From cc9e70d6d6b5d669cb01d071652ede83a0448951 Mon Sep 17 00:00:00 2001 From: m3tm3re Date: Sun, 18 Jan 2026 07:12:45 +0100 Subject: [PATCH] wf test --- .gitea/workflows/nix-update.yml | 126 ++++++++++---------------------- 1 file changed, 39 insertions(+), 87 deletions(-) diff --git a/.gitea/workflows/nix-update.yml b/.gitea/workflows/nix-update.yml index 97500c6..ffb7b94 100644 --- a/.gitea/workflows/nix-update.yml +++ b/.gitea/workflows/nix-update.yml @@ -15,9 +15,8 @@ env: GIT_AUTHOR_EMAIL: "bot@m3ta.dev" GIT_COMMITTER_NAME: "nix-update bot" GIT_COMMITTER_EMAIL: "bot@m3ta.dev" - # Global environment variables to prevent interactive prompts in any step GIT_TERMINAL_PROMPT: "0" - GIT_ASKPASS: "echo" + GIT_ASKPASS: "/bin/echo" jobs: nix-update: 
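Review bot: The job-level `GIT_ASKPASS: "/bin/echo"` loses the comment that explained why it exists, and the absolute path is the one part of this change that can regress: on a NixOS runner or a minimal container `/bin/echo` may not be present (NixOS ships only `/bin/sh`), in which case git cannot run the askpass program and, with `GIT_TERMINAL_PROMPT: "0"`, fails the fetch outright rather than prompting. That is still non-interactive, so it is a documentation gap more than a bug, but the next reader should not have to reverse-engineer it; keep a one-line comment such as `# Never block on a credential prompt: echo the prompt as a (wrong) password and fail fast; steps that need auth export their own GIT_ASKPASS`. If the runner is NixOS, `/usr/bin/env echo` or plain `echo` (resolved via PATH by git's execvp) is the portable spelling.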
@@ -25,20 +24,29 @@ jobs: steps: - name: Checkout repository run: | - # Clean up any previous runs to avoid "destination path already exists" errors + # Clean up any previous runs if [ -d "/tmp/nixpkgs" ]; then - echo "Cleaning up existing /tmp/nixpkgs directory..." rm -rf /tmp/nixpkgs fi - # Clone repository with token authentication + # 1. Configure Credentials Globally using a Credential Helper Script + # This is the most robust way to handle auth without leaking tokens in `ps` output + # and ensuring it works for all git commands (clone, push, submodules) + + # Create a dummy askpass script that returns the password (token) + echo 'echo "${{ secrets.NIX_UPDATE_TOKEN }}"' > /tmp/git-askpass-helper.sh + chmod +x /tmp/git-askpass-helper.sh + export GIT_ASKPASS="/tmp/git-askpass-helper.sh" + + # Clone using the username 'm3tam3re' explicitly. + # Gitea PATs usually require the username to match the token owner for write operations. git clone --no-single-branch \ - "https://${{ secrets.NIX_UPDATE_TOKEN }}@code.m3ta.dev/m3tam3re/nixpkgs.git" \ + "https://m3tam3re@code.m3ta.dev/m3tam3re/nixpkgs.git" \ /tmp/nixpkgs cd /tmp/nixpkgs - - # Configure git author/committer (local to this repo) + + # Configure local git user git config user.name "${{ env.GIT_AUTHOR_NAME }}" git config user.email "${{ env.GIT_AUTHOR_EMAIL }}" git config init.defaultBranch master @@ -51,19 +59,17 @@ jobs: id: check-packages run: | cd /tmp/nixpkgs - echo "Found packages in pkgs/ directory:" if [ -d "pkgs" ]; then - find pkgs -mindepth 1 -maxdepth 1 -type d -not -name default.nix | grep -v AGENTS.md || echo "No packages found" + echo "Packages found." else echo "pkgs directory not found" + exit 1 fi # Check if flake.nix exists if [ -f "flake.nix" ]; then - echo "✓ Found flake.nix" echo "has_flake=true" >> $GITHUB_OUTPUT else - echo "✗ No flake.nix found" echo "has_flake=false" >> $GITHUB_OUTPUT fi 
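Review bot: The askpass helper is written with the secret baked into its contents and created with the default umask in shared `/tmp`, so `echo '…' > /tmp/git-askpass-helper.sh` followed by `chmod +x` typically yields a world-readable 0755 file containing the cleartext token for the rest of the job, which contradicts the "without leaking tokens" rationale in the comment. The `rm -rf /tmp/nixpkgs` branch above shows this is a persistent runner, and the only `rm -f` of the helper is at the tail of the push step, so any earlier failure leaves the token on disk between runs. Don't embed the token at all: let the helper read it from an environment variable that each git-using step sets via `env:`, create it in a private directory with `umask 077`, and give it a shebang so git can exec it without relying on the shell's ENOEXEC fallback. The push step would then need the same `env:` entry and to re-export `GIT_ASKPASS` to the new path (writing it to `$GITHUB_ENV` makes that automatic if the runner supports it).

```yaml
      - name: Checkout repository
        env:
          NIX_UPDATE_TOKEN: ${{ secrets.NIX_UPDATE_TOKEN }}
        run: |
          # … unchanged: /tmp/nixpkgs cleanup …
          umask 077
          ASKPASS_DIR="$(mktemp -d)"
          cat > "$ASKPASS_DIR/askpass" <<'EOF'
          #!/bin/sh
          printf '%s\n' "$NIX_UPDATE_TOKEN"
          EOF
          chmod 700 "$ASKPASS_DIR/askpass"
          export GIT_ASKPASS="$ASKPASS_DIR/askpass"
          echo "GIT_ASKPASS=$GIT_ASKPASS" >> "$GITHUB_ENV"
          # … unchanged: git clone / git config …
```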
@@ -73,113 +79,73 @@ jobs: cd /tmp/nixpkgs set -e - # Create timestamp for branch naming TIMESTAMP=$(date +%Y%m%d-%H%M%S) BRANCH_NAME="nix-update-${TIMESTAMP}" - # Create and checkout new branch git checkout -b "${BRANCH_NAME}" - # Track if any packages were updated UPDATES_FOUND=false UPDATED_PACKAGES="" - # Function to check if commit happened check_commit() { local pkg=$1 local before=$2 local after=$(git rev-parse HEAD) - if [ "$before" != "$after" ]; then - echo "✓ Successfully updated $pkg (commit created)" echo "true" else - echo "ℹ️ No changes committed for $pkg" echo "false" fi } - # Check if specific package was requested if [ -n "${{ inputs.package }}" ]; then echo "Updating specific package: ${{ inputs.package }}" if [ -d "pkgs/${{ inputs.package }}" ]; then - BEFORE_HASH=$(git rev-parse HEAD) - - # Run update (allow fail, but capturing output) if nix-update --flake --commit "${{ inputs.package }}" 2>&1 | tee /tmp/update.log; then - # Check if commit was actually made if [ "$(check_commit "${{ inputs.package }}" "$BEFORE_HASH")" = "true" ]; then UPDATES_FOUND=true UPDATED_PACKAGES="${{ inputs.package }}" + echo "✓ Updated ${{ inputs.package }}" fi - else - echo "ℹ️ Package ${{ inputs.package }} update failed or not needed" - cat /tmp/update.log fi else echo "✗ Package directory pkgs/${{ inputs.package }} not found" fi else - echo "Checking all packages for updates..." - - # Get list of package directories - if [ -d "pkgs" ]; then - PACKAGES=$(find pkgs -mindepth 1 -maxdepth 1 -type d -not -name default.nix -not -name AGENTS.md -exec basename {} \; 2>/dev/null | sort) - else - PACKAGES="" - fi - + echo "Checking all packages..." 
+ PACKAGES=$(find pkgs -mindepth 1 -maxdepth 1 -type d -not -name default.nix -not -name AGENTS.md -exec basename {} \; 2>/dev/null | sort) + if [ -z "$PACKAGES" ]; then echo "No packages found to update" echo "has_updates=false" >> $GITHUB_OUTPUT exit 0 fi - # Update each package for pkg in $PACKAGES; do - echo "" - echo "━━━ Checking $pkg ━━━" - + echo "Checking $pkg..." BEFORE_HASH=$(git rev-parse HEAD) - if nix-update --flake --commit "$pkg" 2>&1 | tee /tmp/update-${pkg}.log; then if [ "$(check_commit "$pkg" "$BEFORE_HASH")" = "true" ]; then UPDATES_FOUND=true UPDATED_PACKAGES="${UPDATED_PACKAGES}, $pkg" - fi - else - if grep -q "already up to date\|No new version found" /tmp/update-${pkg}.log; then - echo "ℹ️ $pkg already up to date" - else - echo "⚠️ Update check for $pkg failed:" - cat /tmp/update-${pkg}.log + echo "✓ Updated $pkg" fi fi done fi - # Remove trailing comma from package list UPDATED_PACKAGES=$(echo "$UPDATED_PACKAGES" | sed 's/^, //') - - # Final verification of changes COMMIT_COUNT=$(git rev-list --count master..HEAD) - + if [ "$COMMIT_COUNT" -gt 0 ]; then - echo "" - echo "━━━ Summary ━━━" - echo "✓ $COMMIT_COUNT package updates committed" - echo "Updates: $UPDATED_PACKAGES" + echo "✓ $COMMIT_COUNT updates committed" echo "has_updates=true" >> $GITHUB_OUTPUT echo "updated_packages=${UPDATED_PACKAGES}" >> $GITHUB_OUTPUT echo "branch_name=${BRANCH_NAME}" >> $GITHUB_OUTPUT else - echo "" - echo "━━━ Summary ━━━" - echo "ℹ️ No package updates found (no commits created)" + echo "ℹ️ No package updates found" echo "has_updates=false" >> $GITHUB_OUTPUT - - # Switch back to master and clean up empty branch git checkout master git branch -D "${BRANCH_NAME}" 2>/dev/null || true fi 
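Review bot: The new `echo "✓ Updated ${{ inputs.package }}"` line adds another site where `inputs.package` is spliced into the script text before bash parses it (alongside the existing `[ -d "pkgs/${{ inputs.package }}" ]` and `nix-update … "${{ inputs.package }}"`), so an input containing a double quote or `$(…)` is executed as shell; the trigger that defines the input is above this diff, so I am assuming it is a `workflow_dispatch` string with no validation. Pass it through the environment instead — `env: PKG: ${{ inputs.package }}` on the step, `"$PKG"` in the script — and reject anything that is not a plain directory name before using it in `pkgs/…`, e.g. `case "$PKG" in ''|*[!A-Za-z0-9._-]*) echo "invalid package name"; exit 1;; esac`. Separately, `if nix-update --flake --commit "$pkg" 2>&1 | tee …; then` tests tee's exit status, not nix-update's, because there is no `set -o pipefail` next to `set -e`; now that the `else` branch with `cat /tmp/update-${pkg}.log` is gone, a failing update is completely silent, so add `set -o pipefail` (and consider `exit 1` on the all-packages path) or keep the failure log output. The step's `run:` block continues past the end of this hunk.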
@@ -189,14 +155,10 @@ jobs: run: | cd /tmp/nixpkgs PACKAGES="${{ steps.update.outputs.updated_packages }}" - echo "Verifying builds for: $PACKAGES" - IFS=', ' read -ra PKG_ARRAY <<< "$PACKAGES" for pkg in "${PKG_ARRAY[@]}"; do - echo "━━━ Building $pkg ━━━" - if nix build .#$pkg; then - echo "✓ $pkg built successfully" - else + echo "Building $pkg..." + if ! nix build .#$pkg; then echo "❌ Build failed for $pkg" exit 1 fi 
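Review bot: `nix build .#$pkg` leaves `$pkg` unquoted, so a name that contains whitespace or glob characters is word-split or expanded before nix sees it; the names come from the `updated_packages` output, which on the single-package path originates from the workflow input, so they are not fully under this step's control. Quote it as `if ! nix build ".#${pkg}"; then` and, since `IFS=', '` can yield an empty element on a stray separator, skip empty entries with `[ -n "$pkg" ] || continue` at the top of the loop body.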
@@ -209,51 +171,41 @@ jobs: BRANCH="${{ steps.update.outputs.branch_name }}" PACKAGES="${{ steps.update.outputs.updated_packages }}" - echo "Configuring git push authentication..." - # Ensure the remote URL has the token to prevent interactive prompts - git remote set-url origin "https://${{ secrets.NIX_UPDATE_TOKEN }}@code.m3ta.dev/m3tam3re/nixpkgs.git" + # Re-export the helper for this step just in case + export GIT_ASKPASS="/tmp/git-askpass-helper.sh" echo "Pushing branch ${BRANCH}..." - # Force push if needed (though branch is new) git push origin "${BRANCH}" echo "Creating pull request..." - + if ! command -v tea &> /dev/null; then - echo "Error: tea not found in PATH" + echo "Error: tea not found" exit 1 fi - # Remove existing tea login to ensure we use the fresh token - # We ignore errors in case the login doesn't exist + # Reset tea login tea login delete m3ta >/dev/null 2>&1 || true - - # Add tea login with the secret token - echo "Adding tea login..." tea login add --name m3ta --url https://code.m3ta.dev --token "${{ secrets.NIX_UPDATE_TOKEN }}" - # Get commit messages COMMITS=$(git log origin/master..HEAD --pretty=format:"%h %s" | sed 's/^/- /') - # Create PR tea pr create \ --head "${BRANCH}" \ --base master \ --title "chore: update packages with nix-update" \ --body "$(printf "Automated package updates using nix-update.\n\nUpdated packages:\n%s\n\nCommits:\n%s" "$PACKAGES" "$COMMITS")" \ --assignees m3tam3re \ - --labels automated-update || echo "Failed to create PR. Please create manually." 
+ --labels automated-update || echo "PR creation failed" - echo "✓ Pull request created or branch pushed: ${BRANCH}" + # Cleanup + rm -f /tmp/git-askpass-helper.sh - name: Summary if: always() run: | - echo "━━━ Workflow Summary ━━━" if [ "${{ steps.update.outputs.has_updates }}" = "true" ]; then - echo "✅ Successfully updated packages" - echo "Branch: ${{ steps.update.outputs.branch_name }}" - echo "Packages: ${{ steps.update.outputs.updated_packages }}" + echo "✅ Success: ${{ steps.update.outputs.updated_packages }}" else - echo "ℹ️ No package updates needed or found" + echo "ℹ️ No updates" fi
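Review bot: The new `rm -f /tmp/git-askpass-helper.sh` only runs when every preceding command in this step succeeds — a rejected `git push`, or the `exit 1` when `tea` is missing, skips it — and this step presumably has an `if:` gating on `has_updates`, so a build failure in the verify step skips it entirely; the helper file holding the token then survives on this persistent runner. Move the cleanup into its own `if: always()` step (or into the existing Summary step, which already has `if: always()`), and also remove the tea login there, because `tea login add --token` writes the token into tea's config on the runner and it is only deleted at the start of the next run; note too that `--token "${{ secrets.NIX_UPDATE_TOKEN }}"` passes the secret as a process argument, visible in `/proc/*/cmdline` while tea runs, which the helper-script comment in the checkout step claims to avoid. Finally, `|| echo "PR creation failed"` masks the failure and leaves the job green with an orphaned branch; use `|| { echo "PR creation failed"; exit 1; }` so the run is marked failed.

```yaml
      - name: Cleanup credentials
        if: always()
        run: |
          rm -f /tmp/git-askpass-helper.sh
          tea login delete m3ta >/dev/null 2>&1 || true
```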