ci: add Nix Flake Update GitHub workflow to keep flake inputs updated #520
Status: Open. Wants to merge 1 commit into base: master.
26 changes: 26 additions & 0 deletions .github/workflows/nix_flake_update.yml
@@ -0,0 +1,26 @@
---
name: Nix Flake Update

on: # yamllint disable-line rule:truthy
workflow_dispatch:

schedule:
- cron: "0 0 1 * *"

jobs:
nix-flake-update:
runs-on: ubuntu-22.04

permissions:
contents: write
pull-requests: write

steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/nix-installer-action@v16
- uses: DeterminateSystems/magic-nix-cache-action@v8

- uses: DeterminateSystems/update-flake-lock@v24
with:
pr-labels: dependencies
pr-title: "stylix: update all flake inputs"
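Review bot: the job is granted `contents: write` and `pull-requests: write`, yet every `uses:` line (`actions/checkout@v4`, `DeterminateSystems/nix-installer-action@v16`, `DeterminateSystems/magic-nix-cache-action@v8`, `DeterminateSystems/update-flake-lock@v24`) references a mutable major tag; anyone who can retag one of those releases gets push rights to master. Pin each action to a full commit SHA and keep the version in a trailing comment, e.g. `uses: DeterminateSystems/update-flake-lock@<sha> # v24`, and let Dependabot or Renovate bump the pins. Separately, the `update-flake-lock` step passes no `token:` input, so it runs under the default GITHUB_TOKEN, and pull requests opened with that token do not trigger other workflows; the testbeds will therefore not run on the update PR, which is the point raised in the review thread below.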
Collaborator Author

We should use the GitHub App from #664 to allow GitHub Actions to run on the created pull request.

-- #520 (review)

Upstream suggests adding an authentication token:

With a Personal Authentication Token

By providing a Personal Authentication Token, the PR will be submitted in a way that bypasses this limitation (GitHub will essentially think it is the owner of the PAT submitting the PR, and not an Action).
You can create a token by visiting https://github.com/settings/tokens and select at least the repo scope. For the new fine-grained tokens, you need to enable read and write access for "Contents" and "Pull Requests" permissions. Then, store this token in your repository secrets (i.e. https://github.com/<USER>/<REPO>/settings/secrets/actions) as GH_TOKEN_FOR_UPDATES and set up your workflow file like the following:

name: update-flake-lock
on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '0 0 * * 1,4' # Run twice a week

jobs:
  lockfile:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v1
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@vX
        with:
          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}

-- https://github.com/DeterminateSystems/update-flake-lock/blob/0ba11186640dde09ade3e5599aabb2a57f28d8aa/README.md?plain=1#L185-L209

I assume we have to add the following and properly set up secrets.GH_TOKEN_UPDATE_FLAKE_LOCK:

Suggested change:
          pr-title: "stylix: update all flake inputs"
          token: ${{ secrets.GH_TOKEN_UPDATE_FLAKE_LOCK }}

Owner
I believe the app token functions the same as a PAT, except that any actions taken by it use the identity of the app rather than a personal account.

Collaborator Author

@trueNAHO trueNAHO Dec 31, 2024
I believe the app token functions the same as a PAT, except that any actions taken by it use the identity of the app rather than a personal account.

Which of the two approaches should we use? I assume following upstream instructions might be more reliable.

Owner
I prefer the app approach as otherwise, the flake update pull requests would appear as if I created them myself, which I think is misleading. That might skew the contributors chart as well.

For reference, the app currently has the following permissions on the repository:

Metadata
Contents
Pull Requests
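
The app-token variant of the workflow, written out as an added example; it is not the stylix project's workflow and not part of this PR. It assumes a GitHub App installed on the repository with the Metadata, Contents and Pull Requests permissions listed above, the App ID stored as a repository variable and the app's private key stored as a repository secret (the names `APP_ID` and `APP_PRIVATE_KEY` are hypothetical), and the `actions/create-github-app-token` action to mint a short-lived installation token. Because the app token does the push and opens the PR, the job's own GITHUB_TOKEN is reduced to read-only.

```yaml
# Added example, not the project's own workflow. Assumed names: the repository
# variable APP_ID and the secret APP_PRIVATE_KEY (both hypothetical).
---
name: Nix Flake Update

on: # yamllint disable-line rule:truthy
  workflow_dispatch:

  schedule:
    - cron: "0 0 1 * *"

jobs:
  nix-flake-update:
    runs-on: ubuntu-22.04

    # The default GITHUB_TOKEN no longer pushes the branch or opens the PR,
    # so the job needs only read access to the checkout.
    permissions:
      contents: read

    steps:
      - uses: actions/checkout@v4

      # Exchange the app's private key for an installation token. With no
      # owner/repositories inputs the token is scoped to this repository
      # only and expires after one hour, so nothing long-lived is stored
      # beyond the private key itself.
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - uses: DeterminateSystems/nix-installer-action@v16

      # The PR is authored by the app's bot identity rather than a personal
      # account, and because it is not opened with the default GITHUB_TOKEN,
      # the repository's other workflows (the testbeds) run on it.
      - uses: DeterminateSystems/update-flake-lock@v24
        with:
          token: ${{ steps.app-token.outputs.token }}
          pr-labels: dependencies
          pr-title: "stylix: update all flake inputs"
```

Two things to check after wiring this up: the App ID and private key must belong to the same app installation whose permissions are listed above, and the first scheduled run should be triggered by hand via `workflow_dispatch` to confirm both that the branch push succeeds with `contents: read` on the job (if it is rejected, the push is not going through the app token and `contents: write` has to be restored) and that the testbed workflows start on the resulting pull request.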

@Eveeifyeve Eveeifyeve Jan 28, 2025
You could just run it without specifying a PAT or an application; an example is here: https://github.com/Eveeifyeve/Dotfiles/actions/runs/12970346909/workflow

Although it's recommended to have one if you're reaching the GitHub Actions bot limits.

Owner
You could just run it without specifying a PAT or an application

We need to use something other than the default token so that the testbeds are run on the updated version.