feat(ci): make bot commit verified

charliie-dev · charliie-dev · commit c06f5ec0dbdb · 2025-10-24T16:04:09.000+08:00
diff --git a/.github/workflows/update_flake.yml b/.github/workflows/update_flake.yml
@@ -1,29 +1,102 @@
-name: update flake.lock
+---
+name: "Flake.lock: update Nix dependencies (Verified)"
 on:
   workflow_dispatch: # allows manual triggering
-  # Scheduled update (1st of every month)
-  schedule: [{ cron: "30 02 1 * *" }]
+  schedule:
+    - cron: 30 02 1 * * # 1st of every month
+
+env:
+  BRANCH: "main"
+  COMMIT_MESSAGE: "chore(lockfile): auto update flake.lock"
+  # GIT_NAME: "github-actions[bot]"
+  # GIT_EMAIL: "41898282+github-actions[bot]@users.noreply.github.com"
 
 jobs:
-  update-lockfile:
-    if: github.repository_owner == 'CharlesChiuGit'
-    runs-on: ubuntu-latest
+  nix-flake-update:
     permissions:
       contents: write
+      id-token: write
+    runs-on: ubuntu-latest
+
     steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0 # Required to count the commits
-      - uses: cachix/install-nix-action@v31
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Install Nix
+        uses: DeterminateSystems/determinate-nix-action@v3
+
+      - name: Check Nix flake inputs
+        uses: DeterminateSystems/flake-checker-action@v12
         with:
-          nix_path: nixpkgs=channel:nixos-unstable
-      - name: Run flake-update
+          ignore-missing-flake-lock: false
+          fail-mode: true
+
+      - name: Update flake.lock
         run: |
           nix flake update
-      - uses: stefanzweifel/git-auto-commit-action@v7
+
+      - name: Detect modified files
+        id: diff
+        shell: bash
+        run: |
+          set -euo pipefail
+          # List modified (tracked) files relative to HEAD.
+          # If you only want specific patterns, add a grep here (e.g., grep -E '(^|/)flake\.lock$').
+          mapfile -t changed < <(git ls-files -m --full-name)
+
+          if [ "${#changed[@]}" -eq 0 ]; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+            echo "changed_files=" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # Join into a comma-separated string for downstream steps.
+          IFS=',' read -r -a _ <<< ""
+          changed_csv="$(printf "%s," "${changed[@]}")"
+          changed_csv="${changed_csv%,}"
+
+          echo "Changed files:"
+          printf ' - %s\n' "${changed[@]}"
+
+          echo "changed=true" >> "$GITHUB_OUTPUT"
+          echo "changed_files=${changed_csv}" >> "$GITHUB_OUTPUT"
+
+      - name: Commit via REST Contents API (server-signed ??Verified)
+        if: steps.diff.outputs.changed == 'true'
+        uses: actions/github-script@v8
+        env:
+          CHANGED_FILES: ${{ steps.diff.outputs.changed_files }}
         with:
-          commit_message: "chore(lockfile): auto update flake.lock"
-          commit_user_name: "github-actions[bot]"
-          commit_user_email: "41898282+github-actions[bot]@users.noreply.github.com"
-          commit_author: "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>"
-          file_pattern: "flake.lock"
+          script: |
+            const fs = require('fs');
+            const owner   = context.repo.owner;
+            const repo    = context.repo.repo;
+            const branch  = process.env.BRANCH;
+            const message = process.env.COMMIT_MESSAGE;
+
+            const files = (process.env.CHANGED_FILES || '')
+              .split(',')
+              .map(s => s.trim())
+              .filter(Boolean);
+
+            for (const path of files) {
+              const content = fs.readFileSync(path, { encoding: 'base64' });
+
+              // Get existing sha if the file already exists
+              let sha;
+              try {
+                const res = await github.rest.repos.getContent({ owner, repo, path, ref: branch });
+                if (!Array.isArray(res.data)) sha = res.data.sha;
+              } catch (e) {
+                if (e.status !== 404) throw e;
+              }
+
+              // NOTE: author/committer intentionally omitted to allow platform signing
+              const r = await github.rest.repos.createOrUpdateFileContents({
+                owner, repo, path, branch,
+                message,
+                content,
+                sha
+              });
+              core.info(`Committed ${path}: ${r.data.commit.sha}`);
+            }
diff --git a/.github/workflows/update_lockfile.yml b/.github/workflows/update_lockfile.yml
@@ -1,41 +1,112 @@
-name: update lockfile
+---
+name: "lazy-lock: update lazy.nvim dependencies (Verified)"
 on:
-  # workflow_dispatch # manual update
-  # Scheduled update (07:30 everyday at UTC+8)
-  schedule: [{ cron: "30 23 * * *" }]
-  workflow_dispatch:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    # Scheduled update (07:30 everyday at UTC+8)
+    - cron: 30 23 * * *
+
+env:
+  BRANCH: "main"
+  COMMIT_MESSAGE: "chore(lockfile): auto update flake.lock"
 
 jobs:
   update-lockfile:
     if: github.repository_owner == 'CharlesChiuGit'
-    runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write
+    runs-on: ubuntu-latest
+
     steps:
-      - uses: actions/checkout@v5
+      - name: Checkout repository
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0 # Required to count the commits
-      - uses: andstor/file-existence-action@v3
+
+      - name: Check if lockfile existed
+        uses: andstor/file-existence-action@v3
         id: check_lockfile
         with:
           files: "lazy-lock.json"
-      - uses: rhysd/action-setup-vim@v1
+
+      - name: Setup neovim
+        uses: rhysd/action-setup-vim@v1
         if: ${{ steps.check_lockfile.outputs.files_exists == 'true' }}
         with:
           neovim: true
           # version: nightly
-      - name: Run lockfile-autoupdate
+
+      - name: Run lazy update
         if: ${{ steps.check_lockfile.outputs.files_exists == 'true' }}
         timeout-minutes: 5
         run: |
           ./scripts/update_lockfile.sh
           nvim --headless "+Lazy! update" +qa
           cp -pv "${HOME}/.config/nvim/lazy-lock.json" .
-      - uses: stefanzweifel/git-auto-commit-action@v7
-        if: ${{ steps.check_lockfile.outputs.files_exists == 'true' }}
+
+      - name: Detect modified files
+        id: diff
+        shell: bash
+        run: |
+          set -euo pipefail
+          # List modified (tracked) files relative to HEAD.
+          # If you only want specific patterns, add a grep here (e.g., grep -E '(^|/)lazy-lock\.json$').
+          mapfile -t changed < <(git ls-files -m --full-name)
+
+          if [ "${#changed[@]}" -eq 0 ]; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+            echo "changed_files=" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # Join into a comma-separated string for downstream steps.
+          IFS=',' read -r -a _ <<< ""
+          changed_csv="$(printf "%s," "${changed[@]}")"
+          changed_csv="${changed_csv%,}"
+
+          echo "Changed files:"
+          printf ' - %s\n' "${changed[@]}"
+
+          echo "changed=true" >> "$GITHUB_OUTPUT"
+          echo "changed_files=${changed_csv}" >> "$GITHUB_OUTPUT"
+
+      - name: Commit via REST Contents API (server-signed ??Verified)
+        if: steps.diff.outputs.changed == 'true'
+        uses: actions/github-script@v8
+        env:
+          CHANGED_FILES: ${{ steps.diff.outputs.changed_files }}
         with:
-          commit_message: "chore(lockfile): auto update lazy-lock.json"
-          commit_user_name: "github-actions[bot]"
-          commit_user_email: "41898282+github-actions[bot]@users.noreply.github.com"
-          commit_author: "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>"
-          file_pattern: "lazy-lock.json"
+          script: |
+            const fs = require('fs');
+            const owner   = context.repo.owner;
+            const repo    = context.repo.repo;
+            const branch  = process.env.BRANCH;
+            const message = process.env.COMMIT_MESSAGE;
+
+            const files = (process.env.CHANGED_FILES || '')
+              .split(',')
+              .map(s => s.trim())
+              .filter(Boolean);
+
+            for (const path of files) {
+              const content = fs.readFileSync(path, { encoding: 'base64' });
+
+              // Get existing sha if the file already exists
+              let sha;
+              try {
+                const res = await github.rest.repos.getContent({ owner, repo, path, ref: branch });
+                if (!Array.isArray(res.data)) sha = res.data.sha;
+              } catch (e) {
+                if (e.status !== 404) throw e;
+              }
+
+              // NOTE: author/committer intentionally omitted to allow platform signing
+              const r = await github.rest.repos.createOrUpdateFileContents({
+                owner, repo, path, branch,
+                message,
+                content,
+                sha
+              });
+              core.info(`Committed ${path}: ${r.data.commit.sha}`);
+            }
