diff --git a/.github/workflows/flake_vendorhash.yaml b/.github/workflows/flake_vendorhash.yaml
index 5abdc8307..2ad4ff75f 100644
--- a/.github/workflows/flake_vendorhash.yaml
+++ b/.github/workflows/flake_vendorhash.yaml
@@ -27,11 +27,25 @@ jobs:
 with:
 fetch-depth: 0
 token: ${{ steps.generate_token.outputs.token }}
+ persist-credentials: false
+ - name: Enable GPG signing
+ run: |
+ echo '#!/bin/bash' > gpg-wrapper
+ echo 'gpg --passphrase "'${{ secrets.OCMBOT_SIGNING_KEY_PASS }}'" --yes --batch --pinentry-mode loopback $@ <&0' >> gpg-wrapper
+ echo 'exit $?' >> gpg-wrapper
+ chmod +x gpg-wrapper
+ echo -n "${{ secrets.OCMBOT_SIGNING_KEY }}" | base64 -d | ./gpg-wrapper --import
+ git config --global gpg.program "$(realpath gpg-wrapper)"
+ git config --global user.name ocmbot[bot]
+ git config --global user.email 125909804+ocmbot[bot]@users.noreply.github.com
+ git config --global user.signingkey ${{ secrets.OCMBOT_SIGNING_KEY_ID }}
+ git config --global commit.gpgsign true
+ git config --global tag.gpgsign true
 - name: Install Nix
 uses: DeterminateSystems/nix-installer-action@v12
 - name: Update ocm vendor hash
 run: nix run .#nixpkgs.nix-update -- --flake --version=skip ocm
- - name: Check diff
+ - name: Check diff and create action summary
 id: check-diff
 run: |
 diff=$(git diff)
@@ -39,19 +53,27 @@ jobs:
 echo "Everything is tidy."
 exit 0
 fi
-
 cat << EOF >> "${GITHUB_STEP_SUMMARY}"
 \`\`\`diff
 ${diff}
 \`\`\`
 EOF
+ cat << EOF >> body
+ This PR updates the vendorHash in flake.nix.
+ \`\`\`bash
+ nix run .#nixpkgs.nix-update -- --flake --version=skip ocm
+ \`\`\`
+ \`\`\`diff
+ ${diff}
+ \`\`\`
+ EOF
+ echo "body=$(realpath body)" >> "$GITHUB_OUTPUT"
 - name: Commit
 run: |
 diff=$(git diff)
 if [[ ! -z "$diff" ]]; then
- git config --global user.name "ocmbot"
- git config --global user.email "ocmbot@users.noreply.github.com"
- git commit -S -am "update vendorHash"
+ git add flake.*
+ git commit -S -m "update vendorHash"
 fi
 - name: Create pull request
 id: create_pull_request
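Review bot: The passphrase from `secrets.OCMBOT_SIGNING_KEY_PASS` is written in clear into `gpg-wrapper` in the "Enable GPG signing" step (a file created under the runner's default umask and then `chmod +x`, so likely readable by any local user) and is handed to gpg as a `--passphrase` argument, which makes it visible in the process list for every gpg invocation git performs. Passing the three secrets through `env:` and feeding the passphrase with `--passphrase-file` from a 0600 file under `$RUNNER_TEMP` keeps it out of the command line and the script body; the wrapper's `$@` should also be quoted as `"$@"` so gpg arguments containing spaces are not split, and the key id on the `user.signingkey` line should be quoted for the same reason. Interpolating `${{ secrets.* }}` directly into `run:` is harmless for secrets but is the same pattern that becomes injectable for non-secret expressions, so the `env:` form is also the safer habit. The Cleanup step at the end of the file would then need to delete the passphrase file as well as the wrapper.
```yaml
      - name: Enable GPG signing
        env:
          GPG_PASSPHRASE: ${{ secrets.OCMBOT_SIGNING_KEY_PASS }}
          GPG_PRIVATE_KEY: ${{ secrets.OCMBOT_SIGNING_KEY }}
          GPG_KEY_ID: ${{ secrets.OCMBOT_SIGNING_KEY_ID }}
        run: |
          umask 077
          printf '%s' "$GPG_PASSPHRASE" > "$RUNNER_TEMP/gpg-pass"
          cat > gpg-wrapper <<'WRAPPER'
          #!/bin/bash
          exec gpg --passphrase-file "${RUNNER_TEMP}/gpg-pass" --yes --batch --pinentry-mode loopback "$@"
          WRAPPER
          chmod 700 gpg-wrapper
          printf '%s' "$GPG_PRIVATE_KEY" | base64 -d | ./gpg-wrapper --import
          git config --global gpg.program "$(realpath gpg-wrapper)"
          # … unchanged: user.name / user.email …
          git config --global user.signingkey "$GPG_KEY_ID"
          # … unchanged: commit.gpgsign / tag.gpgsign …
```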
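Review bot: `git add flake.*` in the Commit step is a shell glob that stages any file matching the pattern, including untracked ones that the preceding `git diff` check never saw, so the signed commit can carry more than the vendorHash change it is named for. Staging the same explicit paths the create-pull-request step lists under `add-paths` is tighter, e.g. `git add flake.nix`, and keeps the commit and the PR in agreement about what changed. The `-S` on `git commit -S -m "update vendorHash"` is now redundant with `commit.gpgsign true` set earlier in the job, though harmless.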
@@ -59,7 +81,10 @@ jobs:
 with:
 token: ${{ steps.generate_token.outputs.token }}
 title: Update vendorHash in flake.nix
+ body-path: ${{ steps.check-diff.outputs.body }}
 branch: nix/flake
+ committer: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com>
+ author: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com>
 team-reviewers: ocm-dev
 add-paths: |
 flake.nix
@@ -71,3 +96,7 @@ jobs:
 token: ${{ steps.generate_token.outputs.token }}
 pull-request-number: ${{ steps.create_pull_request.outputs.pull-request-number }}
 merge-method: squash
+ - name: Cleanup
+ if: always()
+ run: |
+ rm -rf gpg-wrapper
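Review bot: The Cleanup step removes only the wrapper script, while the private key imported earlier in the job stays in the runner's GnuPG home and the global git config keeps pointing `gpg.program` at the now-deleted path. On ephemeral GitHub-hosted runners this does not matter, but if self-hosted runners are ever used for this workflow the signing key would persist between jobs; deleting the imported secret key (or the GnuPG home created for this job) and unsetting the `gpg.program`, `commit.gpgsign` and `tag.gpgsign` entries here would close that gap. As a point of style, `rm -f gpg-wrapper` is sufficient for a single regular file; `-r` is only needed for directories.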