name: "Update Nix Flake Lock" description: "Update your Nix flake.lock and send a PR" inputs: inputs: description: "A space-separated list of inputs to update. Leave empty to update all inputs." required: false default: "" token: description: "GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)" required: false default: ${{ github.token }} commit-msg: description: "The message provided with the commit" required: false default: "flake.lock: Update" base: description: "Sets the pull request base branch. Defaults to the branch checked out in the workflow." required: false branch: description: "The branch of the PR to be created" required: false default: "update_flake_lock_action" path-to-flake-dir: description: "The path of the directory containing `flake.nix` file within your repository. Useful when `flake.nix` cannot reside at the root of your repository." required: false pr-title: description: "The title of the PR to be created" required: false default: "flake.lock: Update" pr-body: description: "The body of the PR to be created" required: false default: | Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action. ``` {{ env.GIT_COMMIT_MESSAGE }} ``` ### Running GitHub Actions on this PR GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action. To run GitHub Actions workflows on this PR, run: ```sh git branch -D update_flake_lock_action git fetch origin git checkout update_flake_lock_action git commit --amend --no-edit git push origin update_flake_lock_action --force ``` pr-labels: description: "A comma or newline separated list of labels to set on the Pull Request to be created" required: false default: "" pr-assignees: description: "A comma or newline separated list of assignees (GitHub usernames)." required: false default: "" pr-reviewers: description: "A comma or newline separated list of reviewers (GitHub usernames) to request a review from." required: false default: "" git-author-name: description: "Author name used for commit. Only used if sign-commits is false." required: false default: "github-actions[bot]" git-author-email: description: "Author email used for commit. Only used if sign-commits is false." required: false default: "github-actions[bot]@users.noreply.github.com" git-committer-name: description: "Committer name used for commit. Only used if sign-commits is false." required: false default: "github-actions[bot]" git-committer-email: description: "Committer email used for commit. Only used if sign-commits is false." required: false default: "github-actions[bot]@users.noreply.github.com" sign-commits: description: "Set to true if the action should sign the commit with GPG" required: false default: "false" gpg-private-key: description: "GPG Private Key with which to sign the commits in the PR to be created" required: false default: "" gpg-fingerprint: description: "Fingerprint of specific GPG subkey to use" required: false gpg-passphrase: description: "GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created" required: false default: "" nix-options: description: "A space-separated list of options to pass to the nix command" required: false default: "" outputs: pull-request-number: description: "The number of the opened pull request" value: ${{ steps.create-pr.outputs.pull-request-number }} pull-request-operation: description: "The pull request operation performed by the action, `created`, `updated` or `closed`." value: ${{ steps.create-pr.outputs.pull-request-operation }} runs: using: "composite" steps: - name: Import bot's GPG key for signing commits if: ${{ inputs.sign-commits == 'true' }} id: import-gpg uses: crazy-max/ghaction-import-gpg@v6 with: gpg_private_key: ${{ inputs.gpg-private-key }} fingerprint: ${{ inputs.gpg-fingerprint }} passphrase: ${{ inputs.gpg-passphrase }} git_config_global: true git_user_signingkey: true git_commit_gpgsign: true - name: Set environment variables (signed commits) if: ${{ inputs.sign-commits == 'true' }} shell: bash env: GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }} GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }} GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }} GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }} TARGETS: ${{ inputs.inputs }} run: | echo "GIT_AUTHOR_NAME=$GIT_AUTHOR_NAME" >> $GITHUB_ENV echo "GIT_AUTHOR_EMAIL=<$GIT_AUTHOR_EMAIL>" >> $GITHUB_ENV echo "GIT_COMMITTER_NAME=$GIT_COMMITTER_NAME" >> $GITHUB_ENV echo "GIT_COMMITTER_EMAIL=<$GIT_COMMITTER_EMAIL>" >> $GITHUB_ENV - name: Set environment variables (unsigned commits) if: ${{ inputs.sign-commits != 'true' }} shell: bash run: | echo "GIT_AUTHOR_NAME=${{ inputs.git-author-name }}" >> $GITHUB_ENV echo "GIT_AUTHOR_EMAIL=<${{ inputs.git-author-email }}>" >> $GITHUB_ENV echo "GIT_COMMITTER_NAME=${{ inputs.git-committer-name }}" >> $GITHUB_ENV echo "GIT_COMMITTER_EMAIL=<${{ inputs.git-committer-email }}>" >> $GITHUB_ENV - name: Run update-flake-lock shell: bash run: node "$GITHUB_ACTION_PATH/dist/index.js" env: # The following manually exposes all of the action inputs into INPUT_ environment variables so actionsCore.getInput works: # https://github.com/actions/toolkit/blob/ae38557bb0dba824cdda26ce787bd6b66cf07a83/packages/core/src/core.ts#L126 INPUT_BASE: ${{ inputs.base }} INPUT_BRANCH: ${{ inputs.branch }} INPUT_COMMIT-MSG: ${{ inputs.commit-msg }} INPUT_GIT-AUTHOR-EMAIL: ${{ inputs.git-author-email }} INPUT_GIT-AUTHOR-NAME: ${{ inputs.git-author-name }} INPUT_GIT-COMMITTER-EMAIL: ${{ inputs.git-committer-email }} INPUT_GIT-COMMITTER-NAME: ${{ inputs.git-committer-name }} INPUT_GPG-FINGERPRINT: ${{ inputs.gpg-fingerprint }} INPUT_GPG-PASSPHRASE: ${{ inputs.gpg-passphrase }} INPUT_GPG-PRIVATE-KEY: ${{ inputs.gpg-private-key }} INPUT_INPUTS: ${{ inputs.inputs }} INPUT_NIX-OPTIONS: ${{ inputs.nix-options }} INPUT_PATH-TO-FLAKE-DIR: ${{ inputs.path-to-flake-dir }} INPUT_PR-ASSIGNEES: ${{ inputs.pr-assignees }} INPUT_PR-BODY: ${{ inputs.pr-body }} INPUT_PR-LABELS: ${{ inputs.pr-labels }} INPUT_PR-REVIEWERS: ${{ inputs.pr-reviewers }} INPUT_PR-TITLE: ${{ inputs.pr-title }} INPUT_PULL-REQUEST-NUMBER: ${{ inputs.pull-request-number }} INPUT_PULL-REQUEST-OPERATION: ${{ inputs.pull-request-operation }} INPUT_SIGN-COMMITS: ${{ inputs.sign-commits }} INPUT_TOKEN: ${{ inputs.token }} - name: Save PR Body as file uses: DamianReeves/write-file-action@v1.3 with: path: pr_body.template contents: ${{ inputs.pr-body }} env: {} - name: Set additional env variables (GIT_COMMIT_MESSAGE) shell: bash run: | DELIMITER=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) COMMIT_MESSAGE="$(git log --format=%b -n 1)" echo "GIT_COMMIT_MESSAGE<<$DELIMITER" >> $GITHUB_ENV echo "$COMMIT_MESSAGE" >> $GITHUB_ENV echo "$DELIMITER" >> $GITHUB_ENV echo "GIT_COMMIT_MESSAGE is: ${COMMIT_MESSAGE}" - name: Interpolate PR Body uses: pedrolamas/handlebars-action@v2.4.0 with: files: "pr_body.template" output-filename: "pr_body.txt" - name: Read pr_body.txt id: pr_body uses: juliangruber/read-file-action@v1 with: path: "pr_body.txt" # We need to remove the pr_body files so that the # peter-evans/create-pull-request action does not commit it (the # action commits all new and modified files). - name: Remove PR body template files shell: bash run: rm -f pr_body.txt pr_body.template - name: Create PR id: create-pr uses: peter-evans/create-pull-request@v6 with: base: ${{ inputs.base }} branch: ${{ inputs.branch }} delete-branch: true committer: ${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }} author: ${{ env.GIT_AUTHOR_NAME }} ${{ env.GIT_AUTHOR_EMAIL }} title: ${{ inputs.pr-title }} token: ${{ inputs.token }} assignees: ${{ inputs.pr-assignees }} labels: ${{ inputs.pr-labels }} reviewers: ${{ inputs.pr-reviewers }} body: ${{ steps.pr_body.outputs.content }}