Flake.lock: update Nix dependencies (Verified) #106
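---
# Weekly `nix flake update` that lands the refreshed flake.lock on the
# target branch through the REST Contents API. Commits created that way are
# signed by GitHub itself, so they show as "Verified" without handing a
# private GPG/SSH key to CI.
#
# Security model:
#   - The job only needs `contents: write` to create the commit; the
#     GITHUB_TOKEN is never persisted into the checkout (see
#     persist-credentials below) because no step runs `git push`.
#   - Only flake.lock is ever committed, so a compromised action or a stray
#     file written during the run cannot be pushed to the target branch.
#   - Third-party actions are referenced by major-version tag; those tags
#     are mutable. Pin them to a full commit SHA (with the tag in a
#     trailing comment) before relying on this in a production repo.
name: "Flake.lock: update Nix dependencies (Verified)"
on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: 0 0 * * 0 # runs weekly on Sunday at 00:00 UTC
# A scheduled run and a manual run could otherwise overlap and race each
# other on the same branch; queue them instead.
concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false
env:
  BRANCH: "main"
  COMMIT_MESSAGE: "chore(lockfile): auto update flake.lock"
  # No GIT_NAME/GIT_EMAIL on purpose: author/committer are left to GitHub so
  # the platform signs the commit (see the commit step).
jobs:
  nix-flake-update:
    permissions:
      contents: write # needed to create the commit via the Contents API
      # NOTE(review): id-token is presumably for the Determinate actions'
      # OIDC login; drop it if that integration is not used.
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        # TODO(security): pin to a full commit SHA instead of a mutable tag.
        uses: actions/checkout@v5
        with:
          # Always update from the target branch, not from whatever ref
          # triggered the run (workflow_dispatch can be started from any
          # branch, but the commit below always lands on BRANCH).
          ref: ${{ env.BRANCH }}
          # Nothing here runs `git push`; keep the token out of .git/config
          # so later third-party steps cannot read it from the checkout.
          persist-credentials: false
      - name: Install Nix
        # TODO(security): pin to a full commit SHA instead of a mutable tag.
        uses: DeterminateSystems/determinate-nix-action@v3
      - name: Check Nix flake inputs
        # TODO(security): pin to a full commit SHA instead of a mutable tag.
        # NOTE(review): this validates the lockfile as it is *before* the
        # update; re-run it after `nix flake update` if the new lock should
        # be checked too.
        uses: DeterminateSystems/flake-checker-action@v12
        with:
          ignore-missing-flake-lock: false
          fail-mode: true
      - name: Update flake.lock
        run: |
          nix flake update
      - name: Detect modified files
        id: diff
        shell: bash
        run: |
          set -euo pipefail
          # List modified (tracked) files relative to HEAD, restricted to
          # flake.lock. Only the lockfile may reach the commit step; anything
          # else that changed during the run is ignored rather than pushed.
          mapfile -t changed < <(git ls-files -m --full-name | grep -E '(^|/)flake\.lock$' || true)
          if [ "${#changed[@]}" -eq 0 ]; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
            echo "changed_files=" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Join into a comma-separated string for downstream steps
          # (lockfile paths never contain commas, so the join is lossless).
          changed_csv="$(printf "%s," "${changed[@]}")"
          changed_csv="${changed_csv%,}"
          echo "Changed files:"
          printf ' - %s\n' "${changed[@]}"
          echo "changed=true" >> "$GITHUB_OUTPUT"
          echo "changed_files=${changed_csv}" >> "$GITHUB_OUTPUT"
      - name: Commit via REST Contents API (server-signed → Verified)
        if: steps.diff.outputs.changed == 'true'
        # TODO(security): pin to a full commit SHA instead of a mutable tag.
        uses: actions/github-script@v8
        env:
          CHANGED_FILES: ${{ steps.diff.outputs.changed_files }}
        with:
          script: |
            // One commit per changed file, written with GITHUB_TOKEN through
            // the Contents API. Because author/committer are not supplied,
            // GitHub attributes and signs the commit itself, which is what
            // produces the "Verified" badge.
            const fs = require('fs');
            const owner = context.repo.owner;
            const repo = context.repo.repo;
            const branch = process.env.BRANCH;
            const message = process.env.COMMIT_MESSAGE;
            const files = (process.env.CHANGED_FILES || '')
              .split(',')
              .map(s => s.trim())
              .filter(Boolean);
            for (const path of files) {
              const content = fs.readFileSync(path, { encoding: 'base64' });
              // The API needs the blob sha of the existing file for an
              // update; a 404 means the file is new on the target branch.
              let sha;
              try {
                const res = await github.rest.repos.getContent({ owner, repo, path, ref: branch });
                if (!Array.isArray(res.data)) sha = res.data.sha;
              } catch (e) {
                if (e.status !== 404) throw e;
              }
              // NOTE: author/committer intentionally omitted to allow platform signing.
              // If the file changed on the branch between getContent and this
              // call, GitHub rejects the stale sha with a conflict error and
              // the job fails instead of overwriting the newer content.
              const r = await github.rest.repos.createOrUpdateFileContents({
                owner, repo, path, branch,
                message,
                content,
                sha
              });
              core.info(`Committed ${path}: ${r.data.commit.sha}`);
              // Surface it loudly if the platform did not sign the commit,
              // since "Verified" is the whole point of this code path.
              const verification = r.data.commit.verification;
              if (verification && !verification.verified) {
                core.warning(`Commit for ${path} is not verified: ${verification.reason}`);
              }
            }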