├── .editorconfig
├── .envrc
├── .eslintrc.json
├── .github
    ├── PULL_REQUEST_TEMPLATE.md
    ├── dependabot.yml
    └── workflows
    │   ├── ci.yml
    │   ├── update.yml
    │   └── validate.yml
├── .gitignore
├── .prettierignore
├── LICENSE
├── README.md
├── action.yml
├── dist
    ├── index.d.ts
    ├── index.js
    ├── index.js.map
    └── package.json
├── flake.lock
├── flake.nix
├── package.json
├── pnpm-lock.yaml
├── prettier.config.cjs
├── shell.nix
├── src
    ├── index.ts
    ├── nix.test.ts
    └── nix.ts
├── tsconfig.json
└── tsup.config.ts


/.editorconfig:
--------------------------------------------------------------------------------
 1 | # https://editorconfig.org
 2 | root = true
 3 | 
 4 | [*]
 5 | indent_style = space
 6 | indent_size = 2
 7 | end_of_line = lf
 8 | charset = utf-8
 9 | trim_trailing_whitespace = true
10 | insert_final_newline = true
11 | 


--------------------------------------------------------------------------------
/.envrc:
--------------------------------------------------------------------------------
1 | use flake
2 | 


--------------------------------------------------------------------------------
/.eslintrc.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "plugins": ["@typescript-eslint"],
 3 |   "extends": ["plugin:github/recommended"],
 4 |   "parser": "@typescript-eslint/parser",
 5 |   "parserOptions": {
 6 |     "ecmaVersion": 9,
 7 |     "sourceType": "module",
 8 |     "project": "./tsconfig.json"
 9 |   },
10 |   "settings": {
11 |     "import/resolver": {
12 |       "typescript": {}
13 |     }
14 |   },
15 |   "rules": {
16 |     "i18n-text/no-en": "off",
17 |     "eslint-comments/no-use": "off",
18 |     "import/no-namespace": "off",
19 |     "no-unused-vars": "off",
20 |     "@typescript-eslint/no-unused-vars": [
21 |       "error",
22 |       {
23 |         "argsIgnorePattern": "^_"
24 |       }
25 |     ],
26 |     "@typescript-eslint/explicit-member-accessibility": [
27 |       "error",
28 |       {
29 |         "accessibility": "no-public"
30 |       }
31 |     ],
32 |     "@typescript-eslint/no-base-to-string": "error",
33 |     "@typescript-eslint/no-require-imports": "error",
34 |     "@typescript-eslint/array-type": "error",
35 |     "@typescript-eslint/await-thenable": "error",
36 |     "@typescript-eslint/ban-ts-comment": "error",
37 |     "camelcase": "error",
38 |     "@typescript-eslint/consistent-type-assertions": "error",
39 |     "@typescript-eslint/explicit-function-return-type": [
40 |       "error",
41 |       {
42 |         "allowExpressions": true
43 |       }
44 |     ],
45 |     "@typescript-eslint/func-call-spacing": ["error", "never"],
46 |     "@typescript-eslint/no-array-constructor": "error",
47 |     "@typescript-eslint/no-empty-interface": "error",
48 |     "@typescript-eslint/no-explicit-any": "error",
49 |     "@typescript-eslint/no-floating-promises": "error",
50 |     "@typescript-eslint/no-extraneous-class": "error",
51 |     "@typescript-eslint/no-for-in-array": "error",
52 |     "@typescript-eslint/no-inferrable-types": "error",
53 |     "@typescript-eslint/no-misused-new": "error",
54 |     "@typescript-eslint/no-namespace": "error",
55 |     "@typescript-eslint/no-non-null-assertion": "warn",
56 |     "@typescript-eslint/no-unnecessary-qualifier": "error",
57 |     "@typescript-eslint/no-unnecessary-type-assertion": "error",
58 |     "@typescript-eslint/no-useless-constructor": "error",
59 |     "@typescript-eslint/no-var-requires": "error",
60 |     "@typescript-eslint/prefer-for-of": "warn",
61 |     "@typescript-eslint/prefer-function-type": "warn",
62 |     "@typescript-eslint/prefer-includes": "error",
63 |     "@typescript-eslint/prefer-string-starts-ends-with": "error",
64 |     "@typescript-eslint/promise-function-async": "error",
65 |     "@typescript-eslint/require-array-sort-compare": "error",
66 |     "@typescript-eslint/restrict-plus-operands": "error",
67 |     "@typescript-eslint/type-annotation-spacing": "error",
68 |     "@typescript-eslint/unbound-method": "error"
69 |   },
70 |   "env": {
71 |     "node": true,
72 |     "es6": true
73 |   }
74 | }
75 | 


--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
 1 | ##### Description
 2 | 
 3 | <!---
 4 | Please include a short description of what your PR does and / or the motivation
 5 | behind it
 6 | --->
 7 | 
 8 | ##### Checklist
 9 | 
10 | - [ ] Tested functionality against a test repository (see ["How to test changes"](../README.md#how-to-test-changes))
11 | - [ ] Added or updated relevant documentation (leave unchecked if not applicable)
12 | 


--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
1 | version: 2
2 | updates:
3 |   - package-ecosystem: "github-actions"
4 |     directory: "/"
5 |     schedule:
6 |       interval: "daily"
7 | 


--------------------------------------------------------------------------------
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
 1 | name: CI
 2 | 
 3 | on:
 4 |   pull_request:
 5 |   push:
 6 |     branches: [main]
 7 | 
 8 | jobs:
 9 |   typescript-action:
10 |     runs-on: ubuntu-latest
11 |     permissions:
12 |       id-token: write
13 |       contents: read
14 |     steps:
15 |       - uses: actions/checkout@v4
16 |         with:
17 |           fetch-depth: 0
18 |       - name: Check Nixpkgs
19 |         uses: DeterminateSystems/flake-checker-action@main
20 |         with:
21 |           fail-mode: true
22 |       - name: Install Determinate Nix
23 |         uses: DeterminateSystems/determinate-nix-action@v3
24 |       - name: Enable FlakeHub Cache
25 |         uses: DeterminateSystems/flakehub-cache-action@main
26 |       - name: Install pnpm dependencies
27 |         run: nix develop --command pnpm install
28 |       - name: Check formatting
29 |         run: nix develop --command pnpm run check-fmt
30 |       - name: Lint
31 |         run: nix develop --command pnpm run lint
32 |       - name: Build
33 |         run: nix develop --command pnpm run build
34 |       - name: Run test suite
35 |         run: nix develop --command pnpm run test
36 |       - name: Package
37 |         run: nix develop --command pnpm run package
38 |       - name: Check git status
39 |         run: git status --porcelain=v1
40 |       - name: Ensure no staged changes
41 |         run: git diff --exit-code
42 | 


--------------------------------------------------------------------------------
/.github/workflows/update.yml:
--------------------------------------------------------------------------------
 1 | name: update-flake-lock
 2 | 
 3 | on:
 4 |   workflow_dispatch:
 5 |   schedule:
 6 |     - cron: "0 0 * * 0"
 7 | 
 8 | jobs:
 9 |   lockfile:
10 |     runs-on: ubuntu-latest
11 |     permissions:
12 |       id-token: write
13 |       contents: read
14 |     steps:
15 |       - name: Checkout
16 |         uses: actions/checkout@v4
17 |       - name: Install Determinate Nix
18 |         uses: DeterminateSystems/determinate-nix-action@v3
19 |       - name: Enable FlakeHub Cache
20 |         uses: DeterminateSystems/flakehub-cache-action@main
21 |       - name: Update flake.lock
22 |         uses: ./.
23 |         with:
24 |           _internal-strict-mode: true
25 | 


--------------------------------------------------------------------------------
/.github/workflows/validate.yml:
--------------------------------------------------------------------------------
 1 | name: CI
 2 | 
 3 | on:
 4 |   pull_request:
 5 |   push:
 6 |     branches: [main]
 7 | 
 8 | jobs:
 9 |   validate:
10 |     runs-on: ubuntu-latest
11 |     steps:
12 |       - uses: actions/checkout@v4
13 |         with:
14 |           fetch-depth: 0
15 |       - name: Validate YAML
16 |         uses: nwisbeta/validate-yaml-schema@v2.0.0
17 |         with:
18 |           yamlSchemasJson: |
19 |             {
20 |               "https://json.schemastore.org/github-action.json": ["action.yml"]
21 |             }
22 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # JS dependencies
2 | node_modules/
3 | 


--------------------------------------------------------------------------------
/.prettierignore:
--------------------------------------------------------------------------------
1 | dist/
2 | lib/
3 | node_modules/
4 | pnpm-lock.yaml
5 | README.md
6 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2021 Determinate Systems, Inc.
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # update-flake-lock
  2 | 
  3 | This is a GitHub Action that updates the [`flake.lock`][lockfile] file for your [Nix flake][flakes] whenever it is run.
  4 | 
  5 | > [!NOTE]
  6 | > As of v3, this action no longer automatically installs [Determinate Nix][det-nix] to the action runner.
  7 | > You **must** set up Nix with flakes support enabled prior to running this action or your workflow will not function as expected.
  8 | 
  9 | ## Example
 10 | 
 11 | Here's an example GitHub Action workflow using this Action:
 12 | 
 13 | ```yaml
 14 | name: "Flake.lock: update Nix dependencies"
 15 | 
 16 | on:
 17 |   workflow_dispatch: # allows manual triggering
 18 |   schedule:
 19 |     - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
 20 | 
 21 | jobs:
 22 |   nix-flake-update:
 23 |     permissions:
 24 |       contents: write
 25 |       id-token: write
 26 |       issues: write
 27 |       pull-requests: write
 28 |     runs-on: ubuntu-latest
 29 |     steps:
 30 |       - uses: actions/checkout@v4
 31 |       - uses: DeterminateSystems/determinate-nix-action@v3
 32 |       - uses: DeterminateSystems/update-flake-lock@main
 33 |         with:
 34 |           pr-title: "Update Nix flake inputs" # Title of PR to be created
 35 |           pr-labels: |                  # Labels to be set on the PR
 36 |             dependencies
 37 |             automated
 38 | ```
 39 | 
 40 | ## Example updating specific input(s)
 41 | 
 42 | > [!NOTE]
 43 | > If any inputs have a stale reference (e.g. the lockfile thinks a git input wants its "ref" to be "nixos-unstable", but the flake.nix specifies "nixos-unstable-small"), they are also updated. At this time, there is no known workaround.
 44 | 
 45 | It's also possible to update specific [flake inputs][inputs] by specifying them in a space-separated list:
 46 | 
 47 | ```yaml
 48 | name: update-flake-lock
 49 | 
 50 | on:
 51 |   workflow_dispatch: # allows manual triggering
 52 |   schedule:
 53 |     - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
 54 | 
 55 | jobs:
 56 |   lockfile:
 57 |     runs-on: ubuntu-latest
 58 |     steps:
 59 |       - name: Checkout repository
 60 |         uses: actions/checkout@v4
 61 |       - name: Install Determinate Nix
 62 |         uses: DeterminateSystems/determinate-nix-action@v3
 63 |       - name: Update flake.lock
 64 |         uses: DeterminateSystems/update-flake-lock@main
 65 |         with:
 66 |           inputs: input1 input2 input3
 67 | ```
 68 | 
 69 | ## Example adding options to nix command
 70 | 
 71 | It's also possible to use specific options to the `nix` command in a space-separated list:
 72 | 
 73 | ```yaml
 74 | name: update-flake-lock
 75 | on:
 76 |   workflow_dispatch: # allows manual triggering
 77 |   schedule:
 78 |     - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
 79 | 
 80 | jobs:
 81 |   lockfile:
 82 |     runs-on: ubuntu-latest
 83 |     steps:
 84 |       - name: Checkout repository
 85 |         uses: actions/checkout@v4
 86 |       - name: Install Determinate Nix
 87 |         uses: DeterminateSystems/determinate-nix-action@v3
 88 |       - name: Update flake.lock
 89 |         uses: DeterminateSystems/update-flake-lock@main
 90 |         with:
 91 |           nix-options: --debug --log-format raw
 92 | ```
 93 | 
 94 | ## Example that prints the number of the created PR
 95 | 
 96 | ```yaml
 97 | name: update-flake-lock
 98 | on:
 99 |   workflow_dispatch: # allows manual triggering
100 |   schedule:
101 |     - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
102 | 
103 | jobs:
104 |   lockfile:
105 |     runs-on: ubuntu-latest
106 |     steps:
107 |       - name: Checkout repository
108 |         uses: actions/checkout@v4
109 |       - name: Install Determinate Nix
110 |         uses: DeterminateSystems/determinate-nix-action@v3
111 |       - name: Update flake.lock
112 |         id: update
113 |         uses: DeterminateSystems/update-flake-lock@main
114 |         with:
115 |           inputs: input1 input2 input3
116 |       - name: Print PR number
117 |         run: echo Pull request number is ${{ steps.update.outputs.pull-request-number }}.
118 | ```
119 | 
120 | ## Example that doesn't run on PRs
121 | 
122 | If you were to run this action as a part of your CI workflow, you may want to prevent it from running against Pull Requests.
123 | 
124 | ```yaml
125 | name: update-flake-lock
126 | on:
127 |   workflow_dispatch: # allows manual triggering
128 |   pull_request: # triggers on every Pull Request
129 |   schedule:
130 |     - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
131 | 
132 | jobs:
133 |   lockfile:
134 |     runs-on: ubuntu-latest
135 |     steps:
136 |       - name: Checkout repository
137 |         uses: actions/checkout@v4
138 |       - name: Install Determinate Nix
139 |         uses: DeterminateSystems/determinate-nix-action@v3
140 |       - name: Update flake.lock
141 |         if: ${{ github.event_name != 'pull_request' }}
142 |         uses: DeterminateSystems/update-flake-lock@main
143 |         with:
144 |           inputs: input1 input2 input3
145 |           path-to-flake-dir: 'nix/' # in this example our flake doesn't sit at the root of the repository, it sits under 'nix/flake.nix'
146 | ```
147 | 
148 | ## Example using a different Git user
149 | 
150 | If you want to change the author and / or committer of the flake.lock update commit, you can tweak the `git-{author,committer}-{name,email}` options:
151 | 
152 | ```yaml
153 | name: update-flake-lock
154 | on:
155 |   workflow_dispatch: # allows manual triggering
156 |   schedule:
157 |     - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
158 | 
159 | jobs:
160 |   lockfile:
161 |     runs-on: ubuntu-latest
162 |     steps:
163 |       - name: Checkout repository
164 |         uses: actions/checkout@v4
165 |       - name: Install Determinate Nix
166 |         uses: DeterminateSystems/determinate-nix-action@v3
167 |       - name: Update flake.lock
168 |         uses: DeterminateSystems/update-flake-lock@main
169 |         with:
170 |           git-author-name: Jane Author
171 |           git-author-email: github-actions[bot]@users.noreply.github.com
172 |           git-committer-name: John Committer
173 |           git-committer-email: github-actions[bot]@users.noreply.github.com
174 | ```
175 | 
176 | ## Running GitHub Actions CI
177 | 
178 | GitHub Actions doesn't run workflows when a branch is pushed by or a PR is opened by a GitHub Action.
179 | There are two ways to have GitHub Actions CI run on a PR submitted by this action.
180 | 
181 | ### Without a Personal Authentication Token
182 | 
183 | Without using a Personal Authentication Token, close and reopen the pull request manually to kick off CI.
184 | 
185 | ### With a Personal Authentication Token
186 | 
187 | By providing a Personal Authentication Token, the PR is submitted in a way that bypasses this limitation (GitHub essentially thinks it's the owner of the PAT submitting the PR, and not an Action).
188 | You can create a token by visiting https://github.com/settings/tokens and select at least the `repo` scope. For the new fine-grained tokens, you need to enable read and write access for "Contents" and "Pull Requests" permissions. Then, store this token in your repository secrets (i.e. `https://github.com/<USER>/<REPO>/settings/secrets/actions`) as `GH_TOKEN_FOR_UPDATES` and set up your workflow file like the following:
189 | 
190 | ```yaml
191 | name: update-flake-lock
192 | on:
193 |   workflow_dispatch: # allows manual triggering
194 |   schedule:
195 |     - cron: '0 0 * * 1,4' # Run twice a week
196 | 
197 | jobs:
198 |   lockfile:
199 |     runs-on: ubuntu-latest
200 |     steps:
201 |       - name: Checkout repository
202 |         uses: actions/checkout@v4
203 |       - name: Install Determinate Nix
204 |         uses: DeterminateSystems/determinate-nix-action@v3
205 |       - name: Update flake.lock
206 |         uses: DeterminateSystems/update-flake-lock@main
207 |         with:
208 |           token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
209 | ```
210 | 
211 | ## With GPG commit signing
212 | 
213 | It's possible for the bot to produce GPG-signed commits.
214 | Associating a GPG public key to a GitHub user account isn't required but it *is* necessary if you want the signed commits to appear as verified in Github.
215 | This can be a compliance requirement in some cases.
216 | 
217 | You can follow [GitHub's guide to creating and/or adding a new GPG key to an user account](https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-new-gpg-key-to-your-github-account).
218 | Using a specific GitHub user account for the bot can be a good security measure to dissociate this bot's actions and commits from your personal GitHub account.
219 | 
220 | For the bot to produce signed commits, you need to provide the GPG private keys to this action's input parameters. You can safely do that with [Github secrets as explained here](https://github.com/crazy-max/ghaction-import-gpg#prerequisites).
221 | 
222 | When using commit signing, the commit author name and email for the commits produced by this bot would correspond to the ones associated to the GPG Public Key.
223 | 
224 | If you want to sign using a subkey, you must specify the subkey fingerprint using the `gpg-fingerprint` input parameter.
225 | 
226 | Here's an example of how to using this action with commit signing:
227 | 
228 | ```yaml
229 | name: update-flake-lock
230 | 
231 | on:
232 |   workflow_dispatch: # allows manual triggering
233 |   schedule:
234 |     - cron: '0 0 * * 1,4' # Run twice a week
235 | 
236 | jobs:
237 |   lockfile:
238 |     runs-on: ubuntu-latest
239 |     steps:
240 |       - name: Checkout repository
241 |         uses: actions/checkout@v4
242 |       - name: Install Determinate Nix
243 |         uses: DeterminateSystems/determinate-nix-action@v3
244 |       - name: Update flake.lock
245 |         uses: DeterminateSystems/update-flake-lock@main
246 |         with:
247 |           sign-commits: true
248 |           gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
249 |           gpg-fingerprint: ${{ secrets.GPG_FINGERPRINT }} # specify subkey fingerprint (optional)
250 |           gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
251 | ```
252 | 
253 | ## Custom PR Body
254 | 
255 | By default, the generated PR body uses this template:
256 | 
257 | ````handlebars
258 | Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
259 | 
260 | ````
261 | {{ env.GIT_COMMIT_MESSAGE }}
262 | ````
263 | ```
264 | 
265 | ### Running GitHub Actions on this PR
266 | 
267 | GitHub Actions doesn't run workflows on pull requests that are opened by a GitHub Action.
268 | 
269 | To run GitHub Actions workflows on this PR, run:
270 | 
271 | ```sh
272 | git branch -D update_flake_lock_action
273 | git fetch origin
274 | git checkout update_flake_lock_action
275 | git commit --amend --no-edit
276 | git push origin update_flake_lock_action --force
277 | ```
278 | ````
279 | 
280 | You can customize it, however, using variable interpolation performed with [Handlebars].
281 | This enables you to customize the template with these variables:
282 | 
283 | - `env.GIT_AUTHOR_NAME`
284 | - `env.GIT_AUTHOR_EMAIL`
285 | - `env.GIT_COMMITTER_NAME`
286 | - `env.GIT_COMMITTER_EMAIL`
287 | - `env.GIT_COMMIT_MESSAGE`
288 | 
289 | ## Add assignees or reviewers
290 | 
291 | You can assign the PR to or request a review from one or more GitHub users with `pr-assignees` and `pr-reviewers`, respectively.
292 | These properties expect a comma or newline separated list of GitHub usernames:
293 | 
294 | ```yaml
295 | name: update-flake-lock
296 | on:
297 |   workflow_dispatch: # allows manual triggering
298 |   schedule:
299 |     - cron: '0 0 * * 1,4' # Run twice a week
300 | 
301 | jobs:
302 |   lockfile:
303 |     runs-on: ubuntu-latest
304 |     steps:
305 |       - name: Checkout repository
306 |         uses: actions/checkout@v4
307 |       - name: Install Determinate Nix
308 |         uses: DeterminateSystems/determinate-nix-action@v3
309 |       - name: Update flake.lock
310 |         uses: DeterminateSystems/update-flake-lock@main
311 |         with:
312 |           pr-assignees: SomeGitHubUsername
313 |           pr-reviewers: SomeOtherGitHubUsername,SomeThirdGitHubUsername
314 | ```
315 | 
316 | ## Contributing
317 | 
318 | Feel free to send a PR or open an issue if you find that something functions unexpectedly!
319 | Please make sure to test your changes and update any related documentation before submitting your PR.
320 | 
321 | ### How to test changes
322 | 
323 | In order to more easily test your changes to this action, we have created a template repository that should point you in the right direction: https://github.com/DeterminateSystems/update-flake-lock-test-template.
324 | Please see the README in that repository for instructions on testing your changes.
325 | 
326 | [det-nix]: https://docs.determinate.systems/determinate-nix
327 | [flakes]: https://zero-to-nix.com/concepts/flakes
328 | [handlebars]: https://handlebarsjs.com
329 | [inputs]: https://zero-to-nix.com/concepts/flakes/#inputs
330 | [lockfile]: https://zero-to-nix.com/concepts/flakes/#lockfile
331 | 


--------------------------------------------------------------------------------
/action.yml:
--------------------------------------------------------------------------------
  1 | name: "Update Nix Flake Lock"
  2 | description: "Update your Nix flake.lock and send a PR"
  3 | inputs:
  4 |   inputs:
  5 |     description: "A space-separated list of inputs to update. Leave empty to update all inputs."
  6 |     required: false
  7 |     default: ""
  8 |   token:
  9 |     description: "GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)"
 10 |     required: false
 11 |     default: ${{ github.token }}
 12 |   commit-msg:
 13 |     description: "The message provided with the commit"
 14 |     required: false
 15 |     default: "flake.lock: Update"
 16 |   base:
 17 |     description: "Sets the pull request base branch. Defaults to the branch checked out in the workflow."
 18 |     required: false
 19 |   branch:
 20 |     description: "The branch of the PR to be created"
 21 |     required: false
 22 |     default: "update_flake_lock_action"
 23 |   path-to-flake-dir:
 24 |     description: "The path of the directory containing `flake.nix` file within your repository. Useful when `flake.nix` cannot reside at the root of your repository."
 25 |     required: false
 26 |   pr-title:
 27 |     description: "The title of the PR to be created"
 28 |     required: false
 29 |     default: "flake.lock: Update"
 30 |   pr-body:
 31 |     description: "The body of the PR to be created"
 32 |     required: false
 33 |     default: |
 34 |       Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
 35 | 
 36 |       ```
 37 |       {{ env.GIT_COMMIT_MESSAGE }}
 38 |       ```
 39 | 
 40 |       ### Running GitHub Actions on this PR
 41 | 
 42 |       GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.
 43 | 
 44 |       **To run GitHub Actions workflows on this PR, close and re-open this pull request.**
 45 | 
 46 |   pr-labels:
 47 |     description: "A comma or newline separated list of labels to set on the Pull Request to be created"
 48 |     required: false
 49 |     default: ""
 50 |   pr-assignees:
 51 |     description: "A comma or newline separated list of assignees (GitHub usernames)."
 52 |     required: false
 53 |     default: ""
 54 |   pr-reviewers:
 55 |     description: "A comma or newline separated list of reviewers (GitHub usernames) to request a review from."
 56 |     required: false
 57 |     default: ""
 58 |   git-author-name:
 59 |     description: "Author name used for commit. Only used if sign-commits is false."
 60 |     required: false
 61 |     default: "github-actions[bot]"
 62 |   git-author-email:
 63 |     description: "Author email used for commit. Only used if sign-commits is false."
 64 |     required: false
 65 |     default: "github-actions[bot]@users.noreply.github.com"
 66 |   git-committer-name:
 67 |     description: "Committer name used for commit. Only used if sign-commits is false."
 68 |     required: false
 69 |     default: "github-actions[bot]"
 70 |   git-committer-email:
 71 |     description: "Committer email used for commit. Only used if sign-commits is false."
 72 |     required: false
 73 |     default: "github-actions[bot]@users.noreply.github.com"
 74 |   sign-commits:
 75 |     description: "Set to true if the action should sign the commit with GPG"
 76 |     required: false
 77 |     default: "false"
 78 |   gpg-private-key:
 79 |     description: "GPG Private Key with which to sign the commits in the PR to be created"
 80 |     required: false
 81 |     default: ""
 82 |   gpg-fingerprint:
 83 |     description: "Fingerprint of specific GPG subkey to use"
 84 |     required: false
 85 |   gpg-passphrase:
 86 |     description: "GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created"
 87 |     required: false
 88 |     default: ""
 89 |   nix-options:
 90 |     description: "A space-separated list of options to pass to the nix command"
 91 |     required: false
 92 |     default: ""
 93 |   _internal-strict-mode:
 94 |     description: Whether to fail when any errors are thrown. Used only to test the Action; do not set this in your own workflows.
 95 |     required: false
 96 |     default: false
 97 | outputs:
 98 |   pull-request-number:
 99 |     description: "The number of the opened pull request"
100 |     value: ${{ steps.create-pr.outputs.pull-request-number }}
101 |   pull-request-url:
102 |     description: "The The URL of the opened pull request."
103 |     value: ${{ steps.create-pr.outputs.pull-request-url }}
104 |   pull-request-operation:
105 |     description: "The pull request operation performed by the action, `created`, `updated` or `closed`."
106 |     value: ${{ steps.create-pr.outputs.pull-request-operation }}
107 | runs:
108 |   using: "composite"
109 |   steps:
110 |     - name: Import bot's GPG key for signing commits
111 |       if: ${{ inputs.sign-commits == 'true' }}
112 |       id: import-gpg
113 |       uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
114 |       with:
115 |         gpg_private_key: ${{ inputs.gpg-private-key }}
116 |         fingerprint: ${{ inputs.gpg-fingerprint }}
117 |         passphrase: ${{ inputs.gpg-passphrase }}
118 |         git_config_global: true
119 |         git_user_signingkey: true
120 |         git_commit_gpgsign: true
121 |     - name: Set environment variables (signed commits)
122 |       if: ${{ inputs.sign-commits == 'true' }}
123 |       shell: bash
124 |       env:
125 |         GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }}
126 |         GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }}
127 |         GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }}
128 |         GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }}
129 |         TARGETS: ${{ inputs.inputs }}
130 |       run: |
131 |         echo "GIT_AUTHOR_NAME=$GIT_AUTHOR_NAME" >> $GITHUB_ENV
132 |         echo "GIT_AUTHOR_EMAIL=<$GIT_AUTHOR_EMAIL>" >> $GITHUB_ENV
133 |         echo "GIT_COMMITTER_NAME=$GIT_COMMITTER_NAME" >> $GITHUB_ENV
134 |         echo "GIT_COMMITTER_EMAIL=<$GIT_COMMITTER_EMAIL>" >> $GITHUB_ENV
135 |     - name: Set environment variables (unsigned commits)
136 |       if: ${{ inputs.sign-commits != 'true' }}
137 |       shell: bash
138 |       run: |
139 |         echo "GIT_AUTHOR_NAME=${{ inputs.git-author-name }}" >> $GITHUB_ENV
140 |         echo "GIT_AUTHOR_EMAIL=<${{ inputs.git-author-email }}>" >> $GITHUB_ENV
141 |         echo "GIT_COMMITTER_NAME=${{ inputs.git-committer-name }}" >> $GITHUB_ENV
142 |         echo "GIT_COMMITTER_EMAIL=<${{ inputs.git-committer-email }}>" >> $GITHUB_ENV
143 |     - name: Run update-flake-lock
144 |       shell: bash
145 |       run: node "$GITHUB_ACTION_PATH/dist/index.js"
146 |       env:
147 |         # The following manually exposes all of the action inputs into INPUT_ environment variables so actionsCore.getInput works:
148 |         # https://github.com/actions/toolkit/blob/ae38557bb0dba824cdda26ce787bd6b66cf07a83/packages/core/src/core.ts#L126
149 |         INPUT_BASE: ${{ inputs.base }}
150 |         INPUT_BRANCH: ${{ inputs.branch }}
151 |         INPUT_COMMIT-MSG: ${{ inputs.commit-msg }}
152 |         INPUT_GIT-AUTHOR-EMAIL: ${{ inputs.git-author-email }}
153 |         INPUT_GIT-AUTHOR-NAME: ${{ inputs.git-author-name }}
154 |         INPUT_GIT-COMMITTER-EMAIL: ${{ inputs.git-committer-email }}
155 |         INPUT_GIT-COMMITTER-NAME: ${{ inputs.git-committer-name }}
156 |         INPUT_GPG-FINGERPRINT: ${{ inputs.gpg-fingerprint }}
157 |         INPUT_GPG-PASSPHRASE: ${{ inputs.gpg-passphrase }}
158 |         INPUT_GPG-PRIVATE-KEY: ${{ inputs.gpg-private-key }}
159 |         INPUT_INPUTS: ${{ inputs.inputs }}
160 |         INPUT_NIX-OPTIONS: ${{ inputs.nix-options }}
161 |         INPUT_PATH-TO-FLAKE-DIR: ${{ inputs.path-to-flake-dir }}
162 |         INPUT_PR-ASSIGNEES: ${{ inputs.pr-assignees }}
163 |         INPUT_PR-BODY: ${{ inputs.pr-body }}
164 |         INPUT_PR-LABELS: ${{ inputs.pr-labels }}
165 |         INPUT_PR-REVIEWERS: ${{ inputs.pr-reviewers }}
166 |         INPUT_PR-TITLE: ${{ inputs.pr-title }}
167 |         INPUT_PULL-REQUEST-NUMBER: ${{ inputs.pull-request-number }}
168 |         INPUT_PULL-REQUEST-OPERATION: ${{ inputs.pull-request-operation }}
169 |         INPUT_SIGN-COMMITS: ${{ inputs.sign-commits }}
170 |         INPUT_TOKEN: ${{ inputs.token }}
171 |         INPUT__INTERNAL-STRICT-MODE: ${{ inputs._internal-strict-mode }}
172 |     - name: Save PR Body as file
173 |       uses: DamianReeves/write-file-action@v1.3
174 |       with:
175 |         path: pr_body.template
176 |         contents: ${{ inputs.pr-body }}
177 |       env: {}
178 |     - name: Set additional env variables (GIT_COMMIT_MESSAGE)
179 |       shell: bash
180 |       run: |
181 |         DELIMITER=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
182 |         COMMIT_MESSAGE="$(git log --format=%b -n 1)"
183 |         echo "GIT_COMMIT_MESSAGE<<$DELIMITER" >> $GITHUB_ENV
184 |         echo "$COMMIT_MESSAGE" >> $GITHUB_ENV
185 |         echo "$DELIMITER" >> $GITHUB_ENV
186 |         echo "GIT_COMMIT_MESSAGE is: ${COMMIT_MESSAGE}"
187 |     - name: Interpolate PR Body
188 |       uses: pedrolamas/handlebars-action@2995d7eadacbc8f2f6ab8431a01d84a5fa3b8bb4 # v2.4.0
189 |       with:
190 |         files: "pr_body.template"
191 |         output-filename: "pr_body.txt"
192 |     - name: Read pr_body.txt
193 |       id: pr_body
194 |       uses: juliangruber/read-file-action@v1
195 |       with:
196 |         path: "pr_body.txt"
197 |     # We need to remove the pr_body files so that the
198 |     # peter-evans/create-pull-request action does not commit it (the
199 |     # action commits all new and modified files).
200 |     - name: Remove PR body template files
201 |       shell: bash
202 |       run: rm -f pr_body.txt pr_body.template
203 |     - name: Create PR
204 |       id: create-pr
205 |       uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
206 |       with:
207 |         base: ${{ inputs.base }}
208 |         branch: ${{ inputs.branch }}
209 |         delete-branch: true
210 |         committer: ${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }}
211 |         author: ${{ env.GIT_AUTHOR_NAME }} ${{ env.GIT_AUTHOR_EMAIL }}
212 |         title: ${{ inputs.pr-title }}
213 |         token: ${{ inputs.token }}
214 |         assignees: ${{ inputs.pr-assignees }}
215 |         labels: ${{ inputs.pr-labels }}
216 |         reviewers: ${{ inputs.pr-reviewers }}
217 |         body: ${{ steps.pr_body.outputs.content }}
218 | 


--------------------------------------------------------------------------------
/dist/index.d.ts:
--------------------------------------------------------------------------------
1 | 
2 | export {  }
3 | 


--------------------------------------------------------------------------------
/dist/index.js.map:
--------------------------------------------------------------------------------
1 | {"version":3,"sources":["../src/nix.ts","../src/index.ts"],"sourcesContent":["// Build the Nix args out of inputs from the Actions environment\nexport function makeNixCommandArgs(\n  nixOptions: string[],\n  flakeInputs: string[],\n  commitMessage: string,\n): string[] {\n  const flakeInputFlags = flakeInputs.flatMap((input) => [\n    \"--update-input\",\n    input,\n  ]);\n\n  // NOTE(cole-h): In Nix versions 2.23.0 and later, `commit-lockfile-summary` became an alias to\n  // the setting `commit-lock-file-summary` (https://github.com/NixOS/nix/pull/10691), and Nix does\n  // not treat aliases the same as their \"real\" setting by requiring setting aliases to be\n  // configured via `--option <alias name> <option value>`\n  // (https://github.com/NixOS/nix/issues/10989).\n  // So, we go the long way so that we can support versions both before and after Nix 2.23.0.\n  const lockfileSummaryFlags = [\n    \"--option\",\n    \"commit-lockfile-summary\",\n    commitMessage,\n  ];\n\n  const updateLockMechanism = flakeInputFlags.length === 0 ? \"update\" : \"lock\";\n\n  return nixOptions\n    .concat([\"flake\", updateLockMechanism])\n    .concat(flakeInputFlags)\n    .concat([\"--commit-lock-file\"])\n    .concat(lockfileSummaryFlags);\n}\n","import { makeNixCommandArgs } from \"./nix.js\";\nimport * as actionsCore from \"@actions/core\";\nimport * as actionsExec from \"@actions/exec\";\nimport { DetSysAction, inputs } from \"detsys-ts\";\n\nconst EVENT_EXECUTION_FAILURE = \"execution_failure\";\n\nclass UpdateFlakeLockAction extends DetSysAction {\n  private commitMessage: string;\n  private nixOptions: string[];\n  private flakeInputs: string[];\n  private pathToFlakeDir: string | null;\n\n  constructor() {\n    super({\n      name: \"update-flake-lock\",\n      fetchStyle: \"universal\",\n      requireNix: \"fail\",\n    });\n\n    this.commitMessage = inputs.getString(\"commit-msg\");\n    this.flakeInputs = inputs.getArrayOfStrings(\"inputs\", \"space\");\n    this.nixOptions = inputs.getArrayOfStrings(\"nix-options\", \"space\");\n    this.pathToFlakeDir = inputs.getStringOrNull(\"path-to-flake-dir\");\n  }\n\n  async main(): Promise<void> {\n    await this.update();\n  }\n\n  // No post phase\n  async post(): Promise<void> {}\n\n  async update(): Promise<void> {\n    // Nix command of this form:\n    // nix ${maybe nix options} flake ${\"update\" or \"lock\"} ${maybe --update-input flags} --commit-lock-file --commit-lockfile-summary ${commit message}\n    // Example commands:\n    // nix --extra-substituters https://example.com flake lock --update-input nixpkgs --commit-lock-file --commit-lockfile-summary \"updated flake.lock\"\n    // nix flake update --commit-lock-file --commit-lockfile-summary \"updated flake.lock\"\n    const nixCommandArgs: string[] = makeNixCommandArgs(\n      this.nixOptions,\n      this.flakeInputs,\n      this.commitMessage,\n    );\n\n    actionsCore.debug(\n      JSON.stringify({\n        options: this.nixOptions,\n        inputs: this.flakeInputs,\n        message: this.commitMessage,\n        args: nixCommandArgs,\n      }),\n    );\n\n    const execOptions: actionsExec.ExecOptions = {\n      cwd: this.pathToFlakeDir !== null ? this.pathToFlakeDir : undefined,\n      ignoreReturnCode: true,\n    };\n\n    const exitCode = await actionsExec.exec(\"nix\", nixCommandArgs, execOptions);\n\n    if (exitCode !== 0) {\n      this.recordEvent(EVENT_EXECUTION_FAILURE, {\n        exitCode,\n      });\n      actionsCore.setFailed(`non-zero exit code of ${exitCode} detected`);\n    } else {\n      actionsCore.info(`flake.lock file was successfully updated`);\n    }\n  }\n}\n\nfunction main(): void {\n  new UpdateFlakeLockAction().execute();\n}\n\nmain();\n"],"mappings":";AACO,SAAS,mBACd,YACA,aACA,eACU;AACV,QAAM,kBAAkB,YAAY,QAAQ,CAAC,UAAU;AAAA,IACrD;AAAA,IACA;AAAA,EACF,CAAC;AAQD,QAAM,uBAAuB;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,QAAM,sBAAsB,gBAAgB,WAAW,IAAI,WAAW;AAEtE,SAAO,WACJ,OAAO,CAAC,SAAS,mBAAmB,CAAC,EACrC,OAAO,eAAe,EACtB,OAAO,CAAC,oBAAoB,CAAC,EAC7B,OAAO,oBAAoB;AAChC;;;AC7BA,YAAY,iBAAiB;AAC7B,YAAY,iBAAiB;AAC7B,SAAS,cAAc,cAAc;AAErC,IAAM,0BAA0B;AAEhC,IAAM,wBAAN,cAAoC,aAAa;AAAA,EAM/C,cAAc;AACZ,UAAM;AAAA,MACJ,MAAM;AAAA,MACN,YAAY;AAAA,MACZ,YAAY;AAAA,IACd,CAAC;AAED,SAAK,gBAAgB,OAAO,UAAU,YAAY;AAClD,SAAK,cAAc,OAAO,kBAAkB,UAAU,OAAO;AAC7D,SAAK,aAAa,OAAO,kBAAkB,eAAe,OAAO;AACjE,SAAK,iBAAiB,OAAO,gBAAgB,mBAAmB;AAAA,EAClE;AAAA,EAEA,MAAM,OAAsB;AAC1B,UAAM,KAAK,OAAO;AAAA,EACpB;AAAA;AAAA,EAGA,MAAM,OAAsB;AAAA,EAAC;AAAA,EAE7B,MAAM,SAAwB;AAM5B,UAAM,iBAA2B;AAAA,MAC/B,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAEA,IAAY;AAAA,MACV,KAAK,UAAU;AAAA,QACb,SAAS,KAAK;AAAA,QACd,QAAQ,KAAK;AAAA,QACb,SAAS,KAAK;AAAA,QACd,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,UAAM,cAAuC;AAAA,MAC3C,KAAK,KAAK,mBAAmB,OAAO,KAAK,iBAAiB;AAAA,MAC1D,kBAAkB;AAAA,IACpB;AAEA,UAAM,WAAW,MAAkB,iBAAK,OAAO,gBAAgB,WAAW;AAE1E,QAAI,aAAa,GAAG;AAClB,WAAK,YAAY,yBAAyB;AAAA,QACxC;AAAA,MACF,CAAC;AACD,MAAY,sBAAU,yBAAyB,QAAQ,WAAW;AAAA,IACpE,OAAO;AACL,MAAY,iBAAK,0CAA0C;AAAA,IAC7D;AAAA,EACF;AACF;AAEA,SAAS,OAAa;AACpB,MAAI,sBAAsB,EAAE,QAAQ;AACtC;AAEA,KAAK;","names":[]}


--------------------------------------------------------------------------------
/dist/package.json:
--------------------------------------------------------------------------------
1 | {
2 |   "type": "module"
3 | }
4 | 


--------------------------------------------------------------------------------
/flake.lock:
--------------------------------------------------------------------------------
 1 | {
 2 |   "nodes": {
 3 |     "nixpkgs": {
 4 |       "locked": {
 5 |         "lastModified": 1746663147,
 6 |         "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
 7 |         "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
 8 |         "revCount": 796699,
 9 |         "type": "tarball",
10 |         "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.796699%2Brev-dda3dcd3fe03e991015e9a74b22d35950f264a54/0196b263-02b0-7dec-8aca-c2506ed2485f/source.tar.gz"
11 |       },
12 |       "original": {
13 |         "type": "tarball",
14 |         "url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.%2A.tar.gz"
15 |       }
16 |     },
17 |     "root": {
18 |       "inputs": {
19 |         "nixpkgs": "nixpkgs"
20 |       }
21 |     }
22 |   },
23 |   "root": "root",
24 |   "version": 7
25 | }
26 | 


--------------------------------------------------------------------------------
/flake.nix:
--------------------------------------------------------------------------------
 1 | {
 2 |   description = "update-flake-lock";
 3 | 
 4 |   inputs.nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1.*.tar.gz";
 5 | 
 6 |   outputs = { self, nixpkgs }:
 7 |     let
 8 |       supportedSystems = [ "x86_64-linux" "aarch64-darwin" "aarch64-linux" "x86_64-darwin" ];
 9 |       forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f {
10 |         pkgs = import nixpkgs { inherit system; };
11 |       });
12 |     in
13 |     {
14 |       devShells = forEachSupportedSystem ({ pkgs }: {
15 |         default = pkgs.mkShell {
16 |           packages = with pkgs; [
17 |             nodejs_latest
18 |             nodePackages_latest.pnpm
19 |           ];
20 |         };
21 |       });
22 |     };
23 | }
24 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "update-flake-lock",
 3 |   "version": "1.0.0",
 4 |   "description": "",
 5 |   "main": "./dist/index.js",
 6 |   "types": "./dist/index.d.ts",
 7 |   "type": "module",
 8 |   "scripts": {
 9 |     "build": "tsup",
10 |     "format": "prettier --write .",
11 |     "check-fmt": "prettier --check .",
12 |     "lint": "eslint src/**/*.ts --ignore-pattern *.test.ts",
13 |     "package": "ncc build",
14 |     "test": "vitest --watch false",
15 |     "all": "pnpm run format && pnpm run lint && pnpm run build && pnpm run package"
16 |   },
17 |   "repository": {
18 |     "type": "git",
19 |     "url": "git+https://github.com/DeterminateSystems/update-flake-lock.git"
20 |   },
21 |   "keywords": [],
22 |   "author": "",
23 |   "license": "MIT",
24 |   "bugs": {
25 |     "url": "https://github.com/DeterminateSystems/update-flake-lock/issues"
26 |   },
27 |   "homepage": "https://github.com/DeterminateSystems/update-flake-lock#readme",
28 |   "dependencies": {
29 |     "@actions/core": "^1.11.1",
30 |     "@actions/exec": "^1.1.1",
31 |     "detsys-ts": "github:DeterminateSystems/detsys-ts"
32 |   },
33 |   "devDependencies": {
34 |     "@trivago/prettier-plugin-sort-imports": "^4.3.0",
35 |     "@typescript-eslint/eslint-plugin": "^7.18.0",
36 |     "@vercel/ncc": "^0.38.3",
37 |     "eslint": "^8.57.1",
38 |     "eslint-import-resolver-typescript": "^3.10.1",
39 |     "eslint-plugin-github": "^4.10.2",
40 |     "eslint-plugin-import": "^2.31.0",
41 |     "eslint-plugin-prettier": "^5.4.1",
42 |     "prettier": "^3.5.3",
43 |     "tsup": "^8.5.0",
44 |     "typescript": "^5.8.3",
45 |     "vitest": "^3.2.0"
46 |   }
47 | }
48 | 


--------------------------------------------------------------------------------
/prettier.config.cjs:
--------------------------------------------------------------------------------
 1 | /** @type {import('prettier').Config} */
 2 | module.exports = {
 3 |   plugins: [require.resolve("@trivago/prettier-plugin-sort-imports")],
 4 |   semi: true,
 5 |   singleQuote: false,
 6 |   tabWidth: 2,
 7 |   trailingComma: "all",
 8 |   useTabs: false,
 9 |   // Import sorting
10 |   importOrderSeparation: true,
11 |   importOrderSortSpecifiers: true,
12 | };
13 | 


--------------------------------------------------------------------------------
/shell.nix:
--------------------------------------------------------------------------------
1 | (import
2 |   (fetchTarball {
3 |     url = "https://github.com/edolstra/flake-compat/archive/99f1c2157fba4bfe6211a321fd0ee43199025dbf.tar.gz";
4 |     sha256 = "0x2jn3vrawwv9xp15674wjz9pixwjyj3j771izayl962zziivbx2";
5 |   })
6 |   { src = ./.; }).shellNix
7 | 


--------------------------------------------------------------------------------
/src/index.ts:
--------------------------------------------------------------------------------
 1 | import { makeNixCommandArgs } from "./nix.js";
 2 | import * as actionsCore from "@actions/core";
 3 | import * as actionsExec from "@actions/exec";
 4 | import { DetSysAction, inputs } from "detsys-ts";
 5 | 
 6 | const EVENT_EXECUTION_FAILURE = "execution_failure";
 7 | 
 8 | class UpdateFlakeLockAction extends DetSysAction {
 9 |   private commitMessage: string;
10 |   private nixOptions: string[];
11 |   private flakeInputs: string[];
12 |   private pathToFlakeDir: string | null;
13 | 
14 |   constructor() {
15 |     super({
16 |       name: "update-flake-lock",
17 |       fetchStyle: "universal",
18 |       requireNix: "fail",
19 |     });
20 | 
21 |     this.commitMessage = inputs.getString("commit-msg");
22 |     this.flakeInputs = inputs.getArrayOfStrings("inputs", "space");
23 |     this.nixOptions = inputs.getArrayOfStrings("nix-options", "space");
24 |     this.pathToFlakeDir = inputs.getStringOrNull("path-to-flake-dir");
25 |   }
26 | 
27 |   async main(): Promise<void> {
28 |     await this.update();
29 |   }
30 | 
31 |   // No post phase
32 |   async post(): Promise<void> {}
33 | 
34 |   async update(): Promise<void> {
35 |     // Nix command of this form:
36 |     // nix ${maybe nix options} flake ${"update" or "lock"} ${maybe --update-input flags} --commit-lock-file --commit-lockfile-summary ${commit message}
37 |     // Example commands:
38 |     // nix --extra-substituters https://example.com flake lock --update-input nixpkgs --commit-lock-file --commit-lockfile-summary "updated flake.lock"
39 |     // nix flake update --commit-lock-file --commit-lockfile-summary "updated flake.lock"
40 |     const nixCommandArgs: string[] = makeNixCommandArgs(
41 |       this.nixOptions,
42 |       this.flakeInputs,
43 |       this.commitMessage,
44 |     );
45 | 
46 |     actionsCore.debug(
47 |       JSON.stringify({
48 |         options: this.nixOptions,
49 |         inputs: this.flakeInputs,
50 |         message: this.commitMessage,
51 |         args: nixCommandArgs,
52 |       }),
53 |     );
54 | 
55 |     const execOptions: actionsExec.ExecOptions = {
56 |       cwd: this.pathToFlakeDir !== null ? this.pathToFlakeDir : undefined,
57 |       ignoreReturnCode: true,
58 |     };
59 | 
60 |     const exitCode = await actionsExec.exec("nix", nixCommandArgs, execOptions);
61 | 
62 |     if (exitCode !== 0) {
63 |       this.recordEvent(EVENT_EXECUTION_FAILURE, {
64 |         exitCode,
65 |       });
66 |       actionsCore.setFailed(`non-zero exit code of ${exitCode} detected`);
67 |     } else {
68 |       actionsCore.info(`flake.lock file was successfully updated`);
69 |     }
70 |   }
71 | }
72 | 
73 | function main(): void {
74 |   new UpdateFlakeLockAction().execute();
75 | }
76 | 
77 | main();
78 | 


--------------------------------------------------------------------------------
/src/nix.test.ts:
--------------------------------------------------------------------------------
 1 | import { makeNixCommandArgs } from "./nix.js";
 2 | import { expect, test } from "vitest";
 3 | 
 4 | type TestCase = {
 5 |   inputs: {
 6 |     nixOptions: string[];
 7 |     flakeInputs: string[];
 8 |     commitMessage: string;
 9 |   };
10 |   expected: string[];
11 | };
12 | 
13 | test("Nix command arguments", () => {
14 |   const testCases: TestCase[] = [
15 |     {
16 |       inputs: {
17 |         nixOptions: ["--log-format", "raw"],
18 |         flakeInputs: [],
19 |         commitMessage: "just testing",
20 |       },
21 |       expected: [
22 |         "--log-format",
23 |         "raw",
24 |         "flake",
25 |         "update",
26 |         "--commit-lock-file",
27 |         "--option",
28 |         "commit-lockfile-summary",
29 |         "just testing",
30 |       ],
31 |     },
32 |     {
33 |       inputs: {
34 |         nixOptions: [],
35 |         flakeInputs: ["nixpkgs", "rust-overlay"],
36 |         commitMessage: "just testing",
37 |       },
38 |       expected: [
39 |         "flake",
40 |         "lock",
41 |         "--update-input",
42 |         "nixpkgs",
43 |         "--update-input",
44 |         "rust-overlay",
45 |         "--commit-lock-file",
46 |         "--option",
47 |         "commit-lockfile-summary",
48 |         "just testing",
49 |       ],
50 |     },
51 |     {
52 |       inputs: {
53 |         nixOptions: ["--debug"],
54 |         flakeInputs: [],
55 |         commitMessage: "just testing",
56 |       },
57 |       expected: [
58 |         "--debug",
59 |         "flake",
60 |         "update",
61 |         "--commit-lock-file",
62 |         "--option",
63 |         "commit-lockfile-summary",
64 |         "just testing",
65 |       ],
66 |     },
67 |   ];
68 | 
69 |   testCases.forEach(({ inputs, expected }) => {
70 |     const args = makeNixCommandArgs(
71 |       inputs.nixOptions,
72 |       inputs.flakeInputs,
73 |       inputs.commitMessage,
74 |     );
75 |     expect(args).toStrictEqual(expected);
76 |   });
77 | });
78 | 


--------------------------------------------------------------------------------
/src/nix.ts:
--------------------------------------------------------------------------------
 1 | // Build the Nix args out of inputs from the Actions environment
 2 | export function makeNixCommandArgs(
 3 |   nixOptions: string[],
 4 |   flakeInputs: string[],
 5 |   commitMessage: string,
 6 | ): string[] {
 7 |   const flakeInputFlags = flakeInputs.flatMap((input) => [
 8 |     "--update-input",
 9 |     input,
10 |   ]);
11 | 
12 |   // NOTE(cole-h): In Nix versions 2.23.0 and later, `commit-lockfile-summary` became an alias to
13 |   // the setting `commit-lock-file-summary` (https://github.com/NixOS/nix/pull/10691), and Nix does
14 |   // not treat aliases the same as their "real" setting by requiring setting aliases to be
15 |   // configured via `--option <alias name> <option value>`
16 |   // (https://github.com/NixOS/nix/issues/10989).
17 |   // So, we go the long way so that we can support versions both before and after Nix 2.23.0.
18 |   const lockfileSummaryFlags = [
19 |     "--option",
20 |     "commit-lockfile-summary",
21 |     commitMessage,
22 |   ];
23 | 
24 |   const updateLockMechanism = flakeInputFlags.length === 0 ? "update" : "lock";
25 | 
26 |   return nixOptions
27 |     .concat(["flake", updateLockMechanism])
28 |     .concat(flakeInputFlags)
29 |     .concat(["--commit-lock-file"])
30 |     .concat(lockfileSummaryFlags);
31 | }
32 | 


--------------------------------------------------------------------------------
/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "compilerOptions": {
 3 |     "target": "ES2020" /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */,
 4 |     "module": "Node16",
 5 |     "moduleResolution": "NodeNext",
 6 |     "outDir": "./dist",
 7 |     "rootDir": "./src",
 8 |     "strict": true /* Enable all strict type-checking options. */,
 9 |     "noImplicitAny": true /* Raise error on expressions and declarations with an implied 'any' type. */,
10 |     "esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */,
11 |     "resolveJsonModule": true,
12 |     "declaration": true
13 |   },
14 |   "exclude": ["node_modules", "**/*.test.ts", "dist"]
15 | }
16 | 


--------------------------------------------------------------------------------
/tsup.config.ts:
--------------------------------------------------------------------------------
 1 | import { name } from "./package.json";
 2 | import { defineConfig } from "tsup";
 3 | 
 4 | export default defineConfig({
 5 |   name,
 6 |   entry: ["src/index.ts"],
 7 |   format: ["esm"],
 8 |   target: "node20",
 9 |   bundle: true,
10 |   splitting: false,
11 |   sourcemap: true,
12 |   clean: true,
13 |   dts: {
14 |     resolve: true,
15 |   },
16 | });
17 | 


--------------------------------------------------------------------------------