ahuston-0/determinate-nix-mirror
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

add initial determinate nix update action

Browse Source 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
This commit is contained in:
ahuston-0 2025-05-26 13:16:03 -04:00
commit 563c1df3bb
No known key found for this signature in database
GPG Key ID: 47940175096C1330
2 changed files with 328 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

170
.github/settings.yml vendored Normal file
View File

@ -0,0 +1,170 @@
# Have borrowed this config from nix-community/infra
repository:
# See https://developer.github.com/v3/repos/#edit for all available settings.
# The name of the repository. Changing this will rename the repository
name: determinate-nix-mirror
# A short description of the repository that will show up on GitHub
description: Pulls a local copy of the Determinate Nix installer
# A URL with more information about the repository
# homepage: "https://nix-community.org"
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: true
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: false
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: true
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# Labels: define labels for Issues and Pull Requests
#
labels:
- name: bug
color: '#d73a4a'
description: Something isn't working
- name: CI/CD
# If including a `#`, make sure to wrap it with quotes!
color: '#0e8a16'
description: Related to GH Actions or Hydra
- name: documentation
color: '#0075ca'
description: Improvements or additions to documentation
- name: duplicate
color: '#cfd3d7'
description: This issue or pull request already exists
- name: enhancement
color: '#a2eeef'
description: New feature or request
- name: good first issue
color: '#7057ff'
description: Good for newcomers
- name: help wanted
color: '#008672'
description: Extra attention is needed
- name: high priority
color: '#BF480A'
description: A major vurnability was detected
- name: invalid
color: '#e4e669'
description: This doesn't seem right
- name: new user
color: '#C302A1'
description: A new user was added to the Flake
- name: question
color: '#d876e3'
description: Further information is requested
- name: wontfix
color: '#ffffff'
description: This will not be worked on
- name: dependencies
color: '#cb4ed5'
description: Used for PR's related to flake.lock updates
- name: automated
color: '#42b528'
description: PR was automatically generated (through a bot or CI/CD)
# Milestones: define milestones for Issues and Pull Requests
milestones:
#- title: Go-Live
# description: >-
# All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated
# # The state of the milestone. Either `open` or `closed`
# state: open
# Collaborators: give specific users access to this repository.
# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
collaborators:
# - username: numtide-bot
# Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: push
# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
teams:
# - name: admin
# The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin
branches:
# gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
# not available in the api yet
# `Require merge queue`: true
# `Merge method`: Rebase and merge
# `Maximum pull requests to build`: 1
# `Maximum pull requests to merge`: 1
# defaults:
# `Maximum pull requests to build`: 5
# `Minimum pull requests to merge`: 1 or 5 minutes
# `Maximum pull requests to merge`: 5
# `Only merge non-failing pull requests`: true
# `Consider check failed after`: 60 minutes
- name: main
# https://docs.github.com/en/rest/reference/repos#update-branch-protection
# Branch Protection settings. Set to null to disable
protection:
# Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
# these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
required_pull_request_reviews:
# # The number of approvals required. (1-6)
required_approving_review_count: 1
# # Dismiss approved reviews automatically when a new commit is pushed.
dismiss_stale_reviews: true
# # Blocks merge until code owners have reviewed.
require_code_owner_reviews: false
# # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
# dismissal_restrictions:
# users: []
# teams: []
require_last_push_approval: false
# Required. Require status checks to pass before merging. Set to null to disable
# required_status_checks:
# Required. Require branches to be up to date before merging.
# strict: false
# Required. The list of status checks to require in order to merge into this branch
# contexts:
# - buildbot/nix-eval
# Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
enforce_admins: true
# Disabled for bors to work
required_linear_history: true
# Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
restrictions:
apps: []
# TODO: make a buildbot instance
# users: ["nix-infra-bot"]
teams: []

158
.github/workflows/flake-update.yml vendored Normal file
View File

@ -0,0 +1,158 @@
name: "Update Determinate Nix binary"
on:
repository_dispatch:
workflow_dispatch:
schedule:
- cron: "00 12 * * *"
jobs:
update_lockfile:
runs-on: ubuntu-latest
#if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Get metadata
run: |
url=https://us-east-2.swim.install.determinate.systems/nix-installer/stable/x86_64-linux
while redirect_url=$(
curl -I -s -S -f -w "%{redirect_url}\n" -o /dev/null "$url"
); do
echo "$url"
url=$redirect_url
[[ -z "$url" ]] && break
final_url=$url
done
echo "DETERMINATE_URL=$(echo $final_url)" >> $GITHUB_ENV
determinate_version=$(echo $final_url | sed -E -e 's/.*(v[0-9.]+).*/\1/g')
echo "DETERMINATE_VESION=$(echo $determinate_version)" >> $GITHUB_ENV
binary_name=$(echo $final_url | sed -E -e 's/.*\/(.*)/\1/g')
echo "DETERMINATE_BINARY=$(echo $binary_name)" >> $GITHUB_ENV
- name: Download binary
run: |
wget --content-disposition "$DETERMINATE_URL"
env:
DETERMINATE_URL: ${{ vars.DETERMINATE_URL }}
- name: Git config
run: |
git config user.name github-actions
git config user.email github-actions@github.com
- name: Commit binary
run: |
git add .
git commit -m "automated download workflow"
commit_id=$(git rev-parse HEAD)
echo "COMMIT_ID=$(echo $commit_id)" >> $GITHUB_ENV
- name: Tag new target
run: |
git tag -f "$DETERMINATE_VERSION" "$COMMIT_ID"
env:
DETERMINATE_URL: ${{ vars.DETERMINATE_URL }}
COMMIT_ID: ${{ vars.COMMIT_ID }}
- name: Push new tag
run: git push origin "$DETERMINATE_VERSION" --force
env:
DETERMINATE_URL: ${{ vars.DETERMINATE_URL }}
- name: Publish release
uses: akkuman/gitea-release-action@v1
env:
NODE_OPTIONS: '--experimental-fetch' # if nodejs < 18
with:
files: ${{ vars.DETERMINATE_BINARY }}
name: ${{ vars.DETERMINATE_VERSION }}
tag_name: ${{ vars.DETERMINATE_VERSION }}
target_commitish_value: ${{ vars.COMMIT_ID }}
sha256sum: true
md5sum: false
#- name: Update flake.lock
# id: update
# run: |
# nix flake update 2> >(tee /dev/stderr) | awk '
# /^• Updated input/ {in_update = 1; print; next}
# in_update && !/^warning:/ {print}
# /^$/ {in_update = 0}
# ' > update.log
# echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
# cat update.log >> $GITHUB_ENV
# echo "EOF" >> $GITHUB_ENV
# rm update.log
#- name: Get post-snapshot of evaluations
# run: nix ./utils/eval-to-drv.sh post
#- name: Calculate diff
# run: nix ./utils/diff-evals.sh
#- name: Read file contents
# id: read_file
# uses: guibranco/github-file-reader-action-v2@latest
# with:
# path: "post-diff"
#- name: Write PR body template
# uses: https://github.com/DamianReeves/write-file-action@v1.3
# with:
# path: pr_body.template
# contents: |
# - The following Nix Flake inputs were updated:
# ```
# ${{ env.UPDATE_LOG }}
# ```
# ```
# ${{ steps.read_file.outputs.contents }}
# ```
# Auto-generated by [update.yml][1] with the help of
# [create-pull-request][2].
# [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
# [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
#- name: Generate PR body
# uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
# with:
# files: "pr_body.template"
# output-filename: "pr_body.md"
#- name: Save PR body
# id: pr_body
# uses: juliangruber/read-file-action@v1
# with:
# path: "pr_body.md"
#- name: Remove temporary files
# run: |
# rm pr_body.template
# rm pr_body.md
# rm pre.json
# rm post.json
# rm post-diff
#- name: Create Pull Request
# id: create-pull-request
# # uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
# uses: https://nayeonie.com/ahuston-0/create-pull-request@main
# with:
# token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
# body: ${{ steps.pr_body.outputs.content }}
# author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
# title: 'automated: Update `flake.lock`'
# commit-message: |
# automated: Update `flake.lock`
# ${{ steps.pr_body.outputs.content }}
# branch: update-flake-lock
# delete-branch: true
# pr-labels: | # Labels to be set on the PR
# dependencies
# automated
#- name: Push to Attic
# run: nix ./utils/attic-push.bash
# continue-on-error: true
#- name: Print PR number
# run: |
# echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
# echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
permissions:
pull-requests: write
contents: write
packages: write