Merge pull request #113 from DeterminateSystems/update-detsys-ts-status-page

Update detsys-ts (status page changes)

.editorconfig

@@ -1,15 +1,10 @@
-# EditorConfig helps developers define and maintain consistent
-# coding styles between different editors and IDEs
-# editorconfig.org
-
+# https://editorconfig.org
 root = true
 
 [*]
-charset = utf-8
-end_of_line = lf
-insert_final_newline = true
-trim_trailing_whitespace = true
 indent_style = space
-
-[*.{yml,yaml}]
 indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

.envrc

@@ -0,0 +1 @@
+use flake

.eslintrc.json

@@ -0,0 +1,74 @@
+{
+  "plugins": ["@typescript-eslint"],
+  "extends": ["plugin:github/recommended"],
+  "parser": "@typescript-eslint/parser",
+  "parserOptions": {
+    "ecmaVersion": 9,
+    "sourceType": "module",
+    "project": "./tsconfig.json"
+  },
+  "settings": {
+    "import/resolver": {
+      "typescript": {}
+    }
+  },
+  "rules": {
+    "i18n-text/no-en": "off",
+    "eslint-comments/no-use": "off",
+    "import/no-namespace": "off",
+    "no-unused-vars": "off",
+    "@typescript-eslint/no-unused-vars": [
+      "error",
+      {
+        "argsIgnorePattern": "^_"
+      }
+    ],
+    "@typescript-eslint/explicit-member-accessibility": [
+      "error",
+      {
+        "accessibility": "no-public"
+      }
+    ],
+    "@typescript-eslint/no-base-to-string": "error",
+    "@typescript-eslint/no-require-imports": "error",
+    "@typescript-eslint/array-type": "error",
+    "@typescript-eslint/await-thenable": "error",
+    "@typescript-eslint/ban-ts-comment": "error",
+    "camelcase": "error",
+    "@typescript-eslint/consistent-type-assertions": "error",
+    "@typescript-eslint/explicit-function-return-type": [
+      "error",
+      {
+        "allowExpressions": true
+      }
+    ],
+    "@typescript-eslint/func-call-spacing": ["error", "never"],
+    "@typescript-eslint/no-array-constructor": "error",
+    "@typescript-eslint/no-empty-interface": "error",
+    "@typescript-eslint/no-explicit-any": "error",
+    "@typescript-eslint/no-floating-promises": "error",
+    "@typescript-eslint/no-extraneous-class": "error",
+    "@typescript-eslint/no-for-in-array": "error",
+    "@typescript-eslint/no-inferrable-types": "error",
+    "@typescript-eslint/no-misused-new": "error",
+    "@typescript-eslint/no-namespace": "error",
+    "@typescript-eslint/no-non-null-assertion": "warn",
+    "@typescript-eslint/no-unnecessary-qualifier": "error",
+    "@typescript-eslint/no-unnecessary-type-assertion": "error",
+    "@typescript-eslint/no-useless-constructor": "error",
+    "@typescript-eslint/no-var-requires": "error",
+    "@typescript-eslint/prefer-for-of": "warn",
+    "@typescript-eslint/prefer-function-type": "warn",
+    "@typescript-eslint/prefer-includes": "error",
+    "@typescript-eslint/prefer-string-starts-ends-with": "error",
+    "@typescript-eslint/promise-function-async": "error",
+    "@typescript-eslint/require-array-sort-compare": "error",
+    "@typescript-eslint/restrict-plus-operands": "error",
+    "@typescript-eslint/type-annotation-spacing": "error",
+    "@typescript-eslint/unbound-method": "error"
+  },
+  "env": {
+    "node": true,
+    "es6": true
+  }
+}

.github/workflows/ci.yml

@@ -5,13 +5,29 @@ on:
     branches: [main]
 
 jobs:
-  shellcheck:
-    runs-on: ubuntu-latest
+  typescript-action:
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Install Nix
-        uses: cachix/install-nix-action@v17
-      - name: Shellcheck
-        run: nix-shell --run 'shellcheck $(find . -type f -name "*.sh" -executable)'
+        uses: DeterminateSystems/nix-installer-action@main
+      - name: Enable magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+      - name: Install pnpm dependencies
+        run: nix develop --command pnpm install
+      - name: Check formatting
+        run: nix develop --command pnpm run check-fmt
+      - name: Lint
+        run: nix develop --command pnpm run lint
+      - name: Build
+        run: nix develop --command pnpm run build
+      - name: Run test suite
+        run: nix develop --command pnpm run test
+      - name: Package
+        run: nix develop --command pnpm run package
+      - name: Check git status
+        run: git status --porcelain=v1
+      - name: Ensure no staged changes
+        run: git diff --exit-code

.github/workflows/update.yml

@@ -2,18 +2,21 @@ name: update-flake-lock
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 0 * * 0'
+    - cron: "0 0 * * 0"
 
 jobs:
   lockfile:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v17
-        with:
-          extra_nix_config: |
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+        uses: DeterminateSystems/nix-installer-action@main
+      - name: Enable magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+      - name: Check flake
+        uses: DeterminateSystems/flake-checker-action@main
       - name: Update flake.lock
         uses: ./.
+        with:
+          _internal-strict-mode: true

.github/workflows/validate.yml

@@ -6,13 +6,13 @@ on:
 
 jobs:
   validate:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Validate YAML
-        uses: nwisbeta/validate-yaml-schema@v1.0.3
+        uses: nwisbeta/validate-yaml-schema@v2.0.0
         with:
           yamlSchemasJson: |
             {

.gitignore

@@ -0,0 +1,2 @@
+# JS dependencies
+node_modules/

.prettierignore

@@ -0,0 +1,5 @@
+dist/
+lib/
+node_modules/
+pnpm-lock.yaml
+README.md

README.md

@@ -20,14 +20,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
-        with:
-          extra_nix_config: |
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+        uses: DeterminateSystems/nix-installer-action@main
       - name: Update flake.lock
-        uses: DeterminateSystems/update-flake-lock@vX
+        uses: DeterminateSystems/update-flake-lock@main
         with:
           pr-title: "Update flake.lock" # Title of PR to be created
           pr-labels: |                  # Labels to be set on the PR
@@ -53,18 +50,40 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
-        with:
-          extra_nix_config: |
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+        uses: DeterminateSystems/nix-installer-action@v1
       - name: Update flake.lock
         uses: DeterminateSystems/update-flake-lock@vX
         with:
           inputs: input1 input2 input3
 ```
 
+## Example adding options to nix command
+
+It is also possible to use specific options to the nix command in a space separated list:
+
+```yaml
+name: update-flake-lock
+on:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
+
+jobs:
+  lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v1
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@vX
+        with:
+          nix-options: --debug --log-format raw
+```
+
 ## Example that prints the number of the created PR
 
 ```yaml
@@ -79,12 +98,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
-        with:
-          extra_nix_config: |
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+        uses: DeterminateSystems/nix-installer-action@v1
       - name: Update flake.lock
         id: update
         uses: DeterminateSystems/update-flake-lock@vX
@@ -111,12 +127,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
-        with:
-          extra_nix_config: |
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+        uses: DeterminateSystems/nix-installer-action@v1
       - name: Update flake.lock
         if: ${{ github.event_name != 'pull_request' }}
         uses: DeterminateSystems/update-flake-lock@vX
@@ -141,12 +154,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
-        with:
-          extra_nix_config: |
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+        uses: DeterminateSystems/nix-installer-action@v1
       - name: Update flake.lock
         uses: DeterminateSystems/update-flake-lock@vX
         with:
@@ -189,9 +199,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
+        uses: DeterminateSystems/nix-installer-action@v1
       - name: Update flake.lock
         uses: DeterminateSystems/update-flake-lock@vX
         with:
@@ -224,9 +234,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
+        uses: DeterminateSystems/nix-installer-action@v1
       - name: Update flake.lock
         uses: DeterminateSystems/update-flake-lock@vX
         with:
@@ -286,9 +296,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v16
+        uses: DeterminateSystems/nix-installer-action@v1
       - name: Update flake.lock
         uses: DeterminateSystems/update-flake-lock@vX
         with:

action.yml

@@ -1,32 +1,34 @@
-name: 'Update flake.lock'
-description: 'Update your flake.lock and send a PR'
+name: "Update Nix Flake Lock"
+description: "Update your Nix flake.lock and send a PR"
 inputs:
   inputs:
-    description: 'A space-separated list of inputs to update. Leave empty to update all inputs.'
+    description: "A space-separated list of inputs to update. Leave empty to update all inputs."
     required: false
-    default: ''
+    default: ""
   token:
-    description: 'GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)'
+    description: "GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)"
     required: false
     default: ${{ github.token }}
   commit-msg:
-    description: 'The message provided with the commit'
+    description: "The message provided with the commit"
     required: false
     default: "flake.lock: Update"
+  base:
+    description: "Sets the pull request base branch. Defaults to the branch checked out in the workflow."
+    required: false
   branch:
-    description: 'The branch of the PR to be created'
+    description: "The branch of the PR to be created"
     required: false
     default: "update_flake_lock_action"
   path-to-flake-dir:
-    description: 'The path of the directory containing `flake.nix` file within your repository. Useful when `flake.nix` cannot reside at the root of your repository.'
+    description: "The path of the directory containing `flake.nix` file within your repository. Useful when `flake.nix` cannot reside at the root of your repository."
     required: false
-    default: ''
   pr-title:
-    description: 'The title of the PR to be created'
+    description: "The title of the PR to be created"
     required: false
     default: "flake.lock: Update"
   pr-body:
-    description: 'The body of the PR to be created'
+    description: "The body of the PR to be created"
     required: false
     default: |
       Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
@@ -50,62 +52,73 @@ inputs:
       ```
 
   pr-labels:
-    description: 'A comma or newline separated list of labels to set on the Pull Request to be created'
+    description: "A comma or newline separated list of labels to set on the Pull Request to be created"
     required: false
-    default: ''
+    default: ""
   pr-assignees:
-    description: 'A comma or newline separated list of assignees (GitHub usernames).'
+    description: "A comma or newline separated list of assignees (GitHub usernames)."
     required: false
-    default: ''
+    default: ""
   pr-reviewers:
-    description: 'A comma or newline separated list of reviewers (GitHub usernames) to request a review from.'
+    description: "A comma or newline separated list of reviewers (GitHub usernames) to request a review from."
     required: false
-    default: ''
+    default: ""
   git-author-name:
-    description: 'Author name used for commit. Only used if sign-commits is false.'
+    description: "Author name used for commit. Only used if sign-commits is false."
     required: false
-    default: 'github-actions[bot]'
+    default: "github-actions[bot]"
   git-author-email:
-    description: 'Author email used for commit. Only used if sign-commits is false.'
+    description: "Author email used for commit. Only used if sign-commits is false."
     required: false
-    default: 'github-actions[bot]@users.noreply.github.com'
+    default: "github-actions[bot]@users.noreply.github.com"
   git-committer-name:
-    description: 'Committer name used for commit. Only used if sign-commits is false.'
+    description: "Committer name used for commit. Only used if sign-commits is false."
     required: false
-    default: 'github-actions[bot]'
+    default: "github-actions[bot]"
   git-committer-email:
-    description: 'Committer email used for commit. Only used if sign-commits is false.'
+    description: "Committer email used for commit. Only used if sign-commits is false."
     required: false
-    default: 'github-actions[bot]@users.noreply.github.com'
+    default: "github-actions[bot]@users.noreply.github.com"
   sign-commits:
-    description: 'Set to true if the action should sign the commit with GPG'
+    description: "Set to true if the action should sign the commit with GPG"
     required: false
-    default: 'false'
+    default: "false"
   gpg-private-key:
-    description: 'GPG Private Key with which to sign the commits in the PR to be created'
+    description: "GPG Private Key with which to sign the commits in the PR to be created"
     required: false
-    default: ''
+    default: ""
   gpg-fingerprint:
-    description: 'Fingerprint of specific GPG subkey to use'
+    description: "Fingerprint of specific GPG subkey to use"
     required: false
   gpg-passphrase:
-    description: 'GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created'
+    description: "GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created"
     required: false
-    default: ''
+    default: ""
+  nix-options:
+    description: "A space-separated list of options to pass to the nix command"
+    required: false
+    default: ""
+  _internal-strict-mode:
+    description: Whether to fail when any errors are thrown. Used only to test the Action; do not set this in your own workflows.
+    required: false
+    default: false
 outputs:
   pull-request-number:
-    description: 'The number of the opened pull request'
+    description: "The number of the opened pull request"
     value: ${{ steps.create-pr.outputs.pull-request-number }}
+  pull-request-operation:
+    description: "The pull request operation performed by the action, `created`, `updated` or `closed`."
+    value: ${{ steps.create-pr.outputs.pull-request-operation }}
 runs:
   using: "composite"
   steps:
     - name: Import bot's GPG key for signing commits
       if: ${{ inputs.sign-commits == 'true' }}
       id: import-gpg
-      uses: crazy-max/ghaction-import-gpg@v5
+      uses: crazy-max/ghaction-import-gpg@v6
       with:
         gpg_private_key: ${{ inputs.gpg-private-key }}
-        fingerprint: ${{ inputs.gpg-fingerprint }}
+        fingerprint: ${{ inputs.gpg-fingerprint }}
         passphrase: ${{ inputs.gpg-passphrase }}
         git_config_global: true
         git_user_signingkey: true
@@ -132,19 +145,37 @@ runs:
         echo "GIT_AUTHOR_EMAIL=<${{ inputs.git-author-email }}>" >> $GITHUB_ENV
         echo "GIT_COMMITTER_NAME=${{ inputs.git-committer-name }}" >> $GITHUB_ENV
         echo "GIT_COMMITTER_EMAIL=<${{ inputs.git-committer-email }}>" >> $GITHUB_ENV
-    - name: Run update-flake-lock.sh
-      run: $GITHUB_ACTION_PATH/update-flake-lock.sh
+    - name: Run update-flake-lock
       shell: bash
+      run: node "$GITHUB_ACTION_PATH/dist/index.js"
       env:
-        GIT_AUTHOR_NAME: ${{ env.GIT_AUTHOR_NAME }}
-        GIT_AUTHOR_EMAIL: ${{ env.GIT_AUTHOR_EMAIL }}
-        GIT_COMMITTER_NAME: ${{ env.GIT_COMMITTER_NAME }}
-        GIT_COMMITTER_EMAIL: ${{ env.GIT_COMMITTER_EMAIL }}
-        TARGETS: ${{ inputs.inputs }}
-        COMMIT_MSG: ${{ inputs.commit-msg }}
-        PATH_TO_FLAKE_DIR: ${{ inputs.path-to-flake-dir }}
+        # The following manually exposes all of the action inputs into INPUT_ environment variables so actionsCore.getInput works:
+        # https://github.com/actions/toolkit/blob/ae38557bb0dba824cdda26ce787bd6b66cf07a83/packages/core/src/core.ts#L126
+        INPUT_BASE: ${{ inputs.base }}
+        INPUT_BRANCH: ${{ inputs.branch }}
+        INPUT_COMMIT-MSG: ${{ inputs.commit-msg }}
+        INPUT_GIT-AUTHOR-EMAIL: ${{ inputs.git-author-email }}
+        INPUT_GIT-AUTHOR-NAME: ${{ inputs.git-author-name }}
+        INPUT_GIT-COMMITTER-EMAIL: ${{ inputs.git-committer-email }}
+        INPUT_GIT-COMMITTER-NAME: ${{ inputs.git-committer-name }}
+        INPUT_GPG-FINGERPRINT: ${{ inputs.gpg-fingerprint }}
+        INPUT_GPG-PASSPHRASE: ${{ inputs.gpg-passphrase }}
+        INPUT_GPG-PRIVATE-KEY: ${{ inputs.gpg-private-key }}
+        INPUT_INPUTS: ${{ inputs.inputs }}
+        INPUT_NIX-OPTIONS: ${{ inputs.nix-options }}
+        INPUT_PATH-TO-FLAKE-DIR: ${{ inputs.path-to-flake-dir }}
+        INPUT_PR-ASSIGNEES: ${{ inputs.pr-assignees }}
+        INPUT_PR-BODY: ${{ inputs.pr-body }}
+        INPUT_PR-LABELS: ${{ inputs.pr-labels }}
+        INPUT_PR-REVIEWERS: ${{ inputs.pr-reviewers }}
+        INPUT_PR-TITLE: ${{ inputs.pr-title }}
+        INPUT_PULL-REQUEST-NUMBER: ${{ inputs.pull-request-number }}
+        INPUT_PULL-REQUEST-OPERATION: ${{ inputs.pull-request-operation }}
+        INPUT_SIGN-COMMITS: ${{ inputs.sign-commits }}
+        INPUT_TOKEN: ${{ inputs.token }}
+        INPUT__INTERNAL-STRICT-MODE: ${{ inputs._internal-strict-mode }}
     - name: Save PR Body as file
-      uses: DamianReeves/write-file-action@v1.1
+      uses: DamianReeves/write-file-action@v1.3
       with:
         path: pr_body.template
         contents: ${{ inputs.pr-body }}
@@ -152,20 +183,20 @@ runs:
     - name: Set additional env variables (GIT_COMMIT_MESSAGE)
       shell: bash
       run: |
-        GIT_COMMIT_MESSAGE="$(git log --format=%b -n 1)"
-        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//'%'/'%25'}"
-        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//$'\n'/'%0A'}"
-        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//$'\r'/'%0D'}"
-        echo "GIT_COMMIT_MESSAGE=$GIT_COMMIT_MESSAGE" >> $GITHUB_ENV
-        echo "GIT_COMMIT_MESSAGE is: ${GIT_COMMIT_MESSAGE}"
+        DELIMITER=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+        COMMIT_MESSAGE="$(git log --format=%b -n 1)"
+        echo "GIT_COMMIT_MESSAGE<<$DELIMITER" >> $GITHUB_ENV
+        echo "$COMMIT_MESSAGE" >> $GITHUB_ENV
+        echo "$DELIMITER" >> $GITHUB_ENV
+        echo "GIT_COMMIT_MESSAGE is: ${COMMIT_MESSAGE}"
     - name: Interpolate PR Body
-      uses: pedrolamas/handlebars-action@v2.0.0
+      uses: pedrolamas/handlebars-action@v2.4.0
       with:
-        files: 'pr_body.template'
-        output-filename: 'pr_body.txt'
+        files: "pr_body.template"
+        output-filename: "pr_body.txt"
     - name: Read pr_body.txt
       id: pr_body
-      uses: andstor/file-reader-action@v1
+      uses: juliangruber/read-file-action@v1
       with:
         path: "pr_body.txt"
     # We need to remove the pr_body files so that the
@@ -176,8 +207,9 @@ runs:
       run: rm -f pr_body.txt pr_body.template
     - name: Create PR
       id: create-pr
-      uses: peter-evans/create-pull-request@v3
+      uses: peter-evans/create-pull-request@v6
       with:
+        base: ${{ inputs.base }}
         branch: ${{ inputs.branch }}
         delete-branch: true
         committer: ${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }}
@@ -187,4 +219,4 @@ runs:
         assignees: ${{ inputs.pr-assignees }}
         labels: ${{ inputs.pr-labels }}
         reviewers: ${{ inputs.pr-reviewers }}
-        body: ${{ steps.pr_body.outputs.contents }}
+        body: ${{ steps.pr_body.outputs.content }}

dist/index.d.ts

@@ -0,0 +1,2 @@
+
+export {  }

dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/nix.ts","../src/index.ts"],"sourcesContent":["// Build the Nix args out of inputs from the Actions environment\nexport function makeNixCommandArgs(\n  nixOptions: string[],\n  flakeInputs: string[],\n  commitMessage: string,\n): string[] {\n  const flakeInputFlags = flakeInputs.flatMap((input) => [\n    \"--update-input\",\n    input,\n  ]);\n\n  const updateLockMechanism = flakeInputFlags.length === 0 ? \"update\" : \"lock\";\n\n  return nixOptions\n    .concat([\"flake\", updateLockMechanism])\n    .concat(flakeInputFlags)\n    .concat([\"--commit-lock-file\", \"--commit-lockfile-summary\", commitMessage]);\n}\n","import { makeNixCommandArgs } from \"./nix.js\";\nimport * as actionsCore from \"@actions/core\";\nimport * as actionsExec from \"@actions/exec\";\nimport { DetSysAction, inputs } from \"detsys-ts\";\n\nconst EVENT_EXECUTION_FAILURE = \"execution_failure\";\n\nclass UpdateFlakeLockAction extends DetSysAction {\n  private commitMessage: string;\n  private nixOptions: string[];\n  private flakeInputs: string[];\n  private pathToFlakeDir: string | null;\n\n  constructor() {\n    super({\n      name: \"update-flake-lock\",\n      fetchStyle: \"universal\",\n      requireNix: \"fail\",\n    });\n\n    this.commitMessage = inputs.getString(\"commit-msg\");\n    this.flakeInputs = inputs.getArrayOfStrings(\"inputs\", \"space\");\n    this.nixOptions = inputs.getArrayOfStrings(\"nix-options\", \"space\");\n    this.pathToFlakeDir = inputs.getStringOrNull(\"path-to-flake-dir\");\n  }\n\n  async main(): Promise<void> {\n    await this.update();\n  }\n\n  // No post phase\n  async post(): Promise<void> {}\n\n  async update(): Promise<void> {\n    // Nix command of this form:\n    // nix ${maybe nix options} flake ${\"update\" or \"lock\"} ${maybe --update-input flags} --commit-lock-file --commit-lockfile-summary ${commit message}\n    // Example commands:\n    // nix --extra-substituters https://example.com flake lock --update-input nixpkgs --commit-lock-file --commit-lockfile-summary \"updated flake.lock\"\n    // nix flake update --commit-lock-file --commit-lockfile-summary \"updated flake.lock\"\n    const nixCommandArgs: string[] = makeNixCommandArgs(\n      this.nixOptions,\n      this.flakeInputs,\n      this.commitMessage,\n    );\n\n    actionsCore.debug(\n      JSON.stringify({\n        options: this.nixOptions,\n        inputs: this.flakeInputs,\n        message: this.commitMessage,\n        args: nixCommandArgs,\n      }),\n    );\n\n    const execOptions: actionsExec.ExecOptions = {\n      cwd: this.pathToFlakeDir !== null ? this.pathToFlakeDir : undefined,\n    };\n\n    const exitCode = await actionsExec.exec(\"nix\", nixCommandArgs, execOptions);\n\n    if (exitCode !== 0) {\n      this.recordEvent(EVENT_EXECUTION_FAILURE, {\n        exitCode,\n      });\n      actionsCore.setFailed(`non-zero exit code of ${exitCode} detected`);\n    } else {\n      actionsCore.info(`flake.lock file was successfully updated`);\n    }\n  }\n}\n\nfunction main(): void {\n  new UpdateFlakeLockAction().execute();\n}\n\nmain();\n"],"mappings":";AACO,SAAS,mBACd,YACA,aACA,eACU;AACV,QAAM,kBAAkB,YAAY,QAAQ,CAAC,UAAU;AAAA,IACrD;AAAA,IACA;AAAA,EACF,CAAC;AAED,QAAM,sBAAsB,gBAAgB,WAAW,IAAI,WAAW;AAEtE,SAAO,WACJ,OAAO,CAAC,SAAS,mBAAmB,CAAC,EACrC,OAAO,eAAe,EACtB,OAAO,CAAC,sBAAsB,6BAA6B,aAAa,CAAC;AAC9E;;;AChBA,YAAY,iBAAiB;AAC7B,YAAY,iBAAiB;AAC7B,SAAS,cAAc,cAAc;AAErC,IAAM,0BAA0B;AAEhC,IAAM,wBAAN,cAAoC,aAAa;AAAA,EAM/C,cAAc;AACZ,UAAM;AAAA,MACJ,MAAM;AAAA,MACN,YAAY;AAAA,MACZ,YAAY;AAAA,IACd,CAAC;AAED,SAAK,gBAAgB,OAAO,UAAU,YAAY;AAClD,SAAK,cAAc,OAAO,kBAAkB,UAAU,OAAO;AAC7D,SAAK,aAAa,OAAO,kBAAkB,eAAe,OAAO;AACjE,SAAK,iBAAiB,OAAO,gBAAgB,mBAAmB;AAAA,EAClE;AAAA,EAEA,MAAM,OAAsB;AAC1B,UAAM,KAAK,OAAO;AAAA,EACpB;AAAA;AAAA,EAGA,MAAM,OAAsB;AAAA,EAAC;AAAA,EAE7B,MAAM,SAAwB;AAM5B,UAAM,iBAA2B;AAAA,MAC/B,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAEA,IAAY;AAAA,MACV,KAAK,UAAU;AAAA,QACb,SAAS,KAAK;AAAA,QACd,QAAQ,KAAK;AAAA,QACb,SAAS,KAAK;AAAA,QACd,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,UAAM,cAAuC;AAAA,MAC3C,KAAK,KAAK,mBAAmB,OAAO,KAAK,iBAAiB;AAAA,IAC5D;AAEA,UAAM,WAAW,MAAkB,iBAAK,OAAO,gBAAgB,WAAW;AAE1E,QAAI,aAAa,GAAG;AAClB,WAAK,YAAY,yBAAyB;AAAA,QACxC;AAAA,MACF,CAAC;AACD,MAAY,sBAAU,yBAAyB,QAAQ,WAAW;AAAA,IACpE,OAAO;AACL,MAAY,iBAAK,0CAA0C;AAAA,IAC7D;AAAA,EACF;AACF;AAEA,SAAS,OAAa;AACpB,MAAI,sBAAsB,EAAE,QAAQ;AACtC;AAEA,KAAK;","names":[]}

dist/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

flake.lock

@@ -2,18 +2,16 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1659131907,
-        "narHash": "sha256-8bz4k18M/FuVC+EVcI4aREN2PsEKT7LGmU2orfjnpCg=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "8d435fca5c561da8168abb30270788d2da2a7951",
-        "type": "github"
+        "lastModified": 1713537308,
+        "narHash": "sha256-XtTSSIB2DA6tOv+l0FhvfDMiyCmhoRbNB+0SeInZkbk=",
+        "rev": "5c24cf2f0a12ad855f444c30b2421d044120c66f",
+        "revCount": 614481,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.614481%2Brev-5c24cf2f0a12ad855f444c30b2421d044120c66f/018efa00-a443-7f41-b371-ce568b5c7e9f/source.tar.gz"
       },
       "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.%2A.tar.gz"
       }
     },
     "root": {

flake.nix

@@ -1,30 +1,23 @@
 {
   description = "update-flake-lock";
 
-  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+  inputs.nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1.*.tar.gz";
 
-  outputs =
-    { self
-    , nixpkgs
-    }:
+  outputs = { self, nixpkgs }:
     let
-      nameValuePair = name: value: { inherit name value; };
-      genAttrs = names: f: builtins.listToAttrs (map (n: nameValuePair n (f n)) names);
-
-      allSystems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
-      forAllSystems = f: genAttrs allSystems
-        (system: f {
-          inherit system;
+      supportedSystems = [ "x86_64-linux" "aarch64-darwin" "aarch64-linux" "x86_64-darwin" ];
+      forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f {
         pkgs = import nixpkgs { inherit system; };
       });
     in
     {
-      devShell = forAllSystems
-        ({ system, pkgs, ... }:
-          pkgs.stdenv.mkDerivation {
-            name = "update-flake-lock-devshell";
-            buildInputs = [ pkgs.shellcheck ];
-            src = self;
+      devShells = forEachSupportedSystem ({ pkgs }: {
+        default = pkgs.mkShell {
+          packages = with pkgs; [
+            nodejs_latest
+            nodePackages_latest.pnpm
+          ];
+        };
       });
     };
 }

package.json

@@ -0,0 +1,47 @@
+{
+  "name": "update-flake-lock",
+  "version": "1.0.0",
+  "description": "",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "type": "module",
+  "scripts": {
+    "build": "tsup",
+    "format": "prettier --write .",
+    "check-fmt": "prettier --check .",
+    "lint": "eslint src/**/*.ts --ignore-pattern *.test.ts",
+    "package": "ncc build",
+    "test": "vitest --watch false",
+    "all": "pnpm run format && pnpm run lint && pnpm run build && pnpm run package"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/DeterminateSystems/update-flake-lock.git"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/DeterminateSystems/update-flake-lock/issues"
+  },
+  "homepage": "https://github.com/DeterminateSystems/update-flake-lock#readme",
+  "dependencies": {
+    "@actions/core": "^1.10.1",
+    "@actions/exec": "^1.1.1",
+    "detsys-ts": "github:DeterminateSystems/detsys-ts"
+  },
+  "devDependencies": {
+    "@trivago/prettier-plugin-sort-imports": "^4.3.0",
+    "@typescript-eslint/eslint-plugin": "^7.11.0",
+    "@vercel/ncc": "^0.38.1",
+    "eslint": "^8.57.0",
+    "eslint-import-resolver-typescript": "^3.6.1",
+    "eslint-plugin-github": "^4.10.2",
+    "eslint-plugin-import": "^2.29.1",
+    "eslint-plugin-prettier": "^5.1.3",
+    "prettier": "^3.2.5",
+    "tsup": "^8.0.2",
+    "typescript": "^5.4.5",
+    "vitest": "^1.6.0"
+  }
+}

prettier.config.cjs

@@ -0,0 +1,12 @@
+/** @type {import('prettier').Config} */
+module.exports = {
+  plugins: [require.resolve("@trivago/prettier-plugin-sort-imports")],
+  semi: true,
+  singleQuote: false,
+  tabWidth: 2,
+  trailingComma: "all",
+  useTabs: false,
+  // Import sorting
+  importOrderSeparation: true,
+  importOrderSortSpecifiers: true,
+};

src/index.ts

@@ -0,0 +1,76 @@
+import { makeNixCommandArgs } from "./nix.js";
+import * as actionsCore from "@actions/core";
+import * as actionsExec from "@actions/exec";
+import { DetSysAction, inputs } from "detsys-ts";
+
+const EVENT_EXECUTION_FAILURE = "execution_failure";
+
+class UpdateFlakeLockAction extends DetSysAction {
+  private commitMessage: string;
+  private nixOptions: string[];
+  private flakeInputs: string[];
+  private pathToFlakeDir: string | null;
+
+  constructor() {
+    super({
+      name: "update-flake-lock",
+      fetchStyle: "universal",
+      requireNix: "fail",
+    });
+
+    this.commitMessage = inputs.getString("commit-msg");
+    this.flakeInputs = inputs.getArrayOfStrings("inputs", "space");
+    this.nixOptions = inputs.getArrayOfStrings("nix-options", "space");
+    this.pathToFlakeDir = inputs.getStringOrNull("path-to-flake-dir");
+  }
+
+  async main(): Promise<void> {
+    await this.update();
+  }
+
+  // No post phase
+  async post(): Promise<void> {}
+
+  async update(): Promise<void> {
+    // Nix command of this form:
+    // nix ${maybe nix options} flake ${"update" or "lock"} ${maybe --update-input flags} --commit-lock-file --commit-lockfile-summary ${commit message}
+    // Example commands:
+    // nix --extra-substituters https://example.com flake lock --update-input nixpkgs --commit-lock-file --commit-lockfile-summary "updated flake.lock"
+    // nix flake update --commit-lock-file --commit-lockfile-summary "updated flake.lock"
+    const nixCommandArgs: string[] = makeNixCommandArgs(
+      this.nixOptions,
+      this.flakeInputs,
+      this.commitMessage,
+    );
+
+    actionsCore.debug(
+      JSON.stringify({
+        options: this.nixOptions,
+        inputs: this.flakeInputs,
+        message: this.commitMessage,
+        args: nixCommandArgs,
+      }),
+    );
+
+    const execOptions: actionsExec.ExecOptions = {
+      cwd: this.pathToFlakeDir !== null ? this.pathToFlakeDir : undefined,
+    };
+
+    const exitCode = await actionsExec.exec("nix", nixCommandArgs, execOptions);
+
+    if (exitCode !== 0) {
+      this.recordEvent(EVENT_EXECUTION_FAILURE, {
+        exitCode,
+      });
+      actionsCore.setFailed(`non-zero exit code of ${exitCode} detected`);
+    } else {
+      actionsCore.info(`flake.lock file was successfully updated`);
+    }
+  }
+}
+
+function main(): void {
+  new UpdateFlakeLockAction().execute();
+}
+
+main();

src/nix.test.ts

@@ -0,0 +1,74 @@
+import { makeNixCommandArgs } from "./nix.js";
+import { expect, test } from "vitest";
+
+type TestCase = {
+  inputs: {
+    nixOptions: string[];
+    flakeInputs: string[];
+    commitMessage: string;
+  };
+  expected: string[];
+};
+
+test("Nix command arguments", () => {
+  const testCases: TestCase[] = [
+    {
+      inputs: {
+        nixOptions: ["--log-format", "raw"],
+        flakeInputs: [],
+        commitMessage: "just testing",
+      },
+      expected: [
+        "--log-format",
+        "raw",
+        "flake",
+        "update",
+        "--commit-lock-file",
+        "--commit-lockfile-summary",
+        "just testing",
+      ],
+    },
+    {
+      inputs: {
+        nixOptions: [],
+        flakeInputs: ["nixpkgs", "rust-overlay"],
+        commitMessage: "just testing",
+      },
+      expected: [
+        "flake",
+        "lock",
+        "--update-input",
+        "nixpkgs",
+        "--update-input",
+        "rust-overlay",
+        "--commit-lock-file",
+        "--commit-lockfile-summary",
+        "just testing",
+      ],
+    },
+    {
+      inputs: {
+        nixOptions: ["--debug"],
+        flakeInputs: [],
+        commitMessage: "just testing",
+      },
+      expected: [
+        "--debug",
+        "flake",
+        "update",
+        "--commit-lock-file",
+        "--commit-lockfile-summary",
+        "just testing",
+      ],
+    },
+  ];
+
+  testCases.forEach(({ inputs, expected }) => {
+    const args = makeNixCommandArgs(
+      inputs.nixOptions,
+      inputs.flakeInputs,
+      inputs.commitMessage,
+    );
+    expect(args).toStrictEqual(expected);
+  });
+});

src/nix.ts

@@ -0,0 +1,18 @@
+// Build the Nix args out of inputs from the Actions environment
+export function makeNixCommandArgs(
+  nixOptions: string[],
+  flakeInputs: string[],
+  commitMessage: string,
+): string[] {
+  const flakeInputFlags = flakeInputs.flatMap((input) => [
+    "--update-input",
+    input,
+  ]);
+
+  const updateLockMechanism = flakeInputFlags.length === 0 ? "update" : "lock";
+
+  return nixOptions
+    .concat(["flake", updateLockMechanism])
+    .concat(flakeInputFlags)
+    .concat(["--commit-lock-file", "--commit-lockfile-summary", commitMessage]);
+}

tsconfig.json

@@ -0,0 +1,15 @@
+{
+  "compilerOptions": {
+    "target": "ES2020" /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */,
+    "module": "Node16",
+    "moduleResolution": "NodeNext",
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true /* Enable all strict type-checking options. */,
+    "noImplicitAny": true /* Raise error on expressions and declarations with an implied 'any' type. */,
+    "esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */,
+    "resolveJsonModule": true,
+    "declaration": true
+  },
+  "exclude": ["node_modules", "**/*.test.ts", "dist"]
+}

tsup.config.ts

@@ -0,0 +1,16 @@
+import { name } from "./package.json";
+import { defineConfig } from "tsup";
+
+export default defineConfig({
+  name,
+  entry: ["src/index.ts"],
+  format: ["esm"],
+  target: "node20",
+  bundle: true,
+  splitting: false,
+  sourcemap: true,
+  clean: true,
+  dts: {
+    resolve: true,
+  },
+});

update-flake-lock.sh

@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-if [[ -n "$PATH_TO_FLAKE_DIR" ]]; then
-  cd "$PATH_TO_FLAKE_DIR"
-fi
-
-if [[ -n "$TARGETS" ]]; then
-    inputs=()
-    for input in $TARGETS; do
-        inputs+=("--update-input" "$input")
-    done
-    nix flake lock "${inputs[@]}" --commit-lock-file --commit-lockfile-summary "$COMMIT_MSG"
-else
-    nix flake update --commit-lock-file --commit-lockfile-summary "$COMMIT_MSG"
-fi