make action rely on gitea CPR

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
add upstream sync
2025-02-01 16:45:41 -05:00 · 2025-02-01 16:41:46 -05:00 · 2024-11-26 11:31:58 -05:00 · 2024-11-20 18:57:29 +00:00 · 2024-11-08 14:50:46 -05:00 · 2024-11-08 11:34:36 -08:00
9 changed files with 28759 additions and 39745 deletions
--- a/.github/workflows/upstream_sync.yml
+++ b/.github/workflows/upstream_sync.yml
@ -0,0 +1,18 @@
 # .github/workflows/sync.yml
 name: Rebase Upstream
 on:
  schedule:
  - cron: "0 0 * * 0"  # run once a week
  workflow_dispatch:   # run manually
 jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
      with:
        fetch-depth: 10  # greater than the number of commits you made
    - uses: imba-tjd/rebase-upstream-action@master
      with:  # all args are optional
        upstream: DeterminateSystems/update-flake-lock
        branch:   main
--- a/README.md
+++ b/README.md
@ -185,7 +185,7 @@ git push origin update_flake_lock_action --force
 ### With a Personal Authentication Token
 By providing a Personal Authentication Token, the PR will be submitted in a way that bypasses this limitation (GitHub will essentially think it is the owner of the PAT submitting the PR, and not an Action).
-You can create a token by visiting https://github.com/settings/tokens and select at least the `repo` scope. Then, store this token in your repository secrets (i.e. `https://github.com/<USER>/<REPO>/settings/secrets/actions`) as `GH_TOKEN_FOR_UPDATES` and set up your workflow file like the following:
+You can create a token by visiting https://github.com/settings/tokens and select at least the `repo` scope. For the new fine-grained tokens, you need to enable read and write access for "Contents" and "Pull Requests" permissions. Then, store this token in your repository secrets (i.e. `https://github.com/<USER>/<REPO>/settings/secrets/actions`) as `GH_TOKEN_FOR_UPDATES` and set up your workflow file like the following:
 ```yaml
 name: update-flake-lock
--- a/action.yml
+++ b/action.yml
@ -106,6 +106,9 @@ outputs:
  pull-request-number:
    description: "The number of the opened pull request"
    value: ${{ steps.create-pr.outputs.pull-request-number }}
  pull-request-url:
    description: "The The URL of the opened pull request."
    value: ${{ steps.create-pr.outputs.pull-request-url }}
  pull-request-operation:
    description: "The pull request operation performed by the action, `created`, `updated` or `closed`."
    value: ${{ steps.create-pr.outputs.pull-request-operation }}
@ -115,7 +118,7 @@ runs:
    - name: Import bot's GPG key for signing commits
      if: ${{ inputs.sign-commits == 'true' }}
      id: import-gpg
-      uses: crazy-max/ghaction-import-gpg@v6
+      uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
      with:
        gpg_private_key: ${{ inputs.gpg-private-key }}
        fingerprint: ${{ inputs.gpg-fingerprint }}
@ -190,7 +193,7 @@ runs:
        echo "$DELIMITER" >> $GITHUB_ENV
        echo "GIT_COMMIT_MESSAGE is: ${COMMIT_MESSAGE}"
    - name: Interpolate PR Body
-      uses: pedrolamas/handlebars-action@v2.4.0
+      uses: pedrolamas/handlebars-action@2995d7eadacbc8f2f6ab8431a01d84a5fa3b8bb4 # v2.4.0
      with:
        files: "pr_body.template"
        output-filename: "pr_body.txt"
@ -207,7 +210,7 @@ runs:
      run: rm -f pr_body.txt pr_body.template
    - name: Create PR
      id: create-pr
-      uses: peter-evans/create-pull-request@v6
+      uses: https://nayeonie.com/ahuston-0/create-pull-request@6b3a86bf8bfe10eb458b00968a8fefe2f5f5a6c1 # v6.0.5
      with:
        base: ${{ inputs.base }}
        branch: ${{ inputs.branch }}
--- a/dist/index.js
+++ b/dist/index.js
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/package.json
+++ b/package.json
@ -26,22 +26,22 @@
  },
  "homepage": "https://github.com/DeterminateSystems/update-flake-lock#readme",
  "dependencies": {
-    "@actions/core": "^1.10.1",
+    "@actions/core": "^1.11.1",
    "@actions/exec": "^1.1.1",
    "detsys-ts": "github:DeterminateSystems/detsys-ts"
  },
  "devDependencies": {
    "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-    "@typescript-eslint/eslint-plugin": "^7.11.0",
+    "@typescript-eslint/eslint-plugin": "^7.18.0",
-    "@vercel/ncc": "^0.38.1",
+    "@vercel/ncc": "^0.38.3",
-    "eslint": "^8.57.0",
+    "eslint": "^8.57.1",
-    "eslint-import-resolver-typescript": "^3.6.1",
+    "eslint-import-resolver-typescript": "^3.6.3",
    "eslint-plugin-github": "^4.10.2",
-    "eslint-plugin-import": "^2.29.1",
+    "eslint-plugin-import": "^2.31.0",
-    "eslint-plugin-prettier": "^5.1.3",
+    "eslint-plugin-prettier": "^5.2.1",
-    "prettier": "^3.2.5",
+    "prettier": "^3.3.3",
-    "tsup": "^8.0.2",
+    "tsup": "^8.3.5",
-    "typescript": "^5.4.5",
+    "typescript": "^5.6.3",
    "vitest": "^1.6.0"
  }
 }
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/src/nix.test.ts
+++ b/src/nix.test.ts
@ -24,7 +24,8 @@ test("Nix command arguments", () => {
        "flake",
        "update",
        "--commit-lock-file",
-        "--commit-lockfile-summary",
+        "--option",
        "commit-lockfile-summary",
        "just testing",
      ],
    },
@ -42,7 +43,8 @@ test("Nix command arguments", () => {
        "--update-input",
        "rust-overlay",
        "--commit-lock-file",
-        "--commit-lockfile-summary",
+        "--option",
        "commit-lockfile-summary",
        "just testing",
      ],
    },
@ -57,7 +59,8 @@ test("Nix command arguments", () => {
        "flake",
        "update",
        "--commit-lock-file",
-        "--commit-lockfile-summary",
+        "--option",
        "commit-lockfile-summary",
        "just testing",
      ],
    },
--- a/src/nix.ts
+++ b/src/nix.ts
@ -9,10 +9,23 @@ export function makeNixCommandArgs(
    input,
  ]);
  // NOTE(cole-h): In Nix versions 2.23.0 and later, `commit-lockfile-summary` became an alias to
  // the setting `commit-lock-file-summary` (https://github.com/NixOS/nix/pull/10691), and Nix does
  // not treat aliases the same as their "real" setting by requiring setting aliases to be
  // configured via `--option <alias name> <option value>`
  // (https://github.com/NixOS/nix/issues/10989).
  // So, we go the long way so that we can support versions both before and after Nix 2.23.0.
  const lockfileSummaryFlags = [
    "--option",
    "commit-lockfile-summary",
    commitMessage,
  ];
  const updateLockMechanism = flakeInputFlags.length === 0 ? "update" : "lock";
  return nixOptions
    .concat(["flake", updateLockMechanism])
    .concat(flakeInputFlags)
-    .concat(["--commit-lock-file", "--commit-lockfile-summary", commitMessage]);
+    .concat(["--commit-lock-file"])
    .concat(lockfileSummaryFlags);
 }
Author	SHA1	Message	Date
ahuston-0	a1df20e448	make action rely on gitea CPR Some checks failed CI / validate (push) Successful in 6s Details CI / typescript-action (push) Failing after 3m11s Details Rebase Upstream / sync (push) Failing after 21s Details update-flake-lock / lockfile (push) Failing after 2m45s Details Signed-off-by: ahuston-0 <aliceghuston@gmail.com>	2025-02-01 16:45:41 -05:00
ahuston-0	74d7f019a7	add upstream sync Some checks failed CI / validate (push) Successful in 1m0s Details CI / typescript-action (push) Has been cancelled Details Signed-off-by: ahuston-0 <aliceghuston@gmail.com>	2025-02-01 16:41:46 -05:00
Graham Christensen	0ba1118664	Merge pull request #144 from detsys-pr-bot/detsys-ts-update-eb87094f35072ac911526ad052c3437c9e0c42d6 Update `detsys-ts`: Merge pull request #69 from DeterminateSystems/update-deps	2024-11-26 11:31:58 -05:00
grahamc	236c0fa397	Update `detsys-ts` for: `Merge pull request` `#69 from DeterminateSystems/update-deps` (`eb87094f35072ac911526ad052c3437c9e0c42d6`)	2024-11-20 18:57:29 +00:00
Graham Christensen	8fa6d41e3f	Merge pull request #141 from DeterminateSystems/colemickens/pr-url action.yml: expose pull-request-url from create-pr action	2024-11-08 14:50:46 -05:00
Cole Mickens	1360662aa3	action.yml: expose pull-request-url from create-pr action	2024-11-08 11:34:36 -08:00
Graham Christensen	531bd45244	Merge pull request #139 from detsys-pr-bot/detsys-ts-update-4280bc94c9545f31ccf08001cc16f20ccb91b770 Update `detsys-ts`: Merge pull request #67 from DeterminateSystems/allow-obliterating-id-token-privs	2024-11-06 14:56:02 -05:00
grahamc	1afac295f9	Update `detsys-ts` for: `Merge pull request` `#67 from DeterminateSystems/allow-obliterating-id-token-privs` (`4280bc94c9545f31ccf08001cc16f20ccb91b770`)	2024-11-06 19:43:49 +00:00
dependabot[bot]	965531f332	build(deps-dev): bump vite from 5.2.12 to 5.4.6 (#131 ) * build(deps-dev): bump vite from 5.2.12 to 5.4.6 Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 5.2.12 to 5.4.6. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v5.4.6/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v5.4.6/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * pnpm i --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Cole Helbling <cole.helbling@determinate.systems>	2024-09-19 16:42:07 +00:00
Graham Christensen	a2bbe0274e	Merge pull request #128 from detsys-pr-bot/detsys-ts-update-65dd73c562ac60a068340f8e0c040bdcf2c59afe Update `detsys-ts`: Merge pull request #63 from DeterminateSystems/retry-streams	2024-09-04 14:14:50 -04:00
grahamc	802501548e	Update `detsys-ts` for: `Merge pull request` `#63 from DeterminateSystems/retry-streams` (`65dd73c562ac60a068340f8e0c040bdcf2c59afe`)	2024-09-04 18:05:28 +00:00
Graham Christensen	7d80c329b4	Merge pull request #126 from detsys-pr-bot/detsys-ts-update-817e4d4123b6fb4eae5aa557658f25f8539e7240 Update `detsys-ts`: Merge pull request #62 from DeterminateSystems/dont-pull-microstackshots	2024-08-26 19:46:57 -04:00
grahamc	7bc6ec59cc	Update `detsys-ts` for: `Merge pull request` `#62 from DeterminateSystems/dont-pull-microstackshots` (`817e4d4123b6fb4eae5aa557658f25f8539e7240`)	2024-08-26 15:26:03 +00:00
Graham Christensen	4cf6b19203	Merge pull request #125 from detsys-pr-bot/detsys-ts-update-e8f6e8f54d85aa0fd3d0b694dd3279a21497a33b Update `detsys-ts`: Merge pull request #61 from DeterminateSystems/use-coalesce-for-array	2024-08-26 10:09:12 -04:00
grahamc	73ba0ca899	Update `detsys-ts` for: `Merge pull request` `#61 from DeterminateSystems/use-coalesce-for-array` (`e8f6e8f54d85aa0fd3d0b694dd3279a21497a33b`)	2024-08-26 14:05:27 +00:00
Graham Christensen	24f53daa86	Merge pull request #124 from detsys-pr-bot/detsys-ts-update-cf1897a891edc164a8240f469cd56d14364e6be1 Update `detsys-ts`: Merge pull request #58 from DeterminateSystems/collect-crash-logs	2024-08-26 09:41:53 -04:00
grahamc	420fb2aaf7	Update `detsys-ts` for: `Merge pull request` `#58 from DeterminateSystems/collect-crash-logs` (`cf1897a891edc164a8240f469cd56d14364e6be1`)	2024-08-26 13:31:25 +00:00
Cole Helbling	db4ee38117	Fixup support for Nix 2.23.0 and later	2024-06-28 14:11:30 -07:00
Pierre Penninckx	b0723e0fae	Add instructions for new fine grained GitHub PAT	2024-06-18 09:23:51 -07:00
Arian van Putten	af9a980c7d	Lock third-party actions A caller of this action can lock this action to a specific commit. However because the action itself does not lock its dependent actions to a specific commit this opens the end-user up to possible supply-chain attacks if the dependent actions rewrite their tags. This PR changes all third party actions to be explicitly locked. Dependabot will still work and update these hashes for you I also suggest installing https://github.com/ossf/scorecard in this repo. It will report about these kind of issues. Note that you should in turn have to audit all the third party deps of the actions that your action depends on. In general this is all a bit of a mess and GitHub's security model is very meh e.g. see https://github.com/ossf/scorecard/issues/2189	2024-06-18 09:17:15 -07:00