ci: add update command action

Traewelling · Sep 3, 2023 · b713046 · b713046
1 parent 4db2f84
commit b713046
Show file tree

Hide file tree

Showing 3 changed files with 174 additions and 12 deletions.
diff --git a/.github/allowed-nix-update-users.nix b/.github/allowed-nix-update-users.nix
@@ -0,0 +1,20 @@
+github:
+let
+  commenter = github.event.sender;
+  allowlist = {
+    # See id on https://api.github.com/users/<username>
+    "HerrLevin" = 1267894;
+    "jeyemwey" = 2796271;
+    "MrKrisKrisu" = 4103693;
+    "NyCodeGHG" = 37078297;
+    "xanderio" = 6298052;
+  };
+  isAllowedUser = builtins.elem commenter.id (
+    (builtins.attrValues allowlist) ++ [github.event.issue.user.id]
+  );
+in
+  if isAllowedUser then
+    builtins.trace "The user '${commenter.login}' is allowed to run the command. ✅"
+    true
+  else
+    builtins.throw "The user '${commenter.login}' is not allowed to run the command. ❌"
diff --git a/.github/workflows/nix-ci.yml b/.github/workflows/nix-ci.yml
@@ -8,6 +8,22 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+      - name: Check if relevant files changed
+        shell: bash
+        run: |
+          # most sane regex
+          # checks if one of these files/directories has been touched
+          # - package.json
+          # - package-lock.json
+          # - nix/
+          # - composer.json
+          # - composer.lock
+          if [ -n "$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} | grep -P '^(?:package(?:-lock)?\.json$|nix\/|composer\.(?:json|lock)$)'" ]; then
+            echo "File(s) changed so this job runs"
+          else
+            echo "no files changed so we exit neutrally (not success or failure)"
+            exit 78
+          fi
       - name: Install nix
         uses: cachix/install-nix-action@v22
         with:
@@ -17,25 +33,45 @@ jobs:
       #     name: trawelling
       #     authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
 
-      - name: Prepare Nix shell
-        run: nix develop --impure .#ci
-
-      - name: Update npm Hashes
-        working-directory: nix/package/web
-        run: nix develop --impure .#ci --command "./update.sh"
-
-      - name: Update Composer Hashes
-        working-directory: nix/package
-        run: nix develop --impure .#ci --command "./update.sh"
+      - name: Update generated files
+        run: nix develop --impure .#ci --command "update-nix-package-deps"
 
       - name: Check if up-to-date
         shell: bash
+        id: check
         run: |
-          if [ "$(git status --porcelain=v1 2>/dev/null | wc -l)" = "1" ]; then
+          if [[ ! -z $(git status -s) ]]; then
             git status
-            echo "::error::Nix hashes are not up to date. Update them with the `update-nix-package-dep` command in the nix devshell."
+            echo "up-to-date=false" >> "$GITHUB_OUTPUT"
           fi
 
+      - name: Find Comment
+        uses: peter-evans/find-comment@v2
+        if: "github.event_name == 'pull_request' && steps.check.outputs.up-to-date == 'false'"
+        id: fc
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: This comment was written by a bot!
+
+      - name: Create comment
+        if: "steps.fc.outputs.comment-id == '' && github.event_name == 'pull_request' && steps.check.outputs.up-to-date == 'false'"
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            The composer or npm dependencies are out of sync with the generated nix files.
+
+            Please update the files by either running the `update-nix-package-dep` script locally
+            or let GitHub actions do it by running `/nix-update`.
+
+            *This comment was written by a bot!* 🤖
+
+      - name: Fail Build
+        if: "steps.check.outputs.up-to-date == 'false'"
+        shell: bash
+        run: exit 1
+
   build:
     name: Build Package
     runs-on: ubuntu-latest

diff --git a/.github/workflows/nix-update-command.yml b/.github/workflows/nix-update-command.yml
@@ -0,0 +1,106 @@
+name: Nix Update Command
+on:
+  issue_comment:
+    types:
+      - created
+      - edited
+
+concurrency: nix-update-${{ github.event.issue.number }}
+
+jobs:
+  command:
+    if: "github.event.comment.body == '/nix-update' && github.event.issue.pull_request"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Install Nix
+        uses: cachix/install-nix-action@v22
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+
+      - name: Checkout Self
+        uses: actions/checkout@v3
+        with:
+          repository: ${{ github.repository }}
+          ref: refs/heads/${{ github.event.repository.default_branch }}
+
+      - name: Check if user is allowed to run the command
+        shell: bash
+        id: perms
+        run: |
+          echo '${{ toJSON(github) }}' > /tmp/context.json
+          if nix eval --expr 'import ./.github/allowed-nix-update-users.nix (builtins.fromJSON (builtins.readFile /tmp/context.json))' --impure; then
+            echo "allowed=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "allowed=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Add no permission reacton
+        if: "${{ steps.perms.outputs.allowed == 'false' }}"
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          comment-id: ${{ github.event.comment.id }}
+          reactions: '-1'
+
+      - name: Add okay reaction
+        if: "${{ steps.perms.outputs.allowed }}"
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          comment-id: ${{ github.event.comment.id }}
+          reactions: '+1'
+
+      - id: get-branch
+        if: "${{ steps.perms.outputs.allowed }}"
+        name: Get PR branch
+        run: echo "branch=$(gh pr view $PR_NO --repo $REPO --json headRefName --jq '.headRefName')" >> "$GITHUB_OUTPUT"
+        env:
+          REPO: ${{ github.repository }}
+          PR_NO: ${{ github.event.issue.number }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Checkout PR
+        if: "${{ steps.perms.outputs.allowed }}"
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ steps.get-branch.outputs.branch }}
+
+      - name: Update Nix Files
+        if: "${{ steps.perms.outputs.allowed }}"
+        run: nix develop --impure .#ci --command "update-nix-package-deps"
+
+      - name: Commit and Push changes
+        if: "${{ steps.perms.outputs.allowed }}"
+        shell: bash
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Configure git user
+          git config user.name "GitHub Actions"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+          # Check if any changes were made
+          if [[ ! -z $(git status -s) ]]; then
+            git commit -a -F - <<EOF
+          nix: Update generated files
+
+          This commit was automatically generated by [this workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).
+          EOF
+
+            git push
+            gh pr comment ${{ github.event.issue.number }} -F - <<EOF
+          Successfully updated generated nix files! 🚀
+
+          Run triggered by @${{ github.event.sender.login }} (${{ github.event.comment.html_url }})
+          *This comment was written by a bot!* 🤖
+          EOF
+          else
+            gh pr comment ${{ github.event.issue.number }} -F - <<EOF
+          Generated files are up to date! 👌
+
+          Run triggered by @${{ github.event.sender.login }} (${{ github.event.comment.html_url }})
+          *This comment was written by a bot!* 🤖
+          EOF
+          fi