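---
# Nightly (or manual) nix-update run against the m3tam3re/nixpkgs fork:
# clone, bump each package with `nix-update --commit`, verify the builds,
# push a branch and open a PR with tea.
#
# Secrets never reach the script text or the disk: the token is passed
# through step-level `env` and read by the askpass helper at call time,
# and the user-supplied package name is validated before use.
name: Update Nix Packages with nix-update

on:
  schedule:
    - cron: "0 2 * * *"
  workflow_dispatch:  # Allow manual triggering
    inputs:
      package:
        description: "Specific package to update (optional)"
        required: false
        type: string

env:
  GIT_AUTHOR_NAME: "nix-update bot"
  GIT_AUTHOR_EMAIL: "bot@m3ta.dev"
  GIT_COMMITTER_NAME: "nix-update bot"
  GIT_COMMITTER_EMAIL: "bot@m3ta.dev"
  GIT_TERMINAL_PROMPT: "0"
  # Fallback only; the steps that contact the remote export the helper script below.
  GIT_ASKPASS: "/bin/echo"

jobs:
  nix-update:
    runs-on: nixos
    steps:
      - name: Checkout repository
        env:
          # Read by the askpass helper at call time, so the token is neither
          # expanded into the script nor written into the helper file.
          NIX_UPDATE_TOKEN: ${{ secrets.NIX_UPDATE_TOKEN }}
        run: |
          set -e

          # Clean up any previous runs
          if [ -d "/tmp/nixpkgs" ]; then
            rm -rf /tmp/nixpkgs
          fi

          # 1. Configure credentials via an askpass helper script.
          # Git calls it for the password prompt; it prints the token from the
          # environment, so the secret is not in `ps` output and not on disk.
          # Created with a restrictive umask so no other user on this
          # (self-hosted) runner can read or replace it.
          (umask 077 && printf '#!/bin/sh\necho "$NIX_UPDATE_TOKEN"\n' > /tmp/git-askpass-helper.sh)
          chmod 700 /tmp/git-askpass-helper.sh
          export GIT_ASKPASS="/tmp/git-askpass-helper.sh"

          # Clone using the username 'm3tam3re' explicitly.
          # Gitea PATs usually require the username to match the token owner for write operations.
          git clone --no-single-branch \
            "https://m3tam3re@code.m3ta.dev/m3tam3re/nixpkgs.git" \
            /tmp/nixpkgs
          cd /tmp/nixpkgs

          # Configure local git user (values come from the workflow-level env)
          git config user.name "$GIT_AUTHOR_NAME"
          git config user.email "$GIT_AUTHOR_EMAIL"
          git config init.defaultBranch master

          # Verify checkout
          git status
          git log --oneline -5

      - name: Check for available packages to update
        id: check-packages
        run: |
          set -e
          cd /tmp/nixpkgs
          if [ -d "pkgs" ]; then
            echo "Packages found."
          else
            echo "pkgs directory not found"
            exit 1
          fi

          # Check if flake.nix exists
          if [ -f "flake.nix" ]; then
            echo "has_flake=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_flake=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Update packages
        id: update
        env:
          # The workflow_dispatch input is passed as data through the
          # environment instead of being expanded into the shell script.
          PACKAGE: ${{ inputs.package }}
        run: |
          # pipefail: `nix-update | tee` must report nix-update's status,
          # not tee's, otherwise a failed update is silently ignored.
          set -eo pipefail
          cd /tmp/nixpkgs

          TIMESTAMP=$(date +%Y%m%d-%H%M%S)
          BRANCH_NAME="nix-update-${TIMESTAMP}"
          git checkout -b "${BRANCH_NAME}"

          UPDATED_PACKAGES=""

          # True when HEAD has moved past the commit given as $1,
          # i.e. `nix-update --commit` actually created a commit.
          commit_added() {
            [ "$1" != "$(git rev-parse HEAD)" ]
          }

          # Run nix-update for one package; on a new commit, append the
          # package to UPDATED_PACKAGES. Output is kept in /tmp/update-<pkg>.log.
          update_one() {
            local pkg=$1
            local before
            before=$(git rev-parse HEAD)
            if nix-update --flake --commit "$pkg" 2>&1 | tee "/tmp/update-${pkg}.log"; then
              if commit_added "$before"; then
                UPDATED_PACKAGES="${UPDATED_PACKAGES}, ${pkg}"
                echo "✓ Updated ${pkg}"
              fi
            else
              echo "✗ nix-update failed for ${pkg} (see /tmp/update-${pkg}.log)"
            fi
          }

          if [ -n "$PACKAGE" ]; then
            # Accept only a plain attribute/directory name: no path separators
            # and no leading dot, so the input cannot name anything outside pkgs/.
            if ! [[ "$PACKAGE" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ ]]; then
              echo "✗ Invalid package name: ${PACKAGE}"
              exit 1
            fi
            echo "Updating specific package: ${PACKAGE}"
            if [ -d "pkgs/${PACKAGE}" ]; then
              update_one "$PACKAGE"
            else
              echo "✗ Package directory pkgs/${PACKAGE} not found"
            fi
          else
            echo "Checking all packages..."
            # One package per top-level directory under pkgs/
            PACKAGES=$(find pkgs -mindepth 1 -maxdepth 1 -type d -exec basename {} \; 2>/dev/null | sort)
            if [ -z "$PACKAGES" ]; then
              echo "No packages found to update"
              echo "has_updates=false" >> "$GITHUB_OUTPUT"
              exit 0
            fi
            for pkg in $PACKAGES; do
              echo "Checking ${pkg}..."
              update_one "$pkg"
            done
          fi

          # Drop the leading ", " left by the append above
          UPDATED_PACKAGES=${UPDATED_PACKAGES#, }
          COMMIT_COUNT=$(git rev-list --count master..HEAD)

          if [ "$COMMIT_COUNT" -gt 0 ]; then
            echo "✓ ${COMMIT_COUNT} updates committed"
            echo "has_updates=true" >> "$GITHUB_OUTPUT"
            echo "updated_packages=${UPDATED_PACKAGES}" >> "$GITHUB_OUTPUT"
            echo "branch_name=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
          else
            echo "ℹ️ No package updates found"
            echo "has_updates=false" >> "$GITHUB_OUTPUT"
            git checkout master
            git branch -D "${BRANCH_NAME}" 2>/dev/null || true
          fi

      - name: Verify packages build
        if: steps.update.outputs.has_updates == 'true'
        env:
          PACKAGES: ${{ steps.update.outputs.updated_packages }}
        run: |
          set -e
          cd /tmp/nixpkgs
          # updated_packages is ", "-joined; IFS with both characters splits it cleanly
          IFS=', ' read -ra PKG_ARRAY <<< "$PACKAGES"
          for pkg in "${PKG_ARRAY[@]}"; do
            echo "Building ${pkg}..."
            if ! nix build ".#${pkg}"; then
              echo "❌ Build failed for ${pkg}"
              exit 1
            fi
          done

      - name: Push branch and create pull request
        if: steps.update.outputs.has_updates == 'true'
        env:
          # Needed again here: the askpass helper reads it for `git push`
          NIX_UPDATE_TOKEN: ${{ secrets.NIX_UPDATE_TOKEN }}
          BRANCH: ${{ steps.update.outputs.branch_name }}
          PACKAGES: ${{ steps.update.outputs.updated_packages }}
        run: |
          set -eo pipefail
          cd /tmp/nixpkgs

          # Re-export the helper for this step (each step runs in a fresh shell)
          export GIT_ASKPASS="/tmp/git-askpass-helper.sh"

          echo "Pushing branch ${BRANCH}..."
          git push origin "${BRANCH}"

          echo "Creating pull request..."
          if ! command -v tea &> /dev/null; then
            echo "Error: tea not found"
            exit 1
          fi

          # Reset tea login. The token still passes through tea's command line
          # briefly; the stored login is removed again in the cleanup step.
          tea login delete m3ta >/dev/null 2>&1 || true
          tea login add --name m3ta --url https://code.m3ta.dev --token "$NIX_UPDATE_TOKEN"

          COMMITS=$(git log origin/master..HEAD --pretty=format:"%h %s" | sed 's/^/- /')

          tea pr create \
            --head "${BRANCH}" \
            --base master \
            --title "chore: update packages with nix-update" \
            --body "$(printf "Automated package updates using nix-update.\n\nUpdated packages:\n%s\n\nCommits:\n%s" "$PACKAGES" "$COMMITS")" \
            --assignees m3tam3re \
            --labels automated-update || echo "PR creation failed"

          # Cleanup
          rm -f /tmp/git-askpass-helper.sh

      - name: Remove credentials from the runner
        if: always()
        run: |
          # Self-hosted runner: neither the askpass helper nor the stored tea
          # login may outlive this job, regardless of which steps ran or failed.
          rm -f /tmp/git-askpass-helper.sh
          tea login delete m3ta >/dev/null 2>&1 || true

      - name: Summary
        if: always()
        env:
          HAS_UPDATES: ${{ steps.update.outputs.has_updates }}
          PACKAGES: ${{ steps.update.outputs.updated_packages }}
        run: |
          if [ "$HAS_UPDATES" = "true" ]; then
            echo "✅ Success: ${PACKAGES}"
          else
            echo "ℹ️ No updates"
          fi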