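---
# Nightly (and on-demand) bump of the packages under pkgs/ using nix-update.
# Updated packages are committed to a fresh branch, built, pushed and opened
# as a pull request against master on code.m3ta.dev via `tea`.
#
# Secrets, the dispatch input and step outputs are handed to shell steps via
# `env:` instead of `${{ }}` interpolation, so their values are never spliced
# into the shell script text (a crafted `package` input would otherwise be
# executed as part of the script).
name: Update Nix Packages with nix-update

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: "0 2 * * *"
  workflow_dispatch:
    inputs:
      package:
        description: "Specific package to update (optional)"
        required: false
        type: string

env:
  GIT_AUTHOR_NAME: "nix-update bot"
  GIT_AUTHOR_EMAIL: "bot@m3ta.dev"
  GIT_COMMITTER_NAME: "nix-update bot"
  GIT_COMMITTER_EMAIL: "bot@m3ta.dev"
  REPO_DIR: "/tmp/nixpkgs"  # Centralized workspace path

jobs:
  nix-update:
    runs-on: nixos
    steps:
      - name: Setup Environment and Authenticate
        env:
          # Exposed to the shell as a variable only; it is not part of the script.
          NIX_UPDATE_TOKEN: ${{ secrets.NIX_UPDATE_TOKEN }}
        run: |
          set -euo pipefail

          # 1. Clean Workspace
          rm -rf "$REPO_DIR"

          # 2. Fail fast if the secret is missing; an empty token would otherwise
          #    only surface later as an opaque clone/push failure.
          if [ -z "$NIX_UPDATE_TOKEN" ]; then
            echo "❌ NIX_UPDATE_TOKEN is not set."
            exit 1
          fi

          # 3. Configure Git Credentials
          # The 'store' helper avoids interactive prompts. The credentials file
          # is created under a restrictive umask so it is never readable by
          # other local users, not even between the write and the chmod.
          git config --global credential.helper store
          ( umask 077; echo "https://m3tam3re:${NIX_UPDATE_TOKEN}@code.m3ta.dev" > ~/.git-credentials )
          chmod 600 ~/.git-credentials

          # 4. Configure Git Identity
          git config --global user.name "$GIT_AUTHOR_NAME"
          git config --global user.email "$GIT_AUTHOR_EMAIL"
          git config --global init.defaultBranch master

          # 5. Verify Authentication (Fail fast)
          # `tea login add` persists the token in tea's own config on the runner;
          # the Cleanup Credentials step removes that login again.
          if command -v tea >/dev/null 2>&1; then
            echo "Verifying API access..."
            tea login delete m3ta >/dev/null 2>&1 || true
            if ! tea login add --name m3ta --url https://code.m3ta.dev --token "$NIX_UPDATE_TOKEN"; then
              echo "❌ Authentication failed. Check NIX_UPDATE_TOKEN."
              exit 1
            fi
            echo "✓ Authentication successful."
          fi

      - name: Checkout Repository
        run: |
          set -euo pipefail
          # Clone using explicit username to match credentials
          git clone --no-single-branch \
            "https://m3tam3re@code.m3ta.dev/m3tam3re/nixpkgs.git" \
            "$REPO_DIR"

      - name: Check Prerequisites
        id: check
        run: |
          set -euo pipefail
          cd "$REPO_DIR"

          # Check for packages directory
          if [ ! -d "pkgs" ]; then
            echo "❌ Error: 'pkgs' directory not found."
            exit 1
          fi

          # Check for flake.nix
          if [ -f "flake.nix" ]; then
            echo "has_flake=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_flake=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Update Packages
        id: update
        env:
          # Dispatch input. Delivered via env so its content cannot change the
          # script; it is additionally restricted to a plain directory name below.
          TARGET_PACKAGE: ${{ inputs.package }}
        run: |
          set -euo pipefail
          cd "$REPO_DIR"

          TIMESTAMP=$(date +%Y%m%d-%H%M%S)
          BRANCH_NAME="nix-update-${TIMESTAMP}"
          git checkout -b "${BRANCH_NAME}"

          # Per-package nix-update logs go to a private temp dir instead of a
          # predictable, shared /tmp path.
          LOG_DIR=$(mktemp -d)
          UPDATED_PACKAGES=""

          # Helper to verify commits: prints "true" when HEAD no longer equals $1.
          check_commit() {
            [ "$1" != "$(git rev-parse HEAD)" ] && echo "true" || echo "false"
          }

          # Run nix-update for one package; returns 0 only when it produced a commit.
          run_update() {
            local pkg=$1
            local before_hash
            before_hash=$(git rev-parse HEAD)
            local log="${LOG_DIR}/update-${pkg}.log"
            echo "Checking $pkg..."

            # Run nix-update, capturing output to log but allowing failure.
            # Because pipefail is set, the status tested here is nix-update's,
            # not tee's (which always succeeds).
            if nix-update --flake --commit "$pkg" 2>&1 | tee "$log"; then
              if [ "$(check_commit "$before_hash")" = "true" ]; then
                echo "✓ Updated $pkg"
                return 0
              fi
            fi

            # Log failure reason if not just "up to date"
            if ! grep -q "already up to date\|No new version found" "$log"; then
              echo "⚠️ Update failed for $pkg"
            fi
            return 1
          }

          if [ -n "$TARGET_PACKAGE" ]; then
            # Single package mode
            pkg="$TARGET_PACKAGE"
            case "$pkg" in
              */*|.|..)
                # Only a direct child of pkgs/ is a valid target; anything with a
                # path separator would escape that directory.
                echo "✗ Invalid package name '$pkg'"
                exit 1
                ;;
            esac
            if [ -d "pkgs/$pkg" ]; then
              if run_update "$pkg"; then
                UPDATED_PACKAGES="$pkg"
              fi
            else
              echo "✗ Package 'pkgs/$pkg' not found"
            fi
          else
            # All packages mode (array, so names are never word-split)
            mapfile -t PACKAGE_LIST < <(find pkgs -mindepth 1 -maxdepth 1 -type d \
              -not -name default.nix -not -name AGENTS.md \
              -exec basename {} \; 2>/dev/null | sort)
            if [ "${#PACKAGE_LIST[@]}" -eq 0 ]; then
              echo "No packages found to update"
              echo "has_updates=false" >> "$GITHUB_OUTPUT"
              exit 0
            fi
            for pkg in "${PACKAGE_LIST[@]}"; do
              if run_update "$pkg"; then
                UPDATED_PACKAGES="${UPDATED_PACKAGES}, $pkg"
              fi
            done
          fi

          # Finalize: drop the leading ", " left by the list builder above.
          UPDATED_PACKAGES="${UPDATED_PACKAGES#, }"
          COMMIT_COUNT=$(git rev-list --count master..HEAD)
          if [ "$COMMIT_COUNT" -gt 0 ]; then
            echo "✓ $COMMIT_COUNT updates committed."
            {
              echo "has_updates=true"
              echo "updated_packages=${UPDATED_PACKAGES}"
              echo "branch_name=${BRANCH_NAME}"
            } >> "$GITHUB_OUTPUT"
          else
            echo "ℹ️ No updates found."
            echo "has_updates=false" >> "$GITHUB_OUTPUT"
            git checkout master
            git branch -D "${BRANCH_NAME}" 2>/dev/null || true
          fi

      - name: Verify Builds
        if: steps.update.outputs.has_updates == 'true'
        env:
          UPDATED_PACKAGES: ${{ steps.update.outputs.updated_packages }}
        run: |
          set -euo pipefail
          cd "$REPO_DIR"
          # Split the ", "-joined list produced by the update step.
          IFS=', ' read -ra PKGS <<< "$UPDATED_PACKAGES"
          for pkg in "${PKGS[@]}"; do
            echo "Building $pkg..."
            if ! nix build ".#${pkg}"; then
              echo "❌ Build failed for $pkg"
              exit 1
            fi
            echo "✓ Build successful"
          done

      - name: Push and PR
        if: steps.update.outputs.has_updates == 'true'
        env:
          BRANCH: ${{ steps.update.outputs.branch_name }}
          PACKAGES: ${{ steps.update.outputs.updated_packages }}
        run: |
          set -euo pipefail
          cd "$REPO_DIR"

          echo "Pushing branch $BRANCH..."
          git push origin "$BRANCH"

          echo "Creating Pull Request..."
          COMMITS=$(git log origin/master..HEAD --pretty=format:"%h %s" | sed 's/^/- /')
          tea pr create \
            --head "$BRANCH" \
            --base master \
            --title "chore: update packages with nix-update" \
            --body "$(printf "Automated package updates.\n\nUpdated packages:\n%s\n\nCommits:\n%s" "$PACKAGES" "$COMMITS")" \
            --assignees m3tam3re \
            --labels automated-update

      - name: Cleanup Credentials
        if: always()  # Run even if job fails
        run: |
          # Remove every place the token was persisted on the runner: the git
          # credential store, the global helper setting and the tea login.
          rm -f ~/.git-credentials
          git config --global --unset credential.helper 2>/dev/null || true
          if command -v tea >/dev/null 2>&1; then
            tea login delete m3ta >/dev/null 2>&1 || true
          fi
          # Optional: Clear repo to save space
          # rm -rf "$REPO_DIR"

      - name: Summary
        if: always()
        env:
          HAS_UPDATES: ${{ steps.update.outputs.has_updates }}
          UPDATED_PACKAGES: ${{ steps.update.outputs.updated_packages }}
        run: |
          if [ "$HAS_UPDATES" = "true" ]; then
            echo "✅ Successfully updated: ${UPDATED_PACKAGES}"
          else
            echo "ℹ️ No updates required."
          fi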