From 563c1df3bb7bd3d677c892fba28255488ed40d05 Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Mon, 26 May 2025 13:16:03 -0400
Subject: [PATCH] add initial determinate nix update action

Signed-off-by: ahuston-0
---
 .github/settings.yml | 170 +++++++++++++++++++++++++++++
 .github/workflows/flake-update.yml | 158 +++++++++++++++++++++++++++
 2 files changed, 328 insertions(+)
 create mode 100644 .github/settings.yml
 create mode 100644 .github/workflows/flake-update.yml

diff --git a/.github/settings.yml b/.github/settings.yml
new file mode 100644
index 0000000..33e8c11
--- /dev/null
+++ b/.github/settings.yml
@@ -0,0 +1,170 @@
+# Have borrowed this config from nix-community/infra
+repository:
+ # See https://developer.github.com/v3/repos/#edit for all available settings.
+
+ # The name of the repository. Changing this will rename the repository
+ name: determinate-nix-mirror
+ # A short description of the repository that will show up on GitHub
+ description: Pulls a local copy of the Determinate Nix installer
+ # A URL with more information about the repository
+ # homepage: "https://nix-community.org"
+
+ # A comma-separated list of topics to set on the repository
+ topics: "nixos"
+ # Either `true` to make the repository private, or `false` to make it public.
+ private: true
+ # Either `true` to enable issues for this repository, `false` to disable them.
+ has_issues: true
+ # Either `true` to enable projects for this repository, or `false` to disable them.
+ # If projects are disabled for the organization, passing `true` will cause an API error.
+ has_projects: false
+ # Either `true` to enable the wiki for this repository, `false` to disable it.
+ has_wiki: false
+ # Either `true` to enable downloads for this repository, `false` to disable them.
+ has_downloads: true
+ # Updates the default branch for this repository.
+ default_branch: main
+ # Either `true` to allow squash-merging pull requests, or `false` to prevent
+ # squash-merging.
+ allow_squash_merge: true
+ # Either `true` to allow merging pull requests with a merge commit, or `false`
+ # to prevent merging pull requests with merge commits.
+ allow_merge_commit: false
+ # Either `true` to allow rebase-merging pull requests, or `false` to prevent
+ # rebase-merging.
+ allow_rebase_merge: true
+ # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
+ delete_branch_on_merge: true
+ # Either `true` to enable automated security fixes, or `false` to disable
+ # automated security fixes.
+ enable_automated_security_fixes: true
+ # Either `true` to enable vulnerability alerts, or `false` to disable
+ # vulnerability alerts.
+ enable_vulnerability_alerts: true
+ allow_auto_merge: true
+# Labels: define labels for Issues and Pull Requests
+#
+labels:
+ - name: bug
+ color: '#d73a4a'
+ description: Something isn't working
+ - name: CI/CD
+ # If including a `#`, make sure to wrap it with quotes!
+ color: '#0e8a16'
+ description: Related to GH Actions or Hydra
+ - name: documentation
+ color: '#0075ca'
+ description: Improvements or additions to documentation
+ - name: duplicate
+ color: '#cfd3d7'
+ description: This issue or pull request already exists
+ - name: enhancement
+ color: '#a2eeef'
+ description: New feature or request
+ - name: good first issue
+ color: '#7057ff'
+ description: Good for newcomers
+ - name: help wanted
+ color: '#008672'
+ description: Extra attention is needed
+ - name: high priority
+ color: '#BF480A'
+ description: A major vurnability was detected
+ - name: invalid
+ color: '#e4e669'
+ description: This doesn't seem right
+ - name: new user
+ color: '#C302A1'
+ description: A new user was added to the Flake
+ - name: question
+ color: '#d876e3'
+ description: Further information is requested
+ - name: wontfix
+ color: '#ffffff'
+ description: This will not be worked on
+ - name: dependencies
+ color: '#cb4ed5'
+ description: Used for PR's related to flake.lock updates
+ - name: automated
+ color: '#42b528'
+ description: PR was automatically generated (through a bot or CI/CD)
+# Milestones: define milestones for Issues and Pull Requests
+milestones:
+ #- title: Go-Live
+ # description: >-
+ # All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated
+ # # The state of the milestone.
Either `open` or `closed`
+ # state: open
+# Collaborators: give specific users access to this repository.
+# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
+collaborators:
+# - username: numtide-bot
+# Note: `permission` is only valid on organization-owned repositories.
+# The permission to grant the collaborator. Can be one of:
+# * `pull` - can pull, but not push to or administer this repository.
+# * `push` - can pull and push, but not administer this repository.
+# * `admin` - can pull, push and administer this repository.
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+# permission: push
+
+# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
+teams:
+# - name: admin
+# The permission to grant the team. Can be one of:
+# * `pull` - can pull, but not push to or administer this repository.
+# * `push` - can pull and push, but not administer this repository.
+# * `admin` - can pull, push and administer this repository.
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+# permission: admin
+branches:
+ # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
+
+ # not available in the api yet
+ # `Require merge queue`: true
+ # `Merge method`: Rebase and merge
+ # `Maximum pull requests to build`: 1
+ # `Maximum pull requests to merge`: 1
+ # defaults:
+ # `Maximum pull requests to build`: 5
+ # `Minimum pull requests to merge`: 1 or 5 minutes
+ # `Maximum pull requests to merge`: 5
+ # `Only merge non-failing pull requests`: true
+ # `Consider check failed after`: 60 minutes
+ - name: main
+ # https://docs.github.com/en/rest/reference/repos#update-branch-protection
+ # Branch Protection settings. Set to null to disable
+ protection:
+ # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
+
+ # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
+ required_pull_request_reviews:
+ # # The number of approvals required. (1-6)
+ required_approving_review_count: 1
+ # # Dismiss approved reviews automatically when a new commit is pushed.
+ dismiss_stale_reviews: true
+ # # Blocks merge until code owners have reviewed.
+ require_code_owner_reviews: false
+ # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
+ # dismissal_restrictions:
+ # users: []
+ # teams: []
+ require_last_push_approval: false
+ # Required. Require status checks to pass before merging. Set to null to disable
+ # required_status_checks:
+ # Required. Require branches to be up to date before merging.
+ # strict: false
+ # Required.
The list of status checks to require in order to merge into this branch
+ # contexts:
+ # - buildbot/nix-eval
+ # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
+ enforce_admins: true
+ # Disabled for bors to work
+ required_linear_history: true
+ # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
+ restrictions:
+ apps: []
+ # TODO: make a buildbot instance
+ # users: ["nix-infra-bot"]
+ teams: []
diff --git a/.github/workflows/flake-update.yml b/.github/workflows/flake-update.yml
new file mode 100644
index 0000000..2c079e2
--- /dev/null
+++ b/.github/workflows/flake-update.yml
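Review bot: `protection:` here covers only `main`, and as far as I can tell this settings schema has no tag-protection key, yet the workflow added by the same commit force-pushes `v*` tags with the job token, so nothing in the repository configuration stops a scheduled run from replacing an already-published release tag; a tag protection rule or a ruleset on `refs/tags/v*` is the control that belongs alongside this file. The comment `# Disabled for bors to work` above `required_linear_history: true` was carried over from the nix-community source and says the opposite of the value it annotates; replace it with `# matches allow_merge_commit: false above - squash/rebase merges only`. With `required_status_checks` commented out while `allow_auto_merge: true`, a PR auto-merges on a single approval with no CI gate, which may be intended while the repo has no checks but deserves `# TODO: add required_status_checks once CI exists` so it is not forgotten. `restrictions:` lists `apps` and `teams` but omits `users`; the GitHub branch-protection API expects all three when restrictions are set, so this block may be rejected on apply - hedged, since the app that consumes this file may fill in the default.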
@@ -0,0 +1,158 @@
+name: "Update Determinate Nix binary"
+on:
+ repository_dispatch:
+ workflow_dispatch:
+ schedule:
+ - cron: "00 12 * * *"
+jobs:
+ update_lockfile:
+ runs-on: ubuntu-latest
+ #if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Get metadata
+ run: |
+ url=https://us-east-2.swim.install.determinate.systems/nix-installer/stable/x86_64-linux
+ while redirect_url=$(
+ curl -I -s -S -f -w "%{redirect_url}\n" -o /dev/null "$url"
+ ); do
+ echo "$url"
+ url=$redirect_url
+ [[ -z "$url" ]] && break
+ final_url=$url
+ done
+ echo "DETERMINATE_URL=$(echo $final_url)" >> $GITHUB_ENV
+
+ determinate_version=$(echo $final_url | sed -E -e 's/.*(v[0-9.]+).*/\1/g')
+ echo "DETERMINATE_VESION=$(echo $determinate_version)" >> $GITHUB_ENV
+
+ binary_name=$(echo $final_url | sed -E -e 's/.*\/(.*)/\1/g')
+ echo "DETERMINATE_BINARY=$(echo $binary_name)" >> $GITHUB_ENV
+
+ - name: Download binary
+ run: |
+ wget --content-disposition "$DETERMINATE_URL"
+ env:
+ DETERMINATE_URL: ${{ vars.DETERMINATE_URL }}
+ - name: Git config
+ run: |
+ git config user.name github-actions
+ git config user.email github-actions@github.com
+ - name: Commit binary
+ run: |
+ git add .
+ git commit -m "automated download workflow"
+ commit_id=$(git rev-parse HEAD)
+ echo "COMMIT_ID=$(echo $commit_id)" >> $GITHUB_ENV
+ - name: Tag new target
+ run: |
+ git tag -f "$DETERMINATE_VERSION" "$COMMIT_ID"
+ env:
+ DETERMINATE_URL: ${{ vars.DETERMINATE_URL }}
+ COMMIT_ID: ${{ vars.COMMIT_ID }}
+ - name: Push new tag
+ run: git push origin "$DETERMINATE_VERSION" --force
+ env:
+ DETERMINATE_URL: ${{ vars.DETERMINATE_URL }}
+ - name: Publish release
+ uses: akkuman/gitea-release-action@v1
+ env:
+ NODE_OPTIONS: '--experimental-fetch' # if nodejs < 18
+ with:
+ files: ${{ vars.DETERMINATE_BINARY }}
+ name: ${{ vars.DETERMINATE_VERSION }}
+ tag_name: ${{ vars.DETERMINATE_VERSION }}
+ target_commitish_value: ${{ vars.COMMIT_ID }}
+ sha256sum: true
+ md5sum: false
+
+ #- name: Update flake.lock
+ # id: update
+ # run: |
+ # nix flake update 2> >(tee /dev/stderr) | awk '
+ # /^• Updated input/ {in_update = 1; print; next}
+ # in_update && !/^warning:/ {print}
+ # /^$/ {in_update = 0}
+ # ' > update.log
+
+ # echo "UPDATE_LOG<> $GITHUB_ENV
+ # cat update.log >> $GITHUB_ENV
+ # echo "EOF" >> $GITHUB_ENV
+
+ # rm update.log
+ #- name: Get post-snapshot of evaluations
+ # run: nix ./utils/eval-to-drv.sh post
+ #- name: Calculate diff
+ # run: nix ./utils/diff-evals.sh
+ #- name: Read file contents
+ # id: read_file
+ # uses: guibranco/github-file-reader-action-v2@latest
+ # with:
+ # path: "post-diff"
+ #- name: Write PR body template
+ # uses: https://github.com/DamianReeves/write-file-action@v1.3
+ # with:
+ # path: pr_body.template
+ # contents: |
+ # - The following Nix Flake inputs were updated:
+
+ # ```
+ # ${{ env.UPDATE_LOG }}
+ # ```
+
+ # ```
+ # ${{ steps.read_file.outputs.contents }}
+ # ```
+
+ # Auto-generated by [update.yml][1] with the help of
+ # [create-pull-request][2].
+
+ # [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
+ # [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
+ #- name: Generate PR body
+ # uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
+ # with:
+ # files: "pr_body.template"
+ # output-filename: "pr_body.md"
+ #- name: Save PR body
+ # id: pr_body
+ # uses: juliangruber/read-file-action@v1
+ # with:
+ # path: "pr_body.md"
+ #- name: Remove temporary files
+ # run: |
+ # rm pr_body.template
+ # rm pr_body.md
+ # rm pre.json
+ # rm post.json
+ # rm post-diff
+ #- name: Create Pull Request
+ # id: create-pull-request
+ # # uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
+ # uses: https://nayeonie.com/ahuston-0/create-pull-request@main
+ # with:
+ # token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
+ # body: ${{ steps.pr_body.outputs.content }}
+ # author: '"github-actions[bot]" '
+ # title: 'automated: Update `flake.lock`'
+ # commit-message: |
+ # automated: Update `flake.lock`
+
+ # ${{ steps.pr_body.outputs.content }}
+ # branch: update-flake-lock
+ # delete-branch: true
+ # pr-labels: | # Labels to be set on the PR
+ # dependencies
+ # automated
+ #- name: Push to Attic
+ # run: nix ./utils/attic-push.bash
+ # continue-on-error: true
+ #- name: Print PR number
+ # run: |
+ # echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
+ # echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
+permissions:
+ pull-requests: write
+ contents: write
+ packages: write
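Review bot: The tag and release name are derived from the final redirect URL by `sed -E 's/.*(v[0-9.]+).*/\1/'`, which emits the whole URL when the pattern does not match, and nothing checks the downloaded bytes against a pinned checksum or signature before `git add .`, the forced tag push and the release step publish them, so the mirror republishes whatever the redirect chain serves under a name the server chose. The steps after "Get metadata" also cannot see what it wrote to `$GITHUB_ENV`: their `env:` blocks and the release `with:` read `${{ vars.DETERMINATE_URL }}` / `${{ vars.COMMIT_ID }}` / `${{ vars.DETERMINATE_BINARY }}` (repository variables, which shadow the job env with empty strings), and the metadata step writes the key as `DETERMINATE_VESION`, so `DETERMINATE_VERSION` is never set at all. The rewrite below validates the version string before it can become a ref name, saves the download under the derived filename instead of trusting `--content-disposition`, and drops the `vars.` indirection; if Determinate publishes a checksum or signature for the installer, verifying it in the download step would be the real integrity gate. Separately, `permissions:` grants `pull-requests: write` and `packages: write` that only the commented-out steps would use, `--force` on the tag push lets a scheduled run overwrite an already-published tag, and `akkuman/gitea-release-action@v1` / `actions/checkout@v4` are pinned to mutable tags rather than commit SHAs.
```yaml
      - name: Get metadata
        run: |
          # … unchanged: redirect-following loop that sets final_url …
          [[ -n "$final_url" ]] || { echo "no redirect target resolved" >&2; exit 1; }
          determinate_version=$(echo "$final_url" | sed -E -e 's/.*(v[0-9.]+).*/\1/g')
          # sed prints the whole URL when nothing matches; refuse to turn anything
          # but a plain version string into a tag/release name
          if [[ ! "$determinate_version" =~ ^v[0-9]+(\.[0-9]+)*$ ]]; then
            echo "unexpected version in $final_url" >&2
            exit 1
          fi
          binary_name=$(echo "$final_url" | sed -E -e 's/.*\/(.*)/\1/g')
          {
            echo "DETERMINATE_URL=$final_url"
            echo "DETERMINATE_VERSION=$determinate_version"
            echo "DETERMINATE_BINARY=$binary_name"
          } >> "$GITHUB_ENV"
      - name: Download binary
        # values come from $GITHUB_ENV above, so no env: override; the server's
        # Content-Disposition must not choose the path that gets committed
        run: wget -O "$DETERMINATE_BINARY" "$DETERMINATE_URL"
      # … unchanged: Git config, Commit binary …
      - name: Tag new target
        # no -f / --force: an existing published tag must not be silently replaced
        run: git tag "$DETERMINATE_VERSION" "$COMMIT_ID"
      - name: Push new tag
        run: git push origin "$DETERMINATE_VERSION"
      - name: Publish release
        uses: akkuman/gitea-release-action@v1
        # … unchanged: NODE_OPTIONS env …
        with:
          files: ${{ env.DETERMINATE_BINARY }}
          name: ${{ env.DETERMINATE_VERSION }}
          tag_name: ${{ env.DETERMINATE_VERSION }}
          target_commitish_value: ${{ env.COMMIT_ID }}
          sha256sum: true
          md5sum: false
```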