Compare commits

...

20 commits

Author SHA1 Message Date
03cebd352a
test 2024-12-13 23:42:19 +01:00
793ab55475
fix: Update create-pull-request action, use "" for branch name
It should now work with Gitea and Forgejo
2024-12-13 14:57:59 +01:00
Graham Christensen
0ba1118664
Merge pull request #144 from detsys-pr-bot/detsys-ts-update-eb87094f35072ac911526ad052c3437c9e0c42d6
Update `detsys-ts`: Merge pull request #69 from DeterminateSystems/update-deps
2024-11-26 11:31:58 -05:00
grahamc
236c0fa397 Update detsys-ts for: Merge pull request #69 from DeterminateSystems/update-deps (eb87094f35072ac911526ad052c3437c9e0c42d6) 2024-11-20 18:57:29 +00:00
Graham Christensen
8fa6d41e3f
Merge pull request #141 from DeterminateSystems/colemickens/pr-url
action.yml: expose pull-request-url from create-pr action
2024-11-08 14:50:46 -05:00
Cole Mickens
1360662aa3 action.yml: expose pull-request-url from create-pr action 2024-11-08 11:34:36 -08:00
Graham Christensen
531bd45244
Merge pull request #139 from detsys-pr-bot/detsys-ts-update-4280bc94c9545f31ccf08001cc16f20ccb91b770
Update `detsys-ts`: Merge pull request #67 from DeterminateSystems/allow-obliterating-id-token-privs
2024-11-06 14:56:02 -05:00
grahamc
1afac295f9 Update detsys-ts for: Merge pull request #67 from DeterminateSystems/allow-obliterating-id-token-privs (4280bc94c9545f31ccf08001cc16f20ccb91b770) 2024-11-06 19:43:49 +00:00
dependabot[bot]
965531f332
build(deps-dev): bump vite from 5.2.12 to 5.4.6 (#131)
* build(deps-dev): bump vite from 5.2.12 to 5.4.6

Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 5.2.12 to 5.4.6.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v5.4.6/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v5.4.6/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* pnpm i

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Cole Helbling <cole.helbling@determinate.systems>
2024-09-19 16:42:07 +00:00
Graham Christensen
a2bbe0274e
Merge pull request #128 from detsys-pr-bot/detsys-ts-update-65dd73c562ac60a068340f8e0c040bdcf2c59afe
Update `detsys-ts`: Merge pull request #63 from DeterminateSystems/retry-streams
2024-09-04 14:14:50 -04:00
grahamc
802501548e Update detsys-ts for: Merge pull request #63 from DeterminateSystems/retry-streams (65dd73c562ac60a068340f8e0c040bdcf2c59afe) 2024-09-04 18:05:28 +00:00
Graham Christensen
7d80c329b4
Merge pull request #126 from detsys-pr-bot/detsys-ts-update-817e4d4123b6fb4eae5aa557658f25f8539e7240
Update `detsys-ts`: Merge pull request #62 from DeterminateSystems/dont-pull-microstackshots
2024-08-26 19:46:57 -04:00
grahamc
7bc6ec59cc Update detsys-ts for: Merge pull request #62 from DeterminateSystems/dont-pull-microstackshots (817e4d4123b6fb4eae5aa557658f25f8539e7240) 2024-08-26 15:26:03 +00:00
Graham Christensen
4cf6b19203
Merge pull request #125 from detsys-pr-bot/detsys-ts-update-e8f6e8f54d85aa0fd3d0b694dd3279a21497a33b
Update `detsys-ts`: Merge pull request #61 from DeterminateSystems/use-coalesce-for-array
2024-08-26 10:09:12 -04:00
grahamc
73ba0ca899 Update detsys-ts for: Merge pull request #61 from DeterminateSystems/use-coalesce-for-array (e8f6e8f54d85aa0fd3d0b694dd3279a21497a33b) 2024-08-26 14:05:27 +00:00
Graham Christensen
24f53daa86
Merge pull request #124 from detsys-pr-bot/detsys-ts-update-cf1897a891edc164a8240f469cd56d14364e6be1
Update `detsys-ts`: Merge pull request #58 from DeterminateSystems/collect-crash-logs
2024-08-26 09:41:53 -04:00
grahamc
420fb2aaf7 Update detsys-ts for: Merge pull request #58 from DeterminateSystems/collect-crash-logs (cf1897a891edc164a8240f469cd56d14364e6be1) 2024-08-26 13:31:25 +00:00
Cole Helbling
db4ee38117 Fixup support for Nix 2.23.0 and later 2024-06-28 14:11:30 -07:00
Pierre Penninckx
b0723e0fae Add instructions for new fine grained GitHub PAT 2024-06-18 09:23:51 -07:00
Arian van Putten
af9a980c7d Lock third-party actions
A caller of this action can lock this action to a specific commit. However because the action itself does not lock its dependent actions to a specific commit this opens the end-user up to possible supply-chain attacks if the dependent actions rewrite their tags.

This PR changes all third party actions to be explicitly locked.

Dependabot will still work and update these hashes for you.

I also suggest installing https://github.com/ossf/scorecard in this repo. It will report about these kinds of issues.

Note that you should in turn have to audit all the third-party deps of the actions that your action depends on. In general this is all a bit of a mess and GitHub's security model is very meh.

e.g. see https://github.com/ossf/scorecard/issues/2189
2024-06-18 09:17:15 -07:00
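As an added example (not code from the repository or from this commit's author), a small check for the issue the "Lock third-party actions" commit addresses: it scans `uses:` lines in a workflow or action file and flags any reference that is a tag or branch rather than a full 40-hex commit SHA, and records whether a pinned line carries the `# vX.Y.Z` comment that Dependabot and reviewers rely on. The sample input is constructed from the three third-party steps visible in this compare's `action.yml` hunks.

```python
import re

# Matches a `uses:` reference in a workflow or action file, e.g.
#   uses: owner/repo@ref   # optional version comment
# Commented-out lines (leading '#') deliberately do not match.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?(?P<action>[^@\s"\']+)@(?P<ref>[^\s"\'#]+)["\']?'
    r'(?:\s*#\s*(?P<comment>.*?))?\s*$'
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: the three third-party steps from this action.yml,
# two pinned to a commit SHA and one still referenced by tag.
SAMPLE_ACTION_YML = """\
runs:
  steps:
    - name: Import bot's GPG key for signing commits
      uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
    - name: Interpolate PR Body
      uses: pedrolamas/handlebars-action@2995d7eadacbc8f2f6ab8431a01d84a5fa3b8bb4 # v2.4.0
    - name: Create PR
      # uses: peter-evans/create-pull-request@main
      uses: peter-evans/create-pull-request@v6.0.1
"""


def check_uses_lines(text: str) -> list[dict]:
    """One finding per `uses:` line; a ref is 'pinned' only if it is a full commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        pinned = bool(FULL_SHA_RE.match(ref))
        findings.append({
            "line": lineno,
            "action": m.group("action"),
            "ref": ref,
            "pinned": pinned,
            # A `# vX.Y.Z` comment beside a SHA records the intended tag (readable, Dependabot-updatable).
            "annotated": pinned and bool(m.group("comment")),
        })
    return findings


def unpinned(text: str) -> list[str]:
    """Actions that an upstream tag or branch rewrite could silently change."""
    return [f"{f['action']}@{f['ref']}" for f in check_uses_lines(text) if not f["pinned"]]
```

Run `unpinned(open("action.yml").read())` in CI and fail the job if the list is non-empty; on the sample it reports only the `create-pull-request@v6.0.1` step.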
9 changed files with 28752 additions and 39755 deletions


@ -185,7 +185,7 @@ git push origin update_flake_lock_action --force
### With a Personal Authentication Token ### With a Personal Authentication Token
By providing a Personal Authentication Token, the PR will be submitted in a way that bypasses this limitation (GitHub will essentially think it is the owner of the PAT submitting the PR, and not an Action). By providing a Personal Authentication Token, the PR will be submitted in a way that bypasses this limitation (GitHub will essentially think it is the owner of the PAT submitting the PR, and not an Action).
You can create a token by visiting https://github.com/settings/tokens and select at least the `repo` scope. Then, store this token in your repository secrets (i.e. `https://github.com/<USER>/<REPO>/settings/secrets/actions`) as `GH_TOKEN_FOR_UPDATES` and set up your workflow file like the following: You can create a token by visiting https://github.com/settings/tokens and select at least the `repo` scope. For the new fine-grained tokens, you need to enable read and write access for "Contents" and "Pull Requests" permissions. Then, store this token in your repository secrets (i.e. `https://github.com/<USER>/<REPO>/settings/secrets/actions`) as `GH_TOKEN_FOR_UPDATES` and set up your workflow file like the following:
```yaml ```yaml
name: update-flake-lock name: update-flake-lock
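Review bot: the classic-token guidance in this paragraph still says "select at least the `repo` scope", which grants the token access to every repository the user can reach; since the new sentence already describes the narrower fine-grained token (Contents and Pull requests, read and write), the text should steer readers to that path and note that the fine-grained token should be restricted to this one repository. Also, GitHub's name for these is "Personal Access Token", not "Personal Authentication Token", so the heading and first sentence should use that term.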


@ -106,6 +106,9 @@ outputs:
pull-request-number: pull-request-number:
description: "The number of the opened pull request" description: "The number of the opened pull request"
value: ${{ steps.create-pr.outputs.pull-request-number }} value: ${{ steps.create-pr.outputs.pull-request-number }}
pull-request-url:
description: "The The URL of the opened pull request."
value: ${{ steps.create-pr.outputs.pull-request-url }}
pull-request-operation: pull-request-operation:
description: "The pull request operation performed by the action, `created`, `updated` or `closed`." description: "The pull request operation performed by the action, `created`, `updated` or `closed`."
value: ${{ steps.create-pr.outputs.pull-request-operation }} value: ${{ steps.create-pr.outputs.pull-request-operation }}
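Review bot: the description on the new `pull-request-url` output reads `"The The URL of the opened pull request."`; drop the duplicated word so it reads `"The URL of the opened pull request."`.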
@ -115,7 +118,7 @@ runs:
- name: Import bot's GPG key for signing commits - name: Import bot's GPG key for signing commits
if: ${{ inputs.sign-commits == 'true' }} if: ${{ inputs.sign-commits == 'true' }}
id: import-gpg id: import-gpg
uses: crazy-max/ghaction-import-gpg@v6 uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
with: with:
gpg_private_key: ${{ inputs.gpg-private-key }} gpg_private_key: ${{ inputs.gpg-private-key }}
fingerprint: ${{ inputs.gpg-fingerprint }} fingerprint: ${{ inputs.gpg-fingerprint }}
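Review bot: pinning `crazy-max/ghaction-import-gpg` to a full commit with a `# v6.1.0` comment is the right shape; the one check to do before merge is to confirm that `01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4` is the commit the upstream `v6.1.0` tag points at, because the comment is only a label and a wrong one would mislead both reviewers and Dependabot. The same check applies to the `handlebars-action` pin in the next hunk.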
@ -190,7 +193,7 @@ runs:
echo "$DELIMITER" >> $GITHUB_ENV echo "$DELIMITER" >> $GITHUB_ENV
echo "GIT_COMMIT_MESSAGE is: ${COMMIT_MESSAGE}" echo "GIT_COMMIT_MESSAGE is: ${COMMIT_MESSAGE}"
- name: Interpolate PR Body - name: Interpolate PR Body
uses: pedrolamas/handlebars-action@v2.4.0 uses: pedrolamas/handlebars-action@2995d7eadacbc8f2f6ab8431a01d84a5fa3b8bb4 # v2.4.0
with: with:
files: "pr_body.template" files: "pr_body.template"
output-filename: "pr_body.txt" output-filename: "pr_body.txt"
@ -207,16 +210,17 @@ runs:
run: rm -f pr_body.txt pr_body.template run: rm -f pr_body.txt pr_body.template
- name: Create PR - name: Create PR
id: create-pr id: create-pr
uses: peter-evans/create-pull-request@v6 # uses: peter-evans/create-pull-request@main
uses: peter-evans/create-pull-request@v6.0.1
with: with:
base: ${{ inputs.base }} base: "${{ inputs.base }}"
branch: ${{ inputs.branch }} branch: "${{ inputs.branch }}"
delete-branch: true delete-branch: true
committer: ${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }} committer: "${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }}"
author: ${{ env.GIT_AUTHOR_NAME }} ${{ env.GIT_AUTHOR_EMAIL }} author: "${{ env.GIT_AUTHOR_NAME }} ${{ env.GIT_AUTHOR_EMAIL }}"
title: ${{ inputs.pr-title }} title: "${{ inputs.pr-title }}"
token: ${{ inputs.token }} token: "${{ inputs.token }}"
assignees: ${{ inputs.pr-assignees }} assignees: "${{ inputs.pr-assignees }}"
labels: ${{ inputs.pr-labels }} labels: "${{ inputs.pr-labels }}"
reviewers: ${{ inputs.pr-reviewers }} reviewers: "${{ inputs.pr-reviewers }}"
body: ${{ steps.pr_body.outputs.content }} body: "${{ steps.pr_body.outputs.content }}"
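Review bot: `peter-evans/create-pull-request@v6.0.1` is the only third-party action in this file still referenced by tag rather than by commit SHA, which is exactly the tag-rewrite exposure the "Lock third-party actions" commit set out to close; pin it the same way as the other two steps (`uses: peter-evans/create-pull-request@<full commit sha> # v6.0.1`) and drop the commented-out `# uses: peter-evans/create-pull-request@main` line, which is dead text. Wrapping every `with:` value in double quotes is harmless on GitHub and, per the commit message, is what makes the step work on Gitea and Forgejo, so that part is fine as is.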

66229
dist/index.js vendored

File diff suppressed because one or more lines are too long

2
dist/index.js.map vendored

File diff suppressed because one or more lines are too long


@ -26,22 +26,22 @@
}, },
"homepage": "https://github.com/DeterminateSystems/update-flake-lock#readme", "homepage": "https://github.com/DeterminateSystems/update-flake-lock#readme",
"dependencies": { "dependencies": {
"@actions/core": "^1.10.1", "@actions/core": "^1.11.1",
"@actions/exec": "^1.1.1", "@actions/exec": "^1.1.1",
"detsys-ts": "github:DeterminateSystems/detsys-ts" "detsys-ts": "github:DeterminateSystems/detsys-ts"
}, },
"devDependencies": { "devDependencies": {
"@trivago/prettier-plugin-sort-imports": "^4.3.0", "@trivago/prettier-plugin-sort-imports": "^4.3.0",
"@typescript-eslint/eslint-plugin": "^7.11.0", "@typescript-eslint/eslint-plugin": "^7.18.0",
"@vercel/ncc": "^0.38.1", "@vercel/ncc": "^0.38.3",
"eslint": "^8.57.0", "eslint": "^8.57.1",
"eslint-import-resolver-typescript": "^3.6.1", "eslint-import-resolver-typescript": "^3.6.3",
"eslint-plugin-github": "^4.10.2", "eslint-plugin-github": "^4.10.2",
"eslint-plugin-import": "^2.29.1", "eslint-plugin-import": "^2.31.0",
"eslint-plugin-prettier": "^5.1.3", "eslint-plugin-prettier": "^5.2.1",
"prettier": "^3.2.5", "prettier": "^3.3.3",
"tsup": "^8.0.2", "tsup": "^8.3.5",
"typescript": "^5.4.5", "typescript": "^5.6.3",
"vitest": "^1.6.0" "vitest": "^1.6.0"
} }
} }
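Review bot: `"detsys-ts": "github:DeterminateSystems/detsys-ts"` carries no commit or tag after the repository name, so the only thing pinning that dependency is the lockfile; a `#<commit>` suffix here would make the intended revision visible in this diff (the merge commits above name the exact `detsys-ts` commit, but `package.json` does not) and would stop a fresh install without the lockfile from pulling whatever the default branch holds. The remaining version bumps are routine caret-range updates.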

File diff suppressed because it is too large


@ -24,7 +24,8 @@ test("Nix command arguments", () => {
"flake", "flake",
"update", "update",
"--commit-lock-file", "--commit-lock-file",
"--commit-lockfile-summary", "--option",
"commit-lockfile-summary",
"just testing", "just testing",
], ],
}, },
@ -42,7 +43,8 @@ test("Nix command arguments", () => {
"--update-input", "--update-input",
"rust-overlay", "rust-overlay",
"--commit-lock-file", "--commit-lock-file",
"--commit-lockfile-summary", "--option",
"commit-lockfile-summary",
"just testing", "just testing",
], ],
}, },
@ -57,7 +59,8 @@ test("Nix command arguments", () => {
"flake", "flake",
"update", "update",
"--commit-lock-file", "--commit-lock-file",
"--commit-lockfile-summary", "--option",
"commit-lockfile-summary",
"just testing", "just testing",
], ],
}, },


@ -9,10 +9,23 @@ export function makeNixCommandArgs(
input, input,
]); ]);
// NOTE(cole-h): In Nix versions 2.23.0 and later, `commit-lockfile-summary` became an alias to
// the setting `commit-lock-file-summary` (https://github.com/NixOS/nix/pull/10691), and Nix does
// not treat aliases the same as their "real" setting by requiring setting aliases to be
// configured via `--option <alias name> <option value>`
// (https://github.com/NixOS/nix/issues/10989).
// So, we go the long way so that we can support versions both before and after Nix 2.23.0.
const lockfileSummaryFlags = [
"--option",
"commit-lockfile-summary",
commitMessage,
];
const updateLockMechanism = flakeInputFlags.length === 0 ? "update" : "lock"; const updateLockMechanism = flakeInputFlags.length === 0 ? "update" : "lock";
return nixOptions return nixOptions
.concat(["flake", updateLockMechanism]) .concat(["flake", updateLockMechanism])
.concat(flakeInputFlags) .concat(flakeInputFlags)
.concat(["--commit-lock-file", "--commit-lockfile-summary", commitMessage]); .concat(["--commit-lock-file"])
.concat(lockfileSummaryFlags);
} }
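Review bot: the second sentence of the NOTE comment is hard to parse ("does not treat aliases the same as their 'real' setting by requiring setting aliases to be configured via ..."); state the mechanism directly, e.g. "Nix 2.23.0+ only accepts the alias through `--option commit-lockfile-summary <value>`, not as the `--commit-lockfile-summary` flag". The change itself is sound for both pre- and post-2.23.0 Nix, since `--option` works for any setting name, and `commitMessage` still travels as its own argv element, so no shell quoting concern is introduced.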

0
test Normal file
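Review bot: commit 03cebd352a ("test") adds an empty file named `test` (0 lines) with no explanation; it looks like a leftover from local testing and should be dropped from this range before merging.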