Merge caae4dc74a into bc75a5b55e

README.md

@@ -183,6 +183,44 @@ jobs:
           token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
 ```
 
+### Authenticating via a Github App
+
+A Github App can both produce verified commits _and_ create pull requests that will trigger further Github Actions.
+
+Create a stub Github App in your organization. Disable webhooks, add Content write and Pull Request write permissions, and make it available only within your organization. Install the App in the Organization (possibly restricting only to relevant repos). Copy the App secret into an Actions secret, along with the App ID.
+
+Set up your workflow like this:
+
+```yaml
+name: update-flake-lock
+on:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    - cron: '0 0 * * 1,4' # Run twice a week
+
+jobs:
+  lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Install Nix
+        uses: cachix/install-nix-action@v17
+      - name: Get Updater Token
+        uses: tibdex/github-app-token@v1
+        id: generate-token
+        with:
+          app_id: ${{ secrets.UPDATE_APP_ID}}
+          private_key: ${{secrets.UPDATE_APP_KEY}}
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@vX
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          commit-with-token: true
+        ```
+
+```
+
 ## With GPG commit signing
 
 It's possible for the bot to produce GPG signed commits. Associating a GPG public key to a github user account is not required but it is necessary if you want the signed commits to appear as verified in Github. This can be a compliance requirement in some cases.

action.yml

@@ -9,6 +9,10 @@ inputs:
     description: 'GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)'
     required: false
     default: ${{ github.token }}
+  commit-with-token:
+    description: 'Set to "true" to produce a verified commit with token'
+    required: false
+    default: ''
   commit-msg:
     description: 'The message provided with the commit'
     required: false
@@ -149,6 +153,36 @@ runs:
         TARGETS: ${{ inputs.inputs }}
         COMMIT_MSG: ${{ inputs.commit-msg }}
         PATH_TO_FLAKE_DIR: ${{ inputs.path-to-flake-dir }}
+        COMMIT_WITH_TOKEN: ${{ inputs.commit-with-token }}
+
+    - name: Commit changes
+      if: ${{ inputs.commit-with-token == 'true' }}
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+        FILE_TO_COMMIT: flake.lock
+        DESTINATION_BRANCH: ${{ inputs.branch }}
+      shell: bash
+      run: |
+        set -x
+        export CONTENT=$( base64 -i $FILE_TO_COMMIT )
+        export BASE=$DESTINATION_BRANCH
+        if gh api --method GET /repos/:owner/:repo/git/refs/heads/$DESTINATION_BRANCH; then
+          git fetch origin $DESTINATION_BRANCH
+        else
+          export BASE=$(gh repo view --json defaultBranchRef --template '{{ .defaultBranchRef.name }}' ${{github.repository}})
+          export BASE_SHA=$( git rev-parse origin/$BASE )
+          gh api --method POST /repos/:owner/:repo/git/refs \
+            --field ref=refs/heads/$DESTINATION_BRANCH \
+            --field sha=$BASE_SHA
+        fi
+        export BASE_SHA=$( git rev-parse origin/$BASE )
+        export SHA=$( git rev-parse origin/$BASE:$FILE_TO_COMMIT )
+        gh api --method PUT /repos/:owner/:repo/contents/$FILE_TO_COMMIT \
+          --field message="${{inputs.commit-msg}}" \
+          --field content="$CONTENT" \
+          --field encoding="base64" \
+          --field branch="$DESTINATION_BRANCH" \
+          --field sha="$SHA"
     - name: Save PR Body as file
       uses: DamianReeves/write-file-action@v1.2
       with:

update-flake-lock.sh

@@ -5,12 +5,18 @@ if [[ -n "$PATH_TO_FLAKE_DIR" ]]; then
   cd "$PATH_TO_FLAKE_DIR"
 fi
 
+commitArg=""
+if [[ "$COMMIT_WITH_TOKEN" != "true" ]]; then
+  # Commit happening in next step
+  commitArg="suppress"
+fi
+
 if [[ -n "$TARGETS" ]]; then
     inputs=()
     for input in $TARGETS; do
         inputs+=("--update-input" "$input")
     done
-    nix flake lock "${inputs[@]}" --commit-lock-file --commit-lockfile-summary "$COMMIT_MSG"
+    nix flake lock "${inputs[@]}" ${commitArg:+"--commit-lock-file"} --commit-lockfile-summary "$COMMIT_MSG"
 else
-    nix flake update --commit-lock-file --commit-lockfile-summary "$COMMIT_MSG"
+    nix flake update ${commitArg:+"--commit-lock-file"} --commit-lockfile-summary "$COMMIT_MSG"
 fi