| author | seth <[email protected]> | 2024-09-30 07:29:05 -0400 |
|---|---|---|
| committer | seth <[email protected]> | 2024-09-30 07:34:19 -0400 |
| commit | 363b6b64855ea6a239022593e097b7a2370bac66 (patch) | |
| tree | 2bea2daf15c24cf46aa4e43fa275e379499fe6e1 /.github/workflows | |
| parent | 0ae97fa5408f89a67a42d8d7989cdfbda3b5bd3b (diff) | |
ci: use github app for flake.lock PRs
Diffstat (limited to '.github/workflows')
| -rw-r--r-- | .github/workflows/update-inputs.yaml | 6 | ||||
| -rw-r--r-- | .github/workflows/update-lock.yaml | 47 | ||||
| -rw-r--r-- | .github/workflows/update-nixpkgs.yaml | 8 |
3 files changed, 41 insertions, 20 deletions
diff --git a/.github/workflows/update-inputs.yaml b/.github/workflows/update-inputs.yaml
index bd106a3..02144f4 100644
--- a/.github/workflows/update-inputs.yaml
+++ b/.github/workflows/update-inputs.yaml
@@ -10,5 +10,7 @@ jobs:
 update:
 uses: ./.github/workflows/update-lock.yaml
 with:
- commit-msg: "flake: update all inputs"
- secrets: inherit
+ commit-message: "flake: update all inputs"
+ secrets:
+ APP_ID: ${{ secrets.APP_ID }}
+ PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
diff --git a/.github/workflows/update-lock.yaml b/.github/workflows/update-lock.yaml
index bcafc11..4ab4932 100644
--- a/.github/workflows/update-lock.yaml
+++ b/.github/workflows/update-lock.yaml
@@ -3,18 +3,21 @@ name: Update flake.lock
 on:
 workflow_call:
 inputs:
- commit-msg:
+ commit-message:
 description: "Summary for lockfile commit"
 required: true
 type: string
- inputs:
+ flake-inputs:
 description: "Flake inputs to update"
 required: false
 default: ""
 type: string
 secrets:
- MERGE_TOKEN:
- description: PAT to create and merge PR
+ APP_ID:
+ description: GitHub Bot Application ID
+ required: true
+ PRIVATE_KEY:
+ description: GitHub Bot Application client secret
 required: true
 jobs:
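Review bot: The description added for `PRIVATE_KEY` is misleading: the value is passed to the `private-key` input of actions/create-github-app-token in the next hunk, which takes the GitHub App's private key (the PEM generated in the app settings), not the app's OAuth client secret, and those are two distinct credentials that are easy to confuse when someone rotates them. I would change it to `description: GitHub App private key (PEM) used to mint installation tokens`. It would also help to state in the `APP_ID` description that the app must be installed on this repository and, judging by what the minted token is used for in the steps below, needs write access to contents and pull requests. The `on:` mapping begins before this hunk, but the `secrets:` block is complete within it.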
@@ -24,27 +27,41 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Generate GitHub App token
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.PRIVATE_KEY }}
+
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ token: ${{ steps.app-token.outputs.token }}
 - name: Install Nix
 uses: DeterminateSystems/nix-installer-action@v14
 with:
 diagnostic-endpoint: ""
- - name: Update lockfile & make PR
- uses: DeterminateSystems/update-flake-lock@v24
- id: update
+ - name: Update flake.lock
+ run: |
+ nix flake update ${{ inputs.flake-inputs }}
+
+ - name: Create Pull request
+ id: pull-request
+ uses: peter-evans/create-pull-request@v7
 with:
- commit-msg: ${{ inputs.commit-msg }}
- inputs: ${{ inputs.inputs }}
- pr-title: ${{ inputs.commit-msg }}
- token: ${{ secrets.MERGE_TOKEN }}
+ branch: update-flake-lock
+ commit-message: ${{ inputs.commit-message }}
+ title: ${{ inputs.commit-message }}
+ token: ${{ steps.app-token.outputs.token }}
+ sign-commits: true
 - name: Enable auto-merge
 shell: bash
- if: steps.update.outputs.pull-request-number != ''
- run: gh pr merge --auto --rebase "$PR_ID"
+ if: ${{ env.PR_ID != '' }}
+ run: gh pr merge --auto --squash "$PR_ID"
 env:
- GH_TOKEN: ${{ secrets.MERGE_TOKEN }}
- PR_ID: ${{ steps.update.outputs.pull-request-number }}
+ PR_ID: ${{ steps.pull-request.outputs.pull-request-number }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/update-nixpkgs.yaml b/.github/workflows/update-nixpkgs.yaml
index db6bf63..785f56f 100644
--- a/.github/workflows/update-nixpkgs.yaml
+++ b/.github/workflows/update-nixpkgs.yaml
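Review bot: `run: nix flake update ${{ inputs.flake-inputs }}` in the new "Update flake.lock" step splices a workflow input into the shell script at template-expansion time, the script-injection shape GitHub's own guidance warns against; today the only callers are the two workflows in this commit with literal strings, so exposure is low, but any future caller of this reusable workflow can pass arbitrary text. Route it through the environment instead, keeping the expansion unquoted so a space-separated list such as "nixpkgs nixpkgs-stable" still becomes separate arguments: `env:` / `FLAKE_INPUTS: ${{ inputs.flake-inputs }}` / `run: nix flake update $FLAKE_INPUTS`. Separately, `branch: update-flake-lock` is hard-coded while both update-inputs.yaml and update-nixpkgs.yaml call this workflow, so the two schedules appear to share one branch and therefore one PR that each run force-updates; I would expose the branch name as a `workflow_call` input with `update-flake-lock` as its default and have the nixpkgs caller pass a distinct value. The two newly introduced actions (actions/create-github-app-token@v1 and peter-evans/create-pull-request@v7) are pinned by mutable major tag rather than commit SHA, which is worth tightening given that they handle the app token, and if the create-github-app-token release in use supports the `permission-contents` / `permission-pull-requests` inputs, scoping the minted token to write on just those would limit the blast radius of a leaked token. The `update` job's header starts before this hunk (`runs-on` is the first visible line).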
@@ -10,6 +10,8 @@ jobs:
 update:
 uses: ./.github/workflows/update-lock.yaml
 with:
- commit-msg: "flake: update nixpkgs"
- inputs: "nixpkgs nixpkgs-stable"
- secrets: inherit
+ commit-message: "flake: update nixpkgs"
+ flake-inputs: "nixpkgs nixpkgs-stable"
+ secrets:
+ APP_ID: ${{ secrets.APP_ID }}
+ PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }} |
