af9a980c7d
A caller of this action can lock this action to a specific commit. However because the action itself does not lock its dependent actions to a specific commit this opens the end-user up to possible supply-chain attacks if the dependent actions rewrite their tags. This PR changes all third party actions to be explicitly locked. Dependabot will still work and update these hashes for you I also suggest installing https://github.com/ossf/scorecard in this repo. It will report about these kind of issues. Note that you should in turn have to audit all the third party deps of the actions that your action depends on. In general this is all a bit of a mess and GitHub's security model is very meh e.g. see https://github.com/ossf/scorecard/issues/2189
222 lines
9.2 KiB
YAML
222 lines
9.2 KiB
YAML
name: "Update Nix Flake Lock"
|
|
description: "Update your Nix flake.lock and send a PR"
|
|
inputs:
|
|
inputs:
|
|
description: "A space-separated list of inputs to update. Leave empty to update all inputs."
|
|
required: false
|
|
default: ""
|
|
token:
|
|
description: "GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)"
|
|
required: false
|
|
default: ${{ github.token }}
|
|
commit-msg:
|
|
description: "The message provided with the commit"
|
|
required: false
|
|
default: "flake.lock: Update"
|
|
base:
|
|
description: "Sets the pull request base branch. Defaults to the branch checked out in the workflow."
|
|
required: false
|
|
branch:
|
|
description: "The branch of the PR to be created"
|
|
required: false
|
|
default: "update_flake_lock_action"
|
|
path-to-flake-dir:
|
|
description: "The path of the directory containing `flake.nix` file within your repository. Useful when `flake.nix` cannot reside at the root of your repository."
|
|
required: false
|
|
pr-title:
|
|
description: "The title of the PR to be created"
|
|
required: false
|
|
default: "flake.lock: Update"
|
|
pr-body:
|
|
description: "The body of the PR to be created"
|
|
required: false
|
|
default: |
|
|
Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
|
|
|
|
```
|
|
{{ env.GIT_COMMIT_MESSAGE }}
|
|
```
|
|
|
|
### Running GitHub Actions on this PR
|
|
|
|
GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.
|
|
|
|
To run GitHub Actions workflows on this PR, run:
|
|
|
|
```sh
|
|
git branch -D update_flake_lock_action
|
|
git fetch origin
|
|
git checkout update_flake_lock_action
|
|
git commit --amend --no-edit
|
|
git push origin update_flake_lock_action --force
|
|
```
|
|
|
|
pr-labels:
|
|
description: "A comma or newline separated list of labels to set on the Pull Request to be created"
|
|
required: false
|
|
default: ""
|
|
pr-assignees:
|
|
description: "A comma or newline separated list of assignees (GitHub usernames)."
|
|
required: false
|
|
default: ""
|
|
pr-reviewers:
|
|
description: "A comma or newline separated list of reviewers (GitHub usernames) to request a review from."
|
|
required: false
|
|
default: ""
|
|
git-author-name:
|
|
description: "Author name used for commit. Only used if sign-commits is false."
|
|
required: false
|
|
default: "github-actions[bot]"
|
|
git-author-email:
|
|
description: "Author email used for commit. Only used if sign-commits is false."
|
|
required: false
|
|
default: "github-actions[bot]@users.noreply.github.com"
|
|
git-committer-name:
|
|
description: "Committer name used for commit. Only used if sign-commits is false."
|
|
required: false
|
|
default: "github-actions[bot]"
|
|
git-committer-email:
|
|
description: "Committer email used for commit. Only used if sign-commits is false."
|
|
required: false
|
|
default: "github-actions[bot]@users.noreply.github.com"
|
|
sign-commits:
|
|
description: "Set to true if the action should sign the commit with GPG"
|
|
required: false
|
|
default: "false"
|
|
gpg-private-key:
|
|
description: "GPG Private Key with which to sign the commits in the PR to be created"
|
|
required: false
|
|
default: ""
|
|
gpg-fingerprint:
|
|
description: "Fingerprint of specific GPG subkey to use"
|
|
required: false
|
|
gpg-passphrase:
|
|
description: "GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created"
|
|
required: false
|
|
default: ""
|
|
nix-options:
|
|
description: "A space-separated list of options to pass to the nix command"
|
|
required: false
|
|
default: ""
|
|
_internal-strict-mode:
|
|
description: Whether to fail when any errors are thrown. Used only to test the Action; do not set this in your own workflows.
|
|
required: false
|
|
default: false
|
|
outputs:
|
|
pull-request-number:
|
|
description: "The number of the opened pull request"
|
|
value: ${{ steps.create-pr.outputs.pull-request-number }}
|
|
pull-request-operation:
|
|
description: "The pull request operation performed by the action, `created`, `updated` or `closed`."
|
|
value: ${{ steps.create-pr.outputs.pull-request-operation }}
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- name: Import bot's GPG key for signing commits
|
|
if: ${{ inputs.sign-commits == 'true' }}
|
|
id: import-gpg
|
|
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
|
|
with:
|
|
gpg_private_key: ${{ inputs.gpg-private-key }}
|
|
fingerprint: ${{ inputs.gpg-fingerprint }}
|
|
passphrase: ${{ inputs.gpg-passphrase }}
|
|
git_config_global: true
|
|
git_user_signingkey: true
|
|
git_commit_gpgsign: true
|
|
- name: Set environment variables (signed commits)
|
|
if: ${{ inputs.sign-commits == 'true' }}
|
|
shell: bash
|
|
env:
|
|
GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }}
|
|
GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }}
|
|
GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }}
|
|
GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }}
|
|
TARGETS: ${{ inputs.inputs }}
|
|
run: |
|
|
echo "GIT_AUTHOR_NAME=$GIT_AUTHOR_NAME" >> $GITHUB_ENV
|
|
echo "GIT_AUTHOR_EMAIL=<$GIT_AUTHOR_EMAIL>" >> $GITHUB_ENV
|
|
echo "GIT_COMMITTER_NAME=$GIT_COMMITTER_NAME" >> $GITHUB_ENV
|
|
echo "GIT_COMMITTER_EMAIL=<$GIT_COMMITTER_EMAIL>" >> $GITHUB_ENV
|
|
- name: Set environment variables (unsigned commits)
|
|
if: ${{ inputs.sign-commits != 'true' }}
|
|
shell: bash
|
|
run: |
|
|
echo "GIT_AUTHOR_NAME=${{ inputs.git-author-name }}" >> $GITHUB_ENV
|
|
echo "GIT_AUTHOR_EMAIL=<${{ inputs.git-author-email }}>" >> $GITHUB_ENV
|
|
echo "GIT_COMMITTER_NAME=${{ inputs.git-committer-name }}" >> $GITHUB_ENV
|
|
echo "GIT_COMMITTER_EMAIL=<${{ inputs.git-committer-email }}>" >> $GITHUB_ENV
|
|
- name: Run update-flake-lock
|
|
shell: bash
|
|
run: node "$GITHUB_ACTION_PATH/dist/index.js"
|
|
env:
|
|
# The following manually exposes all of the action inputs into INPUT_ environment variables so actionsCore.getInput works:
|
|
# https://github.com/actions/toolkit/blob/ae38557bb0dba824cdda26ce787bd6b66cf07a83/packages/core/src/core.ts#L126
|
|
INPUT_BASE: ${{ inputs.base }}
|
|
INPUT_BRANCH: ${{ inputs.branch }}
|
|
INPUT_COMMIT-MSG: ${{ inputs.commit-msg }}
|
|
INPUT_GIT-AUTHOR-EMAIL: ${{ inputs.git-author-email }}
|
|
INPUT_GIT-AUTHOR-NAME: ${{ inputs.git-author-name }}
|
|
INPUT_GIT-COMMITTER-EMAIL: ${{ inputs.git-committer-email }}
|
|
INPUT_GIT-COMMITTER-NAME: ${{ inputs.git-committer-name }}
|
|
INPUT_GPG-FINGERPRINT: ${{ inputs.gpg-fingerprint }}
|
|
INPUT_GPG-PASSPHRASE: ${{ inputs.gpg-passphrase }}
|
|
INPUT_GPG-PRIVATE-KEY: ${{ inputs.gpg-private-key }}
|
|
INPUT_INPUTS: ${{ inputs.inputs }}
|
|
INPUT_NIX-OPTIONS: ${{ inputs.nix-options }}
|
|
INPUT_PATH-TO-FLAKE-DIR: ${{ inputs.path-to-flake-dir }}
|
|
INPUT_PR-ASSIGNEES: ${{ inputs.pr-assignees }}
|
|
INPUT_PR-BODY: ${{ inputs.pr-body }}
|
|
INPUT_PR-LABELS: ${{ inputs.pr-labels }}
|
|
INPUT_PR-REVIEWERS: ${{ inputs.pr-reviewers }}
|
|
INPUT_PR-TITLE: ${{ inputs.pr-title }}
|
|
INPUT_PULL-REQUEST-NUMBER: ${{ inputs.pull-request-number }}
|
|
INPUT_PULL-REQUEST-OPERATION: ${{ inputs.pull-request-operation }}
|
|
INPUT_SIGN-COMMITS: ${{ inputs.sign-commits }}
|
|
INPUT_TOKEN: ${{ inputs.token }}
|
|
INPUT__INTERNAL-STRICT-MODE: ${{ inputs._internal-strict-mode }}
|
|
- name: Save PR Body as file
|
|
uses: DamianReeves/write-file-action@v1.3
|
|
with:
|
|
path: pr_body.template
|
|
contents: ${{ inputs.pr-body }}
|
|
env: {}
|
|
- name: Set additional env variables (GIT_COMMIT_MESSAGE)
|
|
shell: bash
|
|
run: |
|
|
DELIMITER=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
|
|
COMMIT_MESSAGE="$(git log --format=%b -n 1)"
|
|
echo "GIT_COMMIT_MESSAGE<<$DELIMITER" >> $GITHUB_ENV
|
|
echo "$COMMIT_MESSAGE" >> $GITHUB_ENV
|
|
echo "$DELIMITER" >> $GITHUB_ENV
|
|
echo "GIT_COMMIT_MESSAGE is: ${COMMIT_MESSAGE}"
|
|
- name: Interpolate PR Body
|
|
uses: pedrolamas/handlebars-action@2995d7eadacbc8f2f6ab8431a01d84a5fa3b8bb4 # v2.4.0
|
|
with:
|
|
files: "pr_body.template"
|
|
output-filename: "pr_body.txt"
|
|
- name: Read pr_body.txt
|
|
id: pr_body
|
|
uses: juliangruber/read-file-action@v1
|
|
with:
|
|
path: "pr_body.txt"
|
|
# We need to remove the pr_body files so that the
|
|
# peter-evans/create-pull-request action does not commit it (the
|
|
# action commits all new and modified files).
|
|
- name: Remove PR body template files
|
|
shell: bash
|
|
run: rm -f pr_body.txt pr_body.template
|
|
- name: Create PR
|
|
id: create-pr
|
|
uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
|
|
with:
|
|
base: ${{ inputs.base }}
|
|
branch: ${{ inputs.branch }}
|
|
delete-branch: true
|
|
committer: ${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }}
|
|
author: ${{ env.GIT_AUTHOR_NAME }} ${{ env.GIT_AUTHOR_EMAIL }}
|
|
title: ${{ inputs.pr-title }}
|
|
token: ${{ inputs.token }}
|
|
assignees: ${{ inputs.pr-assignees }}
|
|
labels: ${{ inputs.pr-labels }}
|
|
reviewers: ${{ inputs.pr-reviewers }}
|
|
body: ${{ steps.pr_body.outputs.content }}
|