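---
# Keeps the Go vendorHash in flake.nix in sync with core/go.mod and core/go.sum.
# Builds the dms-shell package; when Nix reports a hash mismatch, the "got:"
# value from that error is written into flake.nix, the build is re-verified and
# the result is committed back. flake.nix is not in the trigger paths, so the
# commit this workflow pushes does not re-trigger it.
name: Update Vendor Hash

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    paths:
      - "core/go.mod"
      - "core/go.sum"
    branches:
      - master

# The default GITHUB_TOKEN is neither used for checkout nor for the push (the
# App token below is, so the pushed commit still triggers other workflows);
# read access is all it needs.
permissions:
  contents: read

jobs:
  update-vendor-hash:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` below references a mutable tag; pinning each
      # to a full commit SHA would remove the dependency on tag integrity.
      - name: Create GitHub App token
        id: app_token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      # fetch-depth 0 gives the full history the later `git pull --rebase`
      # needs. The App token is stored as the origin credential by checkout
      # (persist-credentials defaults to true), which the push step relies on.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ steps.app_token.outputs.token }}

      - name: Install Nix
        uses: cachix/install-nix-action@v31

      - name: Update vendorHash in flake.nix
        run: |
          set -euo pipefail
          echo "Attempting nix build to get new vendorHash..."
          # A clean build means the recorded vendorHash already matches.
          if output=$(nix build .#dms-shell 2>&1); then
            echo "Build succeeded, no hash update needed"
            exit 0
          fi
          # Nix prints the mismatch as "specified: <old>" / "got: <new>".
          # `|| true` keeps pipefail from aborting before the explicit check
          # below, so any other build failure is reported with its output.
          new_hash=$(echo "$output" | grep -oP "got:\s+\K\S+" | head -n1 || true)
          [ -n "$new_hash" ] || { echo "Could not extract new vendorHash"; echo "$output"; exit 1; }
          current_hash=$(grep -oP 'vendorHash = "\K[^"]+' flake.nix) || { echo "Could not find vendorHash in flake.nix"; exit 1; }
          [ "$current_hash" = "$new_hash" ] && { echo "vendorHash already up to date"; exit 0; }
          # '|' as the sed delimiter: SRI hashes contain '/', '+' and '=' but never '|'.
          sed -i "s|vendorHash = \"$current_hash\"|vendorHash = \"$new_hash\"|" flake.nix
          echo "Verifying build with new vendorHash..."
          nix build .#dms-shell
          echo "vendorHash updated successfully!"

      - name: Commit and push vendorHash update
        env:
          # Passed through the environment instead of being interpolated into
          # the script, so a branch name chosen for workflow_dispatch cannot
          # inject shell syntax.
          TARGET_BRANCH: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          if ! git diff --quiet flake.nix; then
            git config user.name "dms-ci[bot]"
            git config user.email "dms-ci[bot]@users.noreply.github.com"
            git add flake.nix
            git commit -m "nix: update vendorHash for go.mod changes" || exit 0
            # Push back to the branch that was checked out (master for push
            # events). Pushing HEAD:master unconditionally would publish a
            # non-master workflow_dispatch branch onto master. The credential
            # comes from the checkout step, so no token is placed on the
            # command line.
            git pull --rebase origin "$TARGET_BRANCH"
            git push origin "HEAD:$TARGET_BRANCH"
          else
            echo "No changes to flake.nix"
          fi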