ci: add flake-update workflow

Defelo · Defelo · commit 9ca3ae0fd010 · 2025-10-02T19:36:31.000+02:00
diff --git a/.github/workflows/flake-update.yml b/.github/workflows/flake-update.yml
@@ -0,0 +1,82 @@
+name: flake-update
+
+permissions:
+  actions: write
+  contents: read
+  pull-requests: write
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * 1"
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    steps:
+      - name: ensure upstream
+        run: |
+          if gh api "/repos/${GITHUB_REPOSITORY}" | jq -e .fork; then
+            echo "::error::This workflow should only run in the upstream repository. Disabling it in this fork, so you can ignore this run failure."
+            gh -R "$GITHUB_REPOSITORY" workflow disable "$GITHUB_WORKFLOW"
+            exit 1
+          fi
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: ensure ssh key
+        run: |
+          if [[ -z "$FLAKE_UPDATE_SSH_KEY" ]]; then
+            echo "::error::FLAKE_UPDATE_SSH_KEY secret is not set. Please either set this secret or disable this workflow."
+            exit 1
+          fi
+        env:
+          FLAKE_UPDATE_SSH_KEY: ${{ secrets.FLAKE_UPDATE_SSH_KEY }}
+
+      - name: install nix
+        uses: cachix/install-nix-action@v31
+
+      - name: configure git
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: clone repository
+        uses: actions/checkout@v5
+        with:
+          ssh-key: ${{ secrets.FLAKE_UPDATE_SSH_KEY }}
+
+      - run: nix flake update --commit-lock-file
+
+      - name: push
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -exuo pipefail
+
+          git fetch origin HEAD:remotes/origin/HEAD
+          if git diff --quiet remotes/origin/HEAD; then
+            echo "::notice::All flake inputs are already up to date."
+              if git ls-remote origin refs/heads/flake-update | grep -q .; then
+              echo "::notice::Removing flake-update branch."
+              git push -d origin flake-update
+            fi
+            exit
+          fi
+
+          { echo '```' && git log -1 --format=%B | tail -n+3 && echo '```'; } > .pr_body
+
+          echo "::notice::Pushing to the flake-update branch."
+          git push -f origin HEAD:refs/heads/flake-update
+
+          url="$(gh api "/repos/${GITHUB_REPOSITORY}/pulls?state=open&head=${GITHUB_REPOSITORY_OWNER}:flake-update&per_page=1" --jq '.[].html_url')"
+          if [[ -n "$url" ]]; then
+            echo "::notice::PR for flake-update branch already exists: ${url}"
+          else
+            echo "::notice::Creating a new PR for the flake-update branch."
+            gh pr create -t 'chore: update flake.lock' -F .pr_body -H flake-update
+
+            # push again to trigger ci
+            git commit --amend --no-edit
+            git push -f origin HEAD:refs/heads/flake-update
+          fi
diff --git a/flake.nix b/flake.nix
@@ -51,4 +51,6 @@
         '';
       });
     };
+
+  nixConfig.commit-lock-file-summary = "chore: update flake.lock";
 }

Original file line number	Diff line number	Diff line change
`@@ -51,4 +51,6 @@`
`51`	`51`	`'';`
`52`	`52`	`});`
`53`	`53`	`};`
	`54`	`+`
	`55`	`+ nixConfig.commit-lock-file-summary = "chore: update flake.lock";`
`54`	`56`	`}`