mirror of
https://github.com/DeterminateSystems/update-flake-lock.git
synced 2024-12-23 13:32:07 +01:00
Merge pull request #38 from edulix/main
This commit is contained in:
commit
8c1a4653b4
2 changed files with 169 additions and 32 deletions
68
README.md
68
README.md
|
@ -166,6 +166,74 @@ jobs:
|
|||
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
|
||||
```
|
||||
|
||||
## With GPG commit signing
|
||||
|
||||
It's possible for the bot to produce GPG signed commits. Associating a GPG public key to a github user account is not required but it is necessary if you want the signed commits to appear as verified in Github. This can be a compliance requirement in some cases.
|
||||
|
||||
You can follow [Github's guide on creating and/or adding a new GPG key to an user account](https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-new-gpg-key-to-your-github-account). Using a specific github user account for the bot can be a good security measure to dissociate this bot's actions and commits from your personal github account.
|
||||
|
||||
For the bot to produce signed commits, you will have to provide the GPG private keys to this action's input parameters. You can safely do that with [Github secrets as explained here](https://github.com/crazy-max/ghaction-import-gpg#prerequisites).
|
||||
|
||||
When using commit signing, the commit author name and email for the commits produced by this bot would correspond to the ones associated to the GPG Public Key.
|
||||
|
||||
You can find an example of how to using this action with commit signing below:
|
||||
|
||||
```yaml
|
||||
name: update-flake-lock
|
||||
on:
|
||||
workflow_dispatch: # allows manual triggering
|
||||
schedule:
|
||||
- cron: '0 0 * * 1,4' # Run twice a week
|
||||
|
||||
jobs:
|
||||
lockfile:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
- name: Install Nix
|
||||
uses: cachix/install-nix-action@v16
|
||||
- name: Update flake.lock
|
||||
uses: DeterminateSystems/update-flake-lock@vX
|
||||
with:
|
||||
sign-commits: true
|
||||
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
|
||||
gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
|
||||
```
|
||||
|
||||
## Custom PR Body
|
||||
|
||||
By default the generated PR body is set to be the following template:
|
||||
|
||||
````handlebars
|
||||
Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
|
||||
|
||||
```
|
||||
{{ env.GIT_COMMIT_MESSAGE }}
|
||||
```
|
||||
|
||||
### Running GitHub Actions on this PR
|
||||
|
||||
GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.
|
||||
|
||||
To run GitHub Actions workflows on this PR, run:
|
||||
|
||||
```sh
|
||||
git branch -D update_flake_lock_action
|
||||
git fetch origin
|
||||
git checkout update_flake_lock_action
|
||||
git commit --amend --no-edit
|
||||
git push origin update_flake_lock_action --force
|
||||
```
|
||||
````
|
||||
|
||||
However you can customize it, with variable interpolation performed with [Handlebars](https://handlebarsjs.com/). This allows you to customize the template with the following variables:
|
||||
- env.GIT_AUTHOR_NAME
|
||||
- env.GIT_AUTHOR_EMAIL
|
||||
- env.GIT_COMMITTER_NAME
|
||||
- env.GIT_COMMITTER_EMAIL
|
||||
- env.GIT_COMMIT_MESSAGE
|
||||
|
||||
## Contributing
|
||||
|
||||
Feel free to send a PR or open an issue if you find something functions unexpectedly! Please make sure to test your changes and update any related documentation before submitting your PR.
|
||||
|
|
133
action.yml
133
action.yml
|
@ -21,10 +21,46 @@ inputs:
|
|||
description: 'The title of the PR to be created'
|
||||
required: false
|
||||
default: "flake.lock: Update"
|
||||
pr-body:
|
||||
description: 'The body of the PR to be created'
|
||||
required: false
|
||||
default: |
|
||||
Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
|
||||
|
||||
```
|
||||
{{ env.GIT_COMMIT_MESSAGE }}
|
||||
```
|
||||
|
||||
### Running GitHub Actions on this PR
|
||||
|
||||
GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.
|
||||
|
||||
To run GitHub Actions workflows on this PR, run:
|
||||
|
||||
```sh
|
||||
git branch -D update_flake_lock_action
|
||||
git fetch origin
|
||||
git checkout update_flake_lock_action
|
||||
git commit --amend --no-edit
|
||||
git push origin update_flake_lock_action --force
|
||||
```
|
||||
|
||||
pr-labels:
|
||||
description: 'A comma or newline separated list of labels to set on the Pull Request to be created'
|
||||
required: false
|
||||
default: ''
|
||||
sign-commits:
|
||||
description: 'Set to true if the action should sign the commit with GPG'
|
||||
required: false
|
||||
default: 'false'
|
||||
gpg-private-key:
|
||||
description: 'GPG Private Key with which to sign the commits in the PR to be created'
|
||||
required: false
|
||||
default: ''
|
||||
gpg-passphrase:
|
||||
description: 'GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created'
|
||||
required: false
|
||||
default: ''
|
||||
outputs:
|
||||
pull-request-number:
|
||||
description: 'The number of the opened pull request'
|
||||
|
@ -32,49 +68,82 @@ outputs:
|
|||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- run: $GITHUB_ACTION_PATH/update-flake-lock.sh
|
||||
- name: Import bot's GPG key for signing commits
|
||||
if: ${{ inputs.sign-commits == 'true' }}
|
||||
id: import-gpg
|
||||
uses: crazy-max/ghaction-import-gpg@v4
|
||||
with:
|
||||
gpg_private_key: ${{ inputs.gpg-private-key }}
|
||||
passphrase: ${{ inputs.gpg-passphrase }}
|
||||
git_config_global: true
|
||||
git_user_signingkey: true
|
||||
git_commit_gpgsign: true
|
||||
- name: Set environment variables (signed commits)
|
||||
if: ${{ inputs.sign-commits == 'true' }}
|
||||
shell: bash
|
||||
env:
|
||||
GIT_AUTHOR_NAME: github-actions[bot]
|
||||
GIT_AUTHOR_EMAIL: <github-actions[bot]@users.noreply.github.com>
|
||||
GIT_COMMITTER_NAME: github-actions[bot]
|
||||
GIT_COMMITTER_EMAIL: <github-actions[bot]@users.noreply.github.com>
|
||||
GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }}
|
||||
GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }}
|
||||
GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }}
|
||||
GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }}
|
||||
TARGETS: ${{ inputs.inputs }}
|
||||
run: |
|
||||
echo "GIT_AUTHOR_NAME=$GIT_AUTHOR_NAME" >> $GITHUB_ENV
|
||||
echo "GIT_AUTHOR_EMAIL=<$GIT_AUTHOR_EMAIL>" >> $GITHUB_ENV
|
||||
echo "GIT_COMMITTER_NAME=$GIT_COMMITTER_NAME" >> $GITHUB_ENV
|
||||
echo "GIT_COMMITTER_EMAIL=<$GIT_COMMITTER_EMAIL>" >> $GITHUB_ENV
|
||||
- name: Set environment variables (unsigned commits)
|
||||
if: ${{ inputs.sign-commits != 'true' }}
|
||||
shell: bash
|
||||
run: |
|
||||
echo "GIT_AUTHOR_NAME=github-actions[bot]" >> $GITHUB_ENV
|
||||
echo "GIT_AUTHOR_EMAIL=<github-actions[bot]@users.noreply.github.com>" >> $GITHUB_ENV
|
||||
echo "GIT_COMMITTER_NAME=github-actions[bot]" >> $GITHUB_ENV
|
||||
echo "GIT_COMMITTER_EMAIL=<github-actions[bot]@users.noreply.github.com>" >> $GITHUB_ENV
|
||||
- name: Run update-flake-lock.sh
|
||||
run: $GITHUB_ACTION_PATH/update-flake-lock.sh
|
||||
shell: bash
|
||||
env:
|
||||
GIT_AUTHOR_NAME: ${{ env.GIT_AUTHOR_NAME }}
|
||||
GIT_AUTHOR_EMAIL: ${{ env.GIT_AUTHOR_EMAIL }}
|
||||
GIT_COMMITTER_NAME: ${{ env.GIT_COMMITTER_NAME }}
|
||||
GIT_COMMITTER_EMAIL: ${{ env.GIT_COMMITTER_EMAIL }}
|
||||
TARGETS: ${{ inputs.inputs }}
|
||||
COMMIT_MSG: ${{ inputs.commit-msg }}
|
||||
- run: |
|
||||
content="$(git log --format=%b -n 1)"
|
||||
content="${content//'%'/'%25'}"
|
||||
content="${content//$'\n'/'%0A'}"
|
||||
content="${content//$'\r'/'%0D'}"
|
||||
echo "::set-output name=msg::$content"
|
||||
- name: Save PR Body as file
|
||||
uses: DamianReeves/write-file-action@v1.1
|
||||
with:
|
||||
path: pr_body.template
|
||||
contents: ${{ inputs.pr-body }}
|
||||
env: {}
|
||||
- name: Set additional env variables (GIT_COMMIT_MESSAGE)
|
||||
shell: bash
|
||||
id: commit_message
|
||||
run: |
|
||||
GIT_COMMIT_MESSAGE="$(git log --format=%b -n 1)"
|
||||
GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//'%'/'%25'}"
|
||||
GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//$'\n'/'%0A'}"
|
||||
GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//$'\r'/'%0D'}"
|
||||
echo "GIT_COMMIT_MESSAGE=$GIT_COMMIT_MESSAGE" >> $GITHUB_ENV
|
||||
echo "GIT_COMMIT_MESSAGE is: ${GIT_COMMIT_MESSAGE}"
|
||||
- name: Interpolate PR Body
|
||||
uses: pedrolamas/handlebars-action@v2.0.0
|
||||
with:
|
||||
files: 'pr_body.template'
|
||||
output-filename: 'pr_body.txt'
|
||||
- name: Read pr_body.txt
|
||||
id: pr_body
|
||||
uses: andstor/file-reader-action@v1
|
||||
with:
|
||||
path: "pr_body.txt"
|
||||
- name: Create PR
|
||||
id: create-pr
|
||||
uses: peter-evans/create-pull-request@v3
|
||||
with:
|
||||
branch: ${{ inputs.branch }}
|
||||
delete-branch: true
|
||||
committer: ${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }}
|
||||
author: ${{ env.GIT_AUTHOR_NAME }} ${{ env.GIT_AUTHOR_EMAIL }}
|
||||
title: ${{ inputs.pr-title }}
|
||||
token: ${{ inputs.token }}
|
||||
labels: ${{ inputs.pr-labels }}
|
||||
body: |
|
||||
Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
|
||||
|
||||
```
|
||||
${{ steps.commit_message.outputs.msg }}
|
||||
```
|
||||
|
||||
### Running GitHub Actions on this PR
|
||||
|
||||
GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.
|
||||
|
||||
To run GitHub Actions workflows on this PR, run:
|
||||
|
||||
```sh
|
||||
git branch -D update_flake_lock_action
|
||||
git fetch origin
|
||||
git checkout update_flake_lock_action
|
||||
git commit --amend --no-edit
|
||||
git push origin update_flake_lock_action --force
|
||||
```
|
||||
body: ${{ steps.pr_body.outputs.contents }}
|
||||
|
|
Loading…
Reference in a new issue