remove wheel preference, add CI #7

Merged
ahuston-0 merged 1 commits from feature/wheel into main 2025-03-18 15:32:26 -04:00
19 changed files with 552 additions and 11 deletions


@ -0,0 +1,47 @@
name: "Check Nix flake"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Perform Nix flake checks"
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- run: nix flake check --accept-flake-config
- run: nix ./utils/attic-push.bash
build-checks:
name: "Build nix outputs"
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- name: Build all outputs
run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true

112
.github/workflows/flake-update.yml vendored Normal file

@ -0,0 +1,112 @@
name: "Update flakes"
on:
repository_dispatch:
workflow_dispatch:
schedule:
- cron: "00 12 * * *"
jobs:
update_lockfile:
runs-on: ubuntu-latest
#if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Get pre-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh pre
- name: Update flake.lock
id: update
run: |
nix flake update 2> >(tee /dev/stderr) | awk '
/^• Updated input/ {in_update = 1; print; next}
in_update && !/^warning:/ {print}
/^$/ {in_update = 0}
' > update.log
echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
cat update.log >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
rm update.log
- name: Get post-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh post
- name: Calculate diff
run: nix ./utils/diff-evals.sh
- name: Read file contents
id: read_file
uses: guibranco/github-file-reader-action-v2@latest
with:
path: "post-diff"
- name: Write PR body template
uses: https://github.com/DamianReeves/write-file-action@v1.3
with:
path: pr_body.template
contents: |
- The following Nix Flake inputs were updated:
```
${{ env.UPDATE_LOG }}
```
```
${{ steps.read_file.outputs.contents }}
```
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
- name: Generate PR body
uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
with:
files: "pr_body.template"
output-filename: "pr_body.md"
- name: Save PR body
id: pr_body
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.md"
- name: Remove temporary files
run: |
rm pr_body.template
rm pr_body.md
rm pre.json
rm post.json
rm post-diff
- name: Create Pull Request
id: create-pull-request
# uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
body: ${{ steps.pr_body.outputs.content }}
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: 'automated: Update `flake.lock`'
commit-message: |
automated: Update `flake.lock`
${{ steps.pr_body.outputs.content }}
branch: update-flake-lock
delete-branch: true
pr-labels: | # Labels to be set on the PR
dependencies
automated
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
- name: Print PR number
run: |
echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
permissions:
pull-requests: write
contents: write
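Review bot: The third-party actions that receive `ATTIC_TOKEN` and `GH_TOKEN_FOR_UPDATES` are pinned only to mutable refs (`ryanccn/attic-action@v0`, `guibranco/github-file-reader-action-v2@latest`, `juliangruber/read-file-action@v1`, `DamianReeves/write-file-action@v1.3`, and `@main` for the installer), so whoever controls those tags or branches decides what code runs with the secrets in scope; pin each to a full commit SHA with the version in a trailing comment, the way the commented-out `create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645` line already does. The `Print PR number` step reads `steps.cpr.outputs.pull-request-url`, but no step has `id: cpr` (the create step is `id: create-pull-request`), so that echo always prints an empty URL; change it to `echo "Pull Request URL - ${{ steps.create-pull-request.outputs.pull-request-url }}"`. The `UPDATE_LOG<<EOF` heredoc written to `$GITHUB_ENV` ends at the first line equal to `EOF`, so a generated delimiter such as `delim="$(openssl rand -hex 8)"` would avoid truncation if the filtered `nix flake update` output ever contains that token. The `#if: github.ref == 'refs/heads/main'` guard is commented out, so `workflow_dispatch` and `repository_dispatch` runs can update the lock from any ref; if that is intended, a comment saying so would help.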


@ -0,0 +1,16 @@
name: "Check flake.lock"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Check health of `flake.lock`"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/flake-checker-action@main
with:
fail-mode: true

25
.github/workflows/nix-fmt.yml vendored Normal file

@ -0,0 +1,25 @@
name: "Check Nix formatting"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Perform Nix format checks"
runs-on: ubuntu-latest
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- run: nix fmt -- --check .
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
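Review bot: The `Push to Attic` step runs `nix ./utils/attic-push.bash` from the checked-out tree on `pull_request` events as well as on `push`, after `attic-action` has configured the client with `ATTIC_TOKEN`, so if this Forgejo instance exposes secrets to PR-triggered runs, a pull request that edits `utils/attic-push.bash` executes arbitrary code with write access to the shared cache and can push unreviewed store paths into it. Restrict the push to trusted refs, e.g. `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` on that step, and keep `skip-push: "true"` for everything else. `continue-on-error: true` also hides a failing push entirely; if the push is deliberately best-effort, a comment on the step saying so would stop the next reader from treating a red push as a bug. The first workflow in this commit (the flake-check and build jobs that end with the same `nix ./utils/attic-push.bash` / `continue-on-error: true` pair) has the same layout and needs the same guard.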

10
flake.lock generated

@ -96,15 +96,15 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1741455743,
"narHash": "sha256-raXtjhD9mmNrVdCoJkYoUo0X2lhEyIZYQ6M7uUp/Uuc=",
"owner": "NixOS",
"lastModified": 1742276595,
"narHash": "sha256-bsg9y3NoMGu0jgTI5XbxvzQFc9JtZB51i500WlVws80=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c1ee2620296430ac1e3ee72583ad0191463a9d60",
"rev": "2b3795787eba0066a2bc8bba7362422e5713840f",
"type": "github"
},
"original": {
"owner": "NixOS",
"owner": "nixos",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"


@ -21,7 +21,7 @@
inputs = {
flake-utils.url = "github:numtide/flake-utils";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
poetry2nix = {
url = "github:nix-community/poetry2nix";
inputs.nixpkgs.follows = "nixpkgs";
@ -51,13 +51,13 @@
pkgs = nixpkgs.legacyPackages.${system}.extend poetry2nix.overlays.default;
overrides = pkgs.poetry2nix.overrides.withDefaults (
_final: prev: {
_final: _prev: {
# prefer binary wheels instead of source distributions for rust based dependencies
# avoids needing to build them from source. technically a security risk
polars = prev.polars.override { preferWheel = true; };
ruff = prev.ruff.override { preferWheel = true; };
greenlet = prev.greenlet.override { preferWheel = true; };
sqlalchemy = prev.sqlalchemy.override { preferWheel = true; };
#polars = prev.polars.override { preferWheel = true; };
#ruff = prev.ruff.override { preferWheel = true; };
#greenlet = prev.greenlet.override { preferWheel = true; };
#sqlalchemy = prev.sqlalchemy.override { preferWheel = true; };
}
);
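Review bot: The override set is now empty, but the four `preferWheel` lines survive as comments and the header comment still reads `# prefer binary wheels instead of source distributions for rust based dependencies`, which no longer describes what the code does. Either delete the commented-out overrides, or replace the header with one that records the current decision, e.g. `# wheels are no longer preferred: building polars/ruff/greenlet/sqlalchemy from source avoids trusting prebuilt binaries (old overrides are in git history)`; the `_prev` rename is consistent with the parameter being unused now. The surrounding `let` block that defines `pkgs` and `overrides` continues outside the hunk.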

26
utils/attic-push.bash Executable file

@ -0,0 +1,26 @@
#!/usr/bin/env nix
#! nix shell nixpkgs#bash nixpkgs#jq nixpkgs#gnused nixpkgs#nixVersions.latest nixpkgs#attic-client --command bash
#set -x
#set -v
set -e
# retrieve all paths under 2G
# nix_paths=$(nix path-info --json --all --closure-size \
# | jq 'map_values(.closureSize | select(. < 2e9)) | to_entries | sort_by(.value)' \
# | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
# retrieve all paths
nix_paths=$(nix path-info --json --all --closure-size |
jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' |
jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
readarray -t nix_path_array < <(echo "$nix_paths")
batchsize=1000
for ((i = 0; i < ${#nix_path_array[@]}; i += batchsize)); do
part=("${nix_path_array[@]:i:batchsize}")
attic push nix-cache "${part[@]}"
done
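Review bot: `set -e` does not cover the `nix path-info | jq | jq | sed` pipeline, so if `nix path-info` or `jq` fails `nix_paths` is empty, `readarray` yields a single empty element and the script goes on to run `attic push nix-cache ""` instead of stopping; add `set -o pipefail` next to `set -e`. The `join("\n")` plus `sed` unescaping can be replaced by jq's raw output, `nix_paths=$(nix path-info --json --all --closure-size | jq -r 'to_entries | sort_by(.value.closureSize) | .[].key')`, which keeps the same ordering for the object-keyed output this script already assumes and drops the no-op `select(true)`. The cache name `nix-cache` is hard-coded while the workflows configure the client from `secrets.ATTIC_CACHE`; if the two can differ, take the name from an argument or environment variable so the push targets the cache the token was issued for. `readarray -t nix_path_array <<<"$nix_paths"` reads the same content without the extra `echo` process.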

36
utils/attic-token.bash Executable file

@ -0,0 +1,36 @@
#!/usr/bin/env bash
if (($# != 3)); then
echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
exit 1
fi
cache="$1"
cache_pattern="$2"
token_type="$3"
case $token_type in
"cache-creator")
atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
--pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
--create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
;;
"admin")
atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern"
;;
"writer")
atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern"
;;
"reader")
atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
;;
*)
echo "invalid token type: $token_type"
echo "available options: cache-creator, admin, writer, reader"
exit 1
;;
esac
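Review bot: Every token type is minted with `--validity "1y"`, including `cache-creator`, which carries `--delete` and `--destroy-cache`; a one-year credential with destructive rights is the one most worth keeping short. Consider an optional fourth argument, `validity="${4:-1y}"`, with the argument check loosened to `if (($# < 3 || $# > 4)); then`, and a shorter default for the privileged types. A header comment listing what each type grants would also help, because `admin` here is less privileged than `cache-creator` (no delete or destroy-cache), which the names do not suggest. The minted token is presumably written to stdout by `atticd-atticadm make-token`; mentioning in the usage line that it should be piped straight into a secret store rather than left in a terminal or log is cheap documentation.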

13
utils/attic-utils.bash Normal file

@ -0,0 +1,13 @@
#!/usr/bin/env bash
cache_name=""
action=""
case "$action" in
"login")
;;
*)
echo ""
exit 1
;;
esac
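Review bot: `action` is assigned the empty string and never read from the command line, so the `case` always takes the `*` branch, prints an empty line and exits 1; as committed this script cannot do anything. If it is a placeholder, say so with a header comment such as `# TODO: work-in-progress attic helper; arguments and the login branch are not implemented yet`, or read `action="${1:-}"` and `cache_name="${2:-}"` and print a usage message in the fallback branch; otherwise drop the file from this commit.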

13
utils/diff-evals.sh Executable file

@ -0,0 +1,13 @@
#!/usr/bin/env nix
#! nix shell nixpkgs#bash nixpkgs#gnugrep nixpkgs#nvd --command bash
# diffs each derivation
set -x
set -v
set -e
script_path=$(dirname "$(readlink -f $0)")
parent_path=$(dirname "$script_path")
nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --compare-drvs --compare-output-to-file "$parent_path"
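Review bot: `nix run git+https://nayeonie.com/ahuston-0/flake-update-diff` fetches and executes whatever that repository's default branch holds at run time, with no revision pin or lock, so CI behaviour (and the code that runs while the cache token is configured) changes whenever that repository does; pin it, e.g. `git+https://nayeonie.com/ahuston-0/flake-update-diff?rev=<commit-sha>`, or add it as a locked input of this flake and run it from there. The same unpinned URL is used in `utils/eval-to-drv.sh` and in the `Build all outputs` step of the first workflow in this commit. `readlink -f $0` leaves `$0` unquoted; write `script_path=$(dirname "$(readlink -f "$0")")`. `set -x` and `set -v` echo every command and source line to the CI log, which is harmless here, but a one-line comment explaining that they are intentional would help since the same prelude is copied into the other utils scripts.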

19
utils/eval-to-drv.sh Executable file

@ -0,0 +1,19 @@
#!/usr/bin/env nix
#! nix shell nixpkgs#bash nixpkgs#gnugrep nixpkgs#nixVersions.latest --command bash
# diffs each derivation
set -x
set -v
set -e
if [ "$#" -ne 1 ]; then
echo "$0 (pre|post)"
exit 1
fi
script_path=$(dirname "$(readlink -f $0)")
parent_path=$(dirname "$script_path")
out_path="$parent_path/$1.json"
nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --evaluate --json "$out_path" "$parent_path"
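Review bot: The header comment `# diffs each derivation` is copied from `diff-evals.sh` and does not describe this script, which evaluates the flake and writes the result to `$parent_path/<pre|post>.json`; change it to `# evaluates all flake outputs and writes the derivation list to $parent_path/<pre|post>.json`. The usage text limits the argument to `pre|post`, but `out_path="$parent_path/$1.json"` accepts any value as a path component, so a stray argument silently writes somewhere else; validate it with `case "$1" in pre|post) ;; *) echo "$0 (pre|post)"; exit 1 ;; esac` before building `out_path`. `readlink -f $0` should quote `$0` as well.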

23
utils/fetch-docker.sh Executable file

@ -0,0 +1,23 @@
#!/usr/bin/env nix
#! nix shell nixpkgs#bash nixpkgs#nix-prefetch-docker --command bash
# retrieves the latest image tags
set -x
set -v
set -e
script_path=$(dirname "$(readlink -f $0)")
parent_path=$(dirname "$script_path")
# a list of images to pull
# relpath is the relative path to the parent_path where you want the file written
# format: <image name>,<image tag>,<image architecture>,<os>,<relpath>
images=(
"nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
)
IFS=","
while read -r name tag arch os relpath; do
nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet >"$parent_path/$relpath"
git --no-pager diff "$parent_path/$relpath"
done <<<"${images[@]}"
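Review bot: The read loop only works for a single entry: `IFS=","` is set before `<<<"${images[@]}"`, and a here-string joins the array's elements with spaces onto one line, so with two or more images `read` puts everything after the first four fields of the first image into `relpath` and the loop runs once with a bad path. Iterate over the array and split each entry on its own, which also confines the `IFS` change to the `read` instead of leaving it set for the rest of the script. With `set -e`, a failing `nix-prefetch-docker` still leaves a truncated file at `$parent_path/$relpath` because the redirection opens it first; if that matters, write to a temp file and move it into place.
```shell
# format: <image name>,<image tag>,<image architecture>,<os>,<relpath>
# … unchanged: images array …
for entry in "${images[@]}"; do
  IFS="," read -r name tag arch os relpath <<<"$entry"
  nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet >"$parent_path/$relpath"
  git --no-pager diff "$parent_path/$relpath"
done
```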

11
utils/manual-update.sh Executable file

@ -0,0 +1,11 @@
#!/usr/bin/env bash
set -e
set -v
set -x
git checkout main
git branch -D update_flake_lock_action || true
git checkout -b update_flake_lock_action
nix flake update
nix flake check
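Review bot: The branch created here, `update_flake_lock_action`, does not match the `branch: update-flake-lock` used by the `Update flakes` workflow, so a manual run and the scheduled run produce two differently named branches for the same change; pick one name and use it in both places. A one-line header comment stating that the script expects a clean checkout and deliberately stops after `nix flake check` without committing or pushing would document the intended hand-off to the reviewer.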

14
utils/new.yaml Normal file

@ -0,0 +1,14 @@
network:
ethernets:
addresses:
- 155.128.134.198/23
- 2002:18f0:b009:f84:5200:03ff:fdf7:d0c2/64
- abc
dhcp4: false
ens3: null
gateway4: 155.128.134.198
nameservers:
addresses:
- 108.61.10.10
renderer: networkd
version: 2
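Review bot: `utils/new.yaml` and `utils/old.yaml` look like scratch output from a YAML round-trip experiment rather than configuration the repository consumes: `new.yaml` has an `abc` entry in `addresses`, `ens3: null` at the same level as the interface settings that belong under it, and the key order of `old.yaml` re-sorted alphabetically. If they are fixtures for `utils/sops-add-machine.py` or similar, a leading `# test fixture for the YAML round-trip in utils/sops-add-machine.py; not deployed` comment in each file would make that clear; otherwise they should not be part of this commit. In `old.yaml`, `dhcp4: no` is a YAML 1.1 boolean that PyYAML loads as `false`, which is why the round-trip rewrote it; writing `false` directly avoids the ambiguity.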

10
utils/old.yaml Normal file

@ -0,0 +1,10 @@
network:
version: 2
renderer: networkd
ethernets:
ens3:
dhcp4: no
addresses: [155.128.134.198/23,'2002:18f0:b009:f84:5200:03ff:fdf7:d0c2/64']
gateway4: 155.128.134.198
nameservers:
addresses: [108.61.10.10]

1
utils/requirements.txt Normal file

@ -0,0 +1 @@
pyyaml

20
utils/sops-add-machine.py Executable file

@ -0,0 +1,20 @@
#!/usr/bin/env nix
#! nix shell nixpkgs#python312 nixpkgs#python312Packages.pyyaml --command python
import yaml
import pprint
with open('.sops.yaml','r') as in_yamlfile:
cur_yaml = yaml.safe_load(in_yamlfile)
cur_yaml['keys'].append('&test testkey')
pprint.pprint(cur_yaml)
# with open('new.yaml','w') as out_yamlfile:
# yaml.safe_dump(cur_yaml, out_yamlfile)
# with open('new.yaml','r') as inn_yamlfile:
# new_yaml = yaml.safe_load(inn_yamlfile)
# assert(cur_yaml == new_yaml)
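Review bot: `cur_yaml['keys'].append('&test testkey')` appends the literal string `&test testkey`; PyYAML does not create anchors from string content, so `safe_dump` would emit it as a quoted scalar (`'&test testkey'`) rather than the `&name` anchor that `.sops.yaml` key lists typically use so `creation_rules` can reference them. If the goal is to add an anchored key, the dumped document needs post-processing or a custom representer, and that limitation belongs in a module docstring together with the script's purpose (the file currently has neither). `.sops.yaml` is opened relative to the current directory; resolving it from the script's location, as the shell utilities here do with `dirname "$(readlink -f "$0")"`, would make it runnable from anywhere, and the commented-out round-trip assertion should either be restored or removed.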

67
utils/sops-mergetool-new.sh Executable file

@ -0,0 +1,67 @@
#!/usr/bin/env bash
# Rename CLI parameters to friendlier names
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1"
local_="$2"
remote="$3"
merged="$4"
# Load the mergetool scripts
TOOL_MODE=merge
source "$(git --exec-path)/git-mergetool--lib"
mergetool=$(get_merge_tool)
setup_tool "${mergetool}"
# Create file names for decrypted contents
# example_LOCAL_2823.yaml -> example_LOCAL_2823.decrypted.yaml
extension=".${base##*.}"
base_decrypted="${base/$extension/.decrypted$extension}"
local_decrypted="${local_/$extension/.decrypted$extension}"
remote_decrypted="${remote/$extension/.decrypted$extension}"
merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files
handle_trap_exit() {
rm $base_decrypted || true
rm $local_decrypted || true
rm $remote_decrypted || true
rm $merged_decrypted || true
rm $backup_decrypted || true
}
trap handle_trap_exit EXIT
# Decrypt our file contents
sops --decrypt --show-master-keys "$base" >"$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
# Create a merge-diff to compare against
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
cp "$merged_decrypted" "$backup_decrypted"
# Set up variables for the mergetool
# https://github.com/git/git/blob/v2.8.2/mergetools/meld
# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L95-L111
LOCAL="$local_decrypted"
BASE="$base_decrypted"
REMOTE="$remote_decrypted"
MERGED="$merged_decrypted"
BACKUP="$backup_decrypted"
# Override `check_unchanged` with a custom script
check_unchanged() {
# If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then
return 0
else
exit 1
fi
}
# Run the mergetool
run_merge_tool "${mergetool}" true
# Re-encrypt content
sops --encrypt "$merged_decrypted" >"$merged"
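Review bot: `sops --encrypt "$merged_decrypted" >"$merged"` on the last line truncates the merge result before sops starts, and this script sets no `set -e`, so if encryption fails (for example, no usable key) `$merged` is left as an empty file rather than its previous content; write to a temp file and move it on success, e.g. `tmp="$(mktemp)"` / `sops --encrypt "$merged_decrypted" >"$tmp" && mv "$tmp" "$merged"`, and let that command's status be the script's exit status. The `rm` calls in `handle_trap_exit` leave `$base_decrypted` and the other names unquoted; they derive from git's temporary file names and should be quoted. Decrypted secrets are written next to the working tree as `*.decrypted.*` files; the trap removes them on exit, but a comment stating that these exist briefly in plaintext (and a matching `.gitignore` entry if there is not one) is worth adding. `utils/sops-mergetool.sh` in this commit has the same final line and the same unquoted `rm` calls.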

88
utils/sops-mergetool.sh Executable file

@ -0,0 +1,88 @@
#!/usr/bin/env bash
# Exit on first error and verify variables have been set/passed via CLI
#set -eu
set -v
set -x
# Rename our variables to friendlier equivalents
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1"
local_="$2"
remote="$3"
merged="$4"
echo "$base"
echo "$local_"
echo "$remote"
echo "$merged"
# Resolve our default mergetool
# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L3
mergetool="$(git config --get merge.tool)"
GIT_DIR="$(git --exec-path)"
if test "$mergetool" = ""; then
echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2
exit 1
fi
# Create file names for our decrypted contents
# example_LOCAL_2823.yaml -> example_LOCAL_2823.decrypted.yaml
extension=".${base##*.}"
base_decrypted="${base/$extension/.decrypted$extension}"
local_decrypted="${local_/$extension/.decrypted$extension}"
remote_decrypted="${remote/$extension/.decrypted$extension}"
merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files
handle_trap_exit() {
rm $base_decrypted || true
rm $local_decrypted || true
rm $remote_decrypted || true
rm $merged_decrypted || true
rm $backup_decrypted || true
}
trap handle_trap_exit EXIT
# Decrypt our file contents
sops --decrypt --show-master-keys "$base" >"$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
# Create a merge-diff to compare against
set +e
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
set -e
cp "$merged_decrypted" "$backup_decrypted"
# Set up variables for our mergetool
# https://github.com/git/git/blob/v2.8.2/mergetools/meld
# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L95-L111
export LOCAL="$local_decrypted"
export BASE="$base_decrypted"
export REMOTE="$remote_decrypted"
export MERGED="$merged_decrypted"
export BACKUP="$backup_decrypted"
# Load our mergetool scripts
source "$GIT_DIR/git-mergetool--lib"
source "$GIT_DIR/mergetools/$mergetool"
# Override `check_unchanged` with a custom script
check_unchanged() {
# If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then
return 0
else
exit 1
fi
}
# Run our mergetool
set +eu
export merge_tool_path="$(get_merge_tool_path "$mergetool")"
merge_cmd
set -eu
# Re-encrypt content
sops --encrypt "$merged_decrypted" >"$merged"