diff --git a/.github/allowed-nix-update-users.nix b/.github/allowed-nix-update-users.nix
new file mode 100644
index 000000000..f843a6473
--- /dev/null
+++ b/.github/allowed-nix-update-users.nix
@@ -0,0 +1,20 @@
+github:
+let
+ commenter = github.event.sender;
+ allowlist = {
+ # See id on https://api.github.com/users/
+ "HerrLevin" = 1267894;
+ "jeyemwey" = 2796271;
+ "MrKrisKrisu" = 4103693;
+ "NyCodeGHG" = 37078297;
+ "xanderio" = 6298052;
+ };
+ isAllowedUser = builtins.elem commenter.id (
+ (builtins.attrValues allowlist) ++ [github.event.issue.user.id]
+ );
+in
+ if isAllowedUser then
+ builtins.trace "The user '${commenter.login}' is allowed to run the command. ✅"
+ true
+ else
+ builtins.throw "The user '${commenter.login}' is not allowed to run the command. ❌"
diff --git a/.github/workflows/nix-ci.yml b/.github/workflows/nix-ci.yml
index af79e4ee0..4230671ae 100644
--- a/.github/workflows/nix-ci.yml
+++ b/.github/workflows/nix-ci.yml
@@ -8,7 +8,25 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
+ - name: Check if relevant files changed
+ shell: bash
+ id: check
+ run: |
+ # most sane regex
+ # checks if one of these files/directories has been touched
+ # - package.json
+ # - package-lock.json
+ # - nix/
+ # - composer.json
+ # - composer.lock
+ if [ -n "$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} | grep -P '^(?:package(?:-lock)?\.json$|nix\/|composer\.(?:json|lock)$)')" ]; then
+ echo "File(s) changed so this job runs"
+ else
+ echo "no files changed so we exit neutrally"
+ echo "skip=true" >> "$GITHUB_OUTPUT"
+ fi
 - name: Install nix
+ if: "steps.check.outputs.skip != 'true'"
 uses: cachix/install-nix-action@v22
 with:
 nix_path: nixpkgs=channel:nixos-unstable
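Review bot: The `isAllowedUser` line appends `github.event.issue.user.id` to the allowlist values, so the author of the pull request passes the check regardless of the hard-coded ids; if the repository accepts pull requests from outside collaborators, that means whoever opened the PR can trigger `/nix-update`, which in this commit's `nix-update-command.yml` checks out the PR head branch and runs `nix develop` under a job with `contents: write`. If only the named accounts are meant to run the command, drop the `++ [github.event.issue.user.id]` part; if PR authors are meant to be allowed, a comment above that line stating so would keep a reader from assuming the five ids are the only gate. A second comment worth adding is that this file is evaluated from the default-branch checkout, which is what prevents a PR from editing its own allowlist.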
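Review bot: In the `Check if relevant files changed` step, `git diff --name-only ${{ github.event.before }} ${{ github.sha }}` runs against the default `actions/checkout@v3` shallow clone, where the `before` commit is normally not present, and on `pull_request` events (which the later steps of this file handle) `github.event.before` is empty for newly opened PRs; in either case `git diff` errors, its stdout is empty, and the `-n` test falls through to `skip=true`, so the hash check is silently skipped exactly when the change set could not be determined. Capturing the diff and failing on error, e.g. `changed="$(git diff --name-only "$BASE" "$HEAD")" || exit 1` with the two refs passed through `env:` instead of interpolated into the script, makes the skip explicit, and the checkout needs a `fetch-depth` that includes the base commit for the diff to work at all. Separately, this step's `id: check` is reused by the `Check if up-to-date` step in the next hunk of this file, so two steps in the same job share an id and `steps.check.outputs.*` becomes ambiguous; one of them needs a distinct id such as `id: changed-files`.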
@@ -17,25 +35,47 @@ jobs: # name: trawelling # authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - - name: Prepare Nix shell - run: nix develop --impure .#ci - - - name: Update npm Hashes - working-directory: nix/package/web - run: nix develop --impure .#ci --command "./update.sh" - - - name: Update Composer Hashes - working-directory: nix/package - run: nix develop --impure .#ci --command "./update.sh" + - name: Update generated files + if: "steps.check.outputs.skip != 'true'" + run: nix develop --impure .#ci --command "update-nix-package-deps" - name: Check if up-to-date shell: bash + id: check + if: "steps.check.outputs.skip != 'true'" run: | - if [ "$(git status --porcelain=v1 2>/dev/null | wc -l)" = "1" ]; then + if [[ ! -z $(git status -s) ]]; then git status - echo "::error::Nix hashes are not up to date. Update them with the `update-nix-package-dep` command in the nix devshell." + echo "up-to-date=false" >> "$GITHUB_OUTPUT" fi + - name: Find Comment + uses: peter-evans/find-comment@v2 + if: "steps.check.outputs.skip != 'true' && github.event_name == 'pull_request' && steps.check.outputs.up-to-date == 'false'" + id: fc + with: + issue-number: ${{ github.event.pull_request.number }} + comment-author: 'github-actions[bot]' + body-includes: This comment was written by a bot! + + - name: Create comment + if: "steps.check.outputs.skip != 'true' && steps.fc.outputs.comment-id == '' && github.event_name == 'pull_request' && steps.check.outputs.up-to-date == 'false'" + uses: peter-evans/create-or-update-comment@v3 + with: + issue-number: ${{ github.event.pull_request.number }} + body: | + The composer or npm dependencies are out of sync with the generated nix files. + + Please update the files by either running the `update-nix-package-dep` script locally + or let GitHub actions do it by running `/nix-update`. 
+ + *This comment was written by a bot!* 🤖 + + - name: Fail Build + if: "steps.check.outputs.skip != 'true' && steps.check.outputs.up-to-date == 'false'" + shell: bash + run: exit 1 + build: name: Build Package runs-on: ubuntu-latest diff --git a/.github/workflows/nix-update-command.yml b/.github/workflows/nix-update-command.yml new file mode 100644 index 000000000..aa52a4b94 --- /dev/null +++ b/.github/workflows/nix-update-command.yml 
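Review bot: The bot comment body tells the contributor to run the `update-nix-package-dep` script, while the `Update generated files` step above invokes `update-nix-package-deps`, so the instruction names a command that does not match what CI runs; the body should read `update-nix-package-deps`. The `Find Comment` and `Create comment` steps are gated on `github.event_name == 'pull_request'`, so on a `push` the only visible outcome is `Fail Build` running `exit 1` with no explanation, whereas the removed line used to print an `::error::` hint; keeping a one-line `echo "::error::Nix hashes are not up to date; run update-nix-package-deps in the nix devshell."` in the `Fail Build` step would preserve that for push builds. The `check` job whose steps this hunk modifies begins in the previous hunk, where the same `id: check` is already assigned to the changed-files step.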
@@ -0,0 +1,106 @@
+name: Nix Update Command
+on:
+ issue_comment:
+ types:
+ - created
+ - edited
+
+concurrency: nix-update-${{ github.event.issue.number }}
+
+jobs:
+ command:
+ if: "github.event.comment.body == '/nix-update' && github.event.issue.pull_request"
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+ steps:
+ - name: Install Nix
+ uses: cachix/install-nix-action@v22
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+
+ - name: Checkout Self
+ uses: actions/checkout@v3
+ with:
+ repository: ${{ github.repository }}
+ ref: refs/heads/${{ github.event.repository.default_branch }}
+
+ - name: Check if user is allowed to run the command
+ shell: bash
+ id: perms
+ run: |
+ echo '${{ toJSON(github) }}' > /tmp/context.json
+ if nix eval --expr 'import ./.github/allowed-nix-update-users.nix (builtins.fromJSON (builtins.readFile /tmp/context.json))' --impure; then
+ echo "allowed=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "allowed=false" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Add no permission reacton
+ if: "${{ steps.perms.outputs.allowed == 'false' }}"
+ uses: peter-evans/create-or-update-comment@v3
+ with:
+ comment-id: ${{ github.event.comment.id }}
+ reactions: '-1'
+
+ - name: Add okay reaction
+ if: "${{ steps.perms.outputs.allowed }}"
+ uses: peter-evans/create-or-update-comment@v3
+ with:
+ comment-id: ${{ github.event.comment.id }}
+ reactions: '+1'
+
+ - id: get-branch
+ if: "${{ steps.perms.outputs.allowed }}"
+ name: Get PR branch
+ run: echo "branch=$(gh pr view $PR_NO --repo $REPO --json headRefName --jq '.headRefName')" >> "$GITHUB_OUTPUT"
+ env:
+ REPO: ${{ github.repository }}
+ PR_NO: ${{ github.event.issue.number }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Checkout PR
+ if: "${{ steps.perms.outputs.allowed }}"
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.get-branch.outputs.branch }}
+
+ - name: Update Nix Files
+ if: "${{ steps.perms.outputs.allowed }}"
+ run: nix develop --impure .#ci --command "update-nix-package-deps"
+
+ - name: Commit and Push changes
+ if: "${{ steps.perms.outputs.allowed }}"
+ shell: bash
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ # Configure git user
+ git config user.name "GitHub Actions"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+ # Check if any changes were made
+ if [[ ! -z $(git status -s) ]]; then
+ git commit -a -F - <