Fix conflicts with main

Update `detsys-ts`:

.editorconfig

@@ -1,15 +1,10 @@
-# EditorConfig helps developers define and maintain consistent
+# https://editorconfig.org
-# coding styles between different editors and IDEs
-# editorconfig.org
-
 root = true
 
 [*]
-charset = utf-8
-end_of_line = lf
-insert_final_newline = true
-trim_trailing_whitespace = true
 indent_style = space
-
-[*.{yml,yaml}]
 indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

.envrc

@@ -0,0 +1 @@
+use flake

.eslintrc.json

@@ -0,0 +1,74 @@
+{
+  "plugins": ["@typescript-eslint"],
+  "extends": ["plugin:github/recommended"],
+  "parser": "@typescript-eslint/parser",
+  "parserOptions": {
+    "ecmaVersion": 9,
+    "sourceType": "module",
+    "project": "./tsconfig.json"
+  },
+  "settings": {
+    "import/resolver": {
+      "typescript": {}
+    }
+  },
+  "rules": {
+    "i18n-text/no-en": "off",
+    "eslint-comments/no-use": "off",
+    "import/no-namespace": "off",
+    "no-unused-vars": "off",
+    "@typescript-eslint/no-unused-vars": [
+      "error",
+      {
+        "argsIgnorePattern": "^_"
+      }
+    ],
+    "@typescript-eslint/explicit-member-accessibility": [
+      "error",
+      {
+        "accessibility": "no-public"
+      }
+    ],
+    "@typescript-eslint/no-base-to-string": "error",
+    "@typescript-eslint/no-require-imports": "error",
+    "@typescript-eslint/array-type": "error",
+    "@typescript-eslint/await-thenable": "error",
+    "@typescript-eslint/ban-ts-comment": "error",
+    "camelcase": "error",
+    "@typescript-eslint/consistent-type-assertions": "error",
+    "@typescript-eslint/explicit-function-return-type": [
+      "error",
+      {
+        "allowExpressions": true
+      }
+    ],
+    "@typescript-eslint/func-call-spacing": ["error", "never"],
+    "@typescript-eslint/no-array-constructor": "error",
+    "@typescript-eslint/no-empty-interface": "error",
+    "@typescript-eslint/no-explicit-any": "error",
+    "@typescript-eslint/no-floating-promises": "error",
+    "@typescript-eslint/no-extraneous-class": "error",
+    "@typescript-eslint/no-for-in-array": "error",
+    "@typescript-eslint/no-inferrable-types": "error",
+    "@typescript-eslint/no-misused-new": "error",
+    "@typescript-eslint/no-namespace": "error",
+    "@typescript-eslint/no-non-null-assertion": "warn",
+    "@typescript-eslint/no-unnecessary-qualifier": "error",
+    "@typescript-eslint/no-unnecessary-type-assertion": "error",
+    "@typescript-eslint/no-useless-constructor": "error",
+    "@typescript-eslint/no-var-requires": "error",
+    "@typescript-eslint/prefer-for-of": "warn",
+    "@typescript-eslint/prefer-function-type": "warn",
+    "@typescript-eslint/prefer-includes": "error",
+    "@typescript-eslint/prefer-string-starts-ends-with": "error",
+    "@typescript-eslint/promise-function-async": "error",
+    "@typescript-eslint/require-array-sort-compare": "error",
+    "@typescript-eslint/restrict-plus-operands": "error",
+    "@typescript-eslint/type-annotation-spacing": "error",
+    "@typescript-eslint/unbound-method": "error"
+  },
+  "env": {
+    "node": true,
+    "es6": true
+  }
+}

.github/workflows/ci.yml

@@ -5,13 +5,29 @@ on:
     branches: [main]
 
 jobs:
-  shellcheck:
+  typescript-action:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Install Nix
-        uses: cachix/install-nix-action@v17
+        uses: DeterminateSystems/nix-installer-action@main
-      - name: Shellcheck
+      - name: Enable magic Nix cache
-        run: nix-shell --run 'shellcheck $(find . -type f -name "*.sh" -executable)'
+        uses: DeterminateSystems/magic-nix-cache-action@main
+      - name: Install pnpm dependencies
+        run: nix develop --command pnpm install
+      - name: Check formatting
+        run: nix develop --command pnpm run check-fmt
+      - name: Lint
+        run: nix develop --command pnpm run lint
+      - name: Build
+        run: nix develop --command pnpm run build
+      - name: Run test suite
+        run: nix develop --command pnpm run test
+      - name: Package
+        run: nix develop --command pnpm run package
+      - name: Check git status
+        run: git status --porcelain=v1
+      - name: Ensure no staged changes
+        run: git diff --exit-code

.github/workflows/update.yml

@@ -2,18 +2,21 @@ name: update-flake-lock
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 0 * * 0'
+    - cron: "0 0 * * 0"
 
 jobs:
   lockfile:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
-      - name: Checkout repository
+      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v17
+        uses: DeterminateSystems/nix-installer-action@main
-        with:
+      - name: Enable magic Nix cache
-          extra_nix_config: |
+        uses: DeterminateSystems/magic-nix-cache-action@main
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+      - name: Check flake
+        uses: DeterminateSystems/flake-checker-action@main
       - name: Update flake.lock
         uses: ./.
+        with:
+          _internal-strict-mode: true

.github/workflows/validate.yml

@@ -6,13 +6,13 @@ on:
 
 jobs:
   validate:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Validate YAML
-        uses: nwisbeta/validate-yaml-schema@v1.0.3
+        uses: nwisbeta/validate-yaml-schema@v2.0.0
         with:
           yamlSchemasJson: |
             {

.gitignore

@@ -0,0 +1,2 @@
+# JS dependencies
+node_modules/

.prettierignore

@@ -0,0 +1,5 @@
+dist/
+lib/
+node_modules/
+pnpm-lock.yaml
+README.md

README.md

@@ -20,14 +20,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
+        uses: DeterminateSystems/nix-installer-action@main
-        with:
-          extra_nix_config: |
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
       - name: Update flake.lock
-        uses: DeterminateSystems/update-flake-lock@vX
+        uses: DeterminateSystems/update-flake-lock@main
         with:
           pr-title: "Update flake.lock" # Title of PR to be created
           pr-labels: |                  # Labels to be set on the PR
@@ -53,18 +50,40 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
+        uses: DeterminateSystems/nix-installer-action@v1
-        with:
-          extra_nix_config: |
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
       - name: Update flake.lock
         uses: DeterminateSystems/update-flake-lock@vX
         with:
           inputs: input1 input2 input3
 ```
 
+## Example adding options to nix command
+
+It is also possible to use specific options to the nix command in a space separated list:
+
+```yaml
+name: update-flake-lock
+on:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
+
+jobs:
+  lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v1
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@vX
+        with:
+          nix-options: --debug --log-format raw
+```
+
 ## Example that prints the number of the created PR
 
 ```yaml
@@ -79,12 +98,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
+        uses: DeterminateSystems/nix-installer-action@v1
-        with:
-          extra_nix_config: |
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
       - name: Update flake.lock
         id: update
         uses: DeterminateSystems/update-flake-lock@vX
@@ -111,12 +127,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
+        uses: DeterminateSystems/nix-installer-action@v1
-        with:
-          extra_nix_config: |
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
       - name: Update flake.lock
         if: ${{ github.event_name != 'pull_request' }}
         uses: DeterminateSystems/update-flake-lock@vX
@@ -125,6 +138,23 @@ jobs:
           path-to-flake-dir: 'nix/' # in this example our flake doesn't sit at the root of the repository, it sits under 'nix/flake.nix'
 ```
 
+You can also run the update operation in multiple directories, provided that each directory is a valid flake:
+
+```yaml
+- name: Update flake.lock
+  uses: DeterminateSystems/update-flake-lock@vX
+  with:
+    flake-dirs: |
+      flake1
+      flake2
+      flake3
+```
+
+> **Warning**: If you choose multiple directories, `update-flake-lock` can only update all flake inputs,
+> meaning that you can't set the `inputs` parameter. This is due to limitations in input handling in
+> GitHub Actions, which only allows for strings, numbers, Booleans, and arrays but not objects, which
+> would be the much preferred data type for expressing per-directory inputs.
+
 ## Example using a different Git user
 
 If you want to change the author and / or committer of the flake.lock update commit, you can tweak the `git-{author,committer}-{name,email}` options:
@@ -141,12 +171,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
+        uses: DeterminateSystems/nix-installer-action@v1
-        with:
-          extra_nix_config: |
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
       - name: Update flake.lock
         uses: DeterminateSystems/update-flake-lock@vX
         with:
@@ -189,9 +216,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
+        uses: DeterminateSystems/nix-installer-action@v1
       - name: Update flake.lock
         uses: DeterminateSystems/update-flake-lock@vX
         with:
@@ -206,7 +233,7 @@ You can follow [Github's guide on creating and/or adding a new GPG key to an use
 
 For the bot to produce signed commits, you will have to provide the GPG private keys to this action's input parameters. You can safely do that with [Github secrets as explained here](https://github.com/crazy-max/ghaction-import-gpg#prerequisites).
 
-When using commit signing, the commit author name and email for the commits produced by this bot would correspond to the ones associated to the GPG Public Key. 
+When using commit signing, the commit author name and email for the commits produced by this bot would correspond to the ones associated to the GPG Public Key.
 
 If you want to sign using a subkey, you must specify the subkey fingerprint using the `gpg-fingerprint` input parameter.
 
@@ -224,9 +251,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
+        uses: DeterminateSystems/nix-installer-action@v1
       - name: Update flake.lock
         uses: DeterminateSystems/update-flake-lock@vX
         with:
@@ -269,6 +296,33 @@ However you can customize it, with variable interpolation performed with [Handle
 - env.GIT_COMMITTER_EMAIL
 - env.GIT_COMMIT_MESSAGE
 
+## Add assignees or reviewers
+
+You can assign the PR to or request a review from one or more GitHub users with `pr-assignees` and `pr-reviewers`, respectively.
+These properties expect a comma or newline separated list of GitHub usernames:
+
+```yaml
+name: update-flake-lock
+on:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    - cron: '0 0 * * 1,4' # Run twice a week
+
+jobs:
+  lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v1
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@vX
+        with:
+          pr-assignees: SomeGitHubUsername
+          pr-reviewers: SomeOtherGitHubUsername,SomeThirdGitHubUsername
+```
+
 ## Contributing
 
 Feel free to send a PR or open an issue if you find something functions unexpectedly! Please make sure to test your changes and update any related documentation before submitting your PR.

action.yml

@@ -1,32 +1,65 @@
-name: 'Update flake.lock'
+name: "Update Nix Flake Lock"
-description: 'Update your flake.lock and send a PR'
+description: "Update your Nix flake.lock and send a PR"
 inputs:
   inputs:
-    description: 'A space-separated list of inputs to update. Leave empty to update all inputs.'
+    description: "A space-separated list of inputs to update. Leave empty to update all inputs."
     required: false
-    default: ''
+    default: ""
   token:
-    description: 'GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)'
+    description: "GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)"
     required: false
     default: ${{ github.token }}
-  commit-msg:
+  commit-msg-template:
-    description: 'The message provided with the commit'
+    description: |
+      The commit message template to use. You can use these variables in your template:
+
+      * `{{ flake_dot_lock }}` is the path to the `flake.lock` file being updated
+      * `{{ flake_dot_lock_dir }}` is the `flake.lock` file's directory
+
+      If you set both this and `commit-msg`, the `commit-msg` setting is used (it does not support templating).
+    required: false
+    default: |
+      flake.lock: Updated in {{ flake_dot_lock_dir }}
+  commit-msg:
+    description: |
+      The message provided with the commit.
+    required: false
+  base:
+    description: "Sets the pull request base branch. Defaults to the branch checked out in the workflow."
     required: false
-    default: "flake.lock: Update"
   branch:
-    description: 'The branch of the PR to be created'
+    description: "The branch of the PR to be created"
     required: false
     default: "update_flake_lock_action"
   path-to-flake-dir:
-    description: 'The path of the directory containing `flake.nix` file within your repository. Useful when `flake.nix` cannot reside at the root of your repository.'
+    description: |
+      The path of the directory containing `flake.nix` file within your repository.
+      Useful when `flake.nix` cannot reside at the root of your repository.
     required: false
-    default: ''
+  flake-dirs:
+    description: |
+      A space-separated list of directories containing `flake.nix` files within your repository.
+      Useful when you have multiple flakes in your repository.
+    required: false
+    default: ""
   pr-title:
-    description: 'The title of the PR to be created'
+    description: "The title of the PR to be created"
     required: false
     default: "flake.lock: Update"
+  pr-body-template:
+    description: |
+      The pull request body template to use. You can use these variables in your template:
+
+      * `{{ comma_separated_dirs }}` is the flake directories that were updated separated by comma
+      * `{{ space_separated_dirs }}` is the flake directories that were updated separated by space
+      * `{{ updated_dirs_list }}` is the flake directories that were updated as a Markdown list
+
+      If you set both this and `pr-body`, the `pr-body` setting is used (it does not support templating).
+    required: false
+    default: |
+      Just testing.
   pr-body:
-    description: 'The body of the PR to be created'
+    description: "The body of the PR to be created"
     required: false
     default: |
       Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
@@ -50,54 +83,73 @@ inputs:
       ```
 
   pr-labels:
-    description: 'A comma or newline separated list of labels to set on the Pull Request to be created'
+    description: "A comma or newline separated list of labels to set on the Pull Request to be created"
     required: false
-    default: ''
+    default: ""
+  pr-assignees:
+    description: "A comma or newline separated list of assignees (GitHub usernames)."
+    required: false
+    default: ""
+  pr-reviewers:
+    description: "A comma or newline separated list of reviewers (GitHub usernames) to request a review from."
+    required: false
+    default: ""
   git-author-name:
-    description: 'Author name used for commit. Only used if sign-commits is false.'
+    description: "Author name used for commit. Only used if sign-commits is false."
     required: false
-    default: 'github-actions[bot]'
+    default: "github-actions[bot]"
   git-author-email:
-    description: 'Author email used for commit. Only used if sign-commits is false.'
+    description: "Author email used for commit. Only used if sign-commits is false."
     required: false
-    default: 'github-actions[bot]@users.noreply.github.com'
+    default: "github-actions[bot]@users.noreply.github.com"
   git-committer-name:
-    description: 'Committer name used for commit. Only used if sign-commits is false.'
+    description: "Committer name used for commit. Only used if sign-commits is false."
     required: false
-    default: 'github-actions[bot]'
+    default: "github-actions[bot]"
   git-committer-email:
-    description: 'Committer email used for commit. Only used if sign-commits is false.'
+    description: "Committer email used for commit. Only used if sign-commits is false."
     required: false
-    default: 'github-actions[bot]@users.noreply.github.com'
+    default: "github-actions[bot]@users.noreply.github.com"
   sign-commits:
-    description: 'Set to true if the action should sign the commit with GPG'
+    description: "Set to true if the action should sign the commit with GPG"
     required: false
-    default: 'false'
+    default: "false"
   gpg-private-key:
-    description: 'GPG Private Key with which to sign the commits in the PR to be created'
+    description: "GPG Private Key with which to sign the commits in the PR to be created"
     required: false
-    default: ''
+    default: ""
   gpg-fingerprint:
-    description: 'Fingerprint of specific GPG subkey to use'
+    description: "Fingerprint of specific GPG subkey to use"
     required: false
   gpg-passphrase:
-    description: 'GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created'
+    description: "GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created"
     required: false
-    default: ''
+    default: ""
+  nix-options:
+    description: "A space-separated list of options to pass to the nix command"
+    required: false
+    default: ""
+  _internal-strict-mode:
+    description: Whether to fail when any errors are thrown. Used only to test the Action; do not set this in your own workflows.
+    required: false
+    default: false
 outputs:
   pull-request-number:
-    description: 'The number of the opened pull request'
+    description: "The number of the opened pull request"
     value: ${{ steps.create-pr.outputs.pull-request-number }}
+  pull-request-operation:
+    description: "The pull request operation performed by the action, `created`, `updated` or `closed`."
+    value: ${{ steps.create-pr.outputs.pull-request-operation }}
 runs:
   using: "composite"
   steps:
     - name: Import bot's GPG key for signing commits
       if: ${{ inputs.sign-commits == 'true' }}
       id: import-gpg
-      uses: crazy-max/ghaction-import-gpg@v5
+      uses: crazy-max/ghaction-import-gpg@v6
       with:
         gpg_private_key: ${{ inputs.gpg-private-key }}
-        fingerprint: ${{ inputs.gpg-fingerprint }}
+        fingerprint: ${{ inputs.gpg-fingerprint }}
         passphrase: ${{ inputs.gpg-passphrase }}
         git_config_global: true
         git_user_signingkey: true
@@ -124,40 +176,62 @@ runs:
         echo "GIT_AUTHOR_EMAIL=<${{ inputs.git-author-email }}>" >> $GITHUB_ENV
         echo "GIT_COMMITTER_NAME=${{ inputs.git-committer-name }}" >> $GITHUB_ENV
         echo "GIT_COMMITTER_EMAIL=<${{ inputs.git-committer-email }}>" >> $GITHUB_ENV
-    - name: Run update-flake-lock.sh
+    - name: Run update-flake-lock
-      run: $GITHUB_ACTION_PATH/update-flake-lock.sh
+      id: update-flake-lock
       shell: bash
+      run: node "$GITHUB_ACTION_PATH/dist/index.js"
       env:
-        GIT_AUTHOR_NAME: ${{ env.GIT_AUTHOR_NAME }}
+        # The following manually exposes all of the action inputs into INPUT_ environment variables so actionsCore.getInput works:
-        GIT_AUTHOR_EMAIL: ${{ env.GIT_AUTHOR_EMAIL }}
+        # https://github.com/actions/toolkit/blob/ae38557bb0dba824cdda26ce787bd6b66cf07a83/packages/core/src/core.ts#L126
-        GIT_COMMITTER_NAME: ${{ env.GIT_COMMITTER_NAME }}
+        INPUT_BASE: ${{ inputs.base }}
-        GIT_COMMITTER_EMAIL: ${{ env.GIT_COMMITTER_EMAIL }}
+        INPUT_BRANCH: ${{ inputs.branch }}
-        TARGETS: ${{ inputs.inputs }}
+        INPUT_COMMIT-MSG: ${{ inputs.commit-msg }}
-        COMMIT_MSG: ${{ inputs.commit-msg }}
+        INPUT_COMMIT-MSG-TEMPLATE: ${{ inputs.commit-msg-template }}
-        PATH_TO_FLAKE_DIR: ${{ inputs.path-to-flake-dir }}
+        INPUT_GIT-AUTHOR-EMAIL: ${{ inputs.git-author-email }}
+        INPUT_GIT-AUTHOR-NAME: ${{ inputs.git-author-name }}
+        INPUT_GIT-COMMITTER-EMAIL: ${{ inputs.git-committer-email }}
+        INPUT_GIT-COMMITTER-NAME: ${{ inputs.git-committer-name }}
+        INPUT_GPG-FINGERPRINT: ${{ inputs.gpg-fingerprint }}
+        INPUT_GPG-PASSPHRASE: ${{ inputs.gpg-passphrase }}
+        INPUT_GPG-PRIVATE-KEY: ${{ inputs.gpg-private-key }}
+        INPUT_INPUTS: ${{ inputs.inputs }}
+        INPUT_NIX-OPTIONS: ${{ inputs.nix-options }}
+        INPUT_PATH-TO-FLAKE-DIR: ${{ inputs.path-to-flake-dir }}
+        INPUT_FLAKE-DIRS: ${{ inputs.flake-dirs }}
+        INPUT_PR-ASSIGNEES: ${{ inputs.pr-assignees }}
+        INPUT_PR-BODY: ${{ inputs.pr-body }}
+        INPUT_PR-BODY-TEMPLATE: ${{ inputs.pr-body-template }}
+        INPUT_PR-LABELS: ${{ inputs.pr-labels }}
+        INPUT_PR-REVIEWERS: ${{ inputs.pr-reviewers }}
+        INPUT_PR-TITLE: ${{ inputs.pr-title }}
+        INPUT_PULL-REQUEST-NUMBER: ${{ inputs.pull-request-number }}
+        INPUT_PULL-REQUEST-OPERATION: ${{ inputs.pull-request-operation }}
+        INPUT_SIGN-COMMITS: ${{ inputs.sign-commits }}
+        INPUT_TOKEN: ${{ inputs.token }}
+        INPUT__INTERNAL-STRICT-MODE: ${{ inputs._internal-strict-mode }}
     - name: Save PR Body as file
-      uses: DamianReeves/write-file-action@v1.1
+      uses: DamianReeves/write-file-action@v1.3
       with:
         path: pr_body.template
-        contents: ${{ inputs.pr-body }}
+        contents: ${{ steps.update-flake-lock.outputs.pr-body }}
       env: {}
     - name: Set additional env variables (GIT_COMMIT_MESSAGE)
       shell: bash
       run: |
-        GIT_COMMIT_MESSAGE="$(git log --format=%b -n 1)"
+        DELIMITER=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
-        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//'%'/'%25'}"
+        COMMIT_MESSAGE="$(git log --format=%b -n 1)"
-        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//$'\n'/'%0A'}"
+        echo "GIT_COMMIT_MESSAGE<<$DELIMITER" >> $GITHUB_ENV
-        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//$'\r'/'%0D'}"
+        echo "$COMMIT_MESSAGE" >> $GITHUB_ENV
-        echo "GIT_COMMIT_MESSAGE=$GIT_COMMIT_MESSAGE" >> $GITHUB_ENV
+        echo "$DELIMITER" >> $GITHUB_ENV
-        echo "GIT_COMMIT_MESSAGE is: ${GIT_COMMIT_MESSAGE}"
+        echo "GIT_COMMIT_MESSAGE is: ${COMMIT_MESSAGE}"
     - name: Interpolate PR Body
-      uses: pedrolamas/handlebars-action@v2.0.0
+      uses: pedrolamas/handlebars-action@v2.4.0
       with:
-        files: 'pr_body.template'
+        files: "pr_body.template"
-        output-filename: 'pr_body.txt'
+        output-filename: "pr_body.txt"
     - name: Read pr_body.txt
       id: pr_body
-      uses: andstor/file-reader-action@v1
+      uses: juliangruber/read-file-action@v1
       with:
         path: "pr_body.txt"
     # We need to remove the pr_body files so that the
@@ -168,13 +242,16 @@ runs:
       run: rm -f pr_body.txt pr_body.template
     - name: Create PR
       id: create-pr
-      uses: peter-evans/create-pull-request@v3
+      uses: peter-evans/create-pull-request@v6
       with:
+        base: ${{ inputs.base }}
         branch: ${{ inputs.branch }}
         delete-branch: true
         committer: ${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }}
         author: ${{ env.GIT_AUTHOR_NAME }} ${{ env.GIT_AUTHOR_EMAIL }}
         title: ${{ inputs.pr-title }}
         token: ${{ inputs.token }}
+        assignees: ${{ inputs.pr-assignees }}
         labels: ${{ inputs.pr-labels }}
-        body: ${{ steps.pr_body.outputs.contents }}
+        reviewers: ${{ inputs.pr-reviewers }}
+        body: ${{ steps.pr_body.outputs.content }}

dist/index.d.ts

@@ -0,0 +1,2 @@
+
+export {  }

dist/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

flake.lock

@@ -2,18 +2,16 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1659131907,
+        "lastModified": 1713537308,
-        "narHash": "sha256-8bz4k18M/FuVC+EVcI4aREN2PsEKT7LGmU2orfjnpCg=",
+        "narHash": "sha256-XtTSSIB2DA6tOv+l0FhvfDMiyCmhoRbNB+0SeInZkbk=",
-        "owner": "nixos",
+        "rev": "5c24cf2f0a12ad855f444c30b2421d044120c66f",
-        "repo": "nixpkgs",
+        "revCount": 614481,
-        "rev": "8d435fca5c561da8168abb30270788d2da2a7951",
+        "type": "tarball",
-        "type": "github"
+        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.614481%2Brev-5c24cf2f0a12ad855f444c30b2421d044120c66f/018efa00-a443-7f41-b371-ce568b5c7e9f/source.tar.gz"
       },
       "original": {
-        "owner": "nixos",
+        "type": "tarball",
-        "ref": "nixos-unstable",
+        "url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.%2A.tar.gz"
-        "repo": "nixpkgs",
-        "type": "github"
       }
     },
     "root": {

flake.nix

@@ -1,30 +1,23 @@
 {
   description = "update-flake-lock";
 
-  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+  inputs.nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1.*.tar.gz";
 
-  outputs =
+  outputs = { self, nixpkgs }:
-    { self
-    , nixpkgs
-    }:
     let
-      nameValuePair = name: value: { inherit name value; };
+      supportedSystems = [ "x86_64-linux" "aarch64-darwin" "aarch64-linux" "x86_64-darwin" ];
-      genAttrs = names: f: builtins.listToAttrs (map (n: nameValuePair n (f n)) names);
+      forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f {
-
+        pkgs = import nixpkgs { inherit system; };
-      allSystems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
+      });
-      forAllSystems = f: genAttrs allSystems
-        (system: f {
-          inherit system;
-          pkgs = import nixpkgs { inherit system; };
-        });
     in
     {
-      devShell = forAllSystems
+      devShells = forEachSupportedSystem ({ pkgs }: {
-        ({ system, pkgs, ... }:
+        default = pkgs.mkShell {
-          pkgs.stdenv.mkDerivation {
+          packages = with pkgs; [
-            name = "update-flake-lock-devshell";
+            nodejs_latest
-            buildInputs = [ pkgs.shellcheck ];
+            nodePackages_latest.pnpm
-            src = self;
+          ];
-          });
+        };
+      });
     };
 }

package.json

@@ -0,0 +1,49 @@
+{
+  "name": "update-flake-lock",
+  "version": "1.0.0",
+  "description": "",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "type": "module",
+  "scripts": {
+    "build": "tsup",
+    "format": "prettier --write .",
+    "check-fmt": "prettier --check .",
+    "lint": "eslint src/**/*.ts --ignore-pattern *.test.ts",
+    "package": "ncc build",
+    "test": "vitest --watch false",
+    "test-dev": "vitest",
+    "all": "pnpm run format && pnpm run lint && pnpm run build && pnpm run package"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/DeterminateSystems/update-flake-lock.git"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/DeterminateSystems/update-flake-lock/issues"
+  },
+  "homepage": "https://github.com/DeterminateSystems/update-flake-lock#readme",
+  "dependencies": {
+    "@actions/core": "^1.10.1",
+    "@actions/exec": "^1.1.1",
+    "detsys-ts": "github:DeterminateSystems/detsys-ts",
+    "handlebars": "^4.7.8"
+  },
+  "devDependencies": {
+    "@trivago/prettier-plugin-sort-imports": "^4.3.0",
+    "@typescript-eslint/eslint-plugin": "^7.11.0",
+    "@vercel/ncc": "^0.38.1",
+    "eslint": "^8.57.0",
+    "eslint-import-resolver-typescript": "^3.6.1",
+    "eslint-plugin-github": "^4.10.2",
+    "eslint-plugin-import": "^2.29.1",
+    "eslint-plugin-prettier": "^5.1.3",
+    "prettier": "^3.2.5",
+    "tsup": "^8.0.2",
+    "typescript": "^5.4.5",
+    "vitest": "^1.6.0"
+  }
+}

prettier.config.cjs

@@ -0,0 +1,12 @@
+/** @type {import('prettier').Config} */
+module.exports = {
+  plugins: [require.resolve("@trivago/prettier-plugin-sort-imports")],
+  semi: true,
+  singleQuote: false,
+  tabWidth: 2,
+  trailingComma: "all",
+  useTabs: false,
+  // Import sorting
+  importOrderSeparation: true,
+  importOrderSortSpecifiers: true,
+};

src/index.ts

@@ -0,0 +1,184 @@
+import { makeNixCommandArgs } from "./nix.js";
+import { renderCommitMessage, renderPullRequestBody } from "./template.js";
+import * as actionsCore from "@actions/core";
+import * as actionsExec from "@actions/exec";
+import { DetSysAction, inputs } from "detsys-ts";
+import * as fs from "fs";
+
+const DEFAULT_FLAKE_DIR = ".";
+
+const PR_BODY_OUTPUT_KEY = "pr-body";
+
+const EVENT_EXECUTION_FAILURE = "execution_failure";
+
+class UpdateFlakeLockAction extends DetSysAction {
+  private commitMessage: string;
+  private commitMessageTemplate: string;
+  private prBody: string;
+  private prBodyTemplate: string;
+  private nixOptions: string[];
+  private flakeInputs: string[];
+  private pathToFlakeDir: string | null;
+  private flakeDirsInput: string[] | null;
+  private flakeDirs: string[];
+
+  constructor() {
+    super({
+      name: "update-flake-lock",
+      fetchStyle: "universal",
+      requireNix: "fail",
+    });
+
+    this.commitMessage = inputs.getString("commit-msg");
+    this.commitMessageTemplate = inputs.getString("commit-msg-template");
+    this.prBody = inputs.getString("pr-body");
+    this.prBodyTemplate = inputs.getString("pr-body-template");
+    this.flakeInputs = inputs.getArrayOfStrings("inputs", "space");
+    this.nixOptions = inputs.getArrayOfStrings("nix-options", "space");
+    this.pathToFlakeDir = inputs.getStringOrNull("path-to-flake-dir");
+    this.flakeDirsInput = inputs.getArrayOfStringsOrNull("flake-dirs", "space");
+
+    this.validateInputs();
+
+    if (this.flakeDirsInput !== null && this.flakeDirsInput.length > 0) {
+      this.flakeDirs = this.flakeDirsInput;
+    } else {
+      this.flakeDirs = [this.pathToFlakeDir ?? DEFAULT_FLAKE_DIR];
+    }
+  }
+
+  async main(): Promise<void> {
+    for (const directory of this.flakeDirs) {
+      await this.updateFlakeInDirectory(directory);
+    }
+
+    const prBody =
+      this.prBody !== ""
+        ? this.prBody
+        : renderPullRequestBody(this.prBodyTemplate, this.flakeDirs);
+
+    actionsCore.setOutput(PR_BODY_OUTPUT_KEY, prBody);
+  }
+
+  // No post phase
+  async post(): Promise<void> {}
+
+  private async updateFlakeInDirectory(flakeDir: string): Promise<void> {
+    this.ensureDirectoryExists(flakeDir);
+    this.ensureDirectoryIsFlake(flakeDir);
+
+    actionsCore.debug(`Running flake lock update in directory \`${flakeDir}\``);
+
+    const flakeDotLock = `${flakeDir}/flake.lock`;
+    const commitMessage =
+      this.commitMessage !== ""
+        ? this.commitMessage
+        : renderCommitMessage(
+            this.commitMessageTemplate,
+            flakeDir,
+            flakeDotLock,
+          );
+
+    // Nix command of this form:
+    // nix ${maybe nix options} flake ${"update" or "lock"} ${maybe --update-input flags} --commit-lock-file --commit-lockfile-summary ${commit message}
+    // Example commands:
+    // nix --extra-substituters https://example.com flake lock --update-input nixpkgs --commit-lock-file --commit-lockfile-summary "updated flake.lock"
+    // nix flake update --commit-lock-file --commit-lockfile-summary "updated flake.lock"
+    const nixCommandArgs: string[] = makeNixCommandArgs(
+      this.nixOptions,
+      this.flakeInputs,
+      commitMessage,
+    );
+
+    actionsCore.debug(
+      JSON.stringify({
+        directory: flakeDir,
+        options: this.nixOptions,
+        inputs: this.flakeInputs,
+        message: this.commitMessage,
+        args: nixCommandArgs,
+      }),
+    );
+
+    const execOptions: actionsExec.ExecOptions = {
+      cwd: flakeDir,
+    };
+
+    const exitCode = await actionsExec.exec("nix", nixCommandArgs, execOptions);
+
+    if (exitCode !== 0) {
+      this.recordEvent(EVENT_EXECUTION_FAILURE, {
+        exitCode,
+      });
+      actionsCore.setFailed(
+        `non-zero exit code of ${exitCode} detected while updating directory \`${flakeDir}\``,
+      );
+    } else {
+      actionsCore.info(
+        `flake.lock file in \`${flakeDir}\` was successfully updated`,
+      );
+    }
+  }
+
+  private validateInputs(): void {
+    // Ensure that either `path-to-flake-dir` or `flake-dirs` is set to a meaningful value but not both
+    if (
+      this.flakeDirsInput !== null &&
+      this.flakeDirsInput.length > 0 &&
+      this.pathToFlakeDir !== null &&
+      this.pathToFlakeDir !== ""
+    ) {
+      throw new Error(
+        "Both `path-to-flake-dir` and `flake-dirs` are set, whereas only one can be",
+      );
+    }
+
+    // Ensure that `flake-dirs` isn't an empty array if set
+    if (this.flakeDirsInput !== null && this.flakeDirsInput.length === 0) {
+      throw new Error(
+        "The `flake-dirs` input is set to an empty array; it must contain at least one directory",
+      );
+    }
+
+    // Ensure that both `flake-dirs` and `inputs` aren't set at the same time
+    if (
+      this.flakeDirsInput !== null &&
+      this.flakeDirsInput.length > 0 &&
+      this.flakeInputs.length > 0
+    ) {
+      throw new Error(
+        `You've set both \`flake-dirs\` and \`inputs\` but you can only set one`,
+      );
+    }
+  }
+
+  private ensureDirectoryExists(flakeDir: string): void {
+    actionsCore.debug(`Checking that flake directory \`${flakeDir}\` exists`);
+
+    // Ensure the directory exists
+    fs.access(flakeDir, fs.constants.F_OK, (err) => {
+      if (err !== null) {
+        throw new Error(`Directory \`${flakeDir}\` doesn't exist`);
+      } else {
+        actionsCore.debug(`Flake directory \`${flakeDir}\` exists`);
+      }
+    });
+  }
+
+  private ensureDirectoryIsFlake(flakeDir: string): void {
+    const flakeDotNix = `${flakeDir}/flake.nix`;
+    if (!fs.existsSync(flakeDotNix)) {
+      throw new Error(
+        `Directory \`${flakeDir}\` is not a valid flake as it doesn't contain a \`flake.nix\``,
+      );
+    } else {
+      actionsCore.debug(`Directory \`${flakeDir}\` is a valid flake`);
+    }
+  }
+}
+
+function main(): void {
+  new UpdateFlakeLockAction().execute();
+}
+
+main();

src/nix.ts

@@ -0,0 +1,18 @@
+// Build the Nix args out of inputs from the Actions environment
+export function makeNixCommandArgs(
+  nixOptions: string[],
+  flakeInputs: string[],
+  commitMessage: string,
+): string[] {
+  const flakeInputFlags = flakeInputs.flatMap((input) => [
+    "--update-input",
+    input,
+  ]);
+
+  const updateLockMechanism = flakeInputFlags.length === 0 ? "update" : "lock";
+
+  return nixOptions
+    .concat(["flake", updateLockMechanism])
+    .concat(flakeInputFlags)
+    .concat(["--commit-lock-file", "--commit-lockfile-summary", commitMessage]);
+}

src/template.test.ts

@@ -0,0 +1,75 @@
+import { renderCommitMessage, renderPullRequestBody } from "./template.js";
+import { template } from "handlebars";
+import { Test, describe, expect, test } from "vitest";
+
+describe("templating", () => {
+  test("commit message", () => {
+    type TestCase = {
+      template: string;
+      flakeDotLockDir: string;
+      flakeDotLock: string;
+      expected: string;
+    };
+
+    const testCases: TestCase[] = [
+      {
+        template: "Updating flake.lock in dir {{ flake_dot_lock_dir }}",
+        flakeDotLockDir: ".",
+        flakeDotLock: "./flake.lock",
+        expected: "Updating flake.lock in dir .",
+      },
+      {
+        template:
+          "Here I go doing some updating of my pristine flake.lock at {{ flake_dot_lock }}",
+        flakeDotLockDir: "subflake",
+        flakeDotLock: "subflake/flake.lock",
+        expected:
+          "Here I go doing some updating of my pristine flake.lock at subflake/flake.lock",
+      },
+      {
+        template: "This variable doesn't exist: {{ foo }}",
+        flakeDotLockDir: ".",
+        flakeDotLock: "./flake.lock",
+        expected: "This variable doesn't exist: ",
+      },
+    ];
+
+    testCases.forEach(
+      ({ template, flakeDotLockDir, flakeDotLock, expected }) => {
+        expect(
+          renderCommitMessage(template, flakeDotLockDir, flakeDotLock),
+        ).toEqual(expected);
+      },
+    );
+  });
+
+  test("pull request body", () => {
+    type TestCase = {
+      template: string;
+      dirs: string[];
+      expected: string;
+    };
+
+    const testCases: TestCase[] = [
+      {
+        template: "Updated inputs: {{ comma_separated_dirs }}",
+        dirs: ["."],
+        expected: "Updated inputs: .",
+      },
+      {
+        template: "Updated inputs: {{ space_separated_dirs }}",
+        dirs: ["subflake", "subflake2"],
+        expected: "Updated inputs: subflake subflake2",
+      },
+      {
+        template: "Updated inputs:\n{{ updated_dirs_list }}",
+        dirs: ["flake1", "flake2"],
+        expected: `Updated inputs:\n* flake1\n* flake2`,
+      },
+    ];
+
+    testCases.forEach(({ template, dirs, expected }) => {
+      expect(renderPullRequestBody(template, dirs)).toEqual(expected);
+    });
+  });
+});

src/template.ts

@@ -0,0 +1,39 @@
+import Handlebars from "handlebars";
+
+export function renderPullRequestBody(
+  template: string,
+  dirs: string[],
+): string {
+  const commaSeparated = dirs.join(", ");
+  const spaceSeparated = dirs.join(" ");
+  const dirsList = dirs.map((d: string) => `* ${d}`).join("\n");
+
+  const tpl = Handlebars.compile(template);
+
+  return tpl({
+    // eslint-disable-next-line camelcase
+    comma_separated_dirs: commaSeparated,
+    // eslint-disable-next-line camelcase
+    space_separated_dirs: spaceSeparated,
+    // eslint-disable-next-line camelcase
+    updated_dirs_list: dirsList,
+  });
+}
+
+export function renderCommitMessage(
+  template: string,
+  flakeDotLockDir: string,
+  flakeDotLock: string,
+): string {
+  return render(template, {
+    // eslint-disable-next-line camelcase
+    flake_dot_lock_dir: flakeDotLockDir,
+    // eslint-disable-next-line camelcase
+    flake_dot_lock: flakeDotLock,
+  });
+}
+
+function render(template: string, inputs: Record<string, string>): string {
+  const tpl = Handlebars.compile(template);
+  return tpl(inputs);
+}

src/update-flake-lock.test.ts

@@ -0,0 +1,74 @@
+import { makeNixCommandArgs } from "./nix.js";
+import { expect, test } from "vitest";
+
+test("Nix command arguments", () => {
+  type TestCase = {
+    inputs: {
+      nixOptions: string[];
+      flakeInputs: string[];
+      commitMessage: string;
+    };
+    expected: string[];
+  };
+
+  const testCases: TestCase[] = [
+    {
+      inputs: {
+        nixOptions: ["--log-format", "raw"],
+        flakeInputs: [],
+        commitMessage: "just testing",
+      },
+      expected: [
+        "--log-format",
+        "raw",
+        "flake",
+        "update",
+        "--commit-lock-file",
+        "--commit-lockfile-summary",
+        "just testing",
+      ],
+    },
+    {
+      inputs: {
+        nixOptions: [],
+        flakeInputs: ["nixpkgs", "rust-overlay"],
+        commitMessage: "just testing",
+      },
+      expected: [
+        "flake",
+        "lock",
+        "--update-input",
+        "nixpkgs",
+        "--update-input",
+        "rust-overlay",
+        "--commit-lock-file",
+        "--commit-lockfile-summary",
+        "just testing",
+      ],
+    },
+    {
+      inputs: {
+        nixOptions: ["--debug"],
+        flakeInputs: [],
+        commitMessage: "just testing",
+      },
+      expected: [
+        "--debug",
+        "flake",
+        "update",
+        "--commit-lock-file",
+        "--commit-lockfile-summary",
+        "just testing",
+      ],
+    },
+  ];
+
+  testCases.forEach(({ inputs, expected }) => {
+    const args = makeNixCommandArgs(
+      inputs.nixOptions,
+      inputs.flakeInputs,
+      inputs.commitMessage,
+    );
+    expect(args).toStrictEqual(expected);
+  });
+});

tsconfig.json

@@ -0,0 +1,15 @@
+{
+  "compilerOptions": {
+    "target": "ES2020" /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */,
+    "module": "Node16",
+    "moduleResolution": "NodeNext",
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true /* Enable all strict type-checking options. */,
+    "noImplicitAny": true /* Raise error on expressions and declarations with an implied 'any' type. */,
+    "esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */,
+    "resolveJsonModule": true,
+    "declaration": true
+  },
+  "exclude": ["node_modules", "**/*.test.ts", "dist"]
+}

tsup.config.ts

@@ -0,0 +1,16 @@
+import { name } from "./package.json";
+import { defineConfig } from "tsup";
+
+export default defineConfig({
+  name,
+  entry: ["src/index.ts"],
+  format: ["esm"],
+  target: "node20",
+  bundle: true,
+  splitting: false,
+  sourcemap: true,
+  clean: true,
+  dts: {
+    resolve: true,
+  },
+});

update-flake-lock.sh

@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-if [[ -n "$PATH_TO_FLAKE_DIR" ]]; then
-  cd "$PATH_TO_FLAKE_DIR"
-fi
-
-if [[ -n "$TARGETS" ]]; then
-    inputs=()
-    for input in $TARGETS; do
-        inputs+=("--update-input" "$input")
-    done
-    nix flake lock "${inputs[@]}" --commit-lock-file --commit-lockfile-summary "$COMMIT_MSG"
-else
-    nix flake update --commit-lock-file --commit-lockfile-summary "$COMMIT_MSG"
-fi