DeterminateSystems/update-flake-lock DeterminateSystems/update-flake-lock

  • Stars
    star
    226
  • Rank 176,514 (Top 4 %)
  • Language
    TypeScript
  • License
    MIT License
  • Created about 3 years ago
  • Updated 3 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
DeterminateSystems/update-flake-lock
github

DeterminateSystems

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Automatically refresh your Nix Flakes.

update-flake-lock

This is a GitHub Action that will update your flake.lock file whenever it is run.

NOTE: As of v3, this action will no longer automatically install Nix to the action runner. You MUST set up a Nix with flakes support enabled prior to running this action, or your workflow will not function as expected.

Example

An example GitHub Action workflow using this action would look like the following:

name: update-flake-lock
on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00

jobs:
  lockfile:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v1
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@vX
        with:
          pr-title: "Update flake.lock" # Title of PR to be created
          pr-labels: |                  # Labels to be set on the PR
            dependencies
            automated

Example updating specific input(s)

NOTE: If any inputs have a stale reference (e.g. the lockfile thinks a git input wants its "ref" to be "nixos-unstable", but the flake.nix specifies "nixos-unstable-small"), they will also be updated. At this time, there is no known workaround.

It is also possible to update specific inputs by specifying them in a space-separated list:

name: update-flake-lock
on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00

jobs:
  lockfile:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v1
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@vX
        with:
          inputs: input1 input2 input3

Example adding options to nix command

It is also possible to use specific options to the nix command in a space separated list:

name: update-flake-lock
on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00

jobs:
  lockfile:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v1
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@vX
        with:
          nix-options: --debug --log-format raw

Example that prints the number of the created PR

name: update-flake-lock
on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00

jobs:
  lockfile:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v1
      - name: Update flake.lock
        id: update
        uses: DeterminateSystems/update-flake-lock@vX
        with:
          inputs: input1 input2 input3
      - name: Print PR number
        run: echo Pull request number is ${{ steps.update.outputs.pull-request-number }}.

Example that doesn't run on PRs

If you were to run this action as a part of your CI workflow, you may want to prevent it from running against Pull Requests.

name: update-flake-lock
on:
  workflow_dispatch: # allows manual triggering
  pull_request: # triggers on every Pull Request
  schedule:
    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00

jobs:
  lockfile:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v1
      - name: Update flake.lock
        if: ${{ github.event_name != 'pull_request' }}
        uses: DeterminateSystems/update-flake-lock@vX
        with:
          inputs: input1 input2 input3
          path-to-flake-dir: 'nix/' # in this example our flake doesn't sit at the root of the repository, it sits under 'nix/flake.nix'

Example using a different Git user

If you want to change the author and / or committer of the flake.lock update commit, you can tweak the git-{author,committer}-{name,email} options:

name: update-flake-lock
on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00

jobs:
  lockfile:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v1
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@vX
        with:
          git-author-name: 'Jane Author'
          git-author-email: 'github-actions[bot]@users.noreply.github.com'
          git-committer-name: 'John Committer'
          git-committer-email: 'github-actions[bot]@users.noreply.github.com'

Running GitHub Actions CI

GitHub Actions will not run workflows when a branch is pushed by or a PR is opened by a GitHub Action. There are two ways to have GitHub Actions CI run on a PR submitted by this action.

Without a Personal Authentication Token

Without using a Personal Authentication Token, you can manually run the following to kick off a CI run:

git branch -D update_flake_lock_action
git fetch origin
git checkout update_flake_lock_action
git commit --amend --no-edit
git push origin update_flake_lock_action --force

With a Personal Authentication Token

By providing a Personal Authentication Token, the PR will be submitted in a way that bypasses this limitation (GitHub will essentially think it is the owner of the PAT submitting the PR, and not an Action). You can create a token by visiting https://github.com/settings/tokens and select at least the repo scope. Then, store this token in your repository secrets (i.e. https://github.com/<USER>/<REPO>/settings/secrets/actions) as GH_TOKEN_FOR_UPDATES and set up your workflow file like the following:

name: update-flake-lock
on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '0 0 * * 1,4' # Run twice a week

jobs:
  lockfile:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v1
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@vX
        with:
          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}

With GPG commit signing

It's possible for the bot to produce GPG signed commits. Associating a GPG public key to a github user account is not required but it is necessary if you want the signed commits to appear as verified in Github. This can be a compliance requirement in some cases.

You can follow Github's guide on creating and/or adding a new GPG key to an user account. Using a specific github user account for the bot can be a good security measure to dissociate this bot's actions and commits from your personal github account.

For the bot to produce signed commits, you will have to provide the GPG private keys to this action's input parameters. You can safely do that with Github secrets as explained here.

When using commit signing, the commit author name and email for the commits produced by this bot would correspond to the ones associated to the GPG Public Key.

If you want to sign using a subkey, you must specify the subkey fingerprint using the gpg-fingerprint input parameter.

You can find an example of how to using this action with commit signing below:

name: update-flake-lock
on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '0 0 * * 1,4' # Run twice a week

jobs:
  lockfile:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v1
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@vX
        with:
          sign-commits: true
          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
          gpg-fingerprint: ${{ secrets.GPG_FINGERPRINT }} # specify subkey fingerprint (optional)
          gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}

Custom PR Body

By default the generated PR body is set to be the following template:

Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.

```
{{ env.GIT_COMMIT_MESSAGE }}
```

### Running GitHub Actions on this PR

GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.

To run GitHub Actions workflows on this PR, run:

```sh
git branch -D update_flake_lock_action
git fetch origin
git checkout update_flake_lock_action
git commit --amend --no-edit
git push origin update_flake_lock_action --force
```

However you can customize it, with variable interpolation performed with Handlebars. This allows you to customize the template with the following variables:

  • env.GIT_AUTHOR_NAME
  • env.GIT_AUTHOR_EMAIL
  • env.GIT_COMMITTER_NAME
  • env.GIT_COMMITTER_EMAIL
  • env.GIT_COMMIT_MESSAGE

Add assignees or reviewers

You can assign the PR to or request a review from one or more GitHub users with pr-assignees and pr-reviewers, respectively. These properties expect a comma or newline separated list of GitHub usernames:

name: update-flake-lock
on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '0 0 * * 1,4' # Run twice a week

jobs:
  lockfile:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v1
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@vX
        with:
          pr-assignees: SomeGitHubUsername
          pr-reviewers: SomeOtherGitHubUsername,SomeThirdGitHubUsername

Contributing

Feel free to send a PR or open an issue if you find something functions unexpectedly! Please make sure to test your changes and update any related documentation before submitting your PR.

How to test changes

In order to more easily test your changes to this action, we have created a template repository that should point you in the right direction: https://github.com/DeterminateSystems/update-flake-lock-test-template. Please see the README in that repository for instructions on testing your changes.

More Repositories

1

nix-installer

Install Nix and flakes with the fast and reliable Determinate Nix Installer, with over 2 million installs.
Rust
1,919
star
2

zero-to-nix

Zero to Nix is your guide to learning Nix and flakes. Created by Determinate Systems.
MDX
890
star
3

riff

Riff automatically provides external dependencies for Rust projects, with support for other languages coming soon.
Rust
487
star
4

magic-nix-cache-action

Save 30-50%+ of CI time without any effort or cost. Use Magic Nix Cache, a totally free and zero-configuration binary cache for Nix on GitHub Actions.
TypeScript
354
star
5

magic-nix-cache

Save 30-50%+ of CI time without any effort or cost. Use Magic Nix Cache, a totally free and zero-configuration binary cache for Nix on GitHub Actions.
Rust
231
star
6

nuenv

A Nushell environment for Nix
Nushell
196
star
7

nix-netboot-serve

Make any NixOS system netbootable with 10s cycle times.
Rust
196
star
8

flake-checker

Health checks for your Nix flakes
Rust
160
star
9

nix-installer-action

The Github Action for the Determinate Nix Installer
TypeScript
150
star
10

fh

The official CLI for FlakeHub: search for flakes, and add new inputs to your Nix flake.
Rust
110
star
11

bootspec-secureboot

Rust
88
star
12

nix-to-kubernetes

An example of deploying Nix-built Docker images to Kubernetes.Not act
Nix
78
star
13

flake-schemas

Schemas for common flake output types
Nix
77
star
14

macos-ephemeral

Scripts and instructions for making ephemeral macOS machines with Mosyle MDM support.
Shell
76
star
15

flake-checker-action

A GitHub Action that performs health checks for your Nix flake.lock files
TypeScript
45
star
16

nixos-vault-service

Nix
43
star
17

terraform-provider-hydra

Declaratively configure your Hydra server with Terraform.
Go
43
star
18

nix-github-actions

An example project showing how to use Nix to replace third-party GitHub Actions
Nix
43
star
19

nix-policy

Experiments with Nix and Open Policy Agent
Nix
27
star
20

bonk

Erase macOS machines over Tailscale.
Go
26
star
21

flakehub-push

Release your Nix flake to FlakeHub.com.
Rust
26
star
22

bootspec

Implementation of RFC-0125's datatype and synthesis tooling.
Rust
23
star
23

nix-wasm-example

Nix
19
star
24

nix-copy-deploy

An example project for the nix copy utility
Shell
13
star
25

zpool-auto-expand-partitions

Rust
12
star
26

hydra-github-jobsets-generator

Generate declarative jobsets for a project's GitHub repository.
Rust
12
star
27

dhcpv6macd

A DHCPv6 service which assigns IPv6 addresses strictly on MAC address only. Potentially violates RFCs and specs.
Nix
11
star
28

nixos-example-openstack

An example of building and pushing images for Openstack.
Nix
10
star
29

apple-sdks.nix

Experimental extraction of Apple SDKs.
Nix
9
star
30

nix-cpio-generator

Rust
9
star
31

hydra-examples

Example files for Hydra.
Nix
8
star
32

cpiotools

Tools for examining CPIOs.
Rust
7
star
33

prometheus-weather-gov

An example Nix project using Python, with a NixOS Module, NixOS test, and Docker image.
Python
7
star
34

hydra-nixos-org-configuration

A mirror of the project and jobset configurations on hydra.nixos.org.
HCL
6
star
35

nix

Tracks the fallback paths for Nix, to allow upgrades on our schedule.
Nix
6
star
36

nix-config-parser

Rust
6
star
37

asset-tagger

Print asset tags.
Shell
4
star
38

inspect

Inspect a flake's outputs with flake schemas.
Nix
4
star
39

search-detsys-dev

Python
4
star
40

flakehub-mirror

TypeScript
4
star
41

templates

Ready-made flake templates to get started with Nix
Nix
3
star
42

export

Export arbitrary bytes from Rust to various shells and interpreters.
Rust
3
star
43

elixir-nix

Nix
2
star
44

coldsnap.nix

Nix
2
star
45

hydra-scale-equinix-metal

Scale Equinix Metal builders based on Hydra usage.
Rust
2
star
46

scanoss-nix

Packages for the ScanOSS tool set.
Nix
2
star
47

detsys-ts

TypeScript
2
star
48

hydra-runcommand-logs

Experiments logging to the journal from RunCommand.
Nix
2
star
49

ci

Determinate CI is the one-stop shop for effortless Nix CI in GitHub Actions.
2
star
50

flakehub-docs

FlakeHub documentation
MDX
2
star
51

install-riff-action

A GitHub Action for installing Riff
Shell
1
star
52

homebrew-riff

A Homebrew formula for Riff
Ruby
1
star
53

karonte-nix

Python
1
star
54

github-actions-oidc-claims

Rust
1
star
55

nix-installer-example

Nix
1
star
56

linear-import-nix

Nix
1
star
57

pickup.nix

Nix
1
star
58

hydra-github-jobsets-example-project

1
star
59

hydra-test-migrate-to-s3

Test migrating a Hydra instance from a local cache to an S3-backed cache.
Nix
1
star
60

buildkite-install-nix-macos

A Buildkite workflow to install Nix on macOS
Shell
1
star
61

update-flake-lock-test-template

A template repository for testing changes to https://github.com/DeterminateSystems/update-flake-lock/
Nix
1
star
62

marp-nix

Nix
1
star
63

fh-init-example-project

Python
1
star
64

.github

Determinate Systems
1
star
65

ipxe-boot-lab

Local lab for testing iPXE boot in user network namespaces.
Rust
1
star
66

mlnx-workspace

Nix
1
star
67

store-paths

Nix
1
star