From 9518d623730a362a2cf558cb77d020be8ce50bc8 Mon Sep 17 00:00:00 2001
From: seth
Date: Thu, 7 Sep 2023 16:19:07 -0400
Subject: flake/actions: replace some crane checks with pre-commit
---
.github/workflows/audit.yaml | 20 --------------------
.github/workflows/clippy.yaml | 5 +++++
.github/workflows/update-flake.yaml | 33 ---------------------------------
.github/workflows/update-lock.yaml | 34 ++++++++++++++++++++++++++++++++++
4 files changed, 39 insertions(+), 53 deletions(-)
delete mode 100644 .github/workflows/audit.yaml
delete mode 100644 .github/workflows/update-flake.yaml
create mode 100644 .github/workflows/update-lock.yaml
(limited to '.github')
diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml
deleted file mode 100644
index ebf88d0..0000000
--- a/.github/workflows/audit.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: audit crates
-# this checks our dependencies for
-# security advisories every saturday
-
-on:
- schedule:
- - cron: "0 0 * * 6"
- workflow_dispatch:
-
-jobs:
- audit:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v4
- - uses: DeterminateSystems/nix-installer-action@main
-
- - name: run audit
- run: |
- nix build --accept-flake-config -L .#checks.x86_64-linux.audit
diff --git a/.github/workflows/clippy.yaml b/.github/workflows/clippy.yaml
index 48b1bd6..cb35d14 100644
--- a/.github/workflows/clippy.yaml
+++ b/.github/workflows/clippy.yaml
@@ -11,6 +11,10 @@ jobs: clippy: runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: - uses: actions/checkout@v4 - uses: DeterminateSystems/nix-installer-action@main
@@ -23,6 +27,7 @@ jobs: - name: run clippy run: | + mkdir -p /tmp cargo clippy --all --all-targets --message-format=json | clippy-sarif > /tmp/clippy.sarif - name: upload results
diff --git a/.github/workflows/update-flake.yaml b/.github/workflows/update-flake.yaml
deleted file mode 100644
index 7e0d992..0000000
--- a/.github/workflows/update-flake.yaml
+++ /dev/null
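Review bot: The job-level `permissions` block added to the `clippy` job may be one grant short for the SARIF upload: if the `upload results` step (outside this hunk) uses `github/codeql-action/upload-sarif` on a private repository, that action also needs `actions: read`, so the block would read `contents: read` / `actions: read` / `security-events: write`. Once any `permissions` key is present every unlisted scope drops to `none`, so this is the moment to confirm that no other step in the job relies on a default grant. The `clippy` job starts before and ends after this hunk, so the remaining steps cannot be checked from here.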
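Review bot: `mkdir -p /tmp` in the `run clippy` step is a no-op on `ubuntu-latest`, where `/tmp` always exists, so the added line does not make the redirect any safer. If the goal is to stop depending on a fixed path, write to the runner's scratch directory instead — `cargo clippy --all --all-targets --message-format=json | clippy-sarif > "$RUNNER_TEMP/clippy.sarif"` — and point the `upload results` step (its inputs are outside this hunk) at the same path. Separately, unless the step sets `shell: bash` (not visible here), `run` defaults to `bash -e {0}` without `pipefail`, so a non-zero exit from `cargo clippy` is masked by the pipe and a partial SARIF file is uploaded as if the run had succeeded; consider `shell: bash` or an explicit `set -o pipefail`.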
@@ -1,33 +0,0 @@
-name: update nix flake
-# this is to make sure we can build against a
-# recent version of nixos-unstable
-
-on:
- schedule:
- - cron: "0 0 * * 6"
- workflow_dispatch:
-
-permissions:
- contents: write
- pull-requests: write
-
-jobs:
- update-flake:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v4
- - uses: DeterminateSystems/nix-installer-action@main
-
- - uses: DeterminateSystems/update-flake-lock@v20
- id: update
- with:
- commit-msg: "deps(flake): update inputs"
- pr-title: "deps(flake): update inputs"
-
- - name: auto-merge pull request
- shell: bash
- run: gh pr merge --auto --rebase "$PR_ID"
- env:
- GITHUB_TOKEN: ${{ github.token }}
- PR_ID: ${{ steps.update.outputs.pull-request-number }}
diff --git a/.github/workflows/update-lock.yaml b/.github/workflows/update-lock.yaml
new file mode 100644
index 0000000..9e3301d
--- /dev/null
+++ b/.github/workflows/update-lock.yaml
@@ -0,0 +1,34 @@
+name: update flake lock
+
+on:
+ schedule:
+ # run every saturday
+ - cron: "0 0 * * 6"
+ workflow_dispatch:
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ update:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - uses: DeterminateSystems/nix-installer-action@main
+
+ - name: update lockfile
+ uses: DeterminateSystems/update-flake-lock@v20
+ id: update
+ with:
+ commit-msg: "flake: update inputs"
+ pr-title: "flake: update inputs"
+ token: ${{ github.token }}
+
+ - name: enable auto-merge
+ shell: bash
+ run: gh pr merge --auto --rebase "$PR_ID"
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ PR_ID: ${{ steps.update.outputs.pull-request-number }}
-- cgit v1.2.3
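Review bot: The pull request opened by the `update lockfile` step is created with `token: ${{ github.token }}`, and events produced by the workflow's own `GITHUB_TOKEN` do not start `pull_request` workflow runs, so the `enable auto-merge` step will either merge an untested lock update (if branch protection requires no status checks) or wait indefinitely for checks that never run (if it does). If auto-merge is the intent, the `token` input should be a GitHub App installation token or a fine-grained PAT so CI runs on the PR, and branch protection should require those checks before the merge can complete; I cannot see the protection rules from the patch, so this is inferred from the token choice alone. Separately, `actions/checkout@v4`, `DeterminateSystems/nix-installer-action@main` and `DeterminateSystems/update-flake-lock@v20` are mutable refs in a workflow that holds `contents: write`; pinning each `uses:` to a full commit SHA with the tag in a trailing comment limits what a moved upstream tag or branch could do with that permission.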