path: root/.github/workflows/update-nix-hashes.yml
blob: d2c60b08f010b0f4e7f917369db644f1156456c1 (plain)
# Refreshes flake.lock and the tracked Nix hash files, then commits and pushes
# the result back to the branch that triggered the run.
name: Update Nix Hashes

# Workflow-wide token scope: every step in the job receives a GITHUB_TOKEN that
# can write repository contents. Only the final commit/push step needs write
# access; the Nix install, flake update and hash script steps run under the
# same scope.
# NOTE(review): moving the push into a separate job would let the build steps
# run with read-only contents permission.
permissions:
  contents: write

# Triggers: manual dispatch, plus pushes and pull requests that touch the root
# bun.lock, the root package.json, or a package.json one directory below
# packages/.
# The files this workflow commits (flake.lock, flake.nix, nix/node-modules.nix,
# nix/hashes.json) are not in these path filters, so its own commit does not
# match them.
# NOTE(review): the push trigger has no branch filter, so the job runs, and can
# commit back, on any branch where the listed files change.
on:
  workflow_dispatch:
  push:
    paths:
      - "bun.lock"
      - "package.json"
      - "packages/*/package.json"
  pull_request:
    paths:
      - "bun.lock"
      - "package.json"
      - "packages/*/package.json"

jobs:
  update:
    # Skip pull requests whose head branch lives in another repository (forks);
    # push and workflow_dispatch events always pass this condition.
    # Security-relevant: the job checks out the PR head and executes a script
    # from it under a write-scoped token, so this guard is what limits that to
    # branches inside this repository.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    # NOTE(review): this is not a GitHub-hosted runner label; presumably a
    # third-party or self-hosted runner. Confirm who operates it, since it
    # handles the write-scoped token.
    runs-on: blacksmith-4vcpu-ubuntu-2404
    env:
      # Exported to every step. Not referenced in this workflow file itself;
      # presumably read by nix/scripts/update-hashes.sh (confirm).
      SYSTEM: x86_64-linux

    steps:
      # Check out the branch that triggered the run with full history
      # (fetch-depth: 0): the PR head branch on pull_request events
      # (github.head_ref), otherwise the pushed or dispatched ref name.
      # Because of the job-level `if`, the head repository on a pull_request
      # run is always this repository.
      # Supply chain: `@v4` is a movable tag. Pinning to a full commit SHA
      # (actions/checkout@<full-commit-sha>  # v4) keeps a retagged release
      # from running with this job's write token.
      # Credentials: persist-credentials is not set, so the action default
      # applies and the token stays in the checkout's git configuration. The
      # later `git push` depends on that, and it also means every following
      # step (flake update, hash script) can read the token.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fetch-depth: 0
          ref: ${{ github.head_ref || github.ref_name }}
          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}

      # Install Nix on the runner through a third-party action.
      # Supply chain: `@v20` is a movable tag and this action runs in a job
      # whose token can write repository contents; pin it to a full commit SHA
      # (DeterminateSystems/nix-installer-action@<full-commit-sha>  # v20).
      - name: Setup Nix
        uses: DeterminateSystems/nix-installer-action@v20

      # Set the author identity used by the commit step. `--global` writes to
      # the runner user's git config rather than the repository's.
      # NOTE(review): the e-mail value shown here looks like a web-page
      # obfuscation placeholder, not a real address; check the repository copy.
      - name: Configure git
        run: |
          git config --global user.email "[email protected]"
          git config --global user.name "Github Action"

      # Re-resolve the flake inputs and rewrite flake.lock. `set -euo pipefail`
      # makes the step fail on the first error, unset variable or failed
      # pipeline stage.
      # NOTE(review): this runs on every trigger, so newer upstream input
      # revisions are pulled in and then committed by the last step without a
      # human reviewing the lock diff. On push events that commit lands
      # directly on the pushed branch.
      - name: Update flake.lock
        run: |
          set -euo pipefail
          echo "📦 Updating flake.lock..."
          nix flake update
          echo "✅ flake.lock updated successfully"

      # Run the repository's own hash-update script from the checked-out ref.
      # Its contents are not visible here; presumably it rebuilds node_modules
      # to recompute the hash (confirm).
      # Security-relevant: on pull_request runs the script is the PR head
      # branch's version, and it executes while the checkout's write-scoped
      # credentials are still present in the working copy.
      - name: Update node_modules hash
        run: |
          set -euo pipefail
          echo "🔄 Updating node_modules hash..."
          nix/scripts/update-hashes.sh
          echo "✅ node_modules hash updated successfully"

      # Commit the regenerated Nix files and push them to the triggering branch.
      #
      # Flow of the script:
      #   1. summarize() appends a "Nix Hash Update" section (ref, status and,
      #      when the server/repository/run-id variables are set, a run URL) to
      #      $GITHUB_STEP_SUMMARY.
      #   2. Only flake.lock, flake.nix, nix/node-modules.nix and
      #      nix/hashes.json are checked and staged; anything else the earlier
      #      steps modified is left uncommitted.
      #   3. With no changes in those files the step records "no changes" and
      #      exits 0. `|| true` means a failing `git status` is also treated as
      #      "no changes".
      #   4. Otherwise it commits, rebases onto the remote branch, pushes
      #      HEAD to that branch and records the short commit id.
      #
      # NOTE(review): the push goes straight to the branch with no review step;
      # whether branch protection applies is not visible from this file.
      # NOTE(review): no concurrency group is defined in this workflow, so two
      # runs for the same branch can overlap; `git pull --rebase` narrows the
      # window but a push can still be rejected.
      # NOTE(review): the summary's "ref" line uses GITHUB_REF_NAME, which on
      # pull_request events is presumably the merge ref name rather than the
      # branch pushed to (TARGET_BRANCH); confirm which is wanted.
      - name: Commit hash changes
        env:
          # The branch name is handed to the script as an environment variable
          # instead of being expanded with ${{ }} inside the script text, so a
          # crafted branch name cannot become shell source. The script also
          # quotes every use of it.
          TARGET_BRANCH: ${{ github.head_ref || github.ref_name }}
        run: |
          set -euo pipefail

          echo "🔍 Checking for changes in tracked Nix files..."

          summarize() {
            local status="$1"
            {
              echo "### Nix Hash Update"
              echo ""
              echo "- ref: ${GITHUB_REF_NAME}"
              echo "- status: ${status}"
            } >> "$GITHUB_STEP_SUMMARY"
            if [ -n "${GITHUB_SERVER_URL:-}" ] && [ -n "${GITHUB_REPOSITORY:-}" ] && [ -n "${GITHUB_RUN_ID:-}" ]; then
              echo "- run: ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" >> "$GITHUB_STEP_SUMMARY"
            fi
            echo "" >> "$GITHUB_STEP_SUMMARY"
          }

          FILES=(flake.lock flake.nix nix/node-modules.nix nix/hashes.json)
          STATUS="$(git status --short -- "${FILES[@]}" || true)"
          if [ -z "$STATUS" ]; then
            echo "✅ No changes detected. Hashes are already up to date."
            summarize "no changes"
            exit 0
          fi

          echo "📝 Changes detected:"
          echo "$STATUS"
          echo "🔗 Staging files..."
          git add "${FILES[@]}"
          echo "💾 Committing changes..."
          git commit -m "Update Nix flake.lock and hashes"
          echo "✅ Changes committed"

          BRANCH="${TARGET_BRANCH:-${GITHUB_REF_NAME}}"
          echo "🌳 Pulling latest from branch: $BRANCH"
          git pull --rebase origin "$BRANCH"
          echo "🚀 Pushing changes to branch: $BRANCH"
          git push origin HEAD:"$BRANCH"
          echo "✅ Changes pushed successfully"

          summarize "committed $(git rev-parse --short HEAD)"