diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 39c9c88a..57c6336c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ on:
 jobs:
 ci:
- uses: metacraft-labs/nixos-modules/.github/workflows/flake-checks-ci-matrix.yml@main
+ uses: ./.github/workflows/reusable-flake-checks-ci-matrix.yml
 secrets: inherit
 with:
 runner: '["self-hosted", "Linux", "x86-64-v2"]'
diff --git a/.github/workflows/flake-checks-ci-matrix.yml b/.github/workflows/reusable-flake-checks-ci-matrix.yml
similarity index 100%
rename from .github/workflows/flake-checks-ci-matrix.yml
rename to .github/workflows/reusable-flake-checks-ci-matrix.yml
diff --git a/.github/workflows/reusable-update-flake-lock.yml b/.github/workflows/reusable-update-flake-lock.yml
new file mode 100644
index 00000000..0a9d8b90
--- /dev/null
+++ b/.github/workflows/reusable-update-flake-lock.yml
@@ -0,0 +1,74 @@
+name: "Update Nix Flake lockfile"
+
+on:
+ # Allow this workflow to be reused by other workflows:
+ workflow_call:
+ inputs:
+ runner:
+ description: 'JSON-encoded list of runner labels'
+ default: '["self-hosted"]'
+ required: false
+ type: string
+
+ secrets:
+ NIX_GITHUB_TOKEN:
+ description: GitHub token to add as access-token in nix.conf
+ required: false
+ CACHIX_AUTH_TOKEN:
+ description: 'Cachix auth token'
+ required: true
+ CREATE_PR_APP_ID:
+ description: ID of the GitHub App used for opening pull requests.
+ required: true
+ CREATE_PR_APP_PRIVATE_KEY:
+ description: Private key of the GitHub App used for opening pull requests.
+ required: true
+
+ # Allow this workflow to be triggered manually:
+ workflow_dispatch:
+
+ # Run every Sunday at 00:00:
+ schedule:
+ - cron: 0 0 * * 0 # https://crontab.guru/#0_0_*_*_0
+
+jobs:
+ main:
+ runs-on: ${{ fromJSON(inputs.runner) }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: metacraft-labs/nixos-modules/.github/install-nix@main
+ with:
+ nix-github-token: ${{ secrets.NIX_GITHUB_TOKEN }}
+ cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ cachix-cache: ${{ vars.CACHIX_CACHE }}
+ trusted-public-keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+
+ - name: Run `nix flake update`
+ id: update-lockfile
+ run: |
+ curl -fsSL --proto '=https' --tlsv1.2 \
+ https://raw.githubusercontent.com/metacraft-labs/nixos-modules/main/scripts/commit_flake_update.bash \
+ -o commit_flake_update.bash
+ bash commit_flake_update.bash
+
+ - uses: tibdex/github-app-token@v2.1.0
+ id: generate-token
+ with:
+ app_id: ${{ secrets.CREATE_PR_APP_ID }}
+ private_key: ${{ secrets.CREATE_PR_APP_PRIVATE_KEY }}
+
+ - name: Create Pull Request
+ if: ${{ hashFiles('commit_msg_body.txt') != '' }}
+ uses: peter-evans/create-pull-request@v7
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
+ title: 'Update Nix Flake lockfile'
+ body-path: commit_msg_body.txt
+ branch: 'create-pull-request/update-flake-lockfile'
+ delete-branch: true
+ branch-suffix: timestamp
+ add-paths: flake.lock
diff --git a/.github/workflows/update-flake-packages.yml b/.github/workflows/reusable-update-flake-packages.yml
similarity index 98%
rename from .github/workflows/update-flake-packages.yml
rename to .github/workflows/reusable-update-flake-packages.yml
index c06a786b..1ab90fd5 100644
--- a/.github/workflows/update-flake-packages.yml
+++ b/.github/workflows/reusable-update-flake-packages.yml
@@ -7,7 +7,7 @@ on:
 runner:
 description: 'JSON-encoded list of runner labels'
 default: '["self-hosted"]'
- required: true
+ required: false
 type: string
 secrets:
diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
index 7f5ed938..8d037772 100644
--- a/.github/workflows/update-flake-lock.yml
+++ b/.github/workflows/update-flake-lock.yml
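Review bot: In the new reusable-update-flake-lock.yml, the `Run nix flake update` step downloads `commit_flake_update.bash` from the mutable `main` branch and runs it in a job that also handles `CACHIX_AUTH_TOKEN` and the GitHub App private key, so whatever is on `main` at run time executes on the self-hosted runner without review by the calling repository. `metacraft-labs/nixos-modules/.github/install-nix@main` has the same property, and `tibdex/github-app-token@v2.1.0` and `peter-evans/create-pull-request@v7` are tags that can be moved. I would pin each to a full commit SHA, e.g. `uses: tibdex/github-app-token@<FULL_COMMIT_SHA> # v2.1.0`, and fetch the script from `.../nixos-modules/<FULL_COMMIT_SHA>/scripts/commit_flake_update.bash`. Separately, the reusable file keeps its own `workflow_dispatch` and `schedule` triggers although update-flake-lock.yml now calls it on the same schedule; on those events `inputs.runner` is probably not filled from the `workflow_call` default, so `fromJSON(inputs.runner)` may fail and the Sunday run may start twice, which dropping the two triggers from the reusable file would avoid.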
@@ -1,74 +1,16 @@
-name: "Update Nix Flake lockfile"
+name: Update Nix Flake lockfile
 on:
- # Allow this workflow to be reused by other workflows:
- workflow_call:
- inputs:
- runner:
- description: 'JSON-encoded list of runner labels'
- default: '["self-hosted"]'
- required: true
- type: string
-
- secrets:
- NIX_GITHUB_TOKEN:
- description: GitHub token to add as access-token in nix.conf
- required: false
- CACHIX_AUTH_TOKEN:
- description: 'Cachix auth token'
- required: true
- CREATE_PR_APP_ID:
- description: ID of the GitHub App used for opening pull requests.
- required: true
- CREATE_PR_APP_PRIVATE_KEY:
- description: Private key of the GitHub App used for opening pull requests.
- required: true
-
- # Allow this workflow to be triggered manually:
+ # Enable option to manually run the action:
 workflow_dispatch:
 # Run every Sunday at 00:00:
 schedule:
- - cron: 0 0 * * 0 # https://crontab.guru/#0_0_*_*_0
+ - cron: 0 0 * * 0
 jobs:
- main:
- runs-on: ${{ fromJSON(inputs.runner) }}
-
- steps:
- - uses: actions/checkout@v4
-
- - name: Install Nix
- uses: metacraft-labs/nixos-modules/.github/install-nix@main
- with:
- nix-github-token: ${{ secrets.NIX_GITHUB_TOKEN }}
- cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
- cachix-cache: ${{ vars.CACHIX_CACHE }}
- trusted-public-keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
- substituters: ${{ vars.SUBSTITUTERS }}
-
- - name: Run `nix flake update`
- id: update-lockfile
- run: |
- curl -fsSL --proto '=https' --tlsv1.2 \
- https://raw.githubusercontent.com/metacraft-labs/nixos-modules/main/scripts/commit_flake_update.bash \
- -o commit_flake_update.bash
- bash commit_flake_update.bash
-
- - uses: tibdex/github-app-token@v2.1.0
- id: generate-token
- with:
- app_id: ${{ secrets.CREATE_PR_APP_ID }}
- private_key: ${{ secrets.CREATE_PR_APP_PRIVATE_KEY }}
-
- - name: Create Pull Request
- if: ${{ hashFiles('commit_msg_body.txt') != '' }}
- uses: peter-evans/create-pull-request@v7
- with:
- token: ${{ steps.generate-token.outputs.token }}
- title: 'Update Nix Flake lockfile'
- body-path: commit_msg_body.txt
- branch: 'create-pull-request/update-flake-lockfile'
- delete-branch: true
- branch-suffix: timestamp
- add-paths: flake.lock
+ update-flake-lock:
+ uses: ./.github/workflows/reusable-update-flake-lock.yml
+ secrets: inherit
+ with:
+ runner: '["self-hosted", "Linux", "x86-64-v2"]'
diff --git a/flake.lock b/flake.lock index 3023314d..544ade90 100644 --- a/flake.lock +++ b/flake.lock @@ -92,11 +92,11 @@ }, "crane": { "locked": { - "lastModified": 1731098351, - "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", + "lastModified": 1731974733, + "narHash": "sha256-enYSSZVVl15FI5p+0Y5/Ckf5DZAvXe6fBrHxyhA/njc=", "owner": "ipetkov", "repo": "crane", - "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", + "rev": "3cb338ce81076ce5e461cf77f7824476addb0e1c", "type": "github" }, "original": { @@ -120,11 +120,11 @@ ] }, "locked": { - "lastModified": 1731782081, - "narHash": "sha256-yonI7FCxlMHJy06ecIrDkeF7BiTvDfB4GeX0p3ba5a0=", + "lastModified": 1732179756, + "narHash": "sha256-Qw5ZZjWtf1CsFAu2DWtb+edhtusSScEEU3cbHPSBTR4=", "owner": "cachix", "repo": "devenv", - "rev": "206ac362af93a3d14593cd4fbae1d94c53b925df", + "rev": "24f0aac5d4798899a0a739ea2c13396850fad2a8", "type": "github" }, "original": { @@ -177,11 +177,11 @@ ] }, "locked": { - "lastModified": 1731746438, - "narHash": "sha256-f3SSp1axoOk0NAI7oFdRzbxG2XPBSIXC+/DaAXnvS1A=", + "lastModified": 1732109232, + "narHash": "sha256-iYh6h8yueU8IyOfNclbiBG2+fBFcjjUfXm90ZBzk0c0=", "owner": "nix-community", "repo": "disko", - "rev": "cb64993826fa7a477490be6ccb38ba1fa1e18fa8", + "rev": "a0c384e0a3b8bcaed30a6bcf3783f8a7c8b35be4", "type": "github" }, "original": {
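Review bot: `secrets: inherit` on the new `update-flake-lock` job in update-flake-lock.yml makes every secret available to this repository readable by the called workflow, although reusable-update-flake-lock.yml declares only four (`NIX_GITHUB_TOKEN`, `CACHIX_AUTH_TOKEN`, `CREATE_PR_APP_ID`, `CREATE_PR_APP_PRIVATE_KEY`). Passing those four by name keeps the scheduled job to least privilege and makes the dependency visible at the call site. The job also sets no `permissions:`, so the repository default `GITHUB_TOKEN` scope applies; since the pull request is opened with the App token, a read-only `contents` scope is probably enough, to be confirmed against what `commit_flake_update.bash` does.

```yaml
  update-flake-lock:
    uses: ./.github/workflows/reusable-update-flake-lock.yml
    secrets:
      NIX_GITHUB_TOKEN: ${{ secrets.NIX_GITHUB_TOKEN }}
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
      CREATE_PR_APP_ID: ${{ secrets.CREATE_PR_APP_ID }}
      CREATE_PR_APP_PRIVATE_KEY: ${{ secrets.CREATE_PR_APP_PRIVATE_KEY }}
    # … unchanged: with / runner …
```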
@@ -272,11 +272,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1731738660, - "narHash": "sha256-tIXhc9lX1b030v812yVJanSR37OnpTb/OY5rU3TbShA=", + "lastModified": 1732170943, + "narHash": "sha256-3qmtB25X5nxaaDL2VNlWB6OAQGVGv7xRm9tFMgJ3Jlo=", "owner": "nix-community", "repo": "fenix", - "rev": "e10ba121773f754a30d31b6163919a3e404a434f", + "rev": "7db16a01bca24b46acc1677f2b86ae03b5f207f8", "type": "github" }, "original": { @@ -519,11 +519,11 @@ ] }, "locked": { - "lastModified": 1731363552, - "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", + "lastModified": 1732021966, + "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", + "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", "type": "github" }, "original": { @@ -681,11 +681,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1731240174, - "narHash": "sha256-HYu+bPoV3UILhwc4Ar5iQ7aF+DuQWHXl4mljN6Bwq6A=", + "lastModified": 1732122592, + "narHash": "sha256-lF54irx92m8ddNDQDtOUjKsZAnsGyPL3QTO7byjlxNg=", "owner": "astro", "repo": "microvm.nix", - "rev": "dd89404e1885b8d7033106f3898eaef8db660cb2", + "rev": "19650774c23df84d0b8f315d2527274563497cad", "type": "github" }, "original": { @@ -734,11 +734,11 @@ ] }, "locked": { - "lastModified": 1731768170, - "narHash": "sha256-9Zj2baKY3KaKzs5+nqZgIwr/o/iibhENFxjOnpU+IOU=", + "lastModified": 1732016537, + "narHash": "sha256-XwXUK+meYnlhdQz2TVE4Wv+tsx1CkdGbDPt1tRzCNH4=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "2bcef10f4319f34ddebadb5f37eaa81ca2510730", + "rev": "61cee20168a3ebb71a9efd70a55adebaadfbe4d4", "type": "github" }, "original": { 
@@ -780,11 +780,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1731645784, - "narHash": "sha256-VBmrvzXm+jtvl9CKBvGjcMWfBx/FCtsbn/7D4//Ru2k=", + "lastModified": 1732158339, + "narHash": "sha256-37M8Ohbf5Ui5+4GE//5isxjdzGIlsmVN6NXhTgxiCXo=", "owner": "nix-community", "repo": "nixd", - "rev": "0f3c0c730e5cb9414f3b269dc9b36062a0e5236e", + "rev": "6d80199f5b3b24521a1be335e2a75683f859d82a", "type": "github" }, "original": { @@ -811,11 +811,11 @@ }, "nixos-2405": { "locked": { - "lastModified": 1731652201, - "narHash": "sha256-XUO0JKP1hlww0d7mm3kpmIr4hhtR4zicg5Wwes9cPMg=", + "lastModified": 1731797254, + "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c21b77913ea840f8bcf9adf4c41cecc2abffd38d", + "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59", "type": "github" }, "original": { @@ -943,11 +943,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1731676054, - "narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=", + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "type": "github" }, "original": { @@ -1028,11 +1028,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1731693936, - "narHash": "sha256-uHUUS1WPyW6ohp5Bt3dAZczUlQ22vOn7YZF8vaPKIEw=", + "lastModified": 1732050317, + "narHash": "sha256-G5LUEOC4kvB/Xbkglv0Noi04HnCfryur7dVjzlHkgpI=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "1b90e979aeee8d1db7fe14603a00834052505497", + "rev": "c0bbbb3e5d7d1d1d60308c8270bfd5b250032bb4", "type": "github" }, "original": { 
@@ -1156,11 +1156,11 @@ ] }, "locked": { - "lastModified": 1730321837, - "narHash": "sha256-vK+a09qq19QNu2MlLcvN4qcRctJbqWkX7ahgPZ/+maI=", + "lastModified": 1732111664, + "narHash": "sha256-XWHuPWcP59QnHEewdZJXBX1TA2lAP78Vz4daG6tfIr4=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "746901bb8dba96d154b66492a29f5db0693dbfcc", + "rev": "62003fdad7a5ab7b6af3ea9bd7290e4c220277d0", "type": "github" }, "original": {