEN }}@code.m3ta.dev" > ~/.git-credentials
+          chmod 600 ~/.git-credentials
+
+          # 3. Configure Git Identity
+          git config --global user.name "$GIT_AUTHOR_NAME"
+          git config --global user.email "$GIT_AUTHOR_EMAIL"
+          git config --global init.defaultBranch master
+
+          # 4. Verify Authentication (Fail fast)
+          if command -v tea &> /dev/null; then
+            echo "Verifying API access..."
+            tea login delete m3ta >/dev/null 2>&1 || true
+            if ! tea login add --name m3ta --url https://code.m3ta.dev --token "${{ secrets.NIX_UPDATE_TOKEN }}"; then
+              echo "❌ Authentication failed. Check NIX_UPDATE_TOKEN."
+              exit 1
+            fi
+            echo "✓ Authentication successful."
           fi
-          # Clone using the HTTPS URL (auth handled by .netrc)
-          git clone --no-single-branch \
-            "https://code.m3ta.dev/m3tam3re/nixpkgs.git" \
-            /tmp/nixpkgs
-
-          cd /tmp/nixpkgs
-
-          git config user.name "${{ env.GIT_AUTHOR_NAME }}"
-          git config user.email "${{ env.GIT_AUTHOR_EMAIL }}"
-          git config init.defaultBranch master
-
-          git status
-          git log --oneline -5
-
-      - name: Check for available packages to update
-        id: check-packages
+      - name: Checkout Repository
         run: |
-          cd /tmp/nixpkgs
-          if [ -d "pkgs" ]; then
-            echo "Packages found."
-          else
-            echo "pkgs directory not found"
+          # Clone using explicit username to match credentials
+          git clone --no-single-branch \
+            "https://m3tam3re@code.m3ta.dev/m3tam3re/nixpkgs.git" \
+            "$REPO_DIR"
+
+      - name: Check Prerequisites
+        id: check
+        run: |
+          cd "$REPO_DIR"
+
+          # Check for packages directory
+          if [ ! -d "pkgs" ]; then
+            echo "❌ Error: 'pkgs' directory not found."
             exit 1
           fi
+          # Check for flake.nix
           if [ -f "flake.nix" ]; then
             echo "has_flake=true" >> $GITHUB_OUTPUT
           else
             echo "has_flake=false" >> $GITHUB_OUTPUT
           fi
-      - name: Update packages
+      - name: Update Packages
         id: update
         run: |
-          cd /tmp/nixpkgs
+          cd "$REPO_DIR"
           set -e
           TIMESTAMP=$(date +%Y%m%d-%H%M%S)
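Review bot: The token is spliced into the script text twice in the Setup step (the `echo "https://m3tam3re:${{ secrets.NIX_UPDATE_TOKEN }}@code.m3ta.dev" > ~/.git-credentials` line and `tea login add ... --token "${{ secrets.NIX_UPDATE_TOKEN }}"`), so a secret containing `"`, `$` or a backtick breaks the quoting and becomes shell syntax rather than data; declaring it on the step as `env:` / `NIX_UPDATE_TOKEN: ${{ secrets.NIX_UPDATE_TOKEN }}` and referencing `"$NIX_UPDATE_TOKEN"` avoids that. The credentials file is also written before `chmod 600`, so under a permissive umask it is briefly readable by other local users on the runner; `(umask 077; printf '%s\n' "https://m3tam3re:${NIX_UPDATE_TOKEN}@code.m3ta.dev" > ~/.git-credentials)` closes that window. The "Fail fast" block is a no-op when `tea` is missing (`if command -v tea &> /dev/null; then` simply skips), whereas the removed code exited with "tea not found"; since the later PR step needs `tea` anyway, an `else` with `echo "Error: tea not found"; exit 1` would keep the intent. `GIT_TERMINAL_PROMPT: "0"` was dropped from `env:` even though the new comment says the store helper "avoids interactive prompts"; keeping it guarantees git fails instead of waiting should the stored credential be rejected. The Update Packages step at the end of the hunk continues past its last line.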
@@ -83,33 +87,44 @@ jobs:
           UPDATES_FOUND=false
           UPDATED_PACKAGES=""
+          # Helper to verify commits
           check_commit() {
+            [ "$1" != "$(git rev-parse HEAD)" ] && echo "true" || echo "false"
+          }
+
+          run_update() {
             local pkg=$1
-            local before=$2
-            local after=$(git rev-parse HEAD)
-            if [ "$before" != "$after" ]; then
-              echo "true"
-            else
-              echo "false"
+            local before_hash=$(git rev-parse HEAD)
+
+            echo "Checking $pkg..."
+            # Run nix-update, capturing output to log but allowing failure
+            if nix-update --flake --commit "$pkg" 2>&1 | tee /tmp/update-${pkg}.log; then
+              if [ "$(check_commit "$before_hash")" = "true" ]; then
+                echo "✓ Updated $pkg"
+                return 0
+              fi
             fi
+
+            # Log failure reason if not just "up to date"
+            if ! grep -q "already up to date\|No new version found" /tmp/update-${pkg}.log; then
+              echo "⚠️ Update failed for $pkg"
+            fi
+            return 1
           }
           if [ -n "${{ inputs.package }}" ]; then
-            echo "Updating specific package: ${{ inputs.package }}"
-            if [ -d "pkgs/${{ inputs.package }}" ]; then
-              BEFORE_HASH=$(git rev-parse HEAD)
-              if nix-update --flake --commit "${{ inputs.package }}" 2>&1 | tee /tmp/update.log; then
-                if [ "$(check_commit "${{ inputs.package }}" "$BEFORE_HASH")" = "true" ]; then
-                  UPDATES_FOUND=true
-                  UPDATED_PACKAGES="${{ inputs.package }}"
-                  echo "✓ Updated ${{ inputs.package }}"
-                fi
-              fi
+            # Single package mode
+            pkg="${{ inputs.package }}"
+            if [ -d "pkgs/$pkg" ]; then
+              if run_update "$pkg"; then
+                UPDATES_FOUND=true
+                UPDATED_PACKAGES="$pkg"
+              fi
             else
-              echo "✗ Package directory pkgs/${{ inputs.package }} not found"
+              echo "✗ Package 'pkgs/$pkg' not found"
             fi
           else
-            echo "Checking all packages..."
+            # All packages mode
             PACKAGES=$(find pkgs -mindepth 1 -maxdepth 1 -type d -not -name default.nix -not -name AGENTS.md -exec basename {} \; 2>/dev/null | sort)
             if [ -z "$PACKAGES" ]; then
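Review bot: `pkg="${{ inputs.package }}"` (like the unchanged `if [ -n "${{ inputs.package }}" ]; then` above it) expands the workflow_dispatch input into the script text before the shell runs, so an input holding quotes or `$(...)` is interpreted as code on the runner before the `[ -d "pkgs/$pkg" ]` check ever sees it. Route it through the environment instead: add `env:` / `PACKAGE: ${{ inputs.package }}` on the Update Packages step (its header is outside this hunk) and write `if [ -n "$PACKAGE" ]; then` and `pkg="$PACKAGE"`. Separately, `local before_hash=$(git rev-parse HEAD)` discards the command's exit status, so with `set -e` a failed rev-parse silently yields an empty hash and every package then looks "updated"; splitting it into `local before_hash` and `before_hash=$(git rev-parse HEAD)` keeps the failure visible. The run_update helper and the single-package branch are complete within the hunk; the enclosing step and its outer if/else continue past it.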
@@ -119,86 +134,77 @@ jobs:
           fi
           for pkg in $PACKAGES; do
-            echo "Checking $pkg..."
-            BEFORE_HASH=$(git rev-parse HEAD)
-            if nix-update --flake --commit "$pkg" 2>&1 | tee /tmp/update-${pkg}.log; then
-              if [ "$(check_commit "$pkg" "$BEFORE_HASH")" = "true" ]; then
-                UPDATES_FOUND=true
-                UPDATED_PACKAGES="${UPDATED_PACKAGES}, $pkg"
-                echo "✓ Updated $pkg"
-              fi
+            if run_update "$pkg"; then
+              UPDATES_FOUND=true
+              UPDATED_PACKAGES="${UPDATED_PACKAGES}, $pkg"
             fi
           done
           fi
+          # Finalize
           UPDATED_PACKAGES=$(echo "$UPDATED_PACKAGES" | sed 's/^, //')
           COMMIT_COUNT=$(git rev-list --count master..HEAD)
           if [ "$COMMIT_COUNT" -gt 0 ]; then
-            echo "✓ $COMMIT_COUNT updates committed"
+            echo "✓ $COMMIT_COUNT updates committed."
             echo "has_updates=true" >> $GITHUB_OUTPUT
             echo "updated_packages=${UPDATED_PACKAGES}" >> $GITHUB_OUTPUT
             echo "branch_name=${BRANCH_NAME}" >> $GITHUB_OUTPUT
           else
-            echo "ℹ️ No package updates found"
+            echo "ℹ️ No updates found."
             echo "has_updates=false" >> $GITHUB_OUTPUT
             git checkout master
             git branch -D "${BRANCH_NAME}" 2>/dev/null || true
           fi
-      - name: Verify packages build
+      - name: Verify Builds
         if: steps.update.outputs.has_updates == 'true'
         run: |
-          cd /tmp/nixpkgs
-          PACKAGES="${{ steps.update.outputs.updated_packages }}"
-          IFS=', ' read -ra PKG_ARRAY <<< "$PACKAGES"
-          for pkg in "${PKG_ARRAY[@]}"; do
+          cd "$REPO_DIR"
+          IFS=', ' read -ra PKGS <<< "${{ steps.update.outputs.updated_packages }}"
+
+          for pkg in "${PKGS[@]}"; do
             echo "Building $pkg..."
             if ! nix build .#$pkg; then
               echo "❌ Build failed for $pkg"
               exit 1
             fi
+            echo "✓ Build successful"
           done
-      - name: Push branch and create pull request
+      - name: Push and PR
         if: steps.update.outputs.has_updates == 'true'
         run: |
-          cd /tmp/nixpkgs
+          cd "$REPO_DIR"
           BRANCH="${{ steps.update.outputs.branch_name }}"
           PACKAGES="${{ steps.update.outputs.updated_packages }}"
-          echo "Pushing branch ${BRANCH}..."
-          # Authentication is handled by .netrc
-          git push origin "${BRANCH}"
-
-          echo "Creating pull request..."
-
-          if ! command -v tea &> /dev/null; then
-            echo "Error: tea not found"
-            exit 1
-          fi
-
-          tea login delete m3ta >/dev/null 2>&1 || true
-          tea login add --name m3ta --url https://code.m3ta.dev --token "${{ secrets.NIX_UPDATE_TOKEN }}"
+          echo "Pushing branch $BRANCH..."
+          git push origin "$BRANCH"
+          echo "Creating Pull Request..."
           COMMITS=$(git log origin/master..HEAD --pretty=format:"%h %s" | sed 's/^/- /')
-
+
           tea pr create \
-            --head "${BRANCH}" \
+            --head "$BRANCH" \
             --base master \
             --title "chore: update packages with nix-update" \
-            --body "$(printf "Automated package updates using nix-update.\n\nUpdated packages:\n%s\n\nCommits:\n%s" "$PACKAGES" "$COMMITS")" \
+            --body "$(printf "Automated package updates.\n\nUpdated packages:\n%s\n\nCommits:\n%s" "$PACKAGES" "$COMMITS")" \
             --assignees m3tam3re \
-            --labels automated-update || echo "PR creation failed"
-
-          # Cleanup
-          rm -f $HOME/.netrc
+            --labels automated-update
+
+      - name: Cleanup Credentials
+        if: always() # Run even if job fails
+        run: |
+          rm -f ~/.git-credentials
+          # Optional: Clear repo to save space
+          # rm -rf "$REPO_DIR"
       - name: Summary
         if: always()
         run: |
           if [ "${{ steps.update.outputs.has_updates }}" = "true" ]; then
-            echo "✅ Success: ${{ steps.update.outputs.updated_packages }}"
+            echo "✅ Successfully updated: ${{ steps.update.outputs.updated_packages }}"
           else
-            echo "ℹ️ No updates"
+            echo "ℹ️ No updates required."
           fi
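Review bot: The new Cleanup Credentials step only does `rm -f ~/.git-credentials`, which leaves two other artefacts of the setup step on the runner: `credential.helper store` stays in the global git config (and will write out the next credential git is handed), and the `tea login add` performed earlier keeps the token in tea's own login configuration, which nothing deletes. Because `runs-on: nixos` suggests a persistent self-hosted runner rather than a throwaway VM, add `tea login delete m3ta >/dev/null 2>&1 || true` and `git config --global --unset credential.helper || true` beside the `rm -f` so the `if: always()` cleanup is actually complete. In the Verify Builds step `nix build .#$pkg` leaves the attribute unquoted; `nix build ".#$pkg"` is the safer form and costs nothing. The Push and PR step now lets a failed `tea pr create` fail the job instead of the old `|| echo "PR creation failed"`, which is an improvement worth keeping.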