diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 162fed05..8ca4ed01 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,11 +1,7 @@
 version: 2
 updates:
   - package-ecosystem: github-actions
+    open-pull-requests-limit: 15
     directory: "/"
     schedule:
       interval: daily
-    open-pull-requests-limit: 15
-    reviewers:
-      - NotAShelf
-    assignees:
-      - NotAShelf
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
new file mode 100644
index 00000000..10bf2089
--- /dev/null
+++ b/.github/workflows/update.yml
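Review bot: Dropping `reviewers` and `assignees` leaves Dependabot's github-actions PRs with no automatic review routing; if this is a deliberate move off the `reviewers` key (which, as far as I know, is deprecated upstream) rather than an oversight, a CODEOWNERS entry covering `.github/workflows/` restores review requests without any config in this file. Moving `open-pull-requests-limit` above `directory` is cosmetic; keeping the keys in their previous order would have made this a pure deletion and future diffs smaller.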
@@ -0,0 +1,91 @@
+name: Weekly Dependency Updates
+on:
+  workflow_dispatch:
+  schedule:
+    # 8 PM UTC every Friday
+    - cron: '0 20 * * 5'
+jobs:
+  update-dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: "Install Nix"
+        uses: cachix/install-nix-action@v31.8.2
+
+      - name: Set up Git
+        run: |
+          git config user.name "GitHub Actions Bot"
+          git config user.email "actions@github.com"
+
+      - name: Create branch for updates
+        run: |
+          DATE=$(date +%Y-%m-%d)
+          BRANCH_NAME="update/dependencies-$DATE"
+          git checkout -b $BRANCH_NAME
+          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
+
+      - name: Update npins
+        run: nix run nixpkgs#npins update
+
+      # Only update Nixpkgs. mnw might break on update, better to track it manually to avoid
+      # unexpected breakage.
+      - name: Update nixpkgs
+        run: nix flake update nixpkgs
+
+      - name: Check for changes
+        id: check_changes
+        run: |
+          if git diff --quiet; then
+            echo "No changes detected"
+            echo "changes_detected=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          else
+            echo "Changes detected"
+            echo "changes_detected=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      # FIXME: Worth adding additional checks for, e.g., fragile plugins
+      # or modules
+      # nix build .#checks..
+      # We'll probably want to handle this with machine tests
+      - name: Verify changes
+        if: steps.check_changes.outputs.changes_detected == 'true'
+        run: |
+          # Run verification tests to ensure updates don't break anything
+          nix flake check
+
+
+      - name: Set date variable
+        run: echo "DATE=$(date +%Y-%m-%d)" >> "$GITHUB_ENV"
+
+      - name: Commit and push changes
+        if: steps.check_changes.outputs.changes_detected == 'true'
+        run: |
+          git add .
+          git commit -m "pins: bump all plugins (${{ env.DATE }})"
+          git push -u origin $BRANCH_NAME
+
+      - name: Create Pull Request
+        if: steps.check_changes.outputs.changes_detected == 'true'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          branch: ${{ env.BRANCH_NAME }}
+          base: main
+          labels: dependencies,automated pr
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "npins: bump all plugins (${{ env.DATE }})"
+          title: "Weekly Dependency Updates: ${{ env.DATE }}"
+          body: |
+            > [!NOTE]
+            > This PR was automatically generated by the Weekly Dependency Updates workflow. Please wait
+            > for all CI steps to complete, and test any major changes personally.
+
+            Updates Performed:
+
+            - Updated dependencies using `npins update`
+            - Updated nixpkgs using `nix flake update nixpkgs`
+
+            If the verification steps have passed, updates should be safe to merge. For failing CI steps
+            submit a Pull Request targetting ${{ env.BRANCH_NAME }}
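Review bot: The new workflow sets no `permissions:` block, so the job token keeps the repository's default scope while the "Verify changes" step runs `nix flake check` against inputs that `npins update` and `nix flake update nixpkgs` have just fetched from upstream; because actions/checkout persists that token in `.git/config` (which the later `git push` relies on), it should be limited explicitly at job level to `permissions:` / `  contents: write` / `  pull-requests: write`. Pull requests opened with `secrets.GITHUB_TOKEN` do not trigger other workflows, so the body's "wait for all CI steps to complete" will not hold unless the create-pull-request step is given a GitHub App installation token or a fine-grained PAT stored as a repository secret instead. `actions/checkout@v5`, `cachix/install-nix-action@v31.8.2` and `peter-evans/create-pull-request@v7` are mutable tags; pinning each to a full commit SHA with the version in a trailing comment removes the tag-retargeting risk, and the github-actions Dependabot entry touched in this same diff will keep SHA pins current. The "Commit and push changes" step also duplicates what create-pull-request does: as far as I can tell the action commits the working tree itself, so once the branch has already been committed and pushed its `commit-message` input (`npins: bump …`, which anyway disagrees with the manual `pins: bump …`) has nothing left to commit — one of the two should be dropped, and "targetting" in the body text should read "targeting".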