Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: add Nix Flake Update GitHub workflow to keep flake inputs updated #520

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

ci: add Nix Flake Update GitHub workflow to keep flake inputs updated #520

wants to merge 1 commit into from

Conversation

trueNAHO
Copy link
Collaborator

@trueNAHO trueNAHO commented Aug 22, 2024
edited
Loading

This change requires GitHub workflows to have read and write permissions 1 2.

This PR is stacked on top of the pending patchset #519 ("treewide: add developer shell and pre-commit hooks and simplify GitHub workflows") and should only be merged after it. Although ready for review, this PR will remain in Draft status until patchset "treewide: add developer shell and pre-commit hooks and simplify GitHub workflows" is merged.

NAHO (1):
  ci: add Nix Flake Update GitHub workflow to keep flake inputs updated

 .github/workflows/nix_flake_update.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 .github/workflows/nix_flake_update.yml

@trueNAHO trueNAHO changed the title ci: add nix flake update GitHub workflow to keep flake inputs updated ci: add Nix Flake Update GitHub workflow to keep flake inputs updated Aug 22, 2024
@trueNAHO trueNAHO force-pushed the ci-add-nix-flake-update-github-workflow-to-keep-flake-inputs-updated branch from 8793f7e to 29d97f4 Compare August 22, 2024 21:19
trueNAHO added a commit to trueNAHO/stylix that referenced this pull request Aug 22, 2024
@trueNAHO
ci: add Nix Flake Update GitHub workflow to keep flake inputs updated
29d97f4 
This change requires GitHub workflows to have read and write permissions
[1] [2].

[1]: DeterminateSystems/update-flake-lock#75
[2]: DeterminateSystems/update-flake-lock#88

Link: danth#520
@trueNAHO trueNAHO mentioned this pull request Aug 26, 2024
Merged
@trueNAHO
Copy link
Collaborator Author

trueNAHO commented Sep 10, 2024
edited
Loading 

From 29d97f487312d3b56c4dd3da40cb43af858a02d4 Mon Sep 17 00:00:00 2001
From: NAHO <[email protected]>
Date: Thu, 22 Aug 2024 23:07:22 +0200
Subject: [PATCH] ci: add Nix Flake Update GitHub workflow to keep flake
 inputs updated

This change requires GitHub workflows to have read and write permissions
[1] [2].

[1]: https://github.com/DeterminateSystems/update-flake-lock/issues/75
[2]: https://github.com/DeterminateSystems/update-flake-lock/issues/88

Link: https://github.com/danth/stylix/pull/520
---
 .github/workflows/nix_flake_update.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 .github/workflows/nix_flake_update.yml

diff --git a/.github/workflows/nix_flake_update.yml b/.github/workflows/nix_flake_update.yml
new file mode 100644
index 00000000..74c285d0
--- /dev/null
+++ b/.github/workflows/nix_flake_update.yml
@@ -0,0 +1,26 @@
+---
+name: Nix Flake Update
+
+on:  # yamllint disable-line rule:truthy
+  workflow_dispatch:
+
+  schedule:
+    - cron: "0 0 1 * *"
+
+jobs:
+  nix-flake-update:
+    runs-on: ubuntu-22.04
+
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@v13
+      - uses: DeterminateSystems/magic-nix-cache-action@v6
+
+      - uses: DeterminateSystems/update-flake-lock@v23
+        with:
+          pr-labels: dependencies
+          pr-title: "stylix: update all flake inputs"

Bump dependencies:

  • magic-nix-cache-action: v6 -> v8
  • nix-installer-action: v13 -> v14
  • update-flake-lock: v23 -> v24

trueNAHO added a commit to trueNAHO/stylix that referenced this pull request Sep 11, 2024
@trueNAHO
ci: add Nix Flake Update GitHub workflow to keep flake inputs updated
706c8ef 
This change requires GitHub workflows to have read and write permissions
[1] [2].

[1]: DeterminateSystems/update-flake-lock#75
[2]: DeterminateSystems/update-flake-lock#88

Link: danth#520
@trueNAHO trueNAHO force-pushed the ci-add-nix-flake-update-github-workflow-to-keep-flake-inputs-updated branch from 29d97f4 to 706c8ef Compare September 11, 2024 15:39
@trueNAHO
Copy link
Collaborator Author

Changelog

v1: 706c8ef

v0: 29d97f4

@trueNAHO trueNAHO force-pushed the ci-add-nix-flake-update-github-workflow-to-keep-flake-inputs-updated branch from 706c8ef to 4be09d0 Compare November 26, 2024 07:10
@trueNAHO
Copy link
Collaborator Author

Changelog

v2: 4be09d0

  • Bump nix-installer-action GitHub Action: v14 -> v16

v1: 706c8ef

v0: 29d97f4

@trueNAHO trueNAHO marked this pull request as ready for review November 26, 2024 07:19
@trueNAHO
Copy link
Collaborator Author

This PR is stacked on top of the pending patchset #519 ("treewide: add developer shell and pre-commit hooks and simplify GitHub workflows") and should only be merged after it. Although ready for review, this PR will remain in Draft status until patchset "treewide: add developer shell and pre-commit hooks and simplify GitHub workflows" is merged.

Considering that #519 is taking longer than expected to get merged, we might want to already merge this PR. Consequently, I moved this PR out of draft mode.

@trueNAHO trueNAHO requested a review from danth November 26, 2024 07:20
danth
danth requested changes Dec 10, 2024
View reviewed changes
Copy link
Owner

@danth danth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should use the GitHub App from #664 to allow GitHub Actions to run on the created pull request.

trueNAHO added a commit to trueNAHO/stylix that referenced this pull request Dec 18, 2024
@trueNAHO
ci: add Nix Flake Update GitHub workflow to keep flake inputs updated
1bec876 
This change requires GitHub workflows to have read and write permissions
[1] [2].

[1]: DeterminateSystems/update-flake-lock#75
[2]: DeterminateSystems/update-flake-lock#88

Link: danth#520
trueNAHO
trueNAHO commented Dec 18, 2024
View reviewed changes
.github/workflows/nix_flake_update.yml
- uses: DeterminateSystems/update-flake-lock@v24
with:
pr-labels: dependencies
pr-title: "stylix: update all flake inputs"
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should use the GitHub App from #664 to allow GitHub Actions to run on the created pull request.

-- #520 (review)

Upstream suggests adding an authentication token:

With a Personal Authentication Token

By providing a Personal Authentication Token, the PR will be submitted in a way that bypasses this limitation (GitHub will essentially think it is the owner of the PAT submitting the PR, and not an Action).
You can create a token by visiting https://github.com/settings/tokens and select at least the repo scope. For the new fine-grained tokens, you need to enable read and write access for "Contents" and "Pull Requests" permissions. Then, store this token in your repository secrets (i.e. https://github.com/<USER>/<REPO>/settings/secrets/actions) as GH_TOKEN_FOR_UPDATES and set up your workflow file like the following:

name: update-flake-lock
on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '0 0 * * 1,4' # Run twice a week

jobs:
  lockfile:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v1
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@vX
        with:
          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}

-- https://github.com/DeterminateSystems/update-flake-lock/blob/0ba11186640dde09ade3e5599aabb2a57f28d8aa/README.md?plain=1#L185-L209

I assume we have to add the following and properly setup secrets.GH_TOKEN_UPDATE_FLAKE_LOCK:

Suggested change
pr-title: "stylix: update all flake inputs"
pr-title: "stylix: update all flake inputs"
token: ${{ secrets.GH_TOKEN_UPDATE_FLAKE_LOCK }}

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe the app token functions the same as a PAT, except that any actions taken by it use the identity of the app rather than a personal account.

Copy link
Collaborator Author

@trueNAHO trueNAHO Dec 31, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe the app token functions the same as a PAT, except that any actions taken by it use the identity of the app rather than a personal account.

Which of the two approaches should we use? I assume following upstream instructions might be more reliable.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I prefer the app approach as otherwise, the flake update pull requests would appear as if I created them myself, which I think is misleading. That might skew the contributors chart as well.

For reference, the app currently has the following permissions on the repository:

Metadata
Contents
Pull Requests

@trueNAHO trueNAHO mentioned this pull request Dec 31, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danth danth danth requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@trueNAHO @danth