build(deps-dev): bump rollup from 4.18.0 to 4.22.4

Bumps [rollup](https://github.com/rollup/rollup) from 4.18.0 to 4.22.4. - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](https://github.com/rollup/rollup/compare/v4.18.0...v4.22.4) --- updated-dependencies: - dependency-name: rollup dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
build(deps-dev): bump vite from 5.2.12 to 5.4.6 (#131 )
2024-09-24 01:23:54 +00:00 · 2024-09-19 16:42:07 +00:00 · 2024-09-04 14:14:50 -04:00 · 2024-09-04 18:05:28 +00:00 · 2024-08-26 19:46:57 -04:00 · 2024-08-26 15:26:03 +00:00
7 changed files with 3124 additions and 2734 deletions
--- a/README.md
+++ b/README.md
@ -185,7 +185,7 @@ git push origin update_flake_lock_action --force
 ### With a Personal Authentication Token

 By providing a Personal Authentication Token, the PR will be submitted in a way that bypasses this limitation (GitHub will essentially think it is the owner of the PAT submitting the PR, and not an Action).
-You can create a token by visiting https://github.com/settings/tokens and select at least the `repo` scope. Then, store this token in your repository secrets (i.e. `https://github.com/<USER>/<REPO>/settings/secrets/actions`) as `GH_TOKEN_FOR_UPDATES` and set up your workflow file like the following:
+You can create a token by visiting https://github.com/settings/tokens and select at least the `repo` scope. For the new fine-grained tokens, you need to enable read and write access for "Contents" and "Pull Requests" permissions. Then, store this token in your repository secrets (i.e. `https://github.com/<USER>/<REPO>/settings/secrets/actions`) as `GH_TOKEN_FOR_UPDATES` and set up your workflow file like the following:

 ```yaml
 name: update-flake-lock
--- a/action.yml
+++ b/action.yml
@ -115,7 +115,7 @@ runs:
    - name: Import bot's GPG key for signing commits
      if: ${{ inputs.sign-commits == 'true' }}
      id: import-gpg
-      uses: crazy-max/ghaction-import-gpg@v6
+      uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
      with:
        gpg_private_key: ${{ inputs.gpg-private-key }}
        fingerprint: ${{ inputs.gpg-fingerprint }}
@ -190,7 +190,7 @@ runs:
        echo "$DELIMITER" >> $GITHUB_ENV
        echo "GIT_COMMIT_MESSAGE is: ${COMMIT_MESSAGE}"
    - name: Interpolate PR Body
-      uses: pedrolamas/handlebars-action@v2.4.0
+      uses: pedrolamas/handlebars-action@2995d7eadacbc8f2f6ab8431a01d84a5fa3b8bb4 # v2.4.0
      with:
        files: "pr_body.template"
        output-filename: "pr_body.txt"
@ -207,7 +207,7 @@ runs:
      run: rm -f pr_body.txt pr_body.template
    - name: Create PR
      id: create-pr
-      uses: peter-evans/create-pull-request@v6
+      uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
      with:
        base: ${{ inputs.base }}
        branch: ${{ inputs.branch }}
--- a/dist/index.js
+++ b/dist/index.js
@ -95086,8 +95086,13 @@ function makeNixCommandArgs(nixOptions, flakeInputs, commitMessage) {
    "--update-input",
    input
  ]);
+  const lockfileSummaryFlags = [
+    "--option",
+    "commit-lockfile-summary",
+    commitMessage
+  ];
  const updateLockMechanism = flakeInputFlags.length === 0 ? "update" : "lock";
-  return nixOptions.concat(["flake", updateLockMechanism]).concat(flakeInputFlags).concat(["--commit-lock-file", "--commit-lockfile-summary", commitMessage]);
+  return nixOptions.concat(["flake", updateLockMechanism]).concat(flakeInputFlags).concat(["--commit-lock-file"]).concat(lockfileSummaryFlags);
 }

 // src/index.ts
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/src/nix.test.ts
+++ b/src/nix.test.ts
@ -24,7 +24,8 @@ test("Nix command arguments", () => {
        "flake",
        "update",
        "--commit-lock-file",
-        "--commit-lockfile-summary",
+        "--option",
+        "commit-lockfile-summary",
        "just testing",
      ],
    },
@ -42,7 +43,8 @@ test("Nix command arguments", () => {
        "--update-input",
        "rust-overlay",
        "--commit-lock-file",
-        "--commit-lockfile-summary",
+        "--option",
+        "commit-lockfile-summary",
        "just testing",
      ],
    },
@ -57,7 +59,8 @@ test("Nix command arguments", () => {
        "flake",
        "update",
        "--commit-lock-file",
-        "--commit-lockfile-summary",
+        "--option",
+        "commit-lockfile-summary",
        "just testing",
      ],
    },
--- a/src/nix.ts
+++ b/src/nix.ts
@ -9,10 +9,23 @@ export function makeNixCommandArgs(
    input,
  ]);

+  // NOTE(cole-h): In Nix versions 2.23.0 and later, `commit-lockfile-summary` became an alias to
+  // the setting `commit-lock-file-summary` (https://github.com/NixOS/nix/pull/10691), and Nix does
+  // not treat aliases the same as their "real" setting by requiring setting aliases to be
+  // configured via `--option <alias name> <option value>`
+  // (https://github.com/NixOS/nix/issues/10989).
+  // So, we go the long way so that we can support versions both before and after Nix 2.23.0.
+  const lockfileSummaryFlags = [
+    "--option",
+    "commit-lockfile-summary",
+    commitMessage,
+  ];
+
  const updateLockMechanism = flakeInputFlags.length === 0 ? "update" : "lock";

  return nixOptions
    .concat(["flake", updateLockMechanism])
    .concat(flakeInputFlags)
-    .concat(["--commit-lock-file", "--commit-lockfile-summary", commitMessage]);
+    .concat(["--commit-lock-file"])
+    .concat(lockfileSummaryFlags);
 }
Author	SHA1	Message	Date
dependabot[bot]	83d2d712f0	build(deps-dev): bump rollup from 4.18.0 to 4.22.4 Bumps [rollup](https://github.com/rollup/rollup) from 4.18.0 to 4.22.4. - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](https://github.com/rollup/rollup/compare/v4.18.0...v4.22.4) --- updated-dependencies: - dependency-name: rollup dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2024-09-24 01:23:54 +00:00
dependabot[bot]	965531f332	build(deps-dev): bump vite from 5.2.12 to 5.4.6 (#131 ) * build(deps-dev): bump vite from 5.2.12 to 5.4.6 Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 5.2.12 to 5.4.6. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v5.4.6/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v5.4.6/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * pnpm i --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Cole Helbling <cole.helbling@determinate.systems>	2024-09-19 16:42:07 +00:00
Graham Christensen	a2bbe0274e	Merge pull request #128 from detsys-pr-bot/detsys-ts-update-65dd73c562ac60a068340f8e0c040bdcf2c59afe Update `detsys-ts`: Merge pull request #63 from DeterminateSystems/retry-streams	2024-09-04 14:14:50 -04:00
grahamc	802501548e	Update `detsys-ts` for: `Merge pull request` `#63 from DeterminateSystems/retry-streams` (`65dd73c562ac60a068340f8e0c040bdcf2c59afe`)	2024-09-04 18:05:28 +00:00
Graham Christensen	7d80c329b4	Merge pull request #126 from detsys-pr-bot/detsys-ts-update-817e4d4123b6fb4eae5aa557658f25f8539e7240 Update `detsys-ts`: Merge pull request #62 from DeterminateSystems/dont-pull-microstackshots	2024-08-26 19:46:57 -04:00
grahamc	7bc6ec59cc	Update `detsys-ts` for: `Merge pull request` `#62 from DeterminateSystems/dont-pull-microstackshots` (`817e4d4123b6fb4eae5aa557658f25f8539e7240`)	2024-08-26 15:26:03 +00:00
Graham Christensen	4cf6b19203	Merge pull request #125 from detsys-pr-bot/detsys-ts-update-e8f6e8f54d85aa0fd3d0b694dd3279a21497a33b Update `detsys-ts`: Merge pull request #61 from DeterminateSystems/use-coalesce-for-array	2024-08-26 10:09:12 -04:00
grahamc	73ba0ca899	Update `detsys-ts` for: `Merge pull request` `#61 from DeterminateSystems/use-coalesce-for-array` (`e8f6e8f54d85aa0fd3d0b694dd3279a21497a33b`)	2024-08-26 14:05:27 +00:00
Graham Christensen	24f53daa86	Merge pull request #124 from detsys-pr-bot/detsys-ts-update-cf1897a891edc164a8240f469cd56d14364e6be1 Update `detsys-ts`: Merge pull request #58 from DeterminateSystems/collect-crash-logs	2024-08-26 09:41:53 -04:00
grahamc	420fb2aaf7	Update `detsys-ts` for: `Merge pull request` `#58 from DeterminateSystems/collect-crash-logs` (`cf1897a891edc164a8240f469cd56d14364e6be1`)	2024-08-26 13:31:25 +00:00
Cole Helbling	db4ee38117	Fixup support for Nix 2.23.0 and later	2024-06-28 14:11:30 -07:00
Pierre Penninckx	b0723e0fae	Add instructions for new fine grained GitHub PAT	2024-06-18 09:23:51 -07:00
Arian van Putten	af9a980c7d	Lock third-party actions A caller of this action can lock this action to a specific commit. However because the action itself does not lock its dependent actions to a specific commit this opens the end-user up to possible supply-chain attacks if the dependent actions rewrite their tags. This PR changes all third party actions to be explicitly locked. Dependabot will still work and update these hashes for you I also suggest installing https://github.com/ossf/scorecard in this repo. It will report about these kind of issues. Note that you should in turn have to audit all the third party deps of the actions that your action depends on. In general this is all a bit of a mess and GitHub's security model is very meh e.g. see https://github.com/ossf/scorecard/issues/2189	2024-06-18 09:17:15 -07:00