From f145c2b65bf8d4d2ea45313807014ad80402b4e9 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Mon, 13 Feb 2023 18:46:33 -0800
Subject: [PATCH] .github/workflows: add workflow to update go.mod Nix SRI hash
So that I just get a quick PR to approve and merge instead of periodically discovering that the SRI hash has bitrotted.
Signed-off-by: David Anderson
---
.github/workflows/update-flakes.yml | 49 +++++++++++++++++++++++++++++
update-flake.sh | 4 +--
2 files changed, 51 insertions(+), 2 deletions(-)
create mode 100644 .github/workflows/update-flakes.yml
diff --git a/.github/workflows/update-flakes.yml b/.github/workflows/update-flakes.yml
new file mode 100644
index 000000000..0e0133eb1
--- /dev/null
+++ b/.github/workflows/update-flakes.yml
@@ -0,0 +1,49 @@
+name: update-flakes
+
+on:
+ # run action when a change lands in the main branch which updates go.mod. Also
+ # allow manual triggering.
+ push:
+ branches:
+ - main
+ paths:
+ - go.mod
+ - .github/workflows/update-flakes.yml
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ tailscale:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v3
+
+ - name: Run update-flakes
+ run: ./update-flakes.sh
+
+ - name: Get access token
+ uses: tibdex/github-app-token@f717b5ecd4534d3c4df4ce9b5c1c2214f0f7cd06 # v1.6.0
+ id: generate-token
+ with:
+ app_id: ${{ secrets.LICENSING_APP_ID }}
+ installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
+ private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
+
+ - name: Send pull request
+ uses: peter-evans/create-pull-request@ad43dccb4d726ca8514126628bec209b8354b6dd #v4.1.4
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
+ author: Flakes Updater
+ committer: Flakes Updater
+ branch: flakes
+ commit-message: "go.mod.sri: update SRI hash for go.mod changes"
+ title: "go.mod.sri: update SRI hash for go.mod changes"
+ body: Triggered by ${{ github.repository }}@${{ github.sha }}
+ signoff: true
+ delete-branch: true
+ reviewers: danderson
diff --git a/update-flake.sh b/update-flake.sh
index ed0784de5..af31c9775 100755
--- a/update-flake.sh
+++ b/update-flake.sh
@@ -8,8 +8,8 @@ REV=$(cat go.toolchain.rev) OUT=$(mktemp -d -t nar-hash-XXXXXX) rm -rf $OUT
-go mod vendor -o $OUT
-go run tailscale.com/cmd/nardump --sri $OUT >go.mod.sri
+./tool/go mod vendor -o $OUT
+./tool/go run tailscale.com/cmd/nardump --sri $OUT >go.mod.sri
 rm -rf $OUT # nix-direnv only watches the top-level nix file for changes. As a
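Review bot: The `Run update-flakes` step invokes `./update-flakes.sh`, but the script this same patch edits is `update-flake.sh`, so unless a script with the plural name exists elsewhere in the tree the job fails before any hash is regenerated; the step should read `run: ./update-flake.sh`. In the `concurrency` block, `$${{ ... }}` carries a stray `$`, and on `push` and `workflow_dispatch` events `github.head_ref` is empty, so the group falls back to `github.run_id` and `cancel-in-progress` never matches an earlier run; `group: ${{ github.workflow }}-${{ github.ref }}` would actually serialise runs on main. `actions/checkout@v3` is a mutable tag while the two other actions are pinned by commit SHA, so pinning it the same way keeps the supply-chain posture consistent. The workflow also declares no `permissions:` block; because the pull request is opened with the app token, a top-level `permissions:` with `contents: read` would hold the default GITHUB_TOKEN to least privilege while the script builds and runs repository code.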
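Review bot: `$OUT` is expanded unquoted on both new lines, so a temp path containing whitespace or glob characters (for example from an unusual `TMPDIR`) would be word-split before it reaches `./tool/go`; `./tool/go mod vendor -o "$OUT"` and `./tool/go run tailscale.com/cmd/nardump --sri "$OUT" >go.mod.sri` avoid that, and the neighbouring `rm -rf $OUT` context lines deserve the same quoting. `./tool/go` is resolved relative to the current directory, so the script now assumes it is started from the repository root; this hunk does not show whether it changes directory earlier. The script continues outside the hunk.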