|
1 | 1 | name: Nix Derivation |
| 2 | + |
2 | 3 | on: |
3 | | - pull_request: |
4 | | - branches: [ master ] |
5 | | - push: |
6 | | - branches: [ master, 2.x-dev ] |
| 4 | + pull_request_target: |
| 5 | + branches: [master] |
| 6 | + paths: |
| 7 | + - 'Cargo.lock' |
| 8 | + - 'package.nix' |
| 9 | + - '.github/workflows/nix.yml' |
7 | 10 |
|
8 | 11 | jobs: |
9 | | - build: |
| 12 | + fix-hashes: |
| 13 | + name: Fix Nix Hashes |
10 | 14 | runs-on: ubuntu-latest |
11 | 15 | permissions: |
12 | 16 | contents: write |
| 17 | + pull-requests: write |
13 | 18 | steps: |
14 | 19 | - uses: actions/checkout@v6 |
15 | 20 | with: |
16 | | - fetch-depth: 0 |
| 21 | + ref: ${{ github.event.pull_request.head.ref }} |
| 22 | + repository: ${{ github.event.pull_request.head.repo.full_name }} |
17 | 23 |
|
18 | 24 | - name: Install Nix |
19 | 25 | uses: cachix/install-nix-action@v31 |
20 | 26 |
|
21 | | - - name: Install Rust |
22 | | - uses: actions-rs/toolchain@v1 |
23 | | - with: |
24 | | - toolchain: stable |
25 | | - profile: minimal |
| 27 | + - uses: dtolnay/rust-toolchain@stable |
26 | 28 |
|
27 | 29 | - name: Install fixsha |
28 | 30 | run: cargo install fixsha |
29 | 31 |
|
30 | 32 | - name: Run fixsha |
31 | 33 | run: fixsha |
32 | 34 |
|
33 | | - - name: Commit hash fixes |
34 | | - if: github.event_name == 'pull_request' |
| 35 | + - name: Push hash fix if needed |
| 36 | + if: github.event.pull_request.head.repo.full_name == github.repository |
| 37 | + env: |
| 38 | + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
35 | 39 | run: | |
36 | | - if [[ -n $(git status -s package.nix) ]]; then |
37 | | - git config user.name "github-actions[bot]" |
38 | | - git config user.email "github-actions[bot]@users.noreply.github.com" |
39 | | - git add package.nix |
40 | | - |
41 | | - git commit --amend --no-edit |
42 | | -
|
43 | | - # Rebase onto latest base branch before pushing - prevents "Base branch was modified" |
44 | | - # when multiple PRs merge in quick succession |
45 | | - git fetch origin ${{ github.base_ref }} |
46 | | - git rebase origin/${{ github.base_ref }} |
47 | | - git push --force origin HEAD:${{ github.head_ref }} |
| 40 | + if [[ -z $(git status -s package.nix) ]]; then |
| 41 | + echo "No hash changes needed" |
| 42 | + exit 0 |
48 | 43 | fi |
| 44 | +
|
| 45 | + CONTENT=$(base64 -w 0 package.nix) |
| 46 | + SHA=$(gh api repos/${{ github.repository }}/contents/package.nix \ |
| 47 | + --jq '.sha' \ |
| 48 | + -H "Accept: application/vnd.github+json" \ |
| 49 | + --method GET \ |
| 50 | + -f ref=${{ github.event.pull_request.head.ref }}) |
| 51 | +
|
| 52 | + gh api repos/${{ github.repository }}/contents/package.nix \ |
| 53 | + --method PUT \ |
| 54 | + -H "Accept: application/vnd.github+json" \ |
| 55 | + -f message="fix(nix): update cargoHash" \ |
| 56 | + -f content="$CONTENT" \ |
| 57 | + -f sha="$SHA" \ |
| 58 | + -f branch=${{ github.event.pull_request.head.ref }} |
| 59 | +
|
| 60 | + echo "Nix hashes updated via API commit" |
| 61 | +
|
| 62 | + - name: Comment on fork PRs |
| 63 | + if: github.event.pull_request.head.repo.full_name != github.repository |
| 64 | + env: |
| 65 | + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 66 | + run: | |
| 67 | + if [[ -z $(git status -s package.nix) ]]; then |
| 68 | + echo "No hash changes needed" |
| 69 | + exit 0 |
| 70 | + fi |
| 71 | +
|
| 72 | + NEW_HASH=$(grep 'cargoHash' package.nix | sed 's/.*"\(.*\)".*/\1/') |
| 73 | +
|
| 74 | + gh pr comment ${{ github.event.pull_request.number }} \ |
| 75 | + -R ${{ github.repository }} \ |
| 76 | + --body "The \`cargoHash\` in \`package.nix\` needs updating. Please update it to: |
| 77 | +
|
| 78 | + \`\`\`nix |
| 79 | + cargoHash = \"$NEW_HASH\"; |
| 80 | + \`\`\`" |
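Review bot: The checkout at new lines 19–22 fetches the pull request's head from the contributor's repository while the job runs under `pull_request_target` with `contents: write` and `pull-requests: write`, so the `cargo install fixsha` and `fixsha` steps work on an untrusted tree inside a job that holds a write-scoped token. The `if:` conditions on the last two steps only gate the push and the comment; they do not keep the earlier steps from running on fork content, and whether `fixsha` evaluates `package.nix` or runs build scripts from that tree is not visible here, so that should be confirmed. I would add `persist-credentials: false` under the checkout's `with:` and, for fork PRs, compute the hash in a separate job limited to `contents: read`, passing only the resulting hash to the privileged commenting job. Separately, `${{ github.event.pull_request.head.ref }}` is expanded directly into the shell script at new lines 50 and 58; passing it through the step's `env:` as `HEAD_REF: ${{ github.event.pull_request.head.ref }}` and using `"$HEAD_REF"` keeps a branch name from being parsed as shell.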