Improvements to update actions

2025-02-10 14:06:45 -08:00 · 2025-02-10 14:06:45 -08:00 · 49350456db
commit 49350456db
parent 00a0846661
4 changed files with 62 additions and 10 deletions
--- a/.github/workflows/check-nix-format.yml
+++ b/.github/workflows/check-nix-format.yml
@ -6,6 +6,10 @@ name: Check that Nix files are formatted
 on:
  pull_request:
    types: [opened, synchronize, reopened]
+  push:
+    branches:
+      - master
+      - 'push-action/**'
  merge_group:
 permissions:
  contents: read
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@ -33,6 +33,47 @@ jobs:
      run: ./ci/update-nur.sh
      env:
        API_TOKEN_GITHUB: '${{ steps.get_workflow_token.outputs.token }}'
+    - uses: CasperWA/push-protected@v2
+      with:
+        token: ${{ steps.get_workflow_token.outputs.token }}
+        branch: master
+
+  update_combined:
+    runs-on: ubuntu-latest
+    needs: update_nur
+    steps:
+    - id: get_workflow_token
+      uses: peter-murray/workflow-application-token-action@v4.0.1
+      with:
+        application_id: '${{ secrets.GH_APPLICATION_ID }}'
+        application_private_key: '${{ secrets.GH_APPLICATION_PRIVATE_KEY }}'
+        permissions: "contents:write"
+        revoke_token: true
+    - uses: actions/checkout@v4
+      with:
+        repository: nix-community/nur-combined
+        path: nur
+    - uses: actions/checkout@v4
+      with:
+        repository: nix-community/nur-combined
+        path: nur-combined
+    - uses: cachix/install-nix-action@v30
+      with:
+        nix_path: nixpkgs=channel:nixos-unstable
+        extra_nix_config: |
+          experimental-features = nix-command flakes
+    - name: update nur-combined
+      run: ./ci/update-nur-combined.sh
+      env:
+        API_TOKEN_GITHUB: '${{ steps.get_workflow_token.outputs.token }}'
+    - name: rebase and push
+      run: |
+        ./ci/lib/setup-git.sh
+        git -C $GITHUB_WORKSPACE/nur-combined pull --rebase origin master
+        git -C $GITHUB_WORKSPACE/nur-combined push origin HEAD:master
+      env:
+        GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
+
  update_search:
    runs-on: ubuntu-latest
    needs: update_nur
--- a/ci/update-nur-combined.sh
+++ b/ci/update-nur-combined.sh
@ -0,0 +1,17 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p git -p nix -p bash -i bash
+
+set -eu -o pipefail # Exit with nonzero exit code if anything fails
+
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+
+source ${DIR}/lib/setup-git.sh
+set -x
+
+cd ${DIR}/..
+
+nix run "${DIR}#" -- combine nur-combined
+
+git -C nur-combined pull --rebase origin master
+git -C nur-combined push origin HEAD:master
--- a/ci/update-nur.sh
+++ b/ci/update-nur.sh
@ -13,10 +13,6 @@ nix run "${DIR}#" -- update

 cd ${DIR}/..

-git clone \
-  --single-branch \
-  "https://$API_TOKEN_GITHUB@github.com/nix-community/nur-combined.git"
-
 nix run "${DIR}#" -- combine nur-combined

 nix flake update nixpkgs
@ -26,10 +22,4 @@ if [[ -z "$(git diff --exit-code)" ]]; then
 else
  git add --all repos.json* flake.lock
  git commit -m "automatic update"
-  # in case we are getting overtaken by a different job
-  git pull --rebase origin master
-  git push "https://$API_TOKEN_GITHUB@github.com/nix-community/NUR" HEAD:master
 fi
-
-git -C nur-combined pull --rebase origin master
-git -C nur-combined push origin HEAD:master