From b25b706c99d48b7b1db89ac8d80c0d32b6635d5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 30 Jun 2026 09:12:23 +0200
Subject: [PATCH] effects: move package/submodule updates to onSchedule

Move the update-packages and update-submodules cron workflows to nixbot onSchedule effects so they can be triggered on demand from the repo page (Mic92/nixbot#48), instead of waiting for the next cron occurrence. Both run against a token-authenticated clone: the GitToken secret authenticates git push and gh. Also drop the always-failing fail-test effect, now covered upstream.
---
.github/workflows/update-packages.yaml | 43 ----------
.github/workflows/update-submodules.yaml | 29 --------
checks/effects.nix | 93 ++++++++++++++++++------
3 files changed, 72 insertions(+), 93 deletions(-)
delete mode 100644 .github/workflows/update-packages.yaml
delete mode 100644 .github/workflows/update-submodules.yaml
diff --git a/.github/workflows/update-packages.yaml b/.github/workflows/update-packages.yaml
deleted file mode 100644
index 9fb07570a..000000000
--- a/.github/workflows/update-packages.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-name: Update Packages -on: - schedule: - - cron: "0 3 * * *" # Daily at 3am UTC - workflow_dispatch: - inputs: - package: - description: "Package to update (leave empty for all)" - required: false - type: string -jobs: - update-packages: - runs-on: ubuntu-slim - permissions: - contents: write - pull-requests: write - steps: - - name: Generate GitHub App Token - id: app-token - uses: actions/create-github-app-token@v3 - with: - app-id: ${{ secrets.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} - - name: Checkout repository - uses: actions/checkout@v7 - with: - token: ${{ steps.app-token.outputs.token }} - name: Setup Nix - uses: NixOS/nix-installer-action@main - with: - extra-conf: | - extra-substituters = https://cache.thalheim.io - extra-trusted-public-keys = cache.thalheim.io-1:R7msbosLEZKrxk/lKxf9BTjOOH7Ax3H0Qj0/6wiHOgc= - name: Setup GitHub CLI - run: | - echo "${{ steps.app-token.outputs.token }}" | gh auth login --with-token - name: Update packages - run: | - if [ -n "${{ inputs.package }}" ]; then - nix run .#updater -- --pr -p "${{ inputs.package }}" - else - nix run .#updater -- --pr - fi
diff --git a/.github/workflows/update-submodules.yaml b/.github/workflows/update-submodules.yaml
deleted file mode 100644
index ebafa9c2d..000000000
--- a/.github/workflows/update-submodules.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-name: "Update zsh submodules" -on: - repository_dispatch: - workflow_dispatch: - schedule: - - cron: "51 2 * * *" -jobs: - update-submodules: - runs-on: ubuntu-slim - steps: - - uses: actions/checkout@v7 - with: - submodules: true - - name: Update zsh submodules - run: | - git submodule update --init --recursive - git submodule update --recursive --remote - - uses: actions/create-github-app-token@v3 - id: app-token - with: - app-id: ${{ vars.CI_APP_ID }} - private-key: ${{ secrets.CI_PRIVATE_KEY }} - name: Create Pull Request - uses: peter-evans/create-pull-request@v8 - with: - title: Update zsh modules - token: ${{ steps.app-token.outputs.token }} - labels: | - auto-merge
diff --git a/checks/effects.nix b/checks/effects.nix
index 9cafaf648..dfe8253a8 100644
--- a/checks/effects.nix
+++ b/checks/effects.nix
@@ -1,12 +1,45 @@ # Dogfood for nixbot effects: exercises the hercules-style # secrets file and the current-task state API. { inputs, self }: -_args: { +_args: +let + pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; + + # Scheduled effect operating on a fresh clone. The GitToken secret + # authenticates git push (token in the origin URL) and gh (GH_TOKEN). + mkRepoEffect = + name: script: + pkgs.runCommand "effect-${name}" + { + nativeBuildInputs = [ + pkgs.cacert + pkgs.git + pkgs.gh + pkgs.jq + pkgs.nix + pkgs.openssh + ]; + # mkEffect JSON-encodes secretsMap; raw derivations must too. + secretsMap = builtins.toJSON { git.type = "GitToken"; }; + # The sandbox does not inherit the host HOME. + HOME = "/build"; + } + '' + set -euo pipefail + token=$(jq -r '.git.data.token' "$HERCULES_CI_SECRETS_JSON") + export GH_TOKEN="$token" + git config --global user.name "dotfiles-bot" + git config --global user.email "dotfiles-bot@users.noreply.github.com" + git config --global safe.directory '*' + git clone --recurse-submodules \ + "https://x-access-token:$token@github.com/Mic92/dotfiles" repo + cd repo + ${script} + ''; +in +{ onPush.default.outputs.effects = { state-test = - let - pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; - in pkgs.runCommand "effect-state-test" { nativeBuildInputs = [
@@ -29,21 +62,7 @@ _args: { [ "$got" = "state-test $rev" ] ''; - # Always fails: verifies nixbot posts a failed commit status for a - # failed effect instead of leaving it green (Mic92/nixbot#30). - fail-test = - let - pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; - in - pkgs.runCommand "effect-fail-test" { } '' - echo "this effect fails on purpose" - exit 1 - ''; - sandbox-test = - let - pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; - in pkgs.runCommand "effect-sandbox-test" { nativeBuildInputs = [
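Review bot: `token=$(jq -r '.git.data.token' "$HERCULES_CI_SECRETS_JSON")` in mkRepoEffect's script does not fail when the key is absent: `jq -r` prints the literal `null` and exits 0, so `set -euo pipefail` lets the run continue and the first visible error is a rejected clone with `x-access-token:null@github.com` in the URL; `jq -er` makes a missing or null token abort at the point of the mistake. The clone line also bakes the token into the origin URL, so it lives in `repo/.git/config` and in anything that prints the remote (`git remote -v`, verbose fetch or push output) for as long as the build tree exists; whether nixbot redacts secret values in effect logs is not visible here, so a credential helper fed from `$token` would authenticate the push while keeping the URL and stored config clean. `git config --global safe.directory '*'` turns off git's ownership check for every path under this HOME, which is defensible for a throwaway `/build` but deserves a one-line comment saying why. mkRepoEffect starts and ends inside this hunk.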
@@ -72,9 +91,6 @@ _args: { onSchedule.heartbeat = { when = { }; outputs.effects.heartbeat = - let - pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; - in pkgs.runCommand "effect-heartbeat" { nativeBuildInputs = [
@@ -91,4 +107,39 @@ _args: { echo heartbeat stored ''; }; + + # Daily package updates; one PR per changed package. + onSchedule.update-packages = { + when = { + hour = 3; + minute = 0; + }; + outputs.effects.update-packages = mkRepoEffect "update-packages" '' + nix run .#updater -- --pr + ''; + }; + + # Daily zsh submodule bump on a single branch and PR. + onSchedule.update-submodules = { + when = { + hour = 2; + minute = 51; + }; + outputs.effects.update-submodules = mkRepoEffect "update-submodules" '' + git submodule update --init --recursive + git submodule update --recursive --remote + if git diff --quiet; then + echo "no submodule changes" + exit 0 + fi + branch=update-zsh-modules + git checkout -b "$branch" + git commit -am "Update zsh modules" + git push -f origin "$branch" + if ! gh pr view "$branch" >/dev/null 2>&1; then + gh pr create --head "$branch" --title "Update zsh modules" \ + --body "Automated zsh submodule update." --label auto-merge + fi + ''; + }; }
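Review bot: `git push -f origin "$branch"` in update-submodules unconditionally rewrites the fixed `update-zsh-modules` branch, so any fix-up commits a maintainer pushed onto the open PR are discarded by the next scheduled run, and because the PR carries the `auto-merge` label the rewritten branch can merge without a second look; either state the intent in a comment (`# bot-owned branch: always force-pushed, do not edit by hand`) or drop `-f` when `gh pr view` already finds a PR so a hand-edited branch makes the push fail loudly instead of being overwritten. The deleted update-packages workflow accepted a `package` input and ran `-p "$package"`, while the new `nix run .#updater -- --pr` always updates everything, so the on-demand trigger the commit message describes no longer covers the single-package case — worth either documenting on the effect or threading a parameter through mkRepoEffect. `gh pr view "$branch" >/dev/null 2>&1` hides authentication and rate-limit failures as well as "no PR", so such a run falls through to `gh pr create` and its error becomes the only diagnostic; redirecting only stdout keeps gh's own message in the log. The enclosing attribute set closes with the `}` context line at the end of this hunk.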